The short answer: AI is scaling faster than enterprise control
IBM Institute for Business Value surveyed 2,000 CxO leaders across 33 countries and 19 industries, and the message is difficult to ignore: enterprise AI has moved from experimentation to operations, but governance has not kept pace.
According to the research, 70% of executives say business teams are adopting technology faster than IT can track it. 80% operate under a CEO mandate to accelerate AI transformation. 77% report that AI adoption is already outpacing their governance capabilities. Only 11% believe they are fully prepared for the expected growth in AI agents by 2027.
This is not a technical inconvenience. It is an operating model problem.
The enterprise question is no longer whether AI can create value. The question is whether the organization can control that value before it turns into operational, financial, or security risk.
Shadow IT has become shadow intelligence
Shadow IT used to mean unsanctioned SaaS tools, spreadsheets with business logic, or teams buying software without IT approval. That was manageable, at least compared with what is happening now.
AI agents introduce a different class of risk because they do not merely store information or automate a fixed workflow. They interpret, decide, trigger actions, call systems, generate content, and sometimes coordinate with other tools. In other words, they participate in business execution.
That changes the governance equation.
A spreadsheet can contain a bad formula. An AI agent can make a bad judgment, repeat it at scale, expose sensitive data, and trigger downstream failures before anyone notices. IBM’s numbers make this tangible: organizations experienced an average of 54 AI agent incidents in the past year that required human intervention. 17% were classified as severe, requiring more than four hours to resolve. Among those incidents, 37% involved data exposure or security breaches, and 33% caused cascading system failures.
For executives, this should be a wake-up call. AI agents are not another software category to procure. They are a new operational workforce that must be supervised, measured, permissioned, and retired when necessary.
The board should care because the economics are now material
AI is becoming a meaningful line item. IBM reports that AI budgets are expected to grow from 15% of IT budgets in 2025 to almost 25% by 2027. Yet 84% of executives have not implemented full AI financial management, and 85% lack full real-time visibility into AI spending.
That combination is dangerous: high growth, low visibility, and unclear accountability.
The financial issue is not only model usage cost. Enterprises must understand the total cost of AI execution, including:
- Model consumption across teams, agents, and environments
- Infrastructure and integration costs
- Vendor subscriptions and overlapping platforms
- Human review and exception handling
- Security, compliance, and audit overhead
- Cost of incidents, rework, and operational disruption
- Opportunity cost when AI initiatives remain stuck in pilots
The companies that treat AI finance as a mature management discipline will outperform those that treat it as innovation spending. This is where CFOs and CIOs need a shared language. If AI is now part of the operating engine, then AI cost, risk, and productivity must be managed like any other strategic asset.
Built-in control beats manual governance
One of the strongest findings in the IBM research is the performance gap between organizations with embedded AI control and those relying on manual governance. Companies with built-in control deploy 16 times more AI agents, report 18% higher operating profit margins, and spend only a quarter of the AI budget of their peers.
This is the most important insight in the entire study.
Governance is often misunderstood as a brake. In AI, good governance is an accelerator. If every new agent requires manual review, custom approval, one-off security discussions, and unclear operational ownership, scale becomes impossible. But if control is designed into the platform, the organization can move faster with less risk.
A mature AI control layer should include:
- Central inventory of AI agents, models, prompts, workflows, and owners
- Role-based access to tools, systems, and data
- Policy enforcement before actions are executed
- Logging of decisions, tool calls, outputs, and human interventions
- Real-time cost monitoring by business unit and use case
- Incident classification, escalation, and rollback mechanisms
- Testing environments for agents before production deployment
- Version control for prompts, agent logic, and connected workflows
- Clear retirement process for unused or unsafe AI assets
This is why enterprises need an efficient platform for building and managing AI agents. Without it, AI adoption becomes fragmented and fragile.
Human in the loop is essential, but it must scale
Human oversight remains one of the most important principles in enterprise AI. Non-deterministic processes require judgment, context, and accountability. AI can replace parts of work that previously depended on human discretion, but it should not remove responsibility from the organization.
At the same time, a naive human-in-the-loop design can quietly destroy the business case. If every AI-driven action requires a human to review every detail, the company has not transformed the process. It has only moved the bottleneck.
The real goal is different: yesterday, one employee supervised and executed one process. Tomorrow, that same employee should supervise hundreds of AI-assisted processes through exception management, confidence thresholds, audit trails, and smart escalation.
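A sketch of the exception-based oversight described above, combined with the inventory, role-based tool access, pre-execution policy check, and decision logging from the control-layer list. This is an added example, not code from IBM or any platform named on this page; the agent names, tools, thresholds, and the `gate` function are hypothetical.

```python
from dataclasses import dataclass

# Constructed inventory: agent names, owners, tools and limits are assumptions.
AGENT_INVENTORY = {
    "invoice-agent": {"owner": "finance-ops", "tools": {"read_invoice", "issue_refund"}},
    "hr-helper": {"owner": "people-team", "tools": {"read_policy"}},
}
HIGH_RISK_LIMITS = {"issue_refund": 500.0}  # above this amount a human must approve
MIN_CONFIDENCE = 0.85                        # below this the agent must ask for review
AUDIT_LOG = []                               # every decision is recorded, allowed or not


@dataclass(frozen=True)
class ToolCall:
    agent: str
    tool: str
    confidence: float
    amount: float = 0.0


def gate(call):
    """Decide allow / escalate / deny before the tool call is executed."""
    entry = AGENT_INVENTORY.get(call.agent)
    if entry is None:
        outcome, reason = "deny", "agent not in inventory"
    elif call.tool not in entry["tools"]:
        outcome, reason = "deny", "tool not granted to this agent"
    elif call.confidence < MIN_CONFIDENCE:
        outcome, reason = "escalate", "confidence below threshold"
    elif call.amount > HIGH_RISK_LIMITS.get(call.tool, float("inf")):
        outcome, reason = "escalate", "high-risk action above limit"
    else:
        outcome, reason = "allow", "within policy"
    owner = entry["owner"] if entry else None
    AUDIT_LOG.append({"agent": call.agent, "tool": call.tool, "owner": owner,
                      "outcome": outcome, "reason": reason})
    return outcome, reason


def human_review_share(calls):
    """Fraction of calls a person must look at (escalations only)."""
    outcomes = [gate(c)[0] for c in calls]
    return outcomes.count("escalate") / len(outcomes)


# Constructed batch: 7 routine calls, 1 large refund, 1 low-confidence call, 1 unknown agent.
SAMPLE = ([ToolCall("invoice-agent", "read_invoice", 0.97)] * 7 + [
    ToolCall("invoice-agent", "issue_refund", 0.95, amount=1200.0),
    ToolCall("invoice-agent", "issue_refund", 0.60, amount=40.0),
    ToolCall("shadow-bot", "issue_refund", 0.99, amount=10.0),
])

if __name__ == "__main__":
    print(f"human review needed for {human_review_share(SAMPLE):.0%} of calls")
```

An agent missing from the inventory is denied outright rather than escalated, so shadow agents never reach a reviewer's queue as if they were legitimate exceptions.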
This is where professional experience matters. AI implementation is not just prompt writing or tool configuration. It requires deep understanding of the business process, risk points, incentives, data quality, operational exceptions, and managerial accountability.
Organizations should be careful with self-appointed AI experts who present AI as a simple technical shortcut. In small and mid-sized businesses especially, poor advice can cause real damage. Serious AI work is multidisciplinary. It benefits from academic depth, practical business experience, process design, security thinking, and management discipline.
IT departments are becoming HR departments for AI agents
The organizational shift is bigger than many leaders realize. As AI agents become operational actors, IT will increasingly manage something that looks less like software and more like a digital workforce.
That means IT will need to answer questions such as:
- Which agents are allowed to work in production?
- What data can each agent access?
- Who is the business owner of each agent?
- What performance metrics define acceptable work?
- When should an agent ask for human approval?
- Who investigates agent misconduct or failure?
- How do we onboard, monitor, promote, restrict, or retire agents?
This is not science fiction. It is the natural consequence of deploying autonomous or semi-autonomous systems into business operations.
The companies that build internal capabilities for agent creation and management will have a major advantage. Outsourcing every AI workflow may look efficient at the beginning, but it prevents the organization from developing the institutional muscle it will need later.
Enterprises need two AI tracks, not one
Many AI strategies fail because they choose the wrong lane. Some focus only on employee AI literacy. Others focus only on agents and automation. Mature organizations need both.
AI literacy is essential because employees must learn how to communicate effectively with models, challenge outputs, protect data, and use AI in their daily work. This is a behavioral change, and behavioral change is often harder than the technology itself.
Agent development is different. Agents can reduce the need for employees to change their daily habits because the automation happens inside or around existing workflows. Technically, agents may look more complex, but organizationally they can sometimes be easier to adopt than broad tool-based transformation.
Both tracks matter:
- AI literacy improves the capability of the human workforce
- AI agents improve operational throughput
- AI governance connects both into a controlled enterprise system
A company that trains employees but does not build agents leaves efficiency on the table. A company that builds agents without literacy creates dependency and risk.
Tool selection matters, but architecture matters more
There is no single AI platform that will permanently solve enterprise AI. The market is moving too quickly. Anthropic has become one of the most impressive players in enterprise AI, with Claude, Claude Code, and emerging collaborative workflows offering strong practical value. Claude is often highly effective for broad enterprise adoption, although security and data governance must be handled carefully.
Microsoft Copilot is a solid infrastructure play, especially for organizations already invested in the Microsoft ecosystem. Innovation has historically moved more slowly because Microsoft is a large organization, but Copilot has improved significantly and is shipping new capabilities faster than before. Copilot Studio can also be useful for agents inside the Microsoft environment.
At the same time, tools such as n8n are entering serious enterprise environments. What once looked too lightweight or too open for large organizations is now finding its way into major companies because the need for flexible workflow automation is urgent.
This is why IBM’s point about architectural flexibility is so important. Organizations that planned early for portability, keeping workloads mobile and models replaceable, reported 10% higher AI ROI in 2025. Vendor lock-in is especially risky in a market where the leading model, platform, or agent framework may change within months.
The right architecture should allow the enterprise to change models, vendors, and orchestration layers without rebuilding the entire operating model.
What leaders should do now
The practical response is not to slow AI adoption. Slowing down may feel safe, but it usually pushes business teams further into shadow adoption. The better response is to create controlled speed.
Executives should prioritize the following actions:
- Build a complete inventory of AI tools, agents, workflows, and model usage across the organization.
- Define ownership for every production AI use case, including business owner, technical owner, risk owner, and escalation path.
- Create an AI financial management layer that tracks usage, cost, ROI, and budget accountability in near real time.
- Establish a standard platform for rapid agent creation, monitoring, permissions, and lifecycle management.
- Implement human-in-the-loop patterns that focus on exceptions, high-risk actions, and confidence thresholds rather than universal manual review.
- Train employees in AI literacy, model communication, data protection, and critical evaluation of outputs.
- Design for model and vendor portability from the beginning.
- Treat AI governance as an operating capability, not as a policy document.
The real lesson from IBM’s research
The AI control gap is not a sign that enterprises should retreat. It is a sign that AI has become serious enough to require serious management.
Organizations with embedded governance are not only safer. They are deploying more agents, spending less, experiencing fewer incidents, and generating stronger margins. That should end the false debate between speed and control.
The future belongs to companies that can move fast because they have control, not despite the absence of it.
