Jason Belnick

Writing · · 5 min read

The missing 90 percent of AI adoption

73% of surveyed enterprises use AI but only 10% run on it. Missing ownership, sign-off paths, and measured workflows create the gap; the models are fine

Publicis Sapient surveyed 1,550 AI decision-makers for its 2026 Global Enterprise AI Report. 73% of them use AI regularly or across most of their processes. Only 10% say AI is core to how their business operates. Those two numbers describe enterprise AI right now: most organizations use it, and very few run on it.

I have run 40 GenAI deployments into enterprises, every one of them through security review, and I work in the gap between those two numbers. The most useful number in the report is the third one: 42% of respondents say AI is capable but their organization is not set up to capture the value. Almost half the people paying for these systems say the model is fine. They place the failure inside their own organizations.

It was never the demo

The demo has been good for a while now. Anyone can build a pilot that summarizes tickets or drafts responses, show it to a leadership team, and get applause. The pilot then enters a phase nobody budgeted for, and the 90% goes missing there.

The meeting three or four weeks after the demo decides an AI rollout: a security admin asks who is accountable when the model sends something wrong to a customer, what data leaves the tenant, and who reviewed the vendor's retention terms. Then the room goes quiet, because the pilot team treated those as someone else's questions. I have sat in that meeting many times. The admin is doing their job, not obstructing the rollout, and they are usually right.

So the 90% that goes missing sits in the operating model: who owns the workflow, who checks quality, how security signs off, how anyone would know if the thing stopped working. A better model does not answer any of those questions. I keep coming back to the same thesis: trust, workflow, and ownership problems block AI adoption, and demos solve none of them.

What the 10 percent do

In my experience, the organizations where AI is core to operations do four unglamorous things, and none of the four involves having the smartest model.

First, every AI workflow has a named owner. One person, rather than a committee or "the AI team." When output quality drops or the workflow needs to change, there is one name on it, the same way there is a name on the payroll run. Workflows without owners decay until someone notices in a customer escalation.

Second, they design the security sign-off path in from the start instead of begging for it after. The teams that clear review fast are the ones that show up with the data-flow diagram, the access scoping, and the failure modes already written down. In the deployments I run, the sign-off memo is a design artifact that exists before the pilot, and security reviews a plan instead of reacting to a surprise. That single change is most of the difference between clearing review in weeks and stalling for months.

Third, they measure the workflow before and after. Minutes per ticket, error rate, rework rate, escalation rate, rather than "user satisfaction with the AI assistant," which measures the demo. If you did not measure the workflow before the model arrived, you cannot claim it improved, and sooner or later the CFO notices.

Fourth, they make quality drift fail in CI, in front of the team, instead of in front of a customer. This is the pattern I open-sourced in llm-judge-evals: keep a golden dataset of inputs with known-good outputs, run a judge model over the system's current outputs, and fail the build when scores drift below threshold. Teams swap models and edit prompts, and vendors push silent updates. An eval gate moves the first sighting of a regression from a user to a red pipeline, the cheapest place to catch a failure.

This is the same operational discipline enterprises already apply to payments and deployments, extended to a system that is probabilistic instead of deterministic. That extension is the work.

Why "agents for everyone" dies in security review

The current version of the demo trap is agents. The pitch is to roll coding and workflow agents out to the whole company. Then it reaches security review, and OWASP's State of Agentic AI Security report from June 11 explains what happens next: prompt injection maps to six of the ten categories in OWASP's Agentic Top 10, and coding agents are the epicenter. Of the 53 agentic projects OWASP tracks, 28 are coding agents, and the top repositories by security advisories are n8n at 57, Claude Code at 22, and AutoGPT at 15. Only 37% of organizations say they can detect shadow AI in their environment.

That report reads like ammunition against adoption. I read it the opposite way. It is a map of why the blanket rollout fails and the scoped one survives. An agent with access to sensitive data, exposure to untrusted content, and the ability to take external actions is the configuration OWASP flags via Simon Willison's "lethal trifecta" heuristic, and it is what "agents for everyone" ships by default. The 10% ship the narrow version instead: scoped permissions, a named owner, untrusted-input boundaries, an eval gate on output. The security admin approves that version because the team shows up with answers to the admin's questions.

The regulation clock slowed but did not stop

On May 7 the EU reached a political agreement to postpone key AI Act high-risk deadlines: roughly 16 extra months for new Annex III high-risk systems and about 12 for product-safety components, with formal adoption due before the original August 2 date. Penalties still run up to 7% of worldwide turnover.

Some teams heard that as a pass. It is breathing room, and teams get to choose how they spend it. The compliance obligations coming (risk management, logging, human oversight, documented accountability) are the same operating-model machinery the 10% already built, because named owners, sign-off paths, measured outcomes, and eval evidence are what a regulator asks for too. Teams that spend the extension building that machinery will find most of the compliance work done; teams that spend it shipping more demos will do a panicked retrofit in 2027, and retrofitted accountability is expensive and ugly.

No model release will deliver the missing 90%. Teams build it one owned, measured, signed-off workflow at a time. That is slower than a demo and much less fun to present. It is also the only version that survives contact with the security admin, the CFO, and, in time, the regulator.