CCI staff share recent surveys, reports and analysis on risk, compliance, governance, infosec and leadership issues. Share details of your survey with us: editor@corporatecomplianceinsights.com.
Only 22% of organizations have defined AI strategies despite widespread adoption
Only 22% of organizations have a visible, defined AI strategy despite clear evidence that strategic AI adoption drives significantly better outcomes, according to new research from Thomson Reuters. Organizations with AI strategies are twice as likely as those with informal adoption approaches to experience revenue growth from AI and 3.5 times more likely to achieve critical AI benefits compared to those with no significant adoption plan, the report said.
The survey of 2,275 global professionals across legal, risk, compliance, tax, accounting, audit and global trade found that more than half of organizations are already seeing return on investment from AI adoption, with improved efficiency and productivity being the most common benefits. However, 40% of organizations are adopting AI without a strategy, and 30% of professionals say their organizations are moving too slowly on AI implementation.
Professional-class workers predict AI will save them an average of five hours weekly within the next year, up from four hours predicted in 2024, unlocking an estimated $19,000 in annual value per person. In the US alone, this AI-driven efficiency could translate to a $32 billion combined annual impact for the legal and CPA sectors.
Other key findings:
- Eighty percent of professionals believe AI will have a high or transformational impact on their profession over the next five years, but only 38% expect significant change at their own organization this year.
- Fifty-five percent of professionals have experienced or expect significant changes in their work, with 46% reporting skills gaps on their teams, mainly in technology and data competencies.
- Eighty-eight percent of professionals favor having profession-specific AI assistants.
“Professional work is now being shaped by AI, and those who fail to adapt risk being left behind,” said Steve Hasker, president and CEO of Thomson Reuters. “Our research shows that organizations with AI strategies are seeing significant returns on investment, while those without are struggling to keep pace.”
The research was conducted in February and March 2025 via online survey of professionals employed by corporations, firms and government agencies across North America, Latin America, the UK, Europe and Asia-Pacific.
Mature AI orgs 6 times more likely to deploy AI across multiple GRC functions
Leading organizations are six times more likely than their peers to apply AI across multiple governance, risk and compliance functions, transforming compliance from a reactive process into a strategic advantage, according to new research from AuditBoard. The survey of more than 400 GRC professionals found that 72% of the most mature organizations use AI to track risk proactively, compared to just 52% at the lowest-maturity tier.
The research reveals a significant maturity divide in AI adoption for GRC functions. More than half of mature organizations use AI for predictive risk modeling, shaping risk posture and strategic planning rather than simply checking compliance boxes. Meanwhile, only 14% of organizations at the lowest maturity level use AI meaningfully in GRC, with most still relying on manual processes and fragmented systems.
The most advanced organizations are also preparing for expanded AI investment, with 44% planning to invest further in AI-driven risk management in the next 12 months. These leading organizations treat AI as core GRC infrastructure, with 76% using AI across both risk and compliance functions compared to 34% at mid-tier organizations and just 6% at the lowest maturity level.
Other key findings:
- Sixty percent of the most mature organizations use AI-powered automation for regulatory change monitoring compared to 56% at mid-tier and 48% at lower-maturity organizations.
- Integration remains the biggest roadblock across all maturity levels, with only 39% of organizations reporting strong integration between compliance, information security and risk functions.
- Seventy-two percent of the most mature organizations agree that embedding compliance into innovation helps scale faster with fewer disruptions.
“Plugging in AI throughout GRC functions can help companies differentiate themselves from competitors and see around corners in today’s rapidly changing regulatory environment,” said Rich Marcus, chief information security officer at AuditBoard.
The research was conducted by AuditBoard in partnership with Panterra Research across the US, Canada, Germany and the UK. Survey respondents included C-suite executives (54%), team leads (36%), managers (8%) and other roles (2%) at companies with at least 1,000 employees.
Data deletion requests surge 82%
Eighty-two percent of consumer data requests now involve deletion rather than access, according to new research from DataGrail, a San Francisco-based data privacy platform provider. The surge in deletion requests has driven overall data subject requests up 43% year-over-year, with businesses now spending an estimated $1.3 million annually to manually process privacy requests per 5 million unique website visitors, a 43% increase from 2023, the report found.
The shift toward deletion reflects growing consumer awareness of privacy rights and distrust of how companies handle personal data, particularly amid concerns about AI training and data breaches. DataGrail’s analysis of privacy requests processed in 2024 found that deletion requests increased 82% while access requests declined 45%, marking the fourth consecutive year that deletion has outpaced access requests.
