Skip to content
Bernhard Götzendorfer
Business Strategy

Why Governed Organizations Adopt AI Slower Than Individuals

Established companies with approval processes lag on AI not out of inertia, but because of a widening gap between what the tools can do and what their structures allow.

Abstract visualization: a single fast arrow next to a heavy, slowly grinding gear apparatus

TL;DR

Established companies adopt AI slower than individuals not because their people are sluggish, but because a widening gap exists between two things: what the tools can do today, and what approval processes, compliance, and IT governance allow. I argued this thesis at a panel in Vienna on June 16, and it polarized the room. This article explains why the gap is real, why it leads to private shadow AI, and what organizations can concretely do without throwing their safeguards overboard.

One Evening at the Börse, One Thesis That Polarized

On June 16, I sat on a panel at the Accenture office in Vienna's Börse building. The topic of the evening: how software architecture and development are changing through AI. On the panel: two voices from Accenture, one from SQUER, one from a product company, and me, the only solo practitioner in the room. The others spoke from the enterprise and consulting perspective. I spoke from the perspective of someone whose code has been written almost entirely by AI agents since late 2024, but who personally signs off on every approval.

One thesis I argued that evening landed especially well while also provoking the strongest reaction: governed organizations adopt AI structurally slower than individuals. Not because their people are less capable. But because they do not even have the tools and the freedom that I, as an individual, use every day.

I want to lay this out here, because it sounds uncomfortable but is meant constructively. The point is not to mock compliance or governance. The point is to name a structural problem honestly so it can be solved.

What the Tools Can Do and What the Structure Allows

Picture two numbers that should have nothing to do with each other and yet do. The first number grows exponentially: what an AI agent can accomplish in a single day today was unthinkable a year ago. The second number grows linearly, at best: the speed at which an organization can evaluate, approve, and embed new tools into its processes.

These two lines diverge. And it is precisely this distance that is the problem, not the speed itself.

As an individual, I stand with both feet on the fast line. I can test a new model on the day it launches. I can rebuild an agent setup without asking anyone. I can scrap a workflow that does not work and set up a new one the same afternoon. My only approval authority is myself.

An established company stands on the slow line, and for good reasons. Before a new AI tool may be used in production, it has to pass through a series of gates: data protection review, security clearance, vendor assessment, budget approval, often a works-council sign-off. Each individual gate is justified. But in sum, they create a latency of weeks to months before anyone is even allowed to touch the tool.

The speed of AI is not the problem for organizations. The problem is the widening gap between what is technically possible today and what a guardrail-bound structure allows.

The result: by the time the tool clears approval, it is often already two generations old. The employee who filed the request has long since been using something better in private.

Why This Is Not an Inertia Problem

Here lies the misunderstanding I wanted to correct on panel night. The obvious explanation goes: corporations are slow because they are sluggish, because the employees cannot be bothered, because the culture is calcified. That is convenient, but usually wrong.

The people in these companies are often just as curious and capable as any solo builder. I regularly meet developers and specialists from large enterprises who know exactly what would be possible, and who are visibly frustrated that they are not allowed to do it at work.

The problem is not the person but the asymmetry of risk. When I try a new tool as an individual and it goes wrong, I carry the damage alone, and it is bounded. When a corporation deploys an unvetted tool in production and it leads to a data leak, a GDPR violation, or a faulty automated process, the damage scales with the size of the organization. The caution is therefore rational. It is the correct response to a real risk.

That is exactly what makes this so hard. You cannot simply abolish the approval processes, because they protect against real dangers. But you also cannot pretend they cost nothing. Every day of latency widens the gap between what the company is officially allowed to do and what has long been standard outside its walls.

In my article on the 9 trends shaping work in 2026, I described how AI rollouts rarely fail because of the technology, but because of cultural dissonance. The approval gap is the structural sibling of that problem: even when the culture is right, the structure can hold people back.

The Inevitable Consequence: Shadow AI

When the official gap grows too large, an unofficial bridge appears. The people who see what would be possible, and who are not allowed to do it at work, do it anyway, just privately and around the organization.

This is shadow AI, and it is not a fringe phenomenon. The employee who quickly summarizes a contract draft on a private AI account. The analyst who copies company data into an unapproved tool because the sanctioned one is simply worse. The developer who runs a coding assistant on a personal laptop because IT blocks it on the company device.

From the individual's point of view, this is entirely understandable. They want to do their job well, and the best available tool happens to be the one they use privately. From the organization's point of view, it is a nightmare: exactly the risks the approval processes were meant to protect against now occur uncontrolled, only without any visibility. There is no audit trail, no data protection impact assessment, no control over which data ends up where.

