
Over the past few years, AI has moved from something that technical teams experiment with to an everyday workplace tool. Not only are many employees using generative AI tools to support their day-to-day output, but developers, product teams and even entire business units are also increasingly building their own AI tools using publicly available models and low-code platforms.
While this democratisation of AI has accelerated take-up and innovation, it has also created a new challenge for businesses in that DIY AI systems are appearing faster than organisations can properly govern them. Indeed, recent Microsoft research revealed that over half of UK employees use unapproved AI tools at work every week.
This means that AI tools are now being used in workplaces around the world with zero formal guidance or oversight. Without strong foundations in data quality, infrastructure, security and governance, these tools can quickly introduce operational risks, from unreliable outputs and fragile production systems to uncontrolled compute costs and exposure to sensitive data leaks and security breaches.
The AI gap
This growing prevalence of shadow AI means that many organisations are now inadvertently running a vast, decentralised AI experiment without the proper foundations in place to support it. While execs are still in the boardroom debating organisational AI strategy, employees are already integrating these technologies into their day-to-day work.
This non-governed experimentation is also often the starting point of a cycle that eventually leads organisations into ‘pilot purgatory’ – endless experimentation without any meaningful deployment. Research from Gartner found that 30% of AI projects don’t progress beyond proof of concept.
In this purgatory, projects that initially show promise can’t move into widescale adoption because the underlying conditions needed for scale, such as reliable data, security controls, governance frameworks and clear ownership, weren’t set up in the first place. This is why many now argue that the biggest AI challenge organisations face isn’t access to the technology, but instead, operational readiness.
A 5-step readiness framework
To avoid this pilot purgatory, before they even start playing around with AI and allocating budget to it, organisations should first assess their readiness across five core areas:
1. Data maturity
AI systems are only as good as the data behind them and many projects fail due to a lack of usable, well-instrumented, labelled or representative data. It’s important to flag here that there is a notable confidence gap in data readiness within organisations – while the majority of business leaders believe that their data ecosystem is ready to deploy AI at scale, few technologists report confidence in their organisation’s data readiness, controls and quality. So, assessing data quality should be the first step and organisations should be figuring out whether their data is accurate, structured and accessible, whether there’s enough historical data to train useful models, and whether data pipelines are reliable and updated regularly.
2. Security and regulatory compliance
While many AI initiatives can appear promising during early trials, they often stall when organisations realise they cannot meet the security, legal or regulatory standards needed to run them at scale. For organisations that want to deploy AI more formally, security teams typically need to ensure that systems meet internal standards around data protection, identity management, system monitoring and model access. That can involve questions such as where data is stored, how models are trained, who can access outputs and how AI systems interact with core business infrastructure. If these controls are not designed early on, even the most promising of pilots often can’t progress.
3. Engineering and deployment capability
Building an AI model is relatively easy in the grand scheme of things – it’s running it reliably inside an organisation that tends to be hard. To run reliably, AI systems require a robust engineering backbone that includes good data pipelines, models that can easily integrate into existing systems and workflows, and monitoring systems that track performance once models are live, tweaking things where necessary.
4. Appropriate governance
Governance holds an entire AI programme together – policies, principles and guardrails are needed to enable safe, compliant AI use across the enterprise. However, the increasing use of shadow AI means being able to govern systems properly is becoming increasingly difficult. In the simplest form, organisations need to be asking themselves a set of fundamental questions: who is responsible for AI, what rules does it need to operate within, and how should it be monitored over time, from both a risk and quality perspective?
With regulatory frameworks such as the EU AI Act increasing expectations around data governance, risk management and human oversight – and therefore making informal AI experimentation a bigger risk – it’s more important than ever that organisations get this right.
5. Workforce skills and adoption
Skills gaps, siloed teams, poor stakeholder communication and change management issues can all impact the effectiveness of AI programmes and lead to stalled projects. Almost every organisation currently using AI is dealing with some form of skills gap. Government research revealed that 97% of companies report at least one skills gap, while lack of expertise is cited as the top barrier to AI adoption among UK businesses. It’s safe to say that AI adoption is now happening faster than sufficient skills are coming into the workforce.
So, organisations need to look realistically at the skills they have and not bite off more than they can chew. Many would be better starting small and growing the scale of projects as AI resource improves.
Setting up for success
Many companies are running before they can walk when it comes to AI. Here, the technology itself is rarely the problem – the failure to set up robust enterprise infrastructure is. Ultimately, overlooking the right foundations puts organisations at risk of significant reputational damage, regulatory non-compliance, and strategic missteps.
AI has the potential to deliver genuine business value. However, for this to happen, the foundations need to be in place to enable organisations to adopt it securely, at scale, and in compliance with emerging regulation. The organisations that do this will be less likely to end up in pilot purgatory or waste money on AI programmes before they are really ready.

