The AI control gap: IBM finds CIOs accountable for systems they cannot govern

Bottom line. IBM’s June 2026 study of 2,000 technology executives puts a number on a feeling most CIOs already have: 66% are held accountable for AI systems they do not fully control. The control gap is not a phase that experience cures. It is what continuous, autonomous AI does to governance models built for a slower estate, and the organisations that close it design control into the system rather than govern around it afterward.

The definition. The AI control gap is the distance between who is accountable for an AI system and who actually controls it. IBM frames it as the predictable result of AI moving from pilots to enterprise-wide deployment: the systems now operate continuously and autonomously, while the governance and architecture meant to contain them were built for something slower and more predictable. The accountable owner stays the same. The thing they are accountable for changed shape underneath them.

IBM’s own CIO put the mismatch plainly:

“For CIOs and CTOs, the challenge now is scaling AI systems that operate continuously and autonomously, often within governance models and architectures designed for a far slower, more predictable environment.” — Matt Lyteson, Chief Information Officer, IBM

The measurement. The study, conducted with Oxford Economics across 33 geographies and 19 industries from January to April 2026, sizes the gap with four numbers. 66% of technology leaders are accountable for AI they do not fully control. 70% say business teams deploy faster than IT can track. Only 11% feel completely ready for the AI agent scale expected by 2027. And 80% report a CEO-driven AI mandate, which is the force pushing deployment past the speed governance can match.

The visibility problem shows up most sharply in spend. AI’s share of IT budgets is projected to rise from just under 15% in 2025 to nearly 25% by 2027, a 71% increase in two years, and IBM reports that 85% of technology executives still lack full visibility into real-time AI spend. An owner who cannot see real-time consumption cannot control it; the budget line is the control gap made legible.

The pattern. The more useful half of the study is what separates the organisations that close the gap from the ones that widen it, because the separator is architectural rather than procedural.

Organisations that embed control directly into their AI systems report 25% fewer incidents, four times less wasted AI budget, and 18% higher operating margins than those relying on manual governance. The ones that designed for adaptability early, keeping workloads portable and models replaceable rather than locked into hard dependencies, reported a 10% higher return on AI investment in 2025. The lesson is consistent across the metrics: control built into the system outperforms control applied around it.

What it means for IT leaders. The control gap reframes the AI governance question from “what policy do we write” to “what does the system measure about itself.” A policy governs intentions. An embedded control governs behaviour at runtime, which is the only layer where a continuously running agent can actually be held. This is the practical home of our MTTD-for-Agents framing: a system without a measured time-to-detect for agent misbehaviour has an unmeasured one, and an unmeasured detection time is the control gap expressed as risk.

The accountability does not move. The CEO mandate is not going to slow down, and the 80% figure says it is nearly universal. So the only variable a CIO actually controls is whether the next AI system ships with control designed in, instrumented for visibility and cost from the first deployment, or whether governance gets retrofitted onto a system already running in production, which is the configuration IBM’s data associates with more incidents and more waste.

What a CIO does about it. Stop scoring AI initiatives only on what they deliver, and start scoring them on what they expose: any system whose real-time spend, decision quality and detection time you cannot see is one you are accountable for and do not control, and that is the one to fix before the next mandate adds another.