The Gap No One Talks About

Here is a pattern we see over and over again. A company is smart. The engineering team is strong. AI adoption is moving fast. And leadership is confident they have it under control.

Then someone looks under the hood.

That is what happened when we ran an AI Security and Risk Assessment for a fintech firm in a regulated market. The company had strong instincts — early AI adoption, skilled teams, and a growing set of use cases. What they lacked was a way to see, govern, or defend how AI was really being used.

They are not alone. After walking the show floor at RSA Conference 2026, one thing is clear: the industry knows this is a problem. Andy Ellis’s post-RSAC vendor report found that 37% of booths mentioned AI. Identity, governance, and security operations led the way. But here is the hard truth behind the buzz — most firms are still figuring out how to close the gap between AI power and AI control.

That gap is where the real risk lives.

What We Found

The assessment covered eight domains and included interviews across leadership, engineering, and business teams. The results told a clear story.

• Upwards of 100 risks identified across governance, security, data, and infrastructure

• The heaviest concentration was in governance and compliance — with over a dozen rated high or critical

• Security and trust risks followed close behind, with the majority rated high severity

• Data and AI platform risks rounded out the picture, including several high-priority findings

The risks were not scattered. They were concentrated in three areas: governance, security, and data. That pattern points to structural gaps, not one-off problems.

Three challenges stood out above the rest.

Governance without enforcement. Policies existed. Intent was there. But there was no defined ownership, no enforcement mechanism, and no audit trail. Governance was informal and hard to defend.

Identity and access gaps in AI systems. AI agents and services had no steady identity. Access was too broad. Nothing was centrally managed. This is the kind of risk that builds quietly — until it does not.

Uncontrolled AI use case growth. AI was being developed across business units, deployed without formal approval, and extended into customer-facing workflows. Governance simply could not keep pace with adoption.

Why This Matters Right Now

FINRA’s 2026 guidance makes the stakes clear. AI is no longer treated as a test. It is part of the firm’s control environment. That means oversight of AI-driven processes, data quality and tracing, logging of AI outputs, and close attention to the risks of agentic AI — autonomy, scope, and the ability to audit.

The shift is simple but significant. If AI touches decisions that affect customers, markets, or compliance, it must be governed like any other control.

Ellis’s RSA report backs this up from the vendor side. The categories with the most booths — identity, app security, and security operations — are the same areas where this assessment found the deepest gaps. The market is building answers. But most firms have not yet mapped the problems those answers are meant to solve.

What Changed

After the assessment, the organization had something it did not have before: clarity.

• A full view of AI-related risks and where they are concentrated

• A prioritized list of what matters most — and what can wait

• Leadership aligned around AI as a governance challenge, not just a growth play

• A structured path from experimentation to governed execution

Identient also delivered a digital twin of the assessment itself. Instead of leaving findings locked in a static report, a conversational agent makes risk insights easy to query, explore, and apply in real time. Leaders can ask questions, revisit findings, and act on insights as things change.

This is the shift we described in our earlier post on Verified Digital Twins. Risk management cannot be a point-in-time exercise. It has to become a continuous, intelligence-driven function.

The Bottom Line

This firm is not behind. They are at a turning point — and they had the sense to act before the gap became a crisis.

The firms that win with AI will not be the fastest to deploy. They will be the ones that can trust, control, and defend the choices AI makes on their behalf.

That requires three things: structured governance, verified data, and disciplined execution.

Ready to See What You’re Missing?

Experience how Identient reveals the signals behind your strategy — from real-time insight to board-level clarity. Move beyond assumptions, align execution to what matters, and lead with confidence.

Schedule a Discovery Call →