Executive Summary
- The average Responsible AI (RAI) maturity score across ~500 surveyed organizations rose to 2.3 out of 4.0 in 2026, up from 2.0 in 2025 — progress, but still well short of the threshold where governance actually constrains risk.
- Only about one-third of organizations reach maturity level 3 or higher in strategy, governance, and agentic AI governance — meaning two-thirds have not achieved even moderate oversight of their AI programs.
- Organizations that invest $25 million or more in RAI report significantly higher maturity scores and are far more likely to achieve EBIT impact above 5 percent — the first hard investment-threshold-to-financial-outcome correlation in the corpus for AI governance specifically.
- Security and risk concerns are the top barrier to scaling agentic AI, cited by nearly two-thirds of respondents — ahead of regulatory uncertainty and technical limitations.
- Organizations with a clearly accountable function for RAI score an average of 2.6 on maturity; those without score 1.8. A named owner is worth 0.8 maturity points.
The Governance Gap Is Now Quantified
McKinsey’s 2026 AI Trust Maturity Survey (n=~500 organizations, fieldwork December 2025–January 2026) is the first large-scale primary-survey benchmark that assigns a numeric maturity score to AI governance programs and correlates it with financial outcomes. That makes it a different kind of evidence than the prevalence surveys that dominate this space.
The framework assesses five dimensions: strategy, risk management, data and technology, governance, and — new in 2026 — agentic AI governance and controls. The scale runs from 1 (foundational) to 4 (comprehensive and proactive). The average score across all dimensions is 2.3, up from 2.0 in 2025. That sounds like progress. The problem is where the gaps sit.
The three dimensions with the worst scores are also the most consequential: strategy, governance, and agentic AI governance. Only about 30 percent of organizations reach level 3 or higher in any of these. That means roughly 70 percent of organizations have governance programs that are either ad hoc or partially built — not systematized, not proactive, not capable of handling the autonomous systems being deployed on top of them.
The timing is pointed. Organizations are not waiting for governance to catch up before deploying agents. They are deploying agents and hoping governance scales to meet them.
Where the Risks Are Concentrating
Insight 4 from the survey is the most operationally significant: nearly two-thirds of respondents name security and risk concerns as the top barrier to fully scaling agentic AI. This is not about model capability or cost. The bottleneck is trust — specifically, organizations do not believe their controls are adequate to safely run autonomous systems at scale.
The specific risks most cited:
- Inaccuracy: 74 percent of respondents identify it as highly relevant
- Cybersecurity: 72 percent identify it as highly relevant
Both numbers have grown as adoption expands. More AI deployment means more surface area for both hallucination-driven errors and security vulnerabilities. This is not a “pilot phase” problem that resolves itself at scale — it amplifies.
The mitigation gap is the sharper signal. Across almost all risk categories, organizations report a meaningful gap between the risks they consider relevant and the risks they are actively mitigating. The gap is sharpest for intellectual property infringement and personal privacy — two categories with direct legal exposure. Knowing a risk exists and having a control in place for it are not the same thing, and this survey puts numbers to that distance for the first time.
AI incident response is deteriorating relative to frequency. The share of organizations reporting AI-related incidents has held steady at roughly 8 percent. But 60 percent of organizations that experienced incidents report satisfactory or negative views of their organization’s response. Incident rates are not rising. Response quality is falling behind system complexity. That is a different problem — one that gets worse as agentic deployments multiply the number of things that can go wrong simultaneously.
The Investment Threshold That Changes the Outcome
Insight 3 is where the governance-as-business-case argument becomes concrete. Organizations investing $25 million or more in RAI initiatives report significantly higher maturity scores and are far more likely to achieve EBIT impact above 5 percent.
This is the first investment-threshold-to-financial-outcome correlation for AI governance in the corpus. Prior research established that AI investment correlates with AI returns at the enterprise level. McKinsey’s 2026 survey establishes a more specific claim: investing in the governance and trust infrastructure — not just the AI capabilities themselves — is associated with better business outcomes.
The mechanism is plausible. Organizations with strong RAI programs experience fewer incidents, sustain higher adoption rates (because employees trust the systems), and face lower remediation costs when something goes wrong. But the direction of causality is unverified; it is equally plausible that organizations performing well financially have more budget to invest in governance. McKinsey’s survey is correlational, not causal.
Still, for a board asking “what is the ROI on building a governance program,” this is the sharpest answer currently available in the research base.
Accountability Is Worth 0.8 Maturity Points
Insight 9 is the most immediately actionable finding. Organizations with clear ownership for RAI — through AI-specific governance roles or internal audit and ethics teams — average a maturity score of 2.6. Organizations without a clearly accountable function average 1.8.
That 0.8-point gap is larger than the total improvement the average organization achieved over the last year (from 2.0 to 2.3). The structural decision of whether to assign a named owner produces a larger maturity difference than 12 months of organic program development.
The implication for mid-market organizations is direct: before investing in governance tooling, training programs, or external advisors, the single highest-leverage action is assigning explicit ownership. The title does not matter. The clarity of accountability does.
Industry and Regional Variation
Technology, media, and telecommunications lead RAI maturity, followed by financial services. Both sectors have stronger risk management and data foundations, and both operate under more explicit regulatory scrutiny — which appears to be driving program development even as the survey shows regulatory influence declining as a primary motivation.
