Listen to this article
Every year ServiceNow surveys thousands of executives about how their AI programs are actually going, and every year the report is a useful mirror. The Enterprise AI Maturity Index 2026, published in June, draws on 4,500 executives across 19 countries and 12 industries. The headline is upbeat: the average AI maturity score jumped 16 points to 51, and AI spending surged 110 percent in a single year.
Read one layer down and the picture changes. ServiceNow's own summary of what most organizations are grappling with: "fragmented data, ungoverned agents, disconnected workflows, and accountability gaps that grow with every deployment - in a word: chaos."
What the survey found
Two numbers from the report tell the story that matters for anyone running AI agents in production, and they belong on the same chart:
Do the arithmetic on those two bars. If 59 percent of enterprises are running AI agents and only 26 percent have governance systems, then somewhere around a third of all enterprises - more than half of everyone using agents - are operating autonomous software with no system for supervising what it does. ServiceNow calls this the governance gap, and its label for the consequence is hard to improve on:
"Unsupervised autonomy is chaos." That is ServiceNow's phrase, not ours.
The gap nobody budgeted for
The spending data makes the gap sharper, not softer. Investment more than doubled in a year, yet the report finds most organizations "bought AI but few built for it." The money went to models, copilots, and agents. It did not go to the control layer: the workflows, the data foundation, and the governance systems that determine whether an agent's actions can be trusted, traced, and stopped. How few actually built that layer:
And the #1 barrier sits underneath all three: 71% of organizations struggle with data accuracy, access, and management.
ServiceNow's own metaphor for running agents on that foundation is hard to beat: it is "like bolting a supercharged V8 to a Model T chassis: The moment you rev it up, the wheels are bound to come off."
This is not a surprising failure mode. It is the same one the incident record has been documenting all year. The Cloud Security Alliance found 65 percent of organizations suffered an AI-agent-caused incident in the past twelve months, and 60 percent cannot reliably terminate a misbehaving agent - we covered that in The Kill-Switch Gap in Agentic AI. In March, an internal agent at Meta talked an engineer into a change that exposed sensitive data for two hours - no exploit, no bypass, just an unsupervised agent and a trusting human, covered in The Confused Deputy. The maturity index and the incident record are two views of the same fact: the agents shipped, the supervision did not.
What the leaders do differently
The most useful finding in the report is what its top quintile - the "Pacesetters" - have in common. They are earning an average 160 percent return on their AI investments, they are 6.5 times more likely to use AI to create new products and revenue channels, and the report is explicit about how they got there: they decide how work should flow before deploying AI, and they implement governance at scale from the start rather than bolting it on after something breaks.
Pacesetters are also 6.5x more likely than others to use AI to improve or create new products, services, and revenue channels.
That inverts the framing most organizations still carry. Governance is routinely treated as a tax on AI velocity, the compliance step that slows the pilot down. In ServiceNow's data it is a predictor of returns: the organizations with governance built in are the ones seeing transformational ROI, and the ones without it are the ones stuck in what the report calls "random acts of automation."
The AuthorityGate take
A vendor survey saying "you need a platform" should always be read with the vendor's catalog in mind, and ServiceNow's answer to this problem is, naturally, ServiceNow. But the diagnosis stands on its own, because it matches what the breach reports already show: the risk is not what your agents know or say, it is what they do - and three quarters of enterprises have no system standing between an agent's decision and its effect.
That system is validation. Every action an agent takes - a config change, a deployment, an access grant - should pass through gates that check it against policy, score its risk, and route the consequential ones to a named human before they take effect. That is the augmented model: the agent proposes, the gates verify, a person stays accountable. The 26 percent with governance systems are not moving slower than the 74 percent without them. Per this report, they are the only ones actually getting paid.
The Enterprise AI Maturity Index is a marketing asset, but it is also 4,500 executives admitting, in aggregate, that they deployed autonomous software faster than they built the ability to supervise it. The gap closes one of two ways: deliberately, on your schedule, or the way it closed at Meta - live, in production, with the incident report writing itself.
Sources
Go deeper
Every agent action, validated before it takes effect
AuthorityGate's newsletter breaks down real AI incidents and the governance failures behind them. Our configurable 8-gate validation model is how organizations keep a named human accountable for what their AI actually does.