The organisations deepest into AI adoption reported the strongest governance on paper and the weakest operational controls in practice.
That is the central finding of HCRAI's first Behavioural AI Risk Assessment study, based on responses from 314 AI practitioners, involved in the design, development and management of AI systems in their organisations.
View ReportFour findings stand out
The gap between governance maturity (74/100) and operational controls (31/100) in organisations with established AI adoption.
At each successive stage of adoption maturity, governance grows stronger and operational safeguards grow weaker. Confidence is building faster than the safeguards meant to back it up.
Behavioural risk does not appear in dashboards or audit trails, and governance maturity does not reduce it. Organisations with exemplary governance report the same risk profile as those with almost none.
AI systems sit in the two highest risk bands, High or Critical. Most are already live or in real-world pilot.
Underneath these findings sits a more fundamental problem. An organisation can have policies, accountability structures, audit trails, incident and escalation processes, and still not see its users over-relying on outputs, misreading confidence, or being shaped or harmed by repeated interaction.
Incident processes detect events, and behavioural risk rarely presents as an event. It accumulates, and by the time it surfaces as a reportable incident, it is usually under a model error or performance issue. The record captures the symptom, but the behavioural cause stays invisible.
View ReportGovernance frameworks describe what organisations intend. Behaviour reveals how AI systems shape people.
This study suggests the two have become disconnected and that the disconnect is wider with deeper AI adoption.