Nine in 10 respondents to ISACA’s recently released 2026 AI Pulse Poll say employees are using AI within their organizations, yet only 22% report that AI has met or exceeded their ROI expectations.
The poll engaged over 3,400 digital trust professionals, offering insights into AI’s integration across roles in IT audit, governance, cybersecurity, privacy, and emerging technologies.
While AI is undeniably transforming day-to-day operations, organizations are grappling with aligning its capabilities with effective governance and operational readiness. The poll highlights a shift toward formalizing AI policies, currently at 38% compared to last year's 28%. Nonetheless, 25% of organizations still operate without an active policy, reflecting an area for growth.
Regarding AI’s ROI, perceptions vary. A significant portion—23%—believes it’s premature to assess ROI, while 22% are unsure of their financial gains. Another 20% cite limited returns thus far.
“There's enormous pressure on organizations to show that AI is paying off, but the pulse poll reveals a more honest picture: most organizations aren’t yet sure whether it has,” says Keith Bloomfield-DeWeese, Senior Manager of AI Product Development at ISACA. “That uncertainty isn’t a failure of AI, but a reflection of how hard it is to build something that actually works at scale. The thing with ROI in AI is that it doesn't arrive on schedule; it’s not a switch that can be flipped: it’s the result of sustained investment in the people, processes, and governance structures that make intelligent systems reliable. The organizations that resist the urge to declare victory too early are the ones most likely to get there.”
On the operational front, AI contributes notably to enhancing productivity (62%), generating content (62%), automating tasks (50%) and data analysis (49%). Consequently, AI proficiency is increasingly critical, with 78% recognizing its importance—up from 72% last year. Meanwhile, 33% of organizations now provide AI training for all employees, a significant increase from 22% in 2025.
However, many organizations are still searching for how to address AI scenarios that go poorly.
“One of the most important findings in the poll is not about adoption at all. It is about control under pressure,” writes Tamim Ahmed in an ISACA Now blog post. “Only 12 percent of respondents say their organization has a documented process for shutting down or overriding AI systems if something goes wrong and that the process is tested regularly. Just as concerning, 56 percent do not know how long it would take to halt an AI system in the event of a security incident.
“For cybersecurity professionals, these are not abstract governance gaps. They point to a basic readiness problem. A policy may describe acceptable use, but a real incident requires something more operational: clear ownership, defined escalation paths, decision authority, fallback options and tested procedures. If an organization cannot quickly answer who can halt an AI-enabled process, under what conditions and within what timeframe, then its resilience is weaker than it may appear on paper.”
Learn more and gain additional insights by accessing ISACA’s 2026 AI Pulse Poll and related resources at www.isaca.org/ai-pulse-poll.