Asia-Pacific leads globally on overall maturity. Governance and agentic AI controls lag behind data and technology across all regions — making the governance gap a globally consistent pattern, not a US or European anomaly. North American organizations dealing with the regulatory ambiguity of 2026 are not uniquely disadvantaged; they are in the same position as peers globally.
Key Data Points
| Finding | Metric | Date | Source Tier |
|---|---|---|---|
| Average RAI maturity score | 2.3/4.0 (up from 2.0 in 2025) | Q1 2026 | TIER 1 |
| Organizations at maturity level ≥3 in strategy/governance/agentic | ~30% | Q1 2026 | TIER 1 |
| Top barrier to scaling agentic AI: security/risk concerns | ~65% of respondents | Q1 2026 | TIER 1 |
| Inaccuracy as highly relevant AI risk | 74% | Q1 2026 | TIER 1 |
| Cybersecurity as highly relevant AI risk | 72% | Q1 2026 | TIER 1 |
| $25M+ RAI investment → EBIT impact >5% correlation | Significantly higher likelihood | Q1 2026 | TIER 1 |
| Knowledge/training gaps as barrier to RAI implementation | ~60% (up from ~50% in 2025) | Q1 2026 | TIER 1 |
| Maturity score with clear RAI accountability | 2.6 average | Q1 2026 | TIER 1 |
| Maturity score without clear RAI accountability | 1.8 average | Q1 2026 | TIER 1 |
| Organizations reporting satisfactory/negative incident response | ~60% of those with incidents | Q1 2026 | TIER 1 |
| AI incident frequency | ~8% of organizations | Q1 2026 | TIER 1 |
Source credibility: MEDIUM-HIGH. McKinsey/QuantumBlack has direct commercial interest in responsible AI and trust-transformation engagements — the framing that governance investment drives financial returns aligns with McKinsey’s service offering. Sample size of ~500 is small for a global survey. Maturity scores are self-reported. No independent audit of maturity assessments. That said: McKinsey AI Trust Maturity is a defined framework with published dimensions, the survey methodology is disclosed, and the ten specific findings are internally consistent. Cross-reference against EY Autonomous AI Tech Pulse 2026 (52% ungoverned at department level), MIT CISR Minimum Viable Governance (four-characteristic governance framework), and KPMG Global AI Pulse 2026 (20% vs. 49% risk-confidence bifurcation).
What This Means for Your Organization
The McKinsey maturity score of 2.3 is a number your board will ask about. The useful question is not “where does this company score” but “which of the five dimensions are we missing.” Strategy, governance, and agentic AI governance are the three dimensions where most organizations are below level 3. If your organization has a working AI program but has not formalized governance accountability, has not established agentic AI controls, or has not connected the AI program to a documented enterprise strategy, that is where the gap is.
The $25M investment correlation should be read carefully. Most organizations in this survey are large enterprises. The $25M threshold likely corresponds to a meaningful percentage of the AI program budget for the organizations achieving that level — not a flat dollar amount that mid-market companies can simply match. The underlying logic is scale-invariant: proportionate investment in governance, not just capability, is associated with better outcomes.
The accountability finding is the most executable insight here. If the question is “what is the one structural change that produces the largest governance improvement,” the data says: name the owner. The gap between organizations with explicit RAI accountability (2.6) and those without (1.8) is larger than a year of organic progress. That is a decision that can be made in one meeting, and the McKinsey data gives it a quantified rationale.
For a more detailed look at where your current program stands relative to these five dimensions, the conversation is worth having — brandon@brandonsneider.com.
Sources
- McKinsey/QuantumBlack — “State of AI Trust in 2026: Shifting to the Agentic Era”
  - Authors: Gabriel Morgan Asaftei, Roger Roberts, Abby Sticha, Cécile Prinsen
  - Published: March 25, 2026
  - Methodology: 2026 AI Trust Maturity Survey, n=~500 organizations, fieldwork December 2025–January 2026, respondents with direct responsibility in AI governance/risk/investment
  - URL: https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/tech-forward/state-of-ai-trust-in-2026-shifting-to-the-agentic-era
  - Credibility: MEDIUM-HIGH — McKinsey has direct commercial interest in RAI/trust transformation engagements; self-reported maturity scoring; n=~500 is small for global; framework and methodology are disclosed and internally consistent
- EY Technology Pulse Poll: Autonomous AI Adoption (Ernst & Young LLP, Mar 4, 2026, n=500 US tech-sector director-level+)
  - Cross-reference: 52% of department-level AI initiatives operate without formal approval or oversight
  - URL: https://www.ey.com/en_us/newsroom/2026/03/ey-survey-autonomous-ai-adoption-surges-at-tech-companies-as-oversight-falls-behind
- MIT CISR “Minimum Viable Governance for Generative AI” (van der Meulen, Jewer, Levallet — Mar 19, 2026)
  - Cross-reference: Four-characteristic × five-domain governance framework; shadow AI paradox
  - URL: https://cisr.mit.edu/publication/2026_0301_GenAIGovernance_VanderMeulenJewerLevallet
- KPMG Global AI Pulse Survey Q1 2026 (n=2,110, published Mar 31, 2026)
  - Cross-reference: 20% of experimenting organizations feel confident managing AI risks vs. 49% of AI leaders
  - URL: https://kpmg.com/xx/en/media/press-releases/2026/03/kpmg-global-ai-pulse-survey.html
Brandon Sneider | brandon@brandonsneider.com April 2026