Enterprise Artificial Intelligence has moved beyond the controlled pilot phase. It’s no longer just about testing an internal chatbot, automating summaries, or adding a text generation layer to a corporate application. The new stage is characterized by agents capable of initiating actions, coordinating processes, and operating on business systems with decreasing human intervention. And that’s where the problem arises: many companies are deploying AI faster than they can govern it.
A new study from IBM Institute for Business Value, conducted jointly with Oxford Economics, provides figures on this gap. The research gathers responses from 2,000 CIOs, CTOs, and other technology executives across 33 geographies and 19 industries, showing a growing tension between ambition, control, and operational capacity. Two-thirds of surveyed technology leaders state they are accountable for AI systems they do not fully control. 70% say business teams deploy technology faster than IT can keep up, and 77% acknowledge that AI adoption is already ahead of their current governance capabilities.
Perhaps the most revealing data point is that only 11% of CIOs and CTOs consider themselves fully prepared for the scale of AI agents deployment planned in the next twelve months. Moreover, pressure isn’t coming solely from technical departments. 80% of respondents indicate that AI transformation mandates come directly from the CEO.
Manual Governance No Longer Works for Autonomous Systems
IBM defines an AI agent as a system capable of initiating, coordinating, or executing multi-step actions with limited human intervention. This definition marks a clear boundary from traditional software. A conventional application responds to a command. An agent can interpret a goal, break it down into tasks, query data, interact with tools, and execute actions sequentially.
When such systems go into production, classical controls start falling short. Manual reviews, committees, internal policies, pre-approvals, and tracking spreadsheets work poorly when agents operate continuously and generate thousands of decisions daily. Governance designed for human cycles doesn’t fit with systems that act at machine speed.
The consequences are already visible. Surveyed organizations recorded an average of 54 incidents related to AI agents last year. Seventeen percent were high-severity incidents requiring more than four hours to contain. Among these serious incidents, 37% involved data exposure or security breaches, 33% caused cascading failures, 17% resulted in compliance issues, and 13% eroded trust among customers, employees, or other stakeholders.
| Study Indicator | Highlighted Data |
|---|---|
| Surveyed tech executives | 2,000 |
| Represented geographies | 33 |
| Industries analyzed | 19 |
| Organizations where AI surpasses current governance | 77% |
| Teams deploying technology faster than IT can follow | 70% |
| Full readiness of CIOs and CTOs for scaling agents | 11% |
| AI mandates driven by CEO | 80% |
| Projected increase in AI agents by 2027 | +38% |
| Average AI-related incidents last year | 54 |
| High-severity incidents | 17% |
| Projected AI spending increase over IT budget in 2027 | 24.9% |
The technical message is clear: governance can no longer be an after-the-fact layer. It must be integrated into the architecture. An agent that isn’t registered, has no owner, leaves no trace, cannot be stopped, and lacks rollback capability shouldn’t go into production. The question shifts from “who approved this agent?” to “what executable limits does it have, what can it tinker with, who monitors it, and how is it shut down?”
From Shadow IT to Shadow AI
This phenomenon isn’t new. For years, companies managed shadow IT: tools purchased by business units outside of IT’s control, critical spreadsheets, unauthorized SaaS, or improvised integrations. Agentic AI elevates this issue to another scale. It’s no longer just about isolated applications but systems capable of acting on data, processes, and enterprise applications.
That’s why the IBM report emphasizes that control does not mean centralizing every decision within IT. This approach would slow innovation excessively and push business teams to find shortcuts. The emerging model is federated: business teams can create and deploy use cases within frameworks defined by shared platforms, model registries, identity controls, telemetry, audit, access policies, execution limits, and incident response procedures.
In practice, this demands a new control architecture. Platform teams must manage shared guardrails: agent registration, model cataloging, logging, observability, runtime controls, rollback, and identity management. Risk and compliance teams must define thresholds, evidence requirements, review rules, and escalation criteria. Architecture should set reference patterns and interoperability standards. Business teams must assume responsibility for outcomes, exceptions, and daily operations of use cases.
