Business Risk Analytics for AI-Generated Security Patches: Measuring Oracle Divergence in Enterprise Software Workflows
Abstract
AI-generated security patches are increasingly embedded in software engineering workflows, yet many enterprise release decisions still rely on narrow validation oracles (the signals a pipeline uses to accept a patch) such as successful compilation, functional-test passage, disappearance of a static-analysis warning, or blocking of a single demonstrated exploit. These signals reduce local uncertainty but do not necessarily measure whether a patch removes the vulnerability's root cause, resists exploit variants, and preserves business-critical services after release. This article develops a business risk analytics framework for evaluating AI-generated security patches in enterprise software workflows. The framework translates cross-oracle divergence (disagreement between a weak acceptance signal and a stricter one on the same patch) into business risk indicators by linking patch-level validation outcomes to release exposure, remediation delay, operational interruption, compliance risk, and security debt accumulation. A controlled enterprise-style analytical experiment is constructed with 480 AI-generated candidate patches across four vulnerability families: SQL injection, path traversal, cross-site scripting, and missing authorization. Each patch is evaluated across six validation layers: build validity, functional preservation, original proof-of-concept blocking, exploit-variant resistance, root-cause conformance, and regression-safety review. The results show that weak-oracle acceptance substantially overstates business-safe release readiness. In the constructed dataset, 76.7% of patches block the original exploit evidence, whereas only 47.7% satisfy the release-acceptance protocol after variant, root-cause, and regression checks. Oracle divergence is highest for path traversal and missing authorization, where business risk arises from exploit-specific blocking (a patch that rejects the demonstrated payload but not its variants) and incomplete trust-boundary repair.
The article contributes a managerial analytics model that separates apparent technical repair from release-grade assurance, demonstrates how patch-level validation data can be converted into portfolio risk metrics, and provides governance guidance for enterprises adopting LLM-based vulnerability repair in CI/CD and DevSecOps environments.
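The path traversal divergence the abstract reports can be made concrete with a small example. The following is an added illustration, not the article's code or dataset: two constructed candidate patches for one path traversal bug are scored against three of the six validation layers named above (functional preservation, original proof-of-concept blocking, exploit-variant resistance), and the two scores are then rolled up into a weak-oracle acceptance rate versus a release acceptance rate. The base directory, the benign request, the PoC payload, the variant list and both patch bodies are assumptions made for the example; POSIX path semantics are assumed.

```python
# Added illustration (not the article's code or dataset): two constructed
# candidate patches for one path traversal bug, scored against three of the
# abstract's validation layers.  Paths, payloads and patch bodies are made up.
import os
from urllib.parse import unquote

BASE_DIR = "/srv/app/files"        # constructed; need not exist (POSIX paths assumed)
LEGIT_REQUEST = "reports/q1.pdf"   # constructed benign input for the functional oracle
ORIGINAL_POC = "../../etc/passwd"  # constructed PoC the patches were generated against
EXPLOIT_VARIANTS = [               # constructed variants of the same root cause
    "..%2f..%2fetc%2fpasswd",      # percent-encoded separators, decoded after the check
    "/etc/passwd",                 # absolute path: os.path.join discards BASE_DIR
    "sub/../../../etc/passwd",     # traversal that starts from a plausible prefix
]


def served_path(user_path: str) -> str:
    """Path construction of the original (vulnerable) handler: decode, then join."""
    return os.path.realpath(os.path.join(BASE_DIR, unquote(user_path)))


def escapes_base(user_path: str) -> bool:
    """Ground truth for the oracles: does the served path leave BASE_DIR?"""
    base = os.path.realpath(BASE_DIR)
    return os.path.commonpath([base, served_path(user_path)]) != base


def patch_weak(user_path: str) -> bool:
    """Candidate A: reject the substring seen in the PoC, before decoding.
    Returns True when the request would be served.  Blocks the PoC only."""
    return "../" not in user_path


def patch_hardened(user_path: str) -> bool:
    """Candidate B: decode, canonicalise the final path, enforce the boundary."""
    base = os.path.realpath(BASE_DIR)
    target = os.path.realpath(os.path.join(base, unquote(user_path)))
    return os.path.commonpath([base, target]) == base


def oracle_functional(patch) -> bool:
    """Functional preservation: a benign request is still served."""
    return patch(LEGIT_REQUEST)


def oracle_poc_blocked(patch) -> bool:
    """Original proof-of-concept blocking: the demonstrated payload is rejected."""
    return not patch(ORIGINAL_POC)


def oracle_variant_resistant(patch) -> bool:
    """Exploit-variant resistance: every variant that really escapes is rejected."""
    return all(not patch(v) for v in EXPLOIT_VARIANTS if escapes_base(v))


def score(patch) -> dict:
    """One row of cross-oracle results for a candidate patch."""
    return {
        "functional_preserved": oracle_functional(patch),
        "poc_blocked": oracle_poc_blocked(patch),
        "variant_resistant": oracle_variant_resistant(patch),
    }


def release_ready(s: dict) -> bool:
    """Release acceptance here means every measured layer passes, not just PoC blocking."""
    return all(s.values())


def divergence(patches) -> tuple:
    """Portfolio view: (weak-oracle acceptance rate, release acceptance rate, gap)."""
    scores = [score(p) for p in patches]
    weak = sum(s["poc_blocked"] and s["functional_preserved"] for s in scores) / len(scores)
    strict = sum(release_ready(s) for s in scores) / len(scores)
    return weak, strict, weak - strict


if __name__ == "__main__":
    for name, p in (("weak", patch_weak), ("hardened", patch_hardened)):
        s = score(p)
        print(name, s, "release_ready" if release_ready(s) else "rejected")
    print("weak-oracle rate, release rate, divergence:",
          divergence([patch_weak, patch_hardened]))
```

The weak candidate passes the two oracles a typical pipeline actually runs (the benign request is served and the PoC string is rejected) yet fails variant resistance, because it matches the exploit text rather than the decoded, canonicalised path: the percent-encoded form and the absolute path both reach outside the directory. The hardened candidate checks the boundary at the point where the path is used, after decoding, which is what root-cause repair means for this family. Two caveats a practitioner would want: the variant list must be produced independently of the candidate patch (here it is hand-written), and the ground-truth function and the hardened patch share the same canonicalisation, which is acceptable for an illustration but would mask errors in the oracle if the same helper were reused for both in a real pipeline.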