That is the bitter punchline: the stricter the official gates, the more attractive the unofficial side path. An organization that bans AI entirely does not get zero AI. It gets invisible, uncontrolled AI. I have written more about the related topic of uncontrolled data flows and sovereign alternatives in the guide to EU sovereignty in the AI stack.

What Organizations Can Learn From This

So far this sounds like a dead end. It is not. The gap cannot be closed by abolishing the gates, but it can be narrowed by building the structure more intelligently. From my observation, three approaches have proven workable.

One Champion Per Area

The most effective lever is not a central AI committee, but a named person per department who drives AI forward not as a side activity but as an explicit part of their role. Full disclosure: this is also the model I advocate for in my training work, so I am not observing it neutrally but have found it workable in practice. This champion knows both the tools and the operational workflows of their department. They are close enough to the work to recognize where a tool genuinely helps, and legitimate enough to negotiate faster approvals for their area.

The effect: instead of thirty people secretly using thirty different private tools, there is one person who consolidates, vets, and negotiates with governance for their area. Shadow AI is made visible and brought into orderly channels, rather than fought.

Important: champion does not mean extra burden piled on top. If this role only exists as a hobby alongside the day job, it fizzles out. It needs real time and a clear mandate.

Protected Spaces for Experimentation

The second approach is to legalize the gap rather than suppress it. An organization can define a clearly bounded space where things may be tried out that are not yet permitted in production: a sandbox with synthetic or anonymized data, with no connection to real customer data, with reduced approval latency.

In this space, one simple rule applies, which I have adopted for my own work: anything that can be reversed without a trace may be tried without heavy approval. Anything that has an external effect or is irreversible needs sign-off. This split by reversibility is far more practical than a blanket allowed-or-forbidden, because it concentrates the risk where it is real.

The purpose of such a space is not that every experiment goes into production. The purpose is that the organization learns which tools are worth anything at all, before they run the lengthy approval gauntlet. That way you validate cheaply instead of guessing expensively. I describe this same logic, validate cheaply first and then invest, for SMEs getting started in the realistic getting-started guide.

Build Verification Into the Architecture, Not the Process

The third point is the one I emphasized most strongly on the panel, and it is the only one that belongs here only at the margins, because it is a topic of its own. Briefly: much of what organizations today secure through slow manual approvals can be secured better by machine. A rule that lives only in a policy document barely exists in practice. A rule anchored as an automatic gate in the system, a test, a permission boundary, a mandatory check before every risky step, blocks reliably and costs no weeks.

If part of the approval latency stems from humans manually checking what a machine could check more reliably, that is a starting point. I have described in detail how to build such checking and control structures for AI agents in harness design for AI coding agents.

What the Gap Means for You

If you run or are responsible for a company with approval processes, the central insight is not that your caution is wrong. It is right. The insight is that caution has a price, one you should measure and manage rather than ignore.

Three questions help make this price visible:

  • How long does it really take, in your company, before a new tool may be used? Measure the latency from request to productive use. If the answer is in months, you know the size of your gap.
  • Where is shadow AI already happening in your company today? Not whether, but where. If you do not know, that is the most important gap to close, through visibility, not through stricter bans.
  • Who actively drives AI forward in each area, with a mandate and time? If the answer is nobody, the mechanism that could narrow the gap at all is missing.

The companies that win here are not the ones that approve everything fastest. They are the ones that honestly acknowledge a gap exists, and actively narrow it instead of suppressing it.

Conclusion: The Gap Is Designable

Governed organizations adopt AI slower than individuals, and that is not an accusation but a structural fact. The gap between what the tools can do and what the structure allows is real and growing. But it is designable.

The key points summarized:

  1. The gap is structural, not human. Your people are not the problem. The asymmetry of risk between an individual and an organization is.
  2. Bans produce shadow AI, not zero AI. The stricter the official gates, the more attractive the invisible side path.
  3. One champion per area consolidates what otherwise happens in hiding. With a real mandate and real time, not as a hobby.
  4. Protected experimentation spaces validate cheaply. Split by reversibility, not by blanket ban.
  5. What a machine can check should not cost weeks of manual approval. Secure it in the architecture wherever possible.

A good first step, especially for non-technical employees, is to begin with one clearly bounded work step where the human stays in the loop and AI only assists. I have put together a neutral, curated entry point for this at agenticbuilders.at/ressourcen.

If you want to find out how large your approval gap really is, and where a champion model or an experimentation space would help most, reach out via the contact page. I deliberately work with only 1-2 clients at a time and take the corresponding time for your specific situation.