Most people sort of assume that heavily regulated enterprises are the last ones to move on new technology. That assumption is actually pretty wrong, and the data coming out of the GRC space is starting to make it very clear.
Anton Dam, SVP of Product AI at Optro, has been watching a quite counterintuitive pattern play out in real time. Some of the largest, most historically conservative companies in the world are now the most aggressive adopters of AI — in the kinds of risk and compliance workflows that carry the highest stakes for getting it wrong. That trend is accelerating fast, and it is changing what AI governance actually looks like from inside the teams responsible for it.
Optro, which recently rebranded from AuditBoard, serves nearly 3,000 customers globally and counts half the Fortune 500 among its client base. The platform is built around helping enterprises go from reactive risk mitigation to something far more strategic — proactive risk management. With the introduction of Optro AI, that transformation is now moving faster than most organizations really expected.
The Companies You Least Expected Are Leading the AI Charge
You might sort of expect the companies with the most regulatory exposure to be the most cautious about letting AI anywhere near their audit workflows. Anton has found the opposite to be true — and the reason makes a lot of sense once you see it.
Larger enterprises tend to have clearer board mandates, stronger internal enablement resources, and more dedicated budget for AI security reviews. A 2024 McKinsey report on the state of AI in business found that 72 percent of organizations had adopted AI in at least one business function, with enterprise-scale firms outpacing mid-market companies in high-stakes sectors like finance and compliance.
"Audit teams, when it comes to frontier technology adoption, go according to wherever their company at the top level drags them or pulls them," Anton said. "And if you unleash your people, what you get is this flurry of adoption." That kind of top-down mandate, combined with dedicated internal enablement teams and real budget, is producing results that look very different from what most observers predicted a few years ago. The companies that were supposed to move last are actually moving first.
Three Tiers of AI — and Why Quality Thresholds Change Everything
One of the more genuinely useful frameworks Anton has developed at Optro is a three-tier classification of AI experiences: assistive, co-pilot, and agentic. Each tier requires a very different quality threshold, and getting that calibration right is sort of where all the trust-building actually happens.
At the assistive level, the bar is relatively low. If an auditor asks AI to reformat a piece of text from first person to third person and make it a bit more formal, a human is still reviewing every change. Minor errors are easily caught before anything goes near a system of record.
Co-pilot experiences are a bit more demanding. The AI is sort of working alongside the user and performing tasks with real independence, so performance below roughly 70 percent accuracy is actually worse than just doing the task manually. Users who see low-quality co-pilot outputs will simply stop using the tool, which means quality is really the only adoption lever that matters at that tier.
Agentic AI — where the system takes actions autonomously — requires the highest bar of all. Optro has one ironclad rule across all three tiers: nothing gets entered into a system of record without human review. "At the end of the day, everything sort of goes through a person," Anton said. "We just want the person to go more and more towards the beginning and more towards the end of the process." That philosophy has produced some pretty remarkable adoption numbers — about 80 percent of Optro AI customers currently accept AI-generated or AI-recommended content into their systems of record.
Betting on Human Creativity When Machines Are Getting Smarter
"Where do we go next? What do we want to be? How do we really think about and act on risk — aligning those things to corporate goals and values?" Anton said. "That is the space for human creativity. As we automate more things, the things we have already figured out get automated away. But where we go next, that is the question AI cannot answer for you."
This has real implications for the GRC space. The Institute of Internal Auditors has increasingly stressed the need for internal audit to move from a reactive control-testing function toward a more advisory and strategic role — a shift that requires exactly the kind of human judgment Anton is describing. AI governance frameworks from NIST to the EU AI Act are recognizing that human oversight is not a limitation of responsible AI systems. It is a core feature.
Optro's data supports the case. For audit teams that invest time in learning to structure prompts, set up workflows, and sequence tasks correctly, time spent on manual document review can drop by 50 to 70 percent. That kind of efficiency gain is what lets a team stop being reactive and start being genuinely strategic.
Shadow AI Is the New Shadow IT
One of the more pressing issues Anton raised is what he calls "shadow AI" — the enterprise equivalent of shadow IT from a decade ago. Most companies deploying AI today actually have very limited visibility into how it is being used internally. Employees are sometimes copying sensitive documents into personal AI tools with no oversight, no security controls, and no awareness from compliance or IT teams.
"The only solution, aside from trying to lock down where you can, is to aggressively, aggressively enable," Anton said. The logic is pretty clear. AI tools are so directly relevant to everyday knowledge work that if organizations do not provide sanctioned, secure options, people will find their own. And their own choices often involve privacy settings they forget to check and data that has no business leaving the corporate environment.
A survey by Deloitte on AI adoption in the enterprise found that a majority of executives reported concerns about uncontrolled internal AI usage, yet relatively few had comprehensive governance policies in place. Optro addresses this partly by logging everything in its development process, tracking how models are trained and tuned, and building every feature with evolving regulatory standards already in mind.
What Internal Audit Looks Like in Five Years
"The internal audit function becomes a strategic function," Anton said. "Whereas they spend most of their time today just trying to keep up with the amount of work the business throws at them." The shift is really from doing last year's work faster to helping the business make better decisions this year. Audit teams of the future will spend less time flagging problems after the fact and more time helping leadership understand real-time risk, evaluate new market opportunities, and make informed trade-offs about where to invest and where to hold back.
Anton makes a broader structural prediction as well: the AI governance role will follow the trajectory of the CISO role after GDPR. Just as data privacy raised the chief information security officer to a board-level strategic function over the past decade, a similar rise is coming for whoever ends up holding the AI accountability role. Every function in every enterprise will be using AI for something. Making sure that use aligns with fiduciary responsibilities, regulatory requirements, and company values is not a small job — and someone is going to own it at the executive level.
Optro is building for that future right now. And if the adoption patterns Anton is seeing hold up, the biggest and most risk-averse companies will keep on being the ones who lead the way.
Enjoying insights from industry leaders? Subscribe to The Winners' Circle podcast on your favorite podcast player and never miss an episode. Listen and subscribe at bintelligence.com/podcast.