<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[The Data-AI Continuum: The Illusion Series]]></title><description><![CDATA[The enterprise world runs on confident beliefs. That governance means control. That sovereignty means ownership. That certification means safety. That transformation means change. That the title on the org chart reflects the authority it claims. Most of these beliefs are never tested — until the regulatory letter arrives, the capital add-on lands, or the system acts in ways no policy document anticipated.

The Illusion Series examines the gap between what organisations believe they hold and what they actually do. Not to embarrass institutions, but to name the structural forces that make false confidence rational — and to ask what it would actually take to close the distance between appearance and reality.]]></description><link>https://dataaicontinuum.substack.com/s/the-illusion-series</link><image><url>https://substackcdn.com/image/fetch/$s_!E46p!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F179dedb3-3d70-448b-89eb-77826f571c60_1024x1024.png</url><title>The Data-AI Continuum: The Illusion Series</title><link>https://dataaicontinuum.substack.com/s/the-illusion-series</link></image><generator>Substack</generator><lastBuildDate>Thu, 02 Jul 2026 20:24:07 GMT</lastBuildDate><atom:link href="https://dataaicontinuum.substack.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[M Maruf Hossain, PhD]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[dataaicontinuum@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[dataaicontinuum@substack.com]]></itunes:email><itunes:name><![CDATA[M Maruf Hossain, PhD, GAICD]]></itunes:name></itunes:owner><itunes:author><![CDATA[M Maruf Hossain, PhD, GAICD]]></itunes:author><googleplay:owner><![CDATA[dataaicontinuum@substack.com]]></googleplay:owner><googleplay:email><![CDATA[dataaicontinuum@substack.com]]></googleplay:email><googleplay:author><![CDATA[M Maruf Hossain, PhD, GAICD]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[The Maturity Illusion]]></title><description><![CDATA[Your Score Is 3.2 Out of 5. Congratulations. It Tells You Almost Nothing.]]></description><link>https://dataaicontinuum.substack.com/p/the-maturity-illusion</link><guid isPermaLink="false">https://dataaicontinuum.substack.com/p/the-maturity-illusion</guid><dc:creator><![CDATA[M Maruf Hossain, PhD, GAICD]]></dc:creator><pubDate>Fri, 26 Jun 2026 03:30:33 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!odGN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><span>At some point in the last five years, someone sent you a slide deck with a spider diagram on it.</span></p><p><span>Eight axes. Or maybe six. Or maybe twelve &#8212; the number varies because nobody has agreed on what maturity actually consists of in any given domain, which is the first sign that something is wrong. Each axis had a scale from one to five. Your organisation was plotted somewhere on it, forming a shape that resembled a deflated football. A competitor&#8217;s shape, or an industry benchmark, was overlaid in a different colour. The gap between the two shapes was, conveniently, exactly the gap that the firm presenting the deck was positioned to close.</span></p><p><span>You probably sat in that meeting and felt a faint, nameless unease. The unease had something to do with the fact that the number on the &#8220;Governance&#8221; axis &#8212; 2.4, say &#8212; had been produced by asking your own leadership team how good their governance was. And that the number on the &#8220;Strategy&#8221; axis had been produced the same way. And that you could not quite articulate how a weighted average of those self-reports, translated into a polygon on a slide, told you anything useful about whether your organisation would hold up under regulatory scrutiny, deliver what it promised at 2 am on a Sunday, or survive the thing that was going to go wrong next quarter that nobody had anticipated.</span></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!odGN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!odGN!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png 424w, https://substackcdn.com/image/fetch/$s_!odGN!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png 848w, https://substackcdn.com/image/fetch/$s_!odGN!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png 1272w, https://substackcdn.com/image/fetch/$s_!odGN!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!odGN!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png" width="1200" height="900" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:1086,&quot;width&quot;:1448,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:3202132,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://dataaicontinuum.substack.com/i/202811803?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!odGN!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png 424w, https://substackcdn.com/image/fetch/$s_!odGN!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png 848w, https://substackcdn.com/image/fetch/$s_!odGN!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png 1272w, https://substackcdn.com/image/fetch/$s_!odGN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76881000-4ba2-4605-acc1-5d9a7840e76d_1448x1086.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><div class="pullquote"><p><em><span>You were right to feel that unease. It was methodologically sound.</span></em></p></div><p><span>The maturity model is one of the most commercially successful governance artefacts of the last three decades, and one of the least examined. The academic record on this is not ambiguous. A systematic mapping study published in </span><em><span>Information and Software Technology</span></em><span> found that &#8220;despite that many models were proposed in the last decade, the level of empirical evidence that reveals the validity and usefulness of these models is scarce.&#8221; James Bach, writing one of the sharpest critiques of the original CMM &#8212; the grandfather of all modern maturity models &#8212; identified that it &#8220;has no formal theoretical basis&#8221; and &#8220;only vague empirical support&#8221;, and that without controlled comparison against alternative models, &#8220;the empirical case can never be closed&#8221;. That was in the 1990s. The critique has not aged. The models have proliferated regardless.</span></p><blockquote><p><em><span>The maturity model exists because it is useful to the people selling it, legible to the people buying it, and sufficiently numerical to feel rigorous without requiring anyone to verify whether the numbers are true.</span></em></p></blockquote><p><span>In enterprise AI, where boards are now using maturity scores to make deployment, risk appetite, and governance investment decisions, the gap between the number and the truth has consequences that the original CMM never faced.</span></p><h1>A Genre With No Empirical Foundation</h1><p><span>Before examining what maturity models measure, it is worth examining where they came from and what, if anything, justifies treating their output as meaningful.</span></p><p><span>The maturity model as a governance instrument has its roots in quality management thinking of the 1930s, but its modern commercial form derives from the Capability Maturity Model (CMM) developed by the Software Engineering Institute at Carnegie Mellon in the early 1990s. CMM gave the world the five-level scale &#8212; Initial, Repeatable, Defined, Managed, Optimising &#8212; and the spider diagram. Every maturity model produced since then, across software development, data management, risk management, AI governance, and dozens of other domains, is essentially a reskin of this architecture.</span></p><p><span>The CMM was never empirically validated as the term implies. Tarhan et al., in a systematic literature review of business process maturity models published in </span><em><span>Information and Software Technology</span></em><span>, found that &#8220;the current state of research on BPM maturity is in its early phases, and academic literature lacks methodical applications of many mainstream models that have been proposed&#8221;. They called explicitly for research to &#8220;conduct empirical studies to demonstrate the validity and usefulness&#8221; of models &#8212; research that, decades after the original CMM, still does not exist at scale.</span></p><blockquote><p><em>&#8220;The lack of an academic research base is not felt to be a disadvantage, as ProMMM represents the accumulated wisdom and expertise of project management professionals who are leading practitioners in the field.&#8221; Davy and Kinninment (2002)</em></p></blockquote><p><span>This is not a marginal position. It is the mainstream position of the maturity model industry: the models are useful because practitioners find them useful, and the question of whether they measure what they claim to measure is treated as secondary at best.</span></p><p><span>The software industry eventually answered this question with its feet. Significant parts of it abandoned CMM and CMMI entirely and adopted Agile methods, in part because the taxing, documentation-heavy nature of high CMMI levels bore no observable relationship to software quality. This rejection helped motivate the Agile Manifesto &#8212; a direct repudiation of the assumption that process maturity, as CMM defined it, was the route to better outcomes. A survey of maturity models published on arXiv noted that &#8220;many parts of the software industry abandoned CMM/CMMI and adopted Agile methods precisely due to the taxing nature of the CMMI approach&#8221;, and that &#8220;raising the concept of a CMMI assessment to these teams is generally not welcome&#8221;.</span></p><p><span>That lesson has not been absorbed by the governance consulting industry. It has simply applied the same architecture to new domains.</span></p><h1>The Market That Created the Problem It Sells Solutions To</h1><p><span>The modern AI maturity model is the CMM genre&#8217;s latest and most commercially successful iteration. And it has inherited every structural problem of its predecessors, now amplified by the scale of AI investment decisions it is being used to inform.</span></p><p><span>Gartner sells AI Maturity Model toolkits and AI roadmap advisory services. McKinsey produces the AI Adoption Curve and the </span><em><span>Rewired</span></em><span> methodology, and charges organisations to close the gaps it identifies. BCG publishes AI@Scale research and sells the transformation programmes required to reach &#8220;AI future-built&#8221; status. Deloitte offers the Trustworthy AI Framework and the accompanying implementation practice. The AWS Cloud Adoption Framework for AI is produced by Amazon Web Services, which sells the cloud infrastructure required to advance through it.</span></p><p><span>This is not a conspiracy. It is a structure. Every firm that produces an authoritative maturity model, AI or otherwise, has a direct commercial interest in two findings: that your current maturity is insufficient, and that their services address the deficiency. The frameworks are not fraudulent. They contain genuine analytical insight. But they are designed by people who profit from the gap, and that design inevitably shapes what the frameworks choose to measure.</span></p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong><span>5%</span></strong></h1><p style="text-align: center;"><span>of organisations qualify as &#8220;AI future-built&#8221; &#8212; capturing disproportionate value while the other 95% remain in the addressable market for transformation services</span></p><p style="text-align: center;"><em><span data-color="rgb(136, 136, 136)" style="color: rgb(136, 136, 136);">BCG Build for the Future Global Study, n=1,250, 2025</span></em></p></div><p><span>BCG&#8217;s 2025 </span><em><span>Build for the Future</span></em><span> research found that only about 5% of organisations qualify as &#8220;AI future-built&#8221;, capturing disproportionate value, while 95% are still figuring out how to convert AI investment into sustained business value. McKinsey&#8217;s 2025 State of AI report found that 88% of organisations use AI in at least one function, but only 39% report any measurable enterprise-level EBIT impact, and only 6% qualify as high performers.</span></p><p><span>These are real findings. They are also produced by organisations whose revenue depends on the remaining 94% of the addressable market for transformation services. The conflict is structural. It is worth noting that before treating the numbers as neutral.</span></p><h1>The Self-Assessment Problem</h1><p><span>The more fundamental issue is not who produces maturity models. It is how they are completed.</span></p><p><span>The overwhelming majority of maturity assessments &#8212; across every domain the genre has colonised &#8212; are self-reported. A leadership team answers questions about its strategy, infrastructure, governance practices, and capability. Scores are assigned. The result reflects what leadership believes to be true about its organisation &#8212; which is systematically different from the truth.</span></p><p><span>This is not a new observation. The academic critique of CMM identified self-assessment as a core validity problem from the outset. An organisation&#8217;s self-reported maturity level has no verified relationship to its actual performance. The assessment measures confidence, not capability.