IBM calls this approach “orchestrated control.” According to their analysis, organizations integrating control within the architecture deploy 16 times more agents than those relying on manual governance. They spend four times less of their AI budget and achieve operational margins 18% higher. The message isn’t that control hinders AI but that well-designed control enables broader scaling with less friction.
Cloud Lock-in Also Impacts AI
The control gap isn’t limited to agents. The report links AI scalability to a broader issue: infrastructure rigidity. Many companies find their workloads aren’t as portable as they thought. Although 88% of organizations attempt or plan to move workloads to another cloud provider, tech leaders estimate that only 25% of those workloads are easily portable.
Cost is also a concern. Cloud expenses exceeded initial forecasts by an average of 48%, and 80% of tech leaders report higher-than-expected data transfer costs. Common barriers include egress fees, reliance on specific provider services, and technical complexity.
This directly affects AI deployment. Building agents, data pipelines, and inference workflows on overly proprietary services makes switching models, providers, or architectures costly and slow. In a market where models are replaced every few months, lack of portability isn’t just a technical issue—it constrains strategic agility.
IBM suggests that readiness is now measured by change capability, not just stability. Being able to move workloads, swap models, absorb new capabilities, and avoid difficult-to-reverse dependencies has become a maturity metric. Organizations that designed for this flexibility early on will see an AI ROI 10% higher by 2025, according to the study.
AI Requires Its Own FinOps
The third aspect is financial. AI doesn’t behave like traditional technology investments. ERP, databases, or virtualization platforms could be planned over several years. AI models age faster—IBM estimates a median lifespan of about 14 months. 71% of tech leaders say they retire or replace models when better alternatives emerge, and 60% do so because business needs or use cases change.
Spending is also rising rapidly. AI expenses will go from just under 15% of the IT budget in 2025 to nearly 25% in 2027—a 71% increase over two years. Yet, 84% of tech leaders have not fully operationalized AI financial management, and 85% lack real-time visibility into expenditures.
This underscores the need for a dedicated AI FinOps. It’s not enough to know cloud costs—it’s critical to track the cost of each agent, use case, model, pipeline, inference call, and automation. Costs should be linked to measurable outcomes like time savings, fewer incidents, conversion improvements, productivity, margins, or service quality.
Companies treating AI as a portfolio, rather than a collection of pilots, have better options to scale successful initiatives and phase out those that don’t add value. Clear ownership, success criteria, exit points, visibility into costs per use case, and stronger IT-Finance collaboration are essential.
IBM’s study offers a clear warning: companies deploying agents without proper architecture, observability, and financial discipline might initially gain speed but risk operational issues down the line. Those trying to control everything via committees and manual reviews will lose momentum. The solution lies in designing a platform where autonomy operates within verifiable boundaries.
Agentic AI doesn’t scale just by buying models or approving pilots. It requires adaptive infrastructure, integrated governance, and real-time financial management. For CIOs and CTOs, the challenge in 2026 won’t be proving AI works—it will be demonstrating it can operate securely, cost-effectively, and with trust within the organization.
Frequently Asked Questions
What is enterprise agentic AI?
It’s the use of AI systems capable of initiating, coordinating, or executing multi-step actions with limited human involvement. Unlike traditional applications, an agent can act on tools, data, and processes to achieve a specific goal.
Why does this concern CIOs and CTOs?
Because many organizations are deploying AI agents faster than IT can govern them. According to IBM, two-thirds of tech leaders consider themselves responsible for systems they do not fully control.
What does “governance by design” mean?
It means integrating controls into the architecture: agent registration, clear ownership, traceability, observability, access limits, rollback, kill switches, and scaling rules before going live.
Why does AI need its own financial management?
Because models change quickly, inference costs can rise with usage, and many projects have uneven returns. Companies need to know the cost of each use case and its value to decide what to scale, adjust, or retire.
