In June 2025, Klarna’s CEO publicly walked back the company’s “AI-first” strategy, admitting that aggressive automation had degraded customer service quality to the point that the company began rehiring humans. The reversal landed hard because Klarna had spent two years positioning its AI rollout as a cost-savings story for the market.
The numbers behind the headline told a quieter version of the same problem playing out across the Global 2000: AI was everywhere in the business, but the returns weren’t where leadership had promised they would be. That’s the pattern. Most organizations now use AI in at least one business function, but only a small share report significant bottom-line impact at scale, and few finance leaders say their AI investments have delivered clear, measurable returns.
At the same time, AI budgets keep growing. Organizations are increasing AI spend even as proof of returns remains elusive, which widens the gap between AI adoption and AI impact. This article examines why enterprises remain stuck between AI ambition and AI accountability, and how operational AI risk management, combining visibility, enforceable controls, and auditability, can close that gap while enabling safe AI adoption at scale.
Key takeaways
- Enterprise use of AI is expanding faster than many organizations can tie it to clear financial or operational results.
- Legacy approval processes, pervasive shadow AI usage, and limited ROI tracking keep promising AI efforts from scaling beyond experimentation.
- Companies are more likely to unlock production value when AI risk management becomes an ongoing operational function, combining continuous visibility, real-time controls, and measurable governance, rather than a static policy exercise.
- The need for visibility, enforceable controls, and defensible audit trails is intensifying as regulatory pressure increases and agentic systems take on more autonomous, high-impact work.
What the AI adoption-impact gap is
The AI adoption-impact gap reflects a structural disconnect: organizations are deploying AI at a record pace, but lack the visibility and control required to translate that adoption into measurable business outcomes.
Gartner projects worldwide AI spending will reach $2.52 trillion in 2026, and analysts have started describing the dynamic as a paradox of rising investment and elusive returns. 2026 is shaping up as a turning point where buyers increasingly demand measurable proof of AI value.
The conversion problem is stark. Most large enterprises are running dozens of AI pilots in parallel, yet only a small minority achieve scale or measurable business impact. MIT’s NANDA Initiative found that roughly 5% of AI pilot programs drive rapid revenue acceleration, while the vast majority deliver little to no measurable impact on P&L.
Why enterprises can’t convert AI spending into measurable returns
Three root causes stand out in the research: governance models designed for a different technological era, shadow AI that freezes formal deployment, and a measurement vacuum that makes ROI impossible to demonstrate.
1. Governance structures designed for deterministic software break under AI
Enterprise procurement and approval workflows were built for predictable software with defined inputs and outputs. The pattern is well documented: a business unit identifies an AI tool with clear productivity gains, the proposal enters procurement, and security raises concerns.
Legal asks new questions, compliance hesitates, and momentum slows. If your security team is already running point on AI evaluations, you’ve seen this pattern. Governance and risk are among the top-cited barriers to AI adoption for North American AI decision-makers.
2. Shadow AI generates the incidents that justify more restrictions
Nearly 60% of employees use unapproved AI tools at work, even when approved alternatives exist. In IBM’s 2025 Cost of a Data Breach report, 20% of organizations reported a breach tied to shadow AI security incidents, and those incidents added roughly $670,000 to the average cost of a breach.
The dynamic is self-reinforcing. Stricter formal approval processes push more employees toward ungoverned tools. Those tools produce the security incidents that justify further tightening. Formal AI projects stay trapped in pilot while informal usage proliferates undetected.
3. Few organizations built the measurement infrastructure
Many organizations struggle to prove AI ROI because they never built the instrumentation to measure it. Spending continues to grow, and some organizations do report realized returns, but few have the measurement infrastructure needed to connect AI activity to business outcomes.
Most enterprises can tell you how much they spent on AI last quarter. Far fewer can tell you which prompts drove which decisions, which models touched which data, or which workflows actually shortened because a copilot was in the loop.
Without that interaction-level telemetry, AI ROI conversations default to anecdotes from the loudest internal champions, and finance teams have no defensible way to separate productivity theater from real margin impact. The result is what CFOs increasingly describe as a confidence problem: spend is real, usage is real, but the line connecting the two is missing.
AI risk management: the missing variable
Most organizations treat governance, compliance, and risk management as interchangeable. They’re distinct disciplines, and the gaps between them help explain why AI investments stall.
The two sections below unpack where governance and compliance fall short on their own, and why regulatory pressure is now forcing AI risk management into the operating model.
- Why governance and compliance alone aren’t sufficient: Governance sets policies. Compliance verifies adherence. AI risk management is the continuous, operational work of identifying, measuring, and mitigating AI-specific risks in production. Conflating these distinct functions blocks progress. Operationalized governance is an “accelerator, not a brake”: proofs of concept are easy, but viable AI-enabled processes require a parallel approach to AI governance.
- Regulatory pressure is converting best practice into legal obligation: The EU AI Act’s penalty regime took effect on 2 August 2025, with fines of up to €35 million or 7% of annual global turnover. DORA has applied to financial services since January 2025. In May 2025, the SEC named “AI washing” an immediate enforcement priority. For CISOs and compliance officers, the question has shifted from “should we formalize AI governance?” to “can we prove enforcement when a regulator asks?”
Taken together, these shifts mean AI risk management is no longer an optional layer atop governance and compliance; it is the operational discipline that determines whether enterprises can defend their AI investments to regulators, boards, and the business.
What closing the adoption-impact gap requires in practice
If AI risk management is the missing strategic discipline, the next question is what that looks like in practice. The path from pilot purgatory to production value requires three operational capabilities: visibility into where AI activity actually occurs, intelligent policies that align with how large enterprises operate, and audit infrastructure that satisfies boards and regulators.
Visibility must extend to where AI activity actually occurs
Shadow AI persists because most security tools are architecturally limited to browser-based web traffic. A significant and growing share of enterprise AI usage occurs outside browsers, in native desktop applications, developer IDEs, and autonomous agents making API calls.
Closing this gap requires network-level visibility that doesn’t depend on browser extensions or endpoint clients, and that can discover AI usage across the thousands of applications now in circulation.
Platforms like WitnessAI, a unified AI governance and security platform, take this approach through an Observe module covering native apps, IDEs, embedded copilots, and agentic plugins. The effect is straightforward: Shadow AI shifts from an unquantified risk into a manageable inventory that security and AI teams can actually govern.
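As an added illustration of what network-level discovery looks like at the log level (this is example code, not WitnessAI’s Observe module or any other product code), the script below parses constructed web-proxy log lines, matches each destination against a small, assumed catalogue of AI service hosts, and builds an inventory of who is using which AI service and from what kind of client. The log format, user names, IP addresses and catalogue entries are all assumptions made for the example; the user-agent heuristic is what separates browser sessions from the SDK, CLI and IDE traffic that browser-only controls never see.

```python
"""Added example: inventory AI service usage from web-proxy logs.

Example code, not WitnessAI's Observe module. The log format, the users, the
IPs and the service catalogue below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed catalogue of AI destinations (a real inventory is far larger and
# needs continuous updating as new services appear).
AI_SERVICE_HOSTS = {
    "api.openai.com": "OpenAI API",
    "chatgpt.com": "ChatGPT (web)",
    "api.anthropic.com": "Anthropic API",
    "generativelanguage.googleapis.com": "Google Gemini API",
    "copilot-proxy.githubusercontent.com": "GitHub Copilot",
}

# Constructed proxy log: timestamp user src_ip method url status "user-agent".
SAMPLE_LOG = """\
2025-11-03T09:14:02Z alice 10.0.4.21 POST https://api.openai.com/v1/chat/completions 200 "python-requests/2.32.3"
2025-11-03T09:14:07Z bob 10.0.4.33 GET https://chatgpt.com/ 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/131.0"
2025-11-03T09:15:11Z carol 10.0.7.12 POST https://copilot-proxy.githubusercontent.com/v1/engines/copilot-codex/completions 200 "GithubCopilot/1.250"
2025-11-03T09:16:40Z alice 10.0.4.21 POST https://api.anthropic.com/v1/messages 200 "anthropic-python/0.40.0"
2025-11-03T09:17:05Z dave 10.0.9.8 GET https://intranet.example.com/wiki 200 "Mozilla/5.0 (Macintosh) Safari/605.1"
2025-11-03T09:18:22Z erin 10.0.2.50 POST https://api.openai.com/v1/chat/completions 429 "curl/8.7.1"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>\S+) '
    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_ai_service(url):
    """Map a destination URL to a catalogue entry (subdomains included)."""
    host = (urlsplit(url).hostname or "").lower()
    for known, name in AI_SERVICE_HOSTS.items():
        if host == known or host.endswith("." + known):
            return name
    return None


def classify_client(user_agent):
    """Browsers announce themselves with 'Mozilla/'; SDKs, CLIs and IDE plugins
    do not, which is exactly the traffic a browser-extension control misses."""
    return "browser" if user_agent.startswith("Mozilla/") else "native/api"


def build_inventory(log_text):
    """Aggregate AI traffic per service: request count, distinct users, client kinds."""
    inventory = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = match_ai_service(rec["url"])
        if service is None:
            continue  # not an AI destination
        entry = inventory.setdefault(
            service, {"requests": 0, "users": set(), "clients": defaultdict(int)}
        )
        entry["requests"] += 1
        entry["users"].add(rec["user"])
        entry["clients"][classify_client(rec["ua"])] += 1
    return inventory


def unapproved_usage(inventory, approved):
    """Users reaching AI services that are not on the approved list, i.e. shadow AI."""
    by_user = defaultdict(set)
    for service, entry in inventory.items():
        if service in approved:
            continue
        for user in entry["users"]:
            by_user[user].add(service)
    return dict(by_user)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for service, entry in sorted(inv.items()):
        print(f"{service}: {entry['requests']} requests, users={sorted(entry['users'])}, "
              f"clients={dict(entry['clients'])}")
    print("shadow AI:", unapproved_usage(inv, approved={"OpenAI API"}))
```

Run on the constructed log, the inventory shows that only one of the six requests came from a browser; the rest were SDK, CLI and IDE-plugin traffic, and three of the five users were reaching services outside the approved list. In a real deployment the same logic would consume DNS, proxy or TLS-SNI logs rather than a string literal, and the catalogue would be maintained as data rather than hard-coded.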
Intelligent policies replace the binary enforcement that kills adoption
When a security team can only approve or ban an AI tool for an entire department, the rational choice under uncertainty is often to ban. That binary constraint is a primary driver of pilot purgatory.
WitnessAI’s Control module introduces four enforcement actions: allow, warn, block, and route. Intent-based classification, powered by machine learning engines that analyze conversational context and purpose rather than matching keywords, determines which action applies. A pharmaceutical researcher uploading drug data for summarization, for example, can trigger a policy warning or be routed to an approved internal model instead of an external one.
Audit trails must prove enforcement, not just document policy
Regulators and boards are no longer satisfied by policy documents. Industry commentators argue that frameworks such as the EU AI Act and DORA, along with U.S. regulators, increasingly expect evidence that AI governance controls are enforced in practice, potentially down to the level of individual interactions. That said, neither the EU AI Act, DORA, nor the SEC’s enforcement division explicitly requires interaction-by-interaction evidence.
Meeting that bar typically requires capturing both prompts and model responses and maintaining immutable audit trails for interactions, which is the approach WitnessAI takes. Beyond auditability, runtime defense at the point of interaction is becoming a critical requirement for enterprise AI security. That means inspecting incoming prompts for prompt injection, jailbreaking, and exposure of sensitive data, while filtering outgoing responses for harmful content and policy violations.
Tokenizing or redacting sensitive content before it reaches external models, then restoring the original values when policy allows, keeps data protected without breaking workflows. Pre-deployment red-teaming, using techniques such as multimodal attacks, multi-step jailbreaks, fuzzing, and reinforcement-learning attacks, can further strengthen model readiness before production.
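The four-way policy decision described in the previous section and the runtime checks in this one are combined in the following added example, which is not WitnessAI’s Control or Protect code: a gateway that screens an inbound prompt for injection signatures, assigns a coarse intent, tokenizes sensitive values into a vault so that only placeholders leave the gateway, returns one of allow, warn, block or route together with the prompt that would actually be sent, and restores the original values when a response echoes a placeholder. The regex detectors stand in for the ML classifiers the page describes; the model names, intent categories, injection signatures and sample prompts are all assumptions.

```python
"""Added example: an inline AI-gateway policy check with reversible redaction.

Example code, not WitnessAI's Control or Protect modules. The regex detectors
stand in for ML classifiers; model names, intents and patterns are assumed.
"""
import re
from dataclasses import dataclass, field

# Assumed prompt-injection signatures (a real engine would use a classifier).
INJECTION_PATTERNS = [
    re.compile(r"ignore (?:all |any )?(?:previous|prior|above) instructions", re.I),
    re.compile(r"you are now (?:in )?(?:developer|dan) mode", re.I),
    re.compile(r"reveal (?:your )?(?:system prompt|hidden instructions)", re.I),
]
# Assumed coarse intents; first match wins, so the regulated one is listed first.
INTENT_PATTERNS = {
    "clinical_data": re.compile(r"\b(?:patient|drug|trial|compound)\b", re.I),
    "code_assist": re.compile(r"\b(?:refactor|unit test|stack trace|function)\b", re.I),
}
# Sensitive-value detectors; card-like digit runs are confirmed with Luhn.
SENSITIVE_PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(number):
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


class TokenVault:
    """Swaps sensitive values for placeholders and restores them on the way back."""

    def __init__(self):
        self._forward = {}  # original value -> placeholder
        self._reverse = {}  # placeholder -> original value

    def _placeholder(self, kind, value):
        if value not in self._forward:
            token = f"<{kind}_{len(self._forward) + 1}>"
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def redact(self, text):
        for kind, pattern in SENSITIVE_PATTERNS.items():
            def _sub(m, kind=kind):
                value = m.group(0)
                if kind == "CARD" and not luhn_ok(value):
                    return value  # digits, but not a card number: leave untouched
                return self._placeholder(kind, value)
            text = pattern.sub(_sub, text)
        return text

    def restore(self, text):
        """Put original values back into a response that echoes placeholders."""
        for token, value in self._reverse.items():
            text = text.replace(token, value)
        return text


@dataclass
class Decision:
    action: str           # allow | warn | block | route
    destination: str      # model endpoint the prompt may go to ("" when blocked)
    outbound_prompt: str  # what actually leaves the gateway
    reasons: list = field(default_factory=list)


def classify_intent(prompt):
    for intent, pattern in INTENT_PATTERNS.items():
        if pattern.search(prompt):
            return intent
    return "general"


def evaluate(prompt, vault, external_model="external-llm", internal_model="internal-llm"):
    """Inspect one inbound prompt and pick allow / warn / block / route."""
    if any(p.search(prompt) for p in INJECTION_PATTERNS):
        return Decision("block", "", "", ["prompt-injection signature matched"])
    intent = classify_intent(prompt)
    outbound = vault.redact(prompt)  # placeholders only, whatever the destination
    reasons = [f"intent={intent}"] + (["sensitive values tokenized"] if outbound != prompt else [])
    if intent == "clinical_data":
        # Regulated content never goes to the external model: route internally.
        return Decision("route", internal_model, outbound, reasons)
    if outbound != prompt:
        # May proceed, but the user is told the prompt was altered and why.
        return Decision("warn", external_model, outbound, reasons)
    return Decision("allow", external_model, outbound, reasons)


if __name__ == "__main__":
    vault = TokenVault()
    d = evaluate("Summarize the trial results for compound XK-12 for patient john.doe@example.com", vault)
    print(d.action, d.destination, d.outbound_prompt, d.reasons)
    print(vault.restore("Summary sent to <EMAIL_1>"))
```

Two design points matter here. The vault is per session, so the same value always maps to the same placeholder and a model that reasons about “<EMAIL_1>” across turns still gets consistent context, while nothing it returns can leak a value the gateway did not already hold. And the injection check runs before anything else: a blocked prompt is never redacted or classified, so there is no path on which it reaches a model at all. Replacing the regexes with real classifiers changes the detectors, not the control flow.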
Turning AI adoption into measurable outcomes
Current enterprise AI surveys suggest broad adoption, but many organizations still struggle to demonstrate measurable business impact and strong accountability. Closing the gap requires continuous AI risk management as an operational discipline.
That means visibility into AI activity across the human and digital workforce, intelligent policies that enable rather than obstruct, runtime defense at the point of interaction, and audit trails that convert governance from aspiration into evidence.
WitnessAI’s unified AI security and governance platform acts as a confidence layer, enabling security and AI teams to move from hesitation to controlled adoption. Whether your priority is proving AI control to regulators, accelerating projects stuck in pilot, or governing autonomous agents before incidents force the conversation, the path forward starts with a platform that can see, govern, and protect AI activity across employees, applications, models, and agents.
Book a demo to see how that works in practice.