The research also revealed widespread noncompliance with consumer opt-out preferences. An audit of 5,000 websites found that 69% of organizations continue to deploy three or more cookie trackers despite users opting out of data sharing, potentially exposing companies to regulatory fines and lawsuits. “Do not sell” requests increased 37% in 2024, with California’s Privacy Protection Agency focusing enforcement efforts on companies that fail to honor such requests.
Other key findings:
- Data brokers received the highest volume of privacy requests across all industries, driven partly by California’s Delete Act.
- Forty-one percent of US data subject requests came from states with active privacy laws, up from 12.5% in 2023.
- Globally, 31.5% of requests originated from countries without privacy laws, indicating worldwide demand for data control regardless of regulatory protection.
“This surge in DSRs, particularly deletions, is making compliance more expensive for organizations,” said Daniel Barber, co-founder and chief executive officer of DataGrail. “The privacy landscape, driven by stricter laws and heightened enforcement globally, means proactive data privacy management is no longer optional but mandatory for brands.”
The survey analyzed data subject requests processed by DataGrail on behalf of customers from January through December 2024, covering more than 700 million records. DataGrail used Gartner’s estimate of $1,524 per manually processed request to calculate compliance costs.
78% of employees lack confidence in spotting AI-powered cyberattacks as risky workplace behaviors persist
Nearly eight in 10 employees say they are not fully confident in detecting sophisticated AI-enabled threats like deepfakes and voice spoofing, according to new research from Traliant, an online compliance training provider. The survey of 656 US employees also found widespread unsafe cybersecurity practices, including 23% who write down passwords and 18% who reuse passwords across work accounts.
Personal device usage presents another significant risk, with 42% of employees admitting they have accessed sensitive company information on personal devices without IT approval. Convenience and ease of access drove 67% of unauthorized personal device usage, according to the survey. Younger employees showed higher rates of this behavior, with 51% of Millennials and 48% of Gen Z workers using personal phones to access sensitive company data compared to 24% of Baby Boomers.
The research reveals gaps in cybersecurity preparedness as threats become more sophisticated. Only 30% use password managers despite their proven security benefits, and fewer than half consistently use multi-factor authentication when available. Email remains the primary phishing method employees encounter at 85%, though only 33% feel extremely confident in spotting traditional phishing attempts.
Other key findings:
- Phone-based attacks via text (26%) and calls (19%) are increasing beyond traditional email phishing.
- Office workers reported the highest instances of encountering phishing threats at 75%.
- While 90% of employees receive cybersecurity training annually or more frequently, 40% say current training doesn’t feel relevant to their daily responsibilities.
“AI-engineered cyberthreats have become more complex, harder to detect, and exploit employee behaviors,” said John Brushwood, compliance counsel at Traliant.
The survey was conducted by independent market research firm Researchscape in March and April 2025 among employees at organizations with 100 or more workers across healthcare, hospitality, retail, industrial, manufacturing and professional services sectors.
Payment systems top target as hotels brace for summer cyberattack surge
Hotels are bracing for increased cyberattacks this summer, with payment systems and point-of-sale technology emerging as the top target for cybercriminals during peak travel season. Seventy-two percent of hotel IT and security executives identify payment and POS systems as most vulnerable to attack, according to new research from VikingCloud, a cybersecurity and compliance provider.
The hospitality industry faces mounting pressure as 66% of hotel executives expect a rise in attack frequency and 50% anticipate more severe attacks during summer 2025. During last summer’s travel season, 82% of North American hotels experienced successful cyberattacks, with 58% targeted by five or more separate attacks, VikingCloud said.
Beyond payment systems, guest Wi-Fi networks rank as the second-most vulnerable target at 56%, followed by front desk systems at 34%. Thirty-four percent of hotel executives worry specifically about POS system attacks disrupting in-person transactions, while 32% say increased credit card transaction volumes during busy travel periods will heighten cybersecurity risk.
Other key findings:
- Data breaches exposing payment details, passports, loyalty accounts or other sensitive guest information represent the top attack method at 46%, followed by phishing attacks at 40%.
- Third-party system weaknesses, including payment processors and booking platforms, increase cybersecurity risk according to 42% of respondents.
- Potential business impacts include reputational damage from negative reviews (66%), financial losses (46%), lawsuits (42%) and lower occupancy rates (32%).
- Twelve percent said a successful attack could lead to hotel closure.
“Peak travel season is here, and it’s also the busy season for cybercriminals,” said Kevin Pierce, chief product officer at VikingCloud. “Hotels are a prime target given the surge in guest transactions, reliance on interconnected systems, and vast amounts of sensitive data.”