How AI governance became a top priority in service

For years, enterprise software deals followed a familiar playbook. Buyers evaluated features, pricing, integrations, and implementation timelines. Security and legal were vetted by a separate procurement team, often secondary to the business decision.

That era is over. Something fundamental has shifted as AI moves from answering questions to taking actions—processing refunds, updating records, routing resolutions without human review. When AI gets it wrong at that level, the consequences aren't simply a wrong answer in a chat. They're data incidents, compliance violations, brand damage, and lost customers. And buyers know it.

Our research, conducted with 300 U.S.-based professionals who recommend or evaluate customer service platforms, shows that trust in AI is no longer evaluated outside of the purchase decision. In many organizations, it is the purchase decision. This report presents what the Zendesk research team found—and what it means for every company navigating AI in customer service.

Key findings:

• Security and governance don't just matter—they dominate
• The biggest blocker to AI adoption isn't budget or skills—it's governance
• Companies aren't waiting. They're sequencing
• When trust breaks down, the consequences are real
• Three things every trust-ready AI vendor must deliver
• Buyer’s guide: The AI trust evaluation checklist
• Frequently asked questions
• Put AI governance into action

“The biggest limiter to AI adoption right now isn't capability. The models are extraordinary. The limiter is confidence.” Shana Simmons, Chief Legal Officer, Zendesk

Security and governance don't just matter—they dominate

In our research, we asked respondents to evaluate 21 platform capabilities when selecting a customer service solution. Security, compliance, and governance controls ranked #1—rated more important than proven AI features, demonstrated ROI, and total cost of ownership.

We also asked them to identify their most critical operational challenge from 25 options. Compliance and security ranked #1 there too.

The same concern tops both lists. That doesn't happen often, and it's a signal worth paying attention to.

Top 5 challenges to solve (out of 25):

1. Compliance/security

2. Inconsistent service quality

3. First response time delays

4. Long resolution times

5. Rising costs to serve

The biggest blocker to AI adoption isn't budget or skills—it's governance

Companies aren't debating whether to adopt AI in customer service. That question has been settled. But when we asked what was actually preventing organizations from moving forward, one answer rose clearly above the rest.

Not budget. Not skills. Not technical readiness. Governance (data protection, security testing, and risk evaluation) is the single greatest obstacle standing between organizations and the AI deployment they're racing toward.

The barrier isn't capability. The models are extraordinary. The barrier is confidence—and confidence requires governance infrastructure that most organizations are still building.

Companies aren't waiting. They're sequencing

Despite governance concerns, organizations aren't standing still. They're moving through AI adoption in a deliberate sequence—calibrated by trust.

Nearly 2 in 3 respondents have already deployed AI copilot to support their agents. The data reveals a clear pattern: organizations are racing to adopt AI that keeps humans in the loop, while moving with far more caution when it comes to AI that acts autonomously on behalf of customers.

This isn't organizational timidity. It's rational calibration. And the intent data makes clear this isn't permanent hesitation—4 in 10 organizations say they want to deploy autonomous AI agents but haven't yet. The demand is there. What's holding them back isn't willingness, it's the confidence that comes from mature trust infrastructure.

The organizations moving most deliberately through this sequence are building the foundation that makes the next leap possible.

When trust breaks down, the consequences are real

When asked what they'd tell their CEO to justify prioritizing security and compliance, respondents' answers fell into three consistent themes.

Brand reputation

Respondents share that a security failure doesn't just cost you a customer, it hands them to a competitor, and positive experiences can become shadowed by doubt that rarely resolves in your favor.

“A data breach or security incident can cause irreparable damage to our brand's reputation. Customers need to trust that their sensitive information is safe with us. Losing that trust can lead to a mass exodus of customers.” Commercial, IT

Financial penalties

The financial exposure from a compliance failure rarely ends with formal fines—restricted market access, elevated audit scrutiny, and a growth ceiling can also follow.

“Any data breach or non-compliance incident can lead to significant financial penalties, legal consequences, and long-term damage to our brand.” Digital, Operations

Operational disruption

Security incidents don't just pause operations—they consume them, shifting leadership attention from growth to damage control while eroding employee confidence in the process.

“It results in security breaches, loss of productivity, and reputational damage to the organization.” Enterprise, Operations

Three things every trust-ready AI vendor must deliver

Based on what the data reveals buyers are demanding in vendor evaluations, trust-ready vendors need to demonstrate strength across three core dimensions. Ask for specifics—not marketing claims—when evaluating each one.

1. Governance

The governance question buyers are asking has shifted from 'do you have a policy?' to 'can you show me the evidence?'

Organizations are managing compliance demands that require documented, auditable proof—controls that hold up under annual scrutiny, not just marketing assurances. Equally pressing: the regulatory environment around AI is moving fast, and keeping pace is a genuine operational challenge.

The vendors who earn trust here aren't those with a governance page on their website. They're the ones whose controls hold up when the auditor shows up.

2. Control

The control requirements emerging from buyers are fundamentally about confidence—not just capability.

Organizations need to know what their AI is doing with their data, who can access it, and whether it can be stopped. They ask whether their data is isolated from other customers. They ask whether PII exposure is caught before it becomes an audit finding.

Transparency isn't a product nicety. It's how organizations stay accountable for AI acting on their behalf.

3. Consequence management

No governance posture eliminates the possibility of failure—and buyers know it.

The consequences they describe are concrete: irreparable brand damage that turns loyal customers into former ones, financial penalties that compound long after the initial incident, and operational disruption that shifts leadership attention from growth to damage control.

These aren't hypothetical—they're why incident response has become a condition of vendor selection, not an afterthought. Buyers want to know who is accountable when something breaks. That answer is a core trust signal.

Vendors who answer questions about these three pillars with specificity—and who back their answers with documentation, independent controls, and real examples—are building real trust infrastructure. In the AI era, that's not just good practice. It's competitive differentiation.

Buyer’s guide: The AI trust evaluation checklist

As you evaluate AI in customer service, trust should be a first-order criterion, asked during the RFP—not after the decision to buy. Here are the questions worth asking every vendor:

On governance:

• Can you show documented processes for preventing AI harm and have they been independently verified or certified?

• What AI management certifications do you hold? (e.g., ISO 42001, CSA STAR Levels 1 & 2)?

• How does your legal and security team participate in AI product decisions?

• How do you stay ahead of AI regulation changes across jurisdictions?

• Can you share your AI impact assessment process?

On control:

• How do I monitor what my AI agents are doing in real time—and can I see the reasoning behind specific interactions, not just outcomes?

• How do you monitor and block adversarial threats like prompt injection?

• What visibility and control do you have over data flows to third-party systems integrating to your platform?

• How much oversight and control do I have over my workflows and AI automation journey?

On consequence management:

• What does your incident response process look like when something goes wrong?

• How quickly can you patch vulnerabilities—and does that require action from my team?

• Do you maintain 24/7 global coverage for security incidents?

• Can you share examples of how you've responded to past incidents?

Frequently asked questions