The enterprise AI governance gap
AI adoption is moving faster than governance, data-flow control, and regulatory readiness.
Adoption — Eurostat reports that 20.0% of EU enterprises with 10 or more employees used AI technologies in 2025, up from 13.5% in 2024.
Scaling gap — McKinsey's 2025 State of AI survey found broad AI usage, but nearly two-thirds of respondents said their organizations had not yet begun scaling AI across the enterprise.
Governance gap — IBM's 2025 breach research reports that 63% of organizations lacked AI governance policies to manage AI or prevent shadow AI.
Regulatory timing — Under the current official AI Act timeline, Annex III high-risk obligations and Article 50 transparency rules apply from 2 August 2026, although Digital Omnibus amendments may still change dates if formally adopted.
Evidence-backed risk map
The problem is not one universal cost number. It is a set of risks every enterprise AI deployment must quantify before rollout.
| Risk area | Current public fact | What to validate in PoV |
|---|---|---|
| AI governance | 63% of organizations lacked AI governance policies in IBM's 2025 research. | Approved tools, access controls, model/data ownership, audit ownership. |
| Data breach exposure | IBM reports USD 4.44M global average breach cost in 2025; IBM Germany reports EUR 3.87M in Germany. | Which prompts, documents, embeddings, and logs leave the controlled environment. |
| Shadow AI | IBM Germany reports USD 670k higher average breach cost for organizations with high shadow-AI usage. | Unapproved AI usage, logging gaps, training data exposure, employee workflow reality. |
| Regulatory readiness | AI Act enforcement and Annex III/Article 50 timing currently point to 2 August 2026 unless Omnibus changes are formally adopted. | Risk class, documentation, logging, human oversight, transparency, deployer duties. |
| Variable cost | Public market forecasts show rapid AI spending growth, but provider-specific TCO must be modeled per use case. | Seat fees, inference/API usage, infrastructure, support, compliance operations. |
The shadow AI multiplier
The risk is not only the approved AI tool. It is the unmanaged AI usage that appears when employees need answers faster than internal systems can provide them.
The regulatory window
- Feb 2025: Prohibitions and AI literacy. The first AI Act obligations became applicable.
- Aug 2025: GPAI and governance. Governance rules and obligations for general-purpose AI models became applicable.
- Aug 2026: Current planning date. Most AI Act rules, Annex III high-risk obligations, Article 50 transparency rules, and enforcement currently apply from 2 August 2026.
- Proposed Digital Omnibus delay: Parliament and Council have proposed later dates, but formal adoption is required before the legal calendar changes.
Three questions every AI buyer must answer
- 01: Where do prompts, documents, embeddings, outputs, and logs actually go?
  - Decision point: Data-flow evidence matters more than vendor assurances.
  - High-X position: Selected workflows can run inside customer-controlled infrastructure.
- 02: Can human oversight be shown as a system event, not only as a policy document?
  - Decision point: High-risk workflows need reviewable evidence.
  - High-X position: Human approval or rejection can be captured inside the workflow.
- 03: Which AI workflows must continue when external services are unavailable?
  - Decision point: Resilience depends on deployment architecture.
  - High-X position: Local-first deployment can reduce dependency for defined workflows.
Competitive matrix
| | High-X | Cloud AI | Generic On-Prem |
|---|---|---|---|
| Data flow | Local-first for configured workflows | Provider-controlled processing path | Depends on vendor architecture |
| Governance evidence | Designed around audit and oversight workflows | Often policy and platform dependent | Often integration dependent |
| Deployment control | Customer-controlled infrastructure | Cloud account and provider terms | Hardware local, stack may remain proprietary |
| Cost model | Fixed license hypothesis plus local operations | Seat, usage, and provider pricing | License, hardware, and operating cost |
| Offline operation | Targeted for selected local workflows | Limited or unavailable | Varies by product |
| Validation path | Bounded Proof of Value in customer environment | Vendor trial or sandbox | Project/integration phase |
Sources: Eurostat 2025, McKinsey State of AI 2025, IBM Cost of a Data Breach 2025, EU AI Act Service Desk, Council and Parliament Digital Omnibus updates.