</span></p><p><span>In the AI domain, the data on this gap is striking. Uplevel surveyed over 100 engineering leaders and found that 88% rated their organisations as highly prepared for AI. In the same survey, only 2% had a documented AI strategy. 88% of leaders believed they were ready. 2% had the foundational artefact that readiness requires.</span></p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong><span>88% vs 2%</span></strong></h1><p style="text-align: center;"><span>of engineering leaders rated their organisation as highly prepared for AI &#8212; yet only 2% had a documented AI strategy</span></p><p style="text-align: center;"><em><span data-color="rgb(136, 136, 136)" style="color: rgb(136, 136, 136);">Uplevel, survey of 100+ engineering leaders, 2025</span></em></p></div><p><span>There is now cognitive science explaining why this happens. A study published in </span><em><span>Computers in Human Behavior</span></em><span> in late 2025, conducted by researchers at Aalto University, found that using AI tools leads users to consistently overestimate their cognitive performance regardless of actual ability. The typical Dunning-Kruger Effect was reversed entirely: participants with higher AI literacy showed greater overconfidence, not less. Greater familiarity with AI did not lead to more accurate self-assessment. It produced more inflated self-assessment.</span></p><blockquote><p><em><span>&#8220;When it comes to AI, the Dunning-Kruger Effect vanishes. All users &#8212; regardless of actual ability &#8212; significantly overestimated their performance. Higher AI literacy brings more overconfidence.&#8221; Professor Robin Welsch, Aalto University, 2025</span></em></p></blockquote><p><span>If this pattern holds at the organisational level &#8212; and the Uplevel data strongly suggests it does &#8212; the organisations most engaged with AI, most familiar with the tools, most likely to be completing maturity assessments are precisely the organisations whose self-assessments are least reliable. The assessment is most confidently wrong where it is most confidently completed.</span></p><p><span>McKinsey&#8217;s own research reinforces this from a different angle. Leaders systematically overestimate readiness compared to frontline teams doing the actual work. The leader is reading the strategy deck. The team is looking at the data pipeline that only works because one engineer knows every undocumented quirk of it.</span></p><h1>What the Score Actually Measures</h1><p><em><strong><span>When a maturity model produces a score of 3.2 out of 5, what has been measured?</span></strong></em></p><p><span>Typically: whether policies exist; whether programmes have been initiated; whether training has been completed; whether relevant infrastructure has been procured; whether use cases have been identified and piloted. These are inputs and activities. They are not outcomes. The Tarhan et al. systematic review was precise on this point &#8212; it called for research to separate &#8220;the assessment method used to evaluate the maturity level from the maturity model which acts as the reference framework for the assessment.&#8221; In practice, this separation does not happen. The model defines what to measure, the assessment measures it, and the output is treated as evidence of capability rather than evidence of activity.</span></p><p><span>Specifically in AI governance, the consequences of this conflation are evident in the data. Gartner&#8217;s own 2025 research found that 34% of low-maturity organisations and 29% of high-maturity organisations cite data availability and quality as top challenges. The gap between low-maturity and high-maturity organisations on this foundational dimension is </span><strong><span>five percentage points</span></strong><span>. High-maturity organisations still struggle with the same fundamental data quality problems as low-maturity ones. The score moves. The underlying problem does not.</span></p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong><span>85%</span></strong><em><span> </span></em></h1><p style="text-align: center;"><span>of organisations claim data-driven or AI-First status. Only 11% demonstrate true readiness.</span></p><p style="text-align: center;"><em><span>IBM and Ecosystm APAC Research, 2025</span></em></p></div><p><span>The maturity model is not correcting this gap. It is producing the number that enables the claim.</span></p><h1>The Linear Illusion Within the Illusion</h1><p><span>Embedded in every maturity model is a further structural assumption that warrants scrutiny: that maturity progresses linearly through predefined stages.</span></p><p><span>This is the CMM&#8217;s deepest legacy. Initial. Repeatable. Defined. Managed. Optimising. Every major model in software development, data management, risk management, and AI governance uses some variant of this five-level sequence. The assumption is that an organisation at stage three has passed through stages one and two and is on its way to stage five. The score is a position on a single line.</span></p><p><span>The academic critique of this assumption is longstanding. Gerald Weinberg, whose work Bach cited in his CMM critique, argued that the very concept of maturity as applied to organisational processes was misconceived &#8212; that organisations should be understood as complex adaptive systems, not as processes progressing along a linear scale toward an optimal endpoint. His critique was directed at CMM in the early 1990s. It applies with equal force to every maturity model produced since.</span></p><p><span>Research on how organisations actually develop capability confirms the non-linearity. Cusick&#8217;s 2025 review of AI maturity frameworks found that &#8220;organisations often develop AI capabilities unevenly across dimensions, with experimentation, stagnation, and regression occurring simultaneously&#8221;. A manufacturing firm can be at stage four on data infrastructure and stage one on governance. A financial institution can have world-class AI engineering and entirely paper-based risk controls. A single aggregate score collapses this complexity into a number that obscures precisely the information a board needs to make sound decisions.</span></p><p><span>The linear model is not just analytically inadequate. It is actively misleading in a specific and consequential way: it creates the impression that advancing on one dimension advances the organisation overall. A board that approves an AI skills training programme because it will move the maturity score from 2.8 to 3.1 has approved something with a measurable output &#8212; </span><em><span>the score moved</span></em><span> &#8212; that has no necessary relationship to whether the organisation&#8217;s AI systems are better governed, more effective, or less risky.</span></p><p><span>The software industry discovered this. Parts of it responded by abandoning the maturity model genre entirely in favour of outcome-based approaches. The AI governance industry has not yet received that memo.</span></p><h1>The Question the Score Cannot Answer</h1><p><span>There is a test I apply to any maturity assessment, and I have yet to encounter one that passes it.</span></p><p><span>The test is simple. If an AI system in this organisation causes material harm to a customer tonight &#8212; a discriminatory lending decision, an erroneous claims denial, an incorrect medical recommendation &#8212; what exactly does your maturity score of 3.2 tell a regulator about whether you had the controls in place to prevent it?</span></p><p><span>The answer is: nothing useful. The score tells the regulator that you have a strategy document, a governance policy, a training programme, and a data platform. It does not tell them whether the governance policy has a technical enforcement mechanism. It does not tell them whether the training programme produced operational competence or compliance completion rates. It does not tell them whether the data platform is actually connected to the AI systems producing decisions at scale.</span></p><p><span>APRA&#8217;s April 2025 Court Enforceable Undertaking against ANZ was not triggered by a low score on a maturity assessment. It was triggered by six years of remediation programmes that produced documentation without producing improvement. The CEU required ANZ to provide written attestation from Accountable Persons that remediation activities had been completed and target states achieved &#8212; not that a maturity score had moved.</span></p><p><span>That is the direction regulatory scrutiny is travelling. From inputs to outcomes. From documentation to demonstrated effectiveness. From the score to the system.</span></p><h1>What an Honest Assessment Would Look Like</h1><p><span>This is not an argument against structured assessment in principle. Structured self-reflection is better than no reflection. The problem is treating the output as a measurement of something it does not measure &#8212; and making investment, deployment, and governance decisions on that basis.</span></p><p><span>An honest assessment would separate what exists on paper from what exists in operation. It would ask not whether a governance policy has been written but whether there is a technical mechanism that enforces it at the point of action. It would ask not whether risk assessments have been completed, but whether the findings from those assessments are traceable to changes in controls in production systems. It would ask not whether training completion rates are high, but whether the people who completed the training can identify a failure mode in the system they are operating.</span></p><p><span>It would be completed not by leadership alone but by triangulating leadership self-assessment with frontline team assessment and independent technical review. The gap between those three inputs &#8212; which is consistently large, based on McKinsey&#8217;s own research &#8212; is more informative than any single score. It would treat regression as an expected finding, not a failure. It would be completed by someone whose fee is not contingent on the follow-on transformation engagement.</span></p><p><span>The academic literature proposed this thirty years ago. Tarhan et al. recommended that future maturity model research focus on &#8220;conducting empirical studies to demonstrate validity and usefulness&#8221; and on &#8220;separating the assessment method from the reference framework&#8221;. Neither recommendation has been absorbed by the consulting firms designing the models. The incentive structure does not reward honest assessment. It rewards assessments that produce a gap large enough to justify the engagement.</span></p><h1>The Number Your Board Is Using to Make Decisions</h1><p><span>Boards are approving AI investment decisions, deployment decisions, and risk appetite decisions based on maturity scores produced by the firms that stand to benefit from the gap, completed by leadership teams that overestimate readiness, assessed against criteria that measure activities rather than outcomes, and expressed as a number on a linear scale that has no validated empirical relationship to organisational capability.</span></p><p><span>The genre to which this score belongs has never been empirically validated. Its foundational structure was criticised as theoretically unfounded within years of its invention, abandoned by significant parts of the industry that experienced it, and has continued to proliferate regardless &#8212; because it serves the interests of the people producing it more reliably than it serves the interests of the people paying for it.</span></p><p><span>The maturity illusion is genuinely epistemic, unlike the governance illusion. Organisations are not knowingly producing or filing false scores. They believe the score reflects their capability because the assessment was designed to produce that belief and because no one in the transaction has a strong incentive to test whether it is true.</span></p><p><span>The score is not lying to you. It is telling you the truth about something that is not what you think you are measuring. And in AI governance, the gap between those two things is where failures happen &#8212; in the space between what the dashboard says and what the production system does at 2 am on a Sunday when nobody is watching.</span></p><div class="pullquote"><p><span>A score of 3.2 out of 5 is not a position on a path to capability. It measures how much activity your organisation has been producing in the relevant domain. Those are different things. They have always been different things. The maturity model industry has simply made a very good living from the confusion.</span></p></div><div class="callout-block" data-callout="true"><h3><span data-color="rgb(27, 58, 92)" style="color: rgb(27, 58, 92);">What a governance-anchored maturity assessment would actually look like</span></h3><p><span>The diagnosis in this article points toward a specific design requirement: a maturity assessment that measures governance </span><em><span>effectiveness</span></em><span> rather than governance activity; that scores governance domains independently rather than collapsing them into a single number; that gates the expansion of AI autonomy behind demonstrated capability rather than allowing deployment to run ahead of oversight; and that is assessed against defined criteria rather than self-reported by the leadership team whose performance it is measuring.</span></p><p><span>The Governance Maturity Index (GMI), introduced in </span><em><span>The Autonomy Budget</span></em><span> (Hossain, 2026), is designed around precisely these requirements. It comprises five certification levels, each permitting a maximum autonomous system deployment level and requiring independent demonstration of governance capability across defined domains. An organisation at GMI Level 2 cannot deploy a Level 4 autonomous system regardless of its business case. The ceiling is enforced through a deployment gate that checks GMI certification against the proposed system&#8217;s autonomy level before any sign-off is issued.</span></p><p><span>Critically, GMI certification is not self-assessed. It moves because you can demonstrate that your governance infrastructure can safely manage the systems you are deploying, not because you completed more programmes. That is the distinction the vendor-produced maturity model cannot make, because making it would require the vendor to tell you that your score should not have moved.</span></p></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><h1>References</h1><h4><strong><span>Foundational Academic Sources &#8212; Maturity Model Critique</span></strong></h4><ol><li><p><strong><span>Tarhan, A., Turetken, O. and Reijers, H.A. (2016). </span></strong><em><span>Business Process Maturity Models: A Systematic Literature Review. </span></em><span>Information and Software Technology, 75: 122&#8211;134.</span></p></li><li><p><strong><span>Bach, J. (1994). </span></strong><em><span>The Immaturity of CMM. </span></em><span>American Programmer, 7(9). Available at: satisfice.com.</span></p></li><li><p><strong><span>Paulk, M.C. et al. (1993). </span></strong><em><span>Capability Maturity Model for Software, Version 1.1. </span></em><span>Software Engineering Institute, Carnegie Mellon University, CMU/SEI-93-TR-024.</span></p></li><li><p><strong><span>R&#246;glinger, M., P&#246;ppelbu&#223;, J. and Becker, J. (2012). </span></strong><em><span>The Maturity of Maturity Model Research: A Systematic Mapping Study. </span></em><span>Information and Software Technology, 54(12): 1319&#8211;1339.</span></p></li><li><p><strong><span>Lahrmann, G. et al. (2011). </span></strong><em><span>Business Intelligence Maturity: Development and Evaluation of a Theoretical Model. </span></em><span>Proceedings of the 44th Hawaii International Conference on System Sciences (HICSS).</span></p></li><li><p><strong><span>Wendler, R. (2012). </span></strong><em><span>The Maturity of Maturity Model Research: A Systematic Mapping Study. </span></em><span>Information and Software Technology, 54(12): 1317&#8211;1339.</span></p></li><li><p><strong><span>PMI (2002). </span></strong><em><span>Benchmarking Project Management: Capability Maturity Model. </span></em><span>Project Management Institute Library. Note: explicitly acknowledges &#8216;lack of an academic research base is not felt to be a disadvantage&#8217;.</span></p></li><li><p><strong><span>Cusick, J.J. (2019). </span></strong><em><span>A Survey of Maturity Models from Nolon to DevOps and Their Applications in Process Improvement.</span></em><span> arXiv:1907.01878.</span></p></li><li><p><strong>Hossain, M.M. (2026). </strong><em>The Autonomy Budget: A Portfolio-Level Framework for Governing Delegated Machine Authority in Regulated Enterprises. </em>Zenodo Preprint. DOI: 10.5281/zenodo.20480491.</p></li></ol><h4><strong><span>Cognitive Science and Self-Assessment Research</span></strong></h4><ol><li><p><strong><span>Welsch, R. et al. (2025). </span></strong><em><span>AI Use Makes Us Overestimate Our Cognitive Performance. </span></em><span>Computers in Human Behavior; Aalto University, October 2025.</span></p></li><li><p><strong><span>McKinsey Global Institute (2025). </span></strong><em><span>The State of AI: How Organisations Are Rewiring to Capture Value. </span></em><span>McKinsey &amp; Company. Notes leader/frontline readiness gap.</span></p></li><li><p><strong>Davy, C. and Kinninment, D. (2002). </strong><em>Benchmarking Project Management: The ProMMM Model.</em> PMI Learning Library. pmi.org</p></li></ol><h4><strong><span>AI Maturity Research and Survey Sources</span></strong></h4><ol><li><p><strong><span>BCG Henderson Institute (2025). </span></strong><em><span>The Widening AI Value Gap: Build for the Future. </span></em><span>BCG Global Study, n=1,250, September 2025.</span></p></li><li><p><strong><span>IBM and Ecosystm (2025). </span></strong><em><span>AI-First Status vs. AI Readiness: APAC Research. </span></em><span>IBM and Ecosystm.</span></p></li><li><p><strong><span>Uplevel (2025). </span></strong><em><span>AI Capabilities Maturity: Engineering Leader Survey. </span></em><span>Uplevel, 100+ engineering leaders.</span></p></li><li><p><strong><span>Gartner (2025). </span></strong><em><span>AI Maturity Model Research: Data Quality Findings. </span></em><span>Gartner Research.</span></p></li><li><p><strong><span>Fosso Wamba, S. et al. (2025). </span></strong><em><span>Artificial Intelligence Maturity in Small and Medium-Sized Enterprises. </span></em><span>arXiv:2603.08728. Notes uneven, non-linear AI capability development.</span></p></li></ol><h4><strong><span>Regulatory Sources</span></strong></h4><ol><li><p><strong><span>APRA (2025). </span></strong><em><span>APRA accepts Court Enforceable Undertaking from ANZ and increases capital add-on to $1 billion. </span></em><span>APRA media release, 3 April 2025.</span></p></li></ol>]]></content:encoded></item><item><title><![CDATA[The Compliance Illusion]]></title><description><![CDATA[Passing the Audit Is Not the Same as Managing the Risk. The Evidence Has Been Saying This for Decades.]]></description><link>https://dataaicontinuum.substack.com/p/the-compliance-illusion</link><guid isPermaLink="false">https://dataaicontinuum.substack.com/p/the-compliance-illusion</guid><dc:creator><![CDATA[M Maruf Hossain, PhD, GAICD]]></dc:creator><pubDate>Tue, 23 Jun 2026 03:40:15 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!3mv2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In 2024, TD Bank paid $3.09 billion &#8212; the largest penalty ever imposed under the Bank Secrecy Act in the United States &#8212; for systemic AML compliance failures. The bank was not unsophisticated. It was not under-resourced. It had compliance programmes, training requirements, risk registers, and documented controls. It had, by every formal measure, a compliance function.</p><p>What it lacked was a compliance function that actually stopped the conduct it was designed to prevent.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3mv2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3mv2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png 424w, https://substackcdn.com/image/fetch/$s_!3mv2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png 848w, https://substackcdn.com/image/fetch/$s_!3mv2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png 1272w, https://substackcdn.com/image/fetch/$s_!3mv2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!3mv2!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png" width="1200" height="900" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:1086,&quot;width&quot;:1448,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:3217837,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://maruf42.substack.com/i/202798890?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!3mv2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png 424w, https://substackcdn.com/image/fetch/$s_!3mv2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png 848w, https://substackcdn.com/image/fetch/$s_!3mv2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png 1272w, https://substackcdn.com/image/fetch/$s_!3mv2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad4a1371-6589-4b49-a6cc-235de1f14f15_1448x1086.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>In the same year, global financial penalties reached $4.6 billion &#8212; a <strong>522% increase</strong> from the previous year. Banks accounted for $3.65 billion of that total. In 2023, Santander UK was fined &#163;107.7 million by the FCA for repeated AML control failures &#8212; despite previous warnings that had already produced remediation programmes. In 2022, Danske Bank paid $2 billion for money-laundering violations committed over multiple years through its Estonian branch.</p><p>Each of these institutions had compliance. None of them had control.</p><p>This is the compliance illusion: the belief &#8212; held in boardrooms, risk committees, and audit sign-offs across the regulated world &#8212; that a functioning compliance programme means the risk it addresses is being managed. The evidence, accumulated across decades of regulatory enforcement and three significant waves of financial services misconduct, is unambiguous. A compliance programme demonstrates that controls <em>are in place</em>. It does not demonstrate that controls <em>work</em>. And the gap between those two things is where penalties, enforcement actions, and customer harm accumulate.</p><h1>How the Distinction Got Buried</h1><p>The conflation of compliance and risk management is not accidental. It is the natural outcome of how compliance functions were built and what they were originally designed to do.</p><p>The modern compliance function emerged from the post-financial-crisis regulatory environment of the late 2000s and early 2010s. Its design logic was defensive and custodial: document controls, demonstrate adherence to regulatory requirements, produce evidence that the organisation takes its obligations seriously. Its primary audience was external &#8212; regulators, auditors, courts. Its primary output was documentation.</p><p>This design logic was not dishonest. In a regulatory environment where enforcement depended on whether an organisation had a policy, the rational response was to adopt one. The problem is that the regulatory environment has moved, and the compliance function has not.</p><p>McKinsey&#8217;s 2024 compliance benchmarks found a specific and telling gap: many organisations report strong policies, procedures, and training programmes, yet far fewer embed active remediation, continuous monitoring, or board-level accountability. The documentation layer is strong. The operational effectiveness layer is weak.</p><blockquote><p><em>&#8220;It&#8217;s no longer enough to intend to comply or to have a policy on paper. Regulators now demand demonstrable governance &#8212; documented evidence that you have robust systems, controls, and processes in place and that they are actually working.&#8221; Compliance and Risks, February 2026</em></p></blockquote><p>The DOJ&#8217;s 2023 updated guidance on evaluating effective compliance programmes is explicit on this point. Prosecutors are now instructed to evaluate not whether a compliance programme exists but whether it is &#8220;adequately designed&#8221; and &#8220;being applied earnestly and in good faith&#8221; &#8212; and specifically whether the organisation has &#8220;invested adequately in testing&#8221; the effectiveness of its controls. The test has shifted from existence to effectiveness. Most compliance programmes were not built to pass the new test.</p><h2>The Audit Passes. The Risk Remains.</h2><p>The most revealing feature of the compliance illusion is that it persists even in the face of formal audit processes designed to detect it.</p><p>PwC&#8217;s Global Compliance Survey found that 59% of organisations report that their compliance functions benefit from improved coordination. In the same survey landscape, only <strong>16%</strong> have successfully integrated the data systems required to make those functions operational. Organisations are coordinating their compliance activities. They are not connecting those activities to the operational data that would reveal whether the risk is actually being managed.</p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong>59%</strong></h1><p style="text-align: center;">of organisations report improved compliance coordination. Only 16% have successfully integrated the data systems required to operationalise that coordination.</p><p style="text-align: center;"><em><span data-color="rgb(136, 136, 136)" style="color: rgb(136, 136, 136);">PwC Global Compliance Survey / Compliance Week</span></em></p></div><p>The Q3 2025 GC Risk Index from Corporate Board Member and Diligent Institute surveyed AI governance and found that 29% of companies report having comprehensive AI governance policies, and another 38 % are drafting them. Yet 44% acknowledge that their policies need refinement, and 33% say they are entirely insufficient. That is a survey of what organisations know about their own governance. The gap between the 29% who report comprehensive policies and the 33% who say policies are insufficient is not a measurement error. It reflects organisations at different stages of the same discovery: that the policy they wrote is not the control they needed.</p><p>Gartner&#8217;s research on risk management found that only <strong>18%</strong> of ERM leaders express high confidence in their ability to identify emerging risks. 82% are operating compliance programmes with known uncertainty about whether those programmes are catching the risks they are designed to catch.</p><p>The audit measures documentation, process adherence, and the existence of controls. What the regulator eventually measures &#8212; in enforcement actions, in prudential reviews, in post-failure inquiries &#8212; is whether harm was prevented. These are different measurements. The audit and the enforcement action are not always consistent because they measure different things.</p><h1>The Pattern in Enforcement Actions</h1><p>The consistency of the enforcement record on this point is striking. The same structural finding appears across jurisdictions, sectors, and decades: organisations that sustained significant regulatory penalties almost always had compliance programmes in place. The programme was insufficient not because it was absent but because it was designed to demonstrate compliance rather than achieve it.</p><p>HSBC was fined &#163;57.4 million by the PRA in 2024 for failing to accurately identify customer deposits eligible for FSCS protection between 2015 and 2022. The PRA found that 99% of eligible beneficiary deposits were incorrectly marked as ineligible. Seven years. The compliance function did not catch it. The audit process did not catch it. The regulator caught it.</p><p>Santander UK received warnings from the FCA about its AML controls before the &#163;107.7 million fine in 2023. Remediation programmes were produced. The underlying weakness persisted. The remediation documented the intent to address the problem. It did not solve the problem.</p><p>This is APRA&#8217;s finding about ANZ&#8217;s non-financial risk management, verbatim, applied to a different institution in a different jurisdiction: a remediation programme running for years, producing documentation, governance forums, and policies, while <em>&#8220;APRA has yet to observe significant improvements.&#8221;</em> The pattern is not sector-specific or jurisdiction-specific. It is structural.</p><blockquote><p><em>&#8220;Is enough attention being given to compliance? Or is it just &#8216;box ticking&#8217;?&#8221; Commissioner Hayne, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, 2019</em></p></blockquote><p>The boxes were ticked. The risk was not controlled.</p><h1>Why the Illusion Persists</h1><p>Understanding why sophisticated organisations consistently confuse compliance with control requires taking seriously the incentive structure that makes the confusion rational.</p><p>Compliance documentation is verifiable. It can be audited, signed off, and filed. Risk management effectiveness is hard to verify prospectively. You can only know with confidence whether a control worked after a failure has occurred over a meaningful time horizon. In an environment where auditors and regulators evaluate inputs rather than outcomes, the rational investment is in inputs.</p><p>This is Michael Power&#8217;s &#8220;comfort production&#8221; argument from <em>The Audit Society: Rituals of Verification</em> (Oxford University Press, 1997), now 28 years old and entirely intact: the assurance industry is paid to produce verifiable documentation and legitimacy signals, not to test whether controls actually prevent harm. The external auditor who certifies compliance is not certifying that risk is controlled. They are certifying that the organisation has produced the documentation required for compliance.</p><p>When the incentive shifts &#8212; when a regulator can impose a $3 billion penalty, a billion-dollar capital add-on, or a Court Enforceable Undertaking based on the <em>demonstrated ineffectiveness</em> of controls &#8212; organisations respond. TD Bank&#8217;s $3.09 billion penalty produced a wholesale restructuring of its AML function. APRA&#8217;s CEU produced ANZ&#8217;s Program PACT. The remediation that decades of voluntary compliance improvements failed to produce arrived within months of enforcement actions with real consequences.</p><p>The compliance illusion persists not because organisations are incompetent. It persists because the institutional environment has been structured to reward the appearance of control more reliably than its substance.</p><h1>AI Compliance Is Replicating the Pattern in Real Time</h1><p>The Q3 2025 GC Risk Index finding that 67% of organisations either have comprehensive AI governance policies or are drafting them describes the documentation layer of AI compliance forming at speed. Organisations are writing policies, adopting frameworks, pursuing ISO/IEC 42001 certifications, and completing NIST AI RMF profiles.</p><p>What they are not doing, in most cases, is building technical controls that enforce those policies at the point where AI systems act. The policy says the AI system will not make discriminatory decisions. The technical architecture lacks a runtime control that intercepts the decision before it executes and tests it against the constraint. The compliance documentation exists. The control does not.</p><p>This is the same gap that produced Santander&#8217;s AML failures, HSBC&#8217;s deposit-protection failures, and seven years of governance deficiencies at ANZ. The mechanism is identical: a policy layer that satisfies the documentation requirement, disconnected from an operational layer that would actually prevent the harm.</p><p>There is an additional complexity in AI that makes the gap with its predecessors more dangerous. Traditional compliance failures occur in processes with human actors at decision points. There are natural points of intervention. AI systems making sixty decisions a minute in autonomous workflows have no equivalent natural intervention point unless one is engineered into the architecture.</p><blockquote><p><em>&#8220;Traditional GRC models reinforce this gap. Many programs are designed to document controls and address known risks but are less effective in environments defined by rapid change and interdependence. Static assessments become outdated quickly.&#8221; MJH News, Enterprise Risk Management in 2026, April 2026</em></p></blockquote><p>As of mid-2026, the binding EU AI Act obligations requiring organisations to move from documentation to demonstrated effectiveness have been proposed for deferral until December 2027. The compliance layer is forming faster than the enforcement regime that would test whether it is real.</p><h1>What the Distinction Actually Requires</h1><p>Separating compliance from control is not a philosophical exercise. It has specific operational implications.</p><p>A compliance programme demonstrates that a control exists. A risk management programme demonstrates that the control works &#8212; which requires testing under conditions that would reveal failure, not conditions optimised for audit sign-off.</p><p>In practice, this means: compliance reviews that include live system testing, not just documentation review. AI governance frameworks that specify technical enforcement mechanisms rather than just policy statements. Incident response processes that are tested before incidents occur. Remediation programmes assessed for effectiveness rather than completion, and assessed by parties without a commercial interest in reporting improvement.</p><p>It means asking, before approving a compliance programme, not <em>&#8220;does this demonstrate that we are complying?&#8221;</em> but <em>&#8220;does this demonstrate that the risk is being managed?&#8221;</em> Those are different questions. The first can be answered with documentation. The second requires evidence of operational effectiveness &#8212; and the infrastructure to generate that evidence continuously, not just at audit time.</p><h1>The Uncomfortable Conclusion</h1><p>The compliance illusion is comfortable because it is economically rational and institutionally supported. The documentation is cheaper to produce than the control. The audit is cheaper to satisfy the regulator. The policy is easier to write than the architecture that enforces it.</p><p>What makes it an illusion &#8212; rather than simply a practical compromise &#8212; is that organisations and boards <em>genuinely believe</em> the compliance programme is managing the risk. Not as a cynical performance, but as a sincere conclusion from the evidence available to them: the audit passed, the policy was adopted, the training was completed, the score moved in the right direction.</p><p>The evidence that this belief is wrong is in the enforcement record. $3.09 billion for TD Bank. $4.6 billion in global financial penalties in 2024 alone, a 522% increase from the prior year. Eleven ASIC enforcement actions against ANZ in just over a decade, most after compliance programmes had been running for years.</p><p><em><strong>The compliance programme did not fail. The belief that the compliance programme was managing the risk &#8212; that was the illusion. And it is the one that costs the most.</strong></em></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><h1>References</h1><h4><strong>Academic and Theoretical Sources</strong></h4><ol><li><p><strong>Power, M. (1997). </strong><em>The Audit Society: Rituals of Verification. </em>Oxford University Press.</p></li><li><p><strong>Meyer, J.W. and Rowan, B. (1977). </strong><em>Institutionalized Organizations: Formal Structure as Myth and Ceremony. </em>American Journal of Sociology, 83(2): 340&#8211;363.</p></li><li><p><strong>European Commission (2025). </strong><em>Digital Omnibus Proposal COM(2025) 836 &#8212; proposal to defer EU AI Act Annex III high-risk obligations to December 2027. </em>19 November 2025.</p></li></ol><h4><strong>Regulatory Actions and Enforcement</strong></h4><ol><li><p><strong>US Department of Justice / FinCEN (2024). </strong><em>TD Bank Pleads Guilty to Bank Secrecy Act Violations &#8212; $3.09 billion penalty. </em>DOJ / FinCEN, October 2024.</p></li><li><p><strong>Financial Conduct Authority (UK) (2023). </strong><em>Santander UK fined &#163;107.7 million for AML failures. </em>FCA Final Notice, November 2023.</p></li><li><p><strong>Prudential Regulation Authority (UK) (2024). </strong><em>HSBC fined &#163;57.4 million for FSCS deposit protection failures. </em>PRA Final Notice, 2024.</p></li><li><p><strong>ASIC (2025). </strong><em>25-314MR Federal Court orders $250 million combined penalties against ANZ. </em>ASIC media release, 19 December 2025.</p></li><li><p><strong>APRA (2025). </strong><em>APRA accepts Court Enforceable Undertaking from ANZ and increases capital add-on to $1 billion. </em>APRA media release, 3 April 2025.</p></li><li><p><strong>Hayne, K. (2019). </strong><em>Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry: Final Report. </em>Commonwealth of Australia.</p></li></ol><h4><strong>Research and Survey Sources</strong></h4><ol><li><p><strong>PwC (2024). </strong><em>Global Compliance Survey. </em>PricewaterhouseCoopers / Compliance Week.</p></li><li><p><strong>Corporate Board Member / Diligent Institute (2025). </strong><em>GC Risk Index Q3 2025. </em>Corporate Board Member and Diligent Institute.</p></li><li><p><strong>McKinsey &amp; Company (2024). </strong><em>Compliance Benchmarks: Policies, Procedures and Active Remediation Gap. </em>McKinsey Digital.</p></li><li><p><strong>Gartner (2025). </strong><em>ERM Leader Confidence Survey. </em>Gartner Research.</p></li><li><p><strong>Fenergo (2024). </strong><em>Global AML and Compliance Fines Analysis: First Half 2024. </em>Fenergo.</p></li><li><p><strong>US Department of Justice (2023). </strong><em>Evaluation of Corporate Compliance Programs (updated September 2023). </em>DOJ Criminal Division.</p></li></ol>]]></content:encoded></item><item><title><![CDATA[The Governance Illusion]]></title><description><![CDATA[They Knew. They Always Knew. The Problem Was Never Knowledge.]]></description><link>https://dataaicontinuum.substack.com/p/the-governance-illusion</link><guid isPermaLink="false">https://dataaicontinuum.substack.com/p/the-governance-illusion</guid><dc:creator><![CDATA[M Maruf Hossain, PhD, GAICD]]></dc:creator><pubDate>Sat, 20 Jun 2026 01:03:22 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!aLCG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><span>In April 2025, the Australian Prudential Regulation Authority accepted a Court Enforceable Undertaking from a major Australian bank and raised the bank&#8217;s operational risk capital add-on to $1 billion.</span></p><p><span>The language APRA used was precise and deliberately uncomfortable.</span></p><blockquote><p><em><span>&#8220;Despite this programme being in place for several years, APRA has yet to observe significant improvements in the bank&#8217;s non-financial risk management.&#8221;</span></em></p></blockquote><p><span>A remediation programme had been running. Frameworks had been built. Policies had been documented. Risk committees had convened. Reports had been produced. And APRA, after reviewing it all, concluded that none of it had produced any observable improvement.</span></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!aLCG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!aLCG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png 424w, https://substackcdn.com/image/fetch/$s_!aLCG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png 848w, https://substackcdn.com/image/fetch/$s_!aLCG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png 1272w, https://substackcdn.com/image/fetch/$s_!aLCG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!aLCG!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png" width="1200" height="900" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:1086,&quot;width&quot;:1448,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:3328471,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://dataaicontinuum.substack.com/i/202788275?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!aLCG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png 424w, https://substackcdn.com/image/fetch/$s_!aLCG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png 848w, https://substackcdn.com/image/fetch/$s_!aLCG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png 1272w, https://substackcdn.com/image/fetch/$s_!aLCG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18d698e0-8e91-48ce-a57b-b111b92f3f2e_1448x1086.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p><em><strong><span>I know this because I was there.</span></strong></em></p><p><span>I joined that bank in May 2019. I left in September 2025 &#8212; the same month ASIC announced a record $250 million penalty against the bank for misconduct spanning bond markets and retail banking. During those six years, I worked on data and AI  capability inside one of Australia&#8217;s most systematically regulated financial institutions. I was vocal internally about the gap between what the documents said and what the systems actually did.</span></p><p><span>In July 2025, two months before I left, McKinsey handed APRA a root cause analysis that, in plain language, named exactly what I had spent years raising.</span></p><blockquote><p><em><span>&#8220;NFR policies and practices perceived as compliance-focused and not business-oriented.&#8221;</span></em></p><p><em><span>&#8220;Good news culture masks problems, preventing decision-makers from recognising emerging risks.&#8221;</span></em></p><p><em><span>&#8220;Reluctance to challenge and deliver bad news.&#8221;</span></em></p><p><em><span>&#8220;Mechanical delivery without sustainable outcomes.&#8221;</span></em></p></blockquote><p><span>I did not need McKinsey to tell me. The institution knew before I arrived. Their own 2018 Self-Assessment, completed as part of the post-Hayne Royal Commission process and never made public, was referenced only once in passing in Promontory&#8217;s November 2025 Establishment Report and had already identified these same weaknesses. That was seven years before McKinsey confirmed them. Seven years of knowing. Seven years of remediation programmes. One billion dollars of locked capital and a Court Enforceable Undertaking later, something finally moved.</span></p><p><span>What moved it was not better frameworks. It was the consequences.</span></p><p><span>That observation is the subject of this article. Not the bank specifically. Every institution. Every sector. And now, with particular urgency, AI governance.</span></p><h1>This Is Not a New Problem. It Is a 49-Year-Old One.</h1><p><span>The gap between governance on paper and governance in practice has a precise academic birthdate.</span></p><p><span>In September 1977, John W. Meyer and Brian Rowan published </span><em><span>Institutionalised Organisations: Formal Structure as Myth and Ceremony</span></em><span> in the </span><em><span>American Journal of Sociology</span></em><span>. Their central finding has not aged. Organisations, they argued, adopt formal governance structures not primarily for operational effectiveness, but to conform to &#8220;rationalised institutional myths&#8221; that confer legitimacy. And critically:</span></p><blockquote><p><em><span>&#8220;Because attempts to control and coordinate activities in institutionalised organisations lead to conflicts and loss of legitimacy, elements of structure are decoupled from activities and from each other.&#8221;</span></em></p></blockquote><p><strong><span>Decoupling.</span></strong><span> A formal structure adopted without being implemented. Governance that exists to be seen, not to enforce.</span></p><p><span>This is not a fringe academic observation. It is the foundational theory of a field. DiMaggio and Powell extended it into institutional isomorphism in 1983, the mechanism by which organisations converge on the same governance structures under competitive and regulatory pressure, regardless of whether those structures actually work. Bromley and Powell refined it in 2012 into two distinct failure modes: policy-practice decoupling, where policies are adopted but not implemented; and means-ends decoupling, where policies are implemented but fail to produce their intended effect.</span></p><p><span>The governance profession has had a name for this problem since before most current boards and risk executives entered the workforce. It simply never solved it.</span></p><p><span>Michael Power named the assurance profession&#8217;s contribution to the problem in 1997. His book, </span><em><span>The Audit Society: Rituals of Verification</span></em><span>, argued that the expansion of auditing had produced not substantive assurance but something more pernicious: </span><em><span>comfort production</span></em><span>. The audit process becomes</span></p><blockquote><p><em><span>&#8220;a world in itself, self-referentially creating auditable images of performance&#8221;</span></em></p></blockquote><p><span>Decoupled from the organisational processes it is meant to evaluate. What auditors produce is a reassurance signal directed at external audiences &#8212; investors, regulators, boards. Not an honest assessment of operational reality.</span></p><p><span>What Power described in 1997 is what the AI governance industry now calls governance theatre. The terminology is new. The phenomenon is not.</span></p><h1>The Frameworks Warned Against Themselves</h1><p><span>Here is the part of the history that does not get told often enough.</span></p><p><span>The major corporate governance frameworks did not miss this problem. They saw it coming and said so explicitly. They simply could not prevent it.</span></p><p><span>The </span><strong><span>Cadbury Report (1992)</span></strong><span> &#8212; which introduced the world&#8217;s first comply-or-explain governance code &#8212; explicitly warned that rule-based measures risk encouraging boards to comply with the literal text of a regulation rather than its underlying spirit. Cadbury foresaw the failure mode before the ink was dry on the code he wrote. Six years later, the </span><strong><span>Hampel Committee (1998)</span></strong><span> formally identified what it called a &#8220;box-ticking culture&#8221; and noted that institutional shareholders and proxy advisors had reduced governance evaluation to binary yes/no conformance metrics. The Combined Code that followed tried to correct it. The incentive structure was unchanged.</span></p><p><strong><span>COSO ERM (2004, revised 2017)</span></strong><span> explicitly recast enterprise risk management as a continuous discipline rather than a compliance exercise. The 2017 revision existed precisely because the 2004 version was being used as a checklist. </span><strong><span>King IV (2016)</span></strong><span> was the most direct:</span></p><blockquote><p><em><span>&#8220;It cannot be claimed that good governance is in place simply by virtue of having implemented the recommended practices or by ticking the boxes. Box-ticking compliance is one of the major stumbling blocks towards governance that adds value.&#8221;</span></em></p></blockquote><p><span>King IV said this in 2016 because every framework before it had failed to prevent it. The frameworks kept warning against the dysfunction. The dysfunction kept persisting.</span></p><p><span>The post-failure record confirms that knowledge was never the issue.</span></p><p><strong><span>Enron</span></strong><span> held six consecutive </span><em><span>Fortune</span></em><span> &#8220;Most Innovative Company&#8221; awards from 1996 to 2001. Its board was cited among the best-credentialed in corporate America. It complied with regulatory requirements nearly to the end. The board formally waived its own code of conduct to approve the CFO&#8217;s related-party transactions &#8212; an act that required explicit board approval, demonstrating full awareness that an exception was being made.</span></p><p><strong><span>The 2008 Global Financial Crisis</span></strong><span> produced regulatory frameworks with formally approved risk appetites that were systematically overridden in practice. The Senior Supervisors Group&#8217;s 2009 report found that institutional arrangements &#8220;conferred status and influence on risk takers at the expense of independent risk managers and control personnel.&#8221; Risk officers existed. They lacked authority.</span></p><p><span>And then there is the finding that closes the case.</span></p><p><span>In May 2019, APRA published an information paper covering self-assessments by 36 Australian financial institutions across banking, insurance and superannuation. The finding was unambiguous:</span></p><blockquote><p><em><span>&#8220;The majority of self-assessment findings were reported to be already known to boards and senior leadership, and some issues had been allowed to persist over time&#8230; these issues were often only prioritised when there was regulatory scrutiny or other adverse events.&#8221;</span></em></p></blockquote><p><span>Thirty-six institutions. Across multiple sectors. Already knew. Chose not to remediate. Until someone with consequences showed up.</span></p><p><span>This is not incompetence. It is the entirely rational response of agents operating inside a system that rewards the production of audit-ready documentation more reliably than it rewards the harder, more expensive, more conflict-generating work of substantive control.</span></p><h1>What Calculated Compliance Actually Looks Like From Inside</h1><p><span>McKinsey&#8217;s root cause analysis &#8212; the one shared with APRA in July 2025, the one that confirmed what a 2018 Self-Assessment had already said &#8212; named six enterprise-wide root causes of non-financial risk management failure.</span></p><p><span>Reading them now, from outside the institution, they are clear. Reading them from inside, while they were forming, they were harder to name precisely because they were the water you were swimming in.</span></p><p><span>The six causes were: culture manifesting as reluctance to challenge; capability gaps in risk expertise; blurred accountability across Lines 1 and 2; governance forums operating at an &#8220;emerging level&#8221; compounded by a good news culture; non-financial risk frameworks perceived as compliance-focused and not business-oriented; and projects delivered in a &#8220;mechanical way without sustainable outcomes.&#8221;</span></p><p><span>Four behavioural drivers underlay all six: reluctance to challenge and deliver bad news; complacency and limited self-reflection; insularity and lack of curiosity; and lack of responsiveness that allowed problems to persist and compound.</span></p><p><span>The report also noted &#8212; once, in Promontory&#8217;s Establishment Report, in a sentence that Banking Day described as the most consequential line in the document &#8212; that &#8220;these weaknesses were first identified in the bank&#8217;s 2018 Self-Assessment.&#8221;</span></p><h3><strong><span>Seven years.</span></strong></h3><p><span>The frameworks had been compliant with APRA&#8217;s requirements throughout. The remediation programmes had been documented and reported. The risk committees had met. The governance forums had convened. And the underlying weaknesses had persisted, largely unchanged, for seven years because the cost of surfacing them in a way that required substantive action exceeded the cost of documenting their being addressed.</span></p><blockquote><p><em><span>What the institution could not produce on its own &#8212; what six years of frameworks, policies, and remediation programmes could not produce &#8212; was what APRA&#8217;s billion-dollar capital add-on and a Court Enforceable Undertaking finally forced: the institutional cost of paper governance exceeding the cost of real governance.</span></em></p></blockquote><p><span>I am not describing this as an indictment of the individuals involved. The people building these frameworks, including myself, were working in good faith within a system structured to reward the appearance of control. What APRA named in April 2025 was not a personnel failure. It was a structural one. The system had been optimised for audit sign-off, not operational effectiveness, for long enough that the distinction had become invisible.</span></p><p><span>That is what calculated compliance looks like from the inside. It does not feel like evasion. It feels like governance.</span></p><h1>AI Governance Is Reproducing the Same Pattern. Faster.</h1><p><span>Between 2016 and 2020, the global AI ethics community produced 84 major governance documents. Jobin, Ienca and Vayena, writing in </span><em><span>Nature Machine Intelligence</span></em><span> in 2019, analysed them and found</span></p><blockquote><p><em><span>&#8220;a global convergence emerging around five ethical principles&#8230; with substantive divergence in relation to how they should be implemented.&#8221;</span></em></p></blockquote><p><span>Principles everywhere. Implementation nowhere. In 2019. The field was four years old and already replicating a pattern that corporate governance had been living with for four decades.