Strong Controls, Zero Proof: Why manufacturing's AI governance can't survive a 2026 audit

By Dario Perfettibile, General Manager, EMEA GTM & Customer Operations at Kiteworks

Manufacturing has invested in AI controls. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report reveals the sector has implemented many security measures at rates comparable to or better than global averages. The problem is documentation. Manufacturing organisations cannot prove their controls work, and increasingly, proof is what regulators, customers, and auditors require.

The audit trail gap is foundational. A third (33%) of manufacturing organisations lack evidence-quality audit trails and more than three in five (61%) have fragmented logs across systems. Manufacturing’s operational complexity – multiple plants, diverse systems, legacy equipment integrated with modern platforms – makes log aggregation particularly challenging. When a quality incident occurs or a customer audit requests AI governance documentation, manufacturing organisations often cannot produce unified evidence of what their AI systems did and when.

The correlation between audit trails and overall maturity was the strongest finding in the study. Organisations with evidence-quality audit trails show 20–32-point advantages across every AI metric compared to those without. Audit trails are not merely compliance checkboxes; they are the keystone capability that makes everything else demonstrable.

The third-party documentation gap creates customer and regulatory exposure. Manufacturing organisations increasingly face customer requirements to demonstrate AI governance across their supply chain. The report found that two thirds (67%) of manufacturing organisations cite end-to-end visibility gaps as their top third-party concern, 21 points above the global average. When customers ask for documentation of supply chain AI governance, manufacturing organisations cannot provide it. The visibility gap creates a documentation gap that creates a compliance gap.

Manufacturing’s concern about third-party AI handling is the highest of any industry. The report found that over half (52%) of manufacturing organisations cite third-party AI vendor handling as a top security concern, compared to 30% globally. Manufacturing sees the risk more clearly than other sectors. Complex, multi-tier supply chains create exposure at every connection point, yet the sector lacks the visibility tools to manage what it correctly identifies as dangerous.

The training data documentation deficit affects product compliance. Manufacturing AI systems trained on production data, quality specifications, and process parameters must increasingly demonstrate training data governance. The report found that 77% of organisations cannot trace training data provenance and 78% cannot validate data before it enters training pipelines. For manufacturing organisations whose AI systems influence product quality or safety, the inability to document training data creates compliance exposure that extends to the products themselves.

The containment controls gap poses risks for manufacturing operations. The report identified a 15–20-point gap between governance controls (monitoring, human-in-the-loop oversight) and containment controls (kill switches, purpose binding, network isolation). Across all industries, 63% of organisations cannot enforce purpose limitations on AI agents and 60% cannot quickly terminate an AI system that misbehaves. For manufacturing, where AI systems run quality inspection, predictive maintenance, and production optimisation continuously, the inability to stop a malfunctioning system creates both safety and compliance exposure. Organisations can observe what their AI systems do. They cannot prevent them from exceeding authorised scope or shut them down quickly when something goes wrong.

The EU AI Act preview is instructive for manufacturing. The report found that organisations not impacted by the EU AI Act are 22-33 points behind on AI impact assessments, purpose binding, and human oversight. Manufacturing organisations selling into Europe face direct requirements. For example, AI systems in machinery must satisfy specific safety and documentation standards.

The report found that 38% of manufacturing organisations rely on manual or periodic compliance processes rather than automated, continuous evidence collection. For AI systems that operate continuously (quality inspection, predictive maintenance, production optimisation) periodic compliance checks cannot capture what the systems do between checks. Continuous operation requires continuous evidence.

The file transfer infrastructure gap compounds documentation challenges. The report found that MFT security adoption stands at only 46% globally, yet 27% of organisations are planning AI-driven MFT automation. Manufacturing organisations exchange sensitive data such as designs, specifications, and quality reports with suppliers and customers through file transfer systems that predate modern security requirements. Legacy MFT solutions lack the granular access controls, real-time data loss prevention, and evidence-quality logging that AI governance demands. Organisations planning to add autonomous agents to file transfer workflows are, therefore, building on infrastructure that cannot support the documentation requirements those agents will create.

The supplier documentation challenge compounds internal gaps. Manufacturing supply chains typically include multiple tiers of suppliers, each potentially using AI systems that affect components or processes. The report found that almost nine in ten (87%) organisations lack joint incident response playbooks with partners and 89% have never practiced incident response with vendors. When regulators or customers ask how manufacturing organisations ensure supplier AI systems meet governance standards, the honest answer for most is that they rely on contractual representations they cannot verify through documentation.

The incident response documentation gap creates post-incident vulnerability. The report found that over half (52%) have not tested their recovery time and recovery point objectives. For manufacturing, where AI system failures can affect production continuity, the inability to document tested recovery capabilities creates both operational risk and compliance exposure. Auditors expect documented, tested recovery procedures; manufacturing organisations without them face findings.

The path forward requires manufacturing to prioritise documentation infrastructure alongside security controls. Audit trail consolidation should be treated as a prerequisite for AI governance. Fragmented logs across systems cannot support compliance claims. Training data provenance documentation should be mandatory for AI systems affecting product quality or safety. Supplier AI attestation requirements should be added to procurement processes, creating documentation chains across the supply chain. Containment controls such as kill switches and purpose binding should be implemented before AI systems reach production, not retrofitted after incidents reveal their absence.

The presence of audit trails predicts overall maturity better than industry, region, or organisation size. Manufacturing organisations that build evidence-quality documentation infrastructure will find every other AI governance initiative more achievable. Organisations that implement controls without documentation will have security they cannot prove. And increasingly, proof is what compliance requires.

The uncomfortable reality is that manufacturing has invested in AI controls while underinvesting in the documentation that makes those controls demonstrable. The sector recognises its third-party risks more acutely than any other industry but lacks the visibility to manage them. It operates AI systems continuously but collects evidence periodically. It plans AI-driven automation on infrastructure that cannot support modern governance requirements. In a regulatory and customer environment where AI governance must be proven rather than asserted, undocumented controls are indistinguishable from absent controls.

 