</span></p><p><span>Ben Wagner named it in 2018 as </span><em><span>ethics washing</span></em><span> &#8212; the use of ethics guidelines as a marketing instrument rather than a governance framework, specifically as a strategy to pre-empt binding regulation. Brent Mittelstadt argued in </span><em><span>Nature Machine Intelligence</span></em><span> the following year that &#8220;principles alone cannot guarantee ethical AI&#8221; and that high-level principles require elaboration into mid-level norms and low-level technical requirements before they have operational purchase.</span></p><p><span>The AI governance field has been diagnosing its own paper-governance problem since before most of its frameworks were written. It has not solved it either.</span></p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong><span>&lt; 30%</span></strong></h1><p style="text-align: center;"><span>of US federal AI governance mandates were actually implemented</span></p><p style="text-align: center;"><em><span data-color="rgb(136, 136, 136)" style="color: rgb(136, 136, 136);">Lawrence et al., AIES 2023</span></em></p></div><p><span>The major frameworks, examined against the paper-versus-practice distinction, are honest about their limits if you read them carefully. The </span><strong><span>NIST AI Risk Management Framework (2023)</span></strong><span> is voluntary, not certifiable, and explicitly not a specification for runtime controls. Koch (2026) demonstrated that governance standards, including the NIST AI RMF, &#8220;do not by themselves yield implementable runtime guardrails&#8221;. An organisation can complete every documentation requirement in the framework while its deployed AI agent operates without a single enforceable control at runtime.</span></p><p><strong><span>ISO/IEC 42001 (2023)</span></strong><span> is the strongest current standard &#8212; certifiable and explicit in requiring evidence of live control, not just documented policy. It is still a management system standard. It specifies what must be governed. It does not specify how enforcement is technically implemented.</span></p><p><span>The </span><strong><span>EU AI Act (2024)</span></strong><span> is binding. It is also slipping. The Commission missed its 2 February 2026 deadline for Article 6 guidance. In November 2025, it tabled the Digital Omnibus proposing to defer Annex III high-risk AI obligations to December 2027. CEN/CENELEC&#8217;s harmonised technical standards &#8212; the documents that would translate legal requirements into testable technical controls &#8212; were due in April 2025 and are now expected no earlier than the end of 2026. As of March 2026, only 8 of 27 EU Member States had fully designated competent national authorities.</span></p><p><span>The most sophisticated AI governance regulatory instrument in the world is, in operational terms, currently producing implementation documentation rather than implementing it.</span></p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong><span>1%</span></strong></h1><p style="text-align: center;"><span>of organisations consider their AI governance mature &#8212; largely because they have not addressed dynamic risks in deployed systems</span></p><p style="text-align: center;"><em><span data-color="rgb(136, 136, 136)" style="color: rgb(136, 136, 136);">Lawson et al., 2025</span></em></p></div><p><span>Lawrence et al., writing in the proceedings of AIES 2023, found that fewer than 30 per cent of US federal AI governance mandates had been implemented, attributing the failure primarily to &#8220;bureaucratic capacity gaps &#8212; insufficient expertise, leadership and personnel&#8221; &#8212; and to regulatory mandates too vague to act on.</span></p><p><span>The pattern is not difficult to see. It is the same pattern. It is just running faster, on systems that can act in milliseconds, in organisations that have inherited the compliance-first methodology of the GRC profession without inheriting its hard-won lessons about why that methodology keeps failing.</span></p><h1>What AI Has That Traditional Governance Never Did</h1><p><span>Here is where the argument shifts.</span></p><p><span>Traditional corporate governance had no equivalent of a runtime control plane. Enforcement meant after-the-fact audit, regulatory action, and litigation &#8212; all retrospective, all operating on timescales measured in months or years. The gap between a governance failure and its detection was wide enough to drive a remediation programme through.</span></p><p><span>AI governance has something different. It has a parallel technical lineage, from ML safety, adversarial robustness, DevSecOps and access governance, that makes governance enforceable at the point of action, not at the point of audit.</span></p><p><span>Runtime guardrails intercept model inputs and outputs in real time. Runtime authorisation layers evaluate whether a proposed agent action has the structural right to execute before executing it. Policy-as-Code systems translate governance norms into machine-readable constraints evaluated deterministically at execution time. Cryptographic audit architectures generate tamper-proof evidence as a natural byproduct of enforcement, not as a separately produced document.</span></p><p><span>Lavi (2026) formalised the core distinction as the </span><strong><span>Right-to-Act protocol</span></strong><span>: a non-compensatory decision boundary in which, if any required structural constraint fails, execution halts &#8212; full stop. Not a weighted risk score where a high confidence rating can compensate for a failed control. A hard blocker. This is the logical structure that traditional governance, with its materiality thresholds, compensating controls and risk appetite tolerances, was architecturally incapable of producing.</span></p><p><span>Koch&#8217;s layered translation method (2026) operationalises the gap between governance intent and runtime enforcement by compiling governance objectives into design-time constraints, runtime mediation layers, and assurance feedback loops. The governance document is the input, not the output, of a control design process.</span></p><blockquote><p><em><span>&#8220;An organisation can satisfy a governance framework while its deployed agent still lacks meaningful runtime controls.&#8221; Koch (2026), arXiv:2604.05229</span></em></p></blockquote><p><span>The technical architecture exists. The question is whether organisations adopt it or use it as the raw material for more sophisticated-sounding documentation.</span></p><h1>What Changes the Verdict</h1><p><span>The research finding I am most confident in is this: the gap between governance on paper and governance in practice is not an epistemic failure. It is a structural one. The institutional environment systematically rewards the production of governance documentation over the implementation of governance controls, and rationally-acting organisations respond accordingly.</span></p><p><span>The fix is not better frameworks. Every decade produces better frameworks. The fix is changing what the institutional environment rewards.</span></p><p><span>These are the specific developments that would constitute evidence that AI governance is breaking the pattern rather than repeating it:</span></p><ul><li><p>EU AI Act enforcement actions that turn on runtime failures, not documentation gaps. Until a regulator penalises an organisation specifically because its AI system acted without enforceable controls, not because its documentation was incomplete, there is no enforcement precedent that distinguishes paper governance from operational governance.</p></li><li><p>Procurement standards require runtime evidence packs. When enterprise and government buyers require suppliers to produce signed runtime decision logs, continuous monitoring telemetry, and live test results as qualification conditions &#8212; rather than governance policy documents &#8212; the economics shift.</p></li><li><p>Assurance firms<span>&#8217;</span> pricing effectiveness testing. The audit economics that Power described in 1997, the firm paid to produce comfort rather than substantive assurance, have not changed. They will change when buyers pay for live system testing rather than document review.</p></li><li><p>CEN/CENELEC technical standards that translate legal requirements into testable controls, on time. The EU AI Act&#8217;s compliance regime is currently a statement of what must be governed, not a specification of what must be tested.</p></li></ul><p><span>Until these materialise, the honest verdict is that AI governance is producing better-branded documentation about implementation rather than implementation itself.</span></p><h1>The Question Nobody Is Asking</h1><p><span>ASIC Chair Joe Longo said something at the September 2025 press conference announcing the bank&#8217;s $250 million penalty that has stayed with me.</span></p><blockquote><p><em><span>&#8220;We have been here before with them. The bank has a history of non-compliance in market matters.&#8221;</span></em></p></blockquote><p><span>Eleven ASIC proceedings in just over a decade. A 2018 Self-Assessment identified the same weaknesses that McKinsey confirmed in 2025. A remediation programme running since 2019 that produced no observable improvement in non-financial risk management. A billion dollars of capital locked up.</span></p><p><span>And the response &#8212; a comprehensive Root Cause Remediation Plan, seven workstreams, Board-approved, quarterly reporting to an independent reviewer, written attestation from Accountable Persons once remediation is complete.</span></p><p><span>More documentation. More attestations. More governance frameworks. To fix the failure of the last governance frameworks.</span></p><div class="pullquote"><p><span>The bank&#8217;s chair said in April 2025: </span><em><span>&#8220;The bank understands that with issues of such importance, we will be measured by what we do, not what we say.&#8221;</span></em></p></div><p><span>That sentence contains, without apparently intending to, the entire argument of this article. Governance that is measured by what you do requires that what you do is observable, enforceable, and consequential. It requires that someone with authority &#8212; a regulator, a buyer, a board &#8212; can verify the doing, not just the saying.</span></p><p><span>The AI governance industry is, right now, producing a great deal of talk. The frameworks are proliferating. The principles are converging. The certifications are being pursued. The roadmaps are being published.</span></p><p><span>The question nobody is asking is the one that a non-executive director asked about the 43-page AI governance framework in an earlier piece in this series.</span></p><blockquote><p><em><span>&#8220;If the CEO came to you tomorrow and said we need to move faster on AI because the competitor down the street just announced something &#8212; what exactly does this framework prevent?&#8221;</span></em></p></blockquote><p><span>If your answer involves a policy document rather than an architecture, you have built governance. You have not built control.</span></p><p><span>The distinction has been named, diagnosed, theorised and documented for 49 years. The consultants know it. The regulators know it. The frameworks know it &#8212; they say so explicitly, in the text.</span></p><p><span>What changes is not more knowledge. What changes is the cost of paper governance exceeding the cost of real governance. Regulators can create that cost. Buyers can create that cost. Boards &#8212; if they understand what they are actually approving &#8212; can create that cost.</span></p><p><span>Until someone does, the governance illusion will persist. Better branded, more technically sophisticated, more expensively certified.</span></p><p><strong><span>But still an illusion.</span></strong></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><h1>References</h1><h4><strong><span>Academic and Theoretical Sources</span></strong></h4><ol><li><p><strong><span>Meyer, J.W. and Rowan, B. (1977). </span></strong><em><span>Institutionalized Organizations: Formal Structure as Myth and Ceremony. </span></em><span>American Journal of Sociology, 83(2): 340&#8211;363.</span></p></li><li><p><strong><span>DiMaggio, P.J. and Powell, W.W. (1983). </span></strong><em><span>The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields. </span></em><span>American Sociological Review, 48(2): 147&#8211;160.</span></p></li><li><p><strong><span>Power, M. (1997). </span></strong><em><span>The Audit Society: Rituals of Verification. </span></em><span>Oxford University Press.</span></p></li><li><p><strong><span>Bromley, P. and Powell, W.W. (2012). </span></strong><em><span>From Smoke and Mirrors to Walking the Talk: Decoupling in the Contemporary World. </span></em><span>Academy of Management Annals, 6(1): 483&#8211;530.</span></p></li><li><p><strong><span>Wagner, B. (2018). </span></strong><em><span>Ethics as an Escape from Regulation: From Ethics-Washing to Ethics-Shopping? </span></em><span>In Being Profiled: Cogitas Ergo Sum. Amsterdam University Press.</span></p></li><li><p><strong><span>Jobin, A., Ienca, M. and Vayena, E. (2019). </span></strong><em><span>The Global Landscape of AI Ethics Guidelines. </span></em><span>Nature Machine Intelligence, 1: 389&#8211;399.</span></p></li><li><p><strong><span>Mittelstadt, B. (2019). </span></strong><em><span>Principles Alone Cannot Guarantee Ethical AI. </span></em><span>Nature Machine Intelligence, 1: 501&#8211;507.</span></p></li><li><p><strong><span>Lawrence, R. et al. (2023). </span></strong><em><span>Exploring AI Governance in U.S. Federal AI Directives. </span></em><span>Proceedings of AIES &#8217;23. ACM.</span></p></li><li><p><strong><span>Lawson, C. et al. (2025). </span></strong><em><span>State of AI Governance Maturity. </span></em><span>Industry survey report, 2025.</span></p></li><li><p><strong><span>Koch, C. (2026). </span></strong><em><span>From Governance Norms to Enforceable Controls: A Layered Translation Method for Runtime Guardrails in Agentic AI. </span></em><span>arXiv:2604.05229. April 2026. [Preprint &#8212; not peer-reviewed.]</span></p></li><li><p><strong><span>Lavi, G. (2026). </span></strong><em><span>Right-to-Act: A Pre-Execution Non-Compensatory Decision Protocol for AI Systems. </span></em><span>arXiv:2604.24153. April 2026. [Preprint &#8212; independent researcher, not peer-reviewed.]</span></p></li></ol><h4><strong><span>Governance Frameworks and Standards</span></strong></h4><ol><li><p><strong><span>Cadbury, A. (1992). </span></strong><em><span>Report of the Committee on the Financial Aspects of Corporate Governance. </span></em><span>Gee Publishing / London Stock Exchange.</span></p></li><li><p><strong><span>Hampel, R. (1998). </span></strong><em><span>Committee on Corporate Governance: Final Report. </span></em><span>Gee Publishing.</span></p></li><li><p><strong><span>COSO (2004; revised 2017). </span></strong><em><span>Enterprise Risk Management &#8212; Integrating with Strategy and Performance. </span></em><span>Committee of Sponsoring Organizations of the Treadway Commission.</span></p></li><li><p><strong><span>King IV Report on Corporate Governance for South Africa (2016). </span></strong><span>Institute of Directors in Southern Africa.</span></p></li><li><p><strong><span>Senior Supervisors Group (2009). </span></strong><em><span>Risk Management Lessons from the Global Banking Crisis of 2008. </span></em><span>Financial Stability Forum.</span></p></li><li><p><strong><span>NIST (2023). </span></strong><em><span>AI Risk Management Framework 1.0. </span></em><span>National Institute of Standards and Technology, U.S. Department of Commerce.</span></p></li><li><p><strong><span>ISO/IEC 42001:2023. </span></strong><em><span>Artificial Intelligence &#8212; Management System. </span></em><span>International Organization for Standardization.</span></p></li><li><p><strong><span>EU Artificial Intelligence Act (2024). </span></strong><span>Regulation (EU) 2024/1689 of the European Parliament and of the Council. Official Journal of the European Union.</span></p></li><li><p><strong><span>Regulatory and Institutional Sources</span></strong></p></li><li><p><strong><span>APRA (2019). </span></strong><em><span>Self-Assessments of Governance, Culture and Accountability: Information Paper. </span></em><span>Australian Prudential Regulation Authority, 22 May 2019.</span></p></li><li><p><strong><span>APRA (April 2025). </span></strong><em><span>APRA accepts Court Enforceable Undertaking from ANZ and increases capital add-on to $1 billion. </span></em><span>APRA media release, 3 April 2025.</span></p></li><li><p><strong><span>ASIC (September 2025). </span></strong><em><span>25-201MR ANZ admits widespread misconduct and agrees to pay $240 million in penalties. </span></em><span>ASIC media release, 15 September 2025.</span></p></li><li><p><strong><span>ASIC (December 2025). </span></strong><em><span>25-314MR Federal Court orders $250 million combined penalties against ANZ. </span></em><span>ASIC media release, 19 December 2025.</span></p></li><li><p><strong><span>ANZ / McKinsey (November 2025). </span></strong><em><span>Root Cause Analysis Summary. </span></em><span>Published 14 November 2025. anz.com.au</span></p></li><li><p><strong><span>Promontory (November 2025). </span></strong><em><span>Independent Review of ANZ&#8217;s Root Cause Remediation Plan: Establishment Report. </span></em><span>Published 14 November 2025. anz.com.au</span></p></li><li><p><strong><span>Oliver Wyman (April 2025). </span></strong><em><span>Global Markets Business Review. </span></em><span>Published 3 April 2025. anz.com.au</span></p></li><li><p><strong><span>Banking Day (November 2025). </span></strong><em><span>&#8216;Root-cause&#8217; spotlight darkens ANZ. </span></em><span>bankingday.com, 16 November 2025.</span></p></li><li><p><strong><span>European Commission (November 2025). </span></strong><em><span>Digital Omnibus Proposal COM(2025) 836. </span></em><span>Proposal to defer EU AI Act Annex III high-risk obligations to December 2027, 19 November 2025.</span></p></li></ol>]]></content:encoded></item><item><title><![CDATA[The Sovereignty Illusion]]></title><description><![CDATA[Why data residency, alliance membership, and vendor contracts won't save you when the letter arrives]]></description><link>https://dataaicontinuum.substack.com/p/the-sovereignty-illusion</link><guid isPermaLink="false">https://dataaicontinuum.substack.com/p/the-sovereignty-illusion</guid><dc:creator><![CDATA[M Maruf Hossain, PhD, GAICD]]></dc:creator><pubDate>Wed, 17 Jun 2026 12:15:26 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gxVq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>A few weeks ago, I was writing <em><a href="https://dataaicontinuum.substack.com/p/you-didnt-buy-ai-you-bought-a-dependency">You Didn&#8217;t Buy AI. You Bought a Dependency</a>.</em> &#8212; an article about pricing, habit formation, and the quiet jurisdictional risk buried inside every frontier AI contract. Somewhere in the middle of drafting it, I found myself constructing a hypothetical. What would actually happen, I asked myself, if a foreign government simply decided to switch the models off? Not gradually, through pricing pressure or market withdrawal, but overnight, as warfare &#8212; with a directive and a deadline and no consultation with the organisations that had built their operations on top of these tools?</p><p>I kept the hypothetical out of the final piece. It felt too speculative. Too convenient an illustration. I filed it away as a scenario worth watching, not one worth publishing.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!gxVq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!gxVq!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png 424w, https://substackcdn.com/image/fetch/$s_!gxVq!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png 848w, https://substackcdn.com/image/fetch/$s_!gxVq!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png 1272w, https://substackcdn.com/image/fetch/$s_!gxVq!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!gxVq!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png" width="1200" height="904.9861495844875" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:1089,&quot;width&quot;:1444,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:3018233,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://dataaicontinuum.substack.com/i/202421781?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!gxVq!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png 424w, https://substackcdn.com/image/fetch/$s_!gxVq!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png 848w, https://substackcdn.com/image/fetch/$s_!gxVq!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png 1272w, https://substackcdn.com/image/fetch/$s_!gxVq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d426e4-cbba-48ac-af94-ed92e06b2bb3_1444x1089.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>On Friday, 12 June 2026, I stopped filing it away.</p><p>At 5:21 pm Eastern Time, the United States Commerce Department issued an export control directive to Anthropic requiring the immediate suspension of all access to Claude Fable 5 and Claude Mythos 5 for any foreign national &#8212; anywhere in the world, including non-American employees inside Anthropic&#8217;s own offices. Unable to verify user nationality in real time, which is technically impossible for a consumer-facing API, Anthropic disabled both models globally for every customer within hours of receiving the directive. No advance notice. No transition period. No consultation with the organisations that had built production systems on top of these tools.</p><p>I had written that article to prepare this audience for a dependency they might not yet have named. I did not expect to be writing a follow-up three weeks later, given the scenario that had arisen.</p><p>API calls began returning errors. Pipelines stopped. Workflows halted. And hundreds of organisations across Australia, the EU, South Korea, India, Japan, and Singapore discovered something that their AI strategies had not prepared them for: access is not control, and access can be revoked at 5:21 pm on a Friday by a government you did not elect, enforcing a law you cannot override, on a timeline of approximately four hours.</p><p>This is not a story about Anthropic. It is a story about a structural assumption that most organisations made without realising they were making it &#8212; and what it now costs to hold it.</p><h1><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">The Dependency Nobody Named</span></strong></h1><p><span>In May of this year, I wrote that the generative AI industry had not raised its prices. It had done something more disorienting: it had lowered them while making you spend more, because the habit was the product. The subsidised access period was not generous. It was a land grab. The organisations that built workflows on it without understanding were discovering the pricing terms.</span></p><p><span>The Fable Ban reveals the other side of the same dependency &#8212; not the financial one, but the jurisdictional one.</span></p><p><span>When you access a frontier AI model through an API, you are not buying software. You are consuming a service hosted on infrastructure located in a foreign jurisdiction, operated by a company subject to that jurisdiction&#8217;s laws, whose continued availability to you depends entirely on the alignment of foreign policy, national security priorities, and the relationships between your government and theirs. You did not sign a contract with the US Commerce Department. But you built on infrastructure that is subject to its authority.</span></p><p><span>According to Anthropic&#8217;s public statement on the directive, the company received the order at 5:21 pm Eastern Time and was not provided with any specific technical details regarding the national security concern. The directive covered not just users located outside the United States, but all foreign nationals wherever they were &#8212; including Anthropic&#8217;s own non-American staff. To comply, Anthropic had no option but to disable both models for every user on Earth. Other Claude models &#8212; Opus 4.8, Sonnet, Haiku &#8212; were unaffected. Only the two most capable ones disappeared.</span></p><p><span>The organisations that found out were the ones whose production systems stopped working. That is a governance failure. Not Anthropic&#8217;s. Theirs.</span></p><h1><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">72 Hours</span></strong></h1><p><span>This is how long it took from the launch of Fable 5 to its global deactivation. Three days.</span></p><p><span>Fable 5 and Mythos 5 are not separate architectures. According to Anthropic&#8217;s launch documentation, they are the same underlying model &#8212; the same weights, the same Mythos-class capability positioned above the Opus tier &#8212; sold as two products differentiated only by the presence or absence of a safety classification layer. Fable 5 was the public version, with classifiers that blocked queries in cybersecurity, biology, and chemistry domains and fell back to Claude Opus 4.8 when triggered. Anthropic reported that this fallback occurred in fewer than 5% of sessions. Mythos 5 was the same model, with those classifiers lifted in specific areas, distributed only to vetted cyber defenders and critical infrastructure operators through Project Glasswing.</span></p><p><span>The capability that triggered the ban was not a novel exploit. According to Anthropic&#8217;s statement, the US government cited a technique in which asking Fable 5 to read a codebase and suggest fixes caused the model to produce vulnerability analyses beyond what the classifiers were designed to allow. Anthropic contested the characterisation. It noted that the same capability was available from other models, including OpenAI&#8217;s GPT-5.5, and that cybersecurity professionals used equivalent analysis daily in defensive work. According to Axios&#8217;s reporting, Commerce Secretary Howard Lutnick issued the directive after another company claimed it had jailbroken Mythos &#8212; and after the administration had unsuccessfully tried to get Anthropic to delay the launch.</span></p><p><span>The legal mechanism used is worth noting precisely because it will be used again. The Bureau of Industry and Security&#8217;s &#8220;is informed&#8221; letter immediately imposes an export licence requirement, without notice-and-comment rulemaking. It was built to restrict microchip sales to China. It has now been applied to a software-delivered API service consumed by organisations in forty countries. That is new legal territory, and the precedent stands regardless of whether access is restored.</span></p><blockquote><p><em><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Export-control machinery built for microchips and weapons is now being pointed at a deployed consumer model. According to legal commentary in Lawfare and Tech Policy Press, this is new territory with no settled process behind it. Model recalls may become normal, and the prospect is now a live risk factor in any future AI vendor listing and in any enterprise procurement decision.</span></em></p></blockquote><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">72</span></strong></h1><p style="text-align: center;"><strong><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Hours from Fable 5&#8217;s public launch to global deactivation</span></strong></p><p style="text-align: center;"><em><span data-color="rgb(136, 136, 136)" style="color: rgb(136, 136, 136);">Commerce Department directive issued 12 June 2026 at 5:21 pm ET</span></em></p></div><h1><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">What &#8220;Sovereign AI&#8221; Actually Requires</span></strong></h1><p><span>The phrase &#8220;sovereign AI&#8221; has been circulating in policy documents and strategy decks for two years. In most of those documents, it means something vague &#8212; a combination of data localisation, domestic compute investment, and aspirations about home-grown capability. The Fable Ban has made it specific.</span></p><p><span>According to an analysis published by The Conversation in the days following the ban, genuine AI sovereignty requires four distinct and non-substitutable things. First, data sovereignty: data is physically stored within the jurisdiction and is subject to its laws. Second, compute sovereignty: data centres under domestic control, not merely domestic location. Third, model sovereignty: AI capability that does not depend on a foreign provider. Fourth, policy sovereignty: the ability to set domestic rules rather than inheriting another country&#8217;s export controls by default.</span></p><p><span>Most of the organisations currently claiming &#8220;sovereign AI&#8221; have the first and partial elements of the second. They have essentially none of the third or fourth. And the Fable Ban is a precise demonstration of what that gap costs.</span></p><p><span>Australia is the clearest example. Microsoft&#8217;s A$25 billion infrastructure commitment and AWS&#8217;s A$20 billion commitment deliver data residency &#8212; data sitting in Sydney. They do not deliver sovereignty. Data in an AWS Sydney data centre still runs on a US-company infrastructure subject to US export law. According to Macquarie Technology Group&#8217;s Head of Industry and Policy, Jamie Morse, &#8220;access to critical AI capabilities is increasingly governed by sovereign authority rather than markets or partnerships. Systems that rely on access instead of control will inherently be vulnerable to sovereign intervention.&#8221;</span></p><p><span>That is the distinction boards need to understand. Data residency and model sovereignty are categorically different things. The Fable Ban collapsed the gap between them in about four hours.</span></p><h1><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">Alliance Membership Is Not an Exemption</span></strong></h1><p><span>This is the finding that should concern Australian and European boards most.</span></p><p><span>Australia is a Five Eyes member. It is an AUKUS partner. Its intelligence services cooperate daily with US counterparts. Its defence relationship with Washington is among the closest in the world. None of that mattered. Australian users lost access to Fable 5 and Mythos 5 in the same way as users in nations with no alliance relationship. The directive operated on the nationality of individual users, not on the geopolitical alignment of governments.</span></p><p><span>According to the Australian Strategic Policy Institute&#8217;s analysis published on 16 June 2026, &#8220;the suspension of Fable 5 and Mythos 5 is particularly instructive. Within 72 hours of the 9 June release, the US government issued an export-control directive requiring Anthropic to restrict foreign nationals&#8217; access to these models. The practical effect, the company said, was that it had to disable access globally for all users to ensure compliance, meaning a leading-edge AI capability, available to enterprises and governments worldwide, was removed from the market by sovereign decision.&#8221;</span></p><p><span>EU nations fared no differently. German developers, French security researchers, Dutch compliance teams &#8212; all received the same 403 Forbidden error. The EU had gained access to Mythos earlier in June after protracted negotiations. None of that access survived Friday afternoon. According to EUobserver&#8217;s commentary, &#8220;the US government&#8217;s decision to block non-US citizens from accessing Anthropic&#8217;s most advanced AI models shows how much Europe is at the mercy of foreign governments and companies.&#8221;</span></p><p><span>The proposed solution emerging from the G7 summit on 15-17 June &#8212; a &#8220;trusted partners&#8221; framework that would give vetted allied nations access to US frontier models &#8212; should be read with clarity. It is not a sovereign solution. It is the formalisation of US frontier AI as a geopolitical bargaining chip, with access conditional on ongoing alignment and revocable when that alignment shifts. An organisation or nation that accepts &#8220;trusted partner&#8221; status as a substitute for model sovereignty has traded one form of dependency for a more explicit one.</span></p><blockquote><p><em><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">The Five Eyes partnership did not prevent Australia losing access to Fable 5. What makes anyone confident it would prevent the next directive?</span></em></p></blockquote><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">70%</span></strong></h1><p style="text-align: center;"><strong><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Share of the EU&#8217;s cloud market held by AWS, Azure, and Google Cloud</span></strong></p><p style="text-align: center;"><em><span data-color="rgb(136, 136, 136)" style="color: rgb(136, 136, 136);">TechRadar, citing CISPE analysis, June 2026</span></em></p></div><h1><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">The Sovereignty Washing Problem</span></strong></h1><p><span>The European Commission&#8217;s response has been the most institutionally elaborate. The Cloud and AI Development Act, proposed on 3 June 2026 &#8212; nine days before the ban &#8212; establishes a four-tier sovereignty assurance framework, an Open Source First procurement principle, and a &#8364;2 billion investment envelope for sovereign cloud infrastructure. According to the Cloud Security Alliance&#8217;s analysis of CADA, the framework introduces &#8220;the first EU-wide, four-tier sovereignty assurance framework for cloud and AI services, unifying into a single legislative instrument what had previously been fragmented across national sovereign cloud programmes&#8221;.</span></p><p><span>The ambition is real. The gap between the ambition and the structural reality is also real, and the European cloud industry is naming it.</span></p><p><span>24 European cloud CEOs wrote to EU Tech Sovereignty Executive Vice-President Henna Virkkunen, warning of what they called &#8220;sovereignty washing&#8221; &#8212; the risk that CADA allows American hyperscalers to continue driving their dominance by satisfying tier requirements through EU-located subsidiaries while ultimate control and legal jurisdiction remain in the United States. According to TechRadar&#8217;s reporting, AWS, Azure, and Google Cloud collectively account for approximately 70 per cent of the EU&#8217;s cloud market, and Microsoft has explicitly stated it cannot fully guarantee EU data sovereignty because it must comply with US legal orders.</span></p><p><span>That last sentence is the core issue. A data centre in Frankfurt operated by a US company subject to US export law is not Level 3 sovereignty under any meaningful definition of the term. It is Level 1 at best, with a flag on the building.</span></p><p><span>The compute arithmetic compounds the problem. The United States accounts for approximately 80% of global AI compute capacity. Europe hosts around 5%. According to analysis from Julio Romo&#8217;s AI sovereignty commentary published on 14 June 2026, the EU announced a &#8364;47 billion AI investment programme at the start of 2026, while US firms are projected to invest over $650 billion in AI development in the same period. That gap is not closing at any meaningful speed. CADA&#8217;s ambition to triple EU data centre capacity by 2036 is a necessary commitment on a fifteen-year timeline in a domain where the strategic consequences are arriving on a fifteen-day timeline.</span></p><h1><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">The China Paradox</span></strong></h1><p><span>There is an unintended consequence of the Fable Ban that receives too little attention in Western commentary, and it matters enormously for non-US organisations evaluating their sovereign AI response.</span></p><p><span>China&#8217;s AI sector was essentially unaffected. Chinese entities had no access to Fable 5 or Mythos 5 to lose &#8212; domestic policy already prohibits or heavily restricts foreign cloud and AI providers for data involving critical systems. What the ban does for China is accelerate the attractiveness of Chinese AI alternatives to every other country in the world.</span></p><p><span>According to Stocktwits reporting on 15 June 2026, Zhipu AI surged 32.8% on the Hong Kong Stock Exchange after releasing GLM-5.2, declaring publicly that &#8220;cutting-edge intelligence should not belong to only a few, nor should it be withdrawn at any time.&#8221; Chinese open-weight models &#8212; DeepSeek R1, Alibaba&#8217;s Qwen, Moonshot&#8217;s Kimi &#8212; accounted for 17.1% of global downloads in 2025, surpassing the US share of 15.8%, making them the most widely adopted open-weight models in the world.</span></p><p><span>The appeal is structural. A self-hosted open-weight model cannot be remotely deactivated by a foreign government&#8217;s administrative directive. The kill-switch risk that materialised on 12 June simply does not apply when you physically possess and control the model weights. That is a genuinely compelling sovereignty argument.</span></p><p><span>It is also, as Nikhil Narendran of Trilegal articulated in India&#8217;s economic press following the ban, a trap. According to Business Standard&#8217;s reporting, Narendran&#8217;s warning was direct: &#8220;If India merely responds to American dependency by rushing into Chinese dependency, we haven&#8217;t achieved sovereignty. We have merely changed our landlord&#8221;. A Chinese open-weight model carries its own opacity risks, its own questions about training data, and its own exposure to the political priorities of a different government. The argument for self-hosted open-weight models is an argument for models you can independently audit and verify &#8212; not models whose training lineage traces to a state-backed research ecosystem with its own alignment incentives.</span></p><blockquote><p><em><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Sovereignty is not about which foreign dependency you prefer. It is about eliminating foreign dependency from your most critical AI workloads.</span></em></p></blockquote><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">80%</span></strong></h1><p style="text-align: center;"><strong><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Share of global AI compute capacity held by the United States</span></strong></p><p style="text-align: center;"><em><span data-color="rgb(136, 136, 136)" style="color: rgb(136, 136, 136);">Analysis cited in Julio Romo, &#8220;The AI Sovereignty Wake-Up Call,&#8221; 14 June 2026</span></em></p></div><h1><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">What Organisations Should Do &#8212; And What Will Not Help</span></strong></h1><p><span>I want to be specific here because I have sat through enough boardroom AI conversations to know that vague recommendations generate process without changing posture.</span></p><p><span>Multi-provider routing is the immediate structural hedge. A multi-provider AI gateway that can shift queries to alternative providers or local models when an external API is unavailable converts a geopolitical outage into a configuration change. According to Truefoundry&#8217;s operational analysis of the ban, teams that owned their inference stack continued to run. Teams that had hard-coded against a single provider&#8217;s API string did not. This is the most tractable near-term action for any organisation that currently runs production AI workloads with a single external provider.</span></p><p><span>Contract renegotiation is overdue and underestimated. Standard AI vendor terms treat government export control directives as force majeure, legally excusing the vendor from performance while leaving the customer bound to payment commitments. That clause needs to be renegotiated in every significant AI vendor agreement. Sovereign-conscious contract structures exclude regulatory deactivation from force majeure definitions, require the vendor to obtain the necessary export permits, and establish pro rata refund mechanisms for deactivation events. According to legal analysis published by Bristows LLP on 14 June 2026, the Fable Ban makes these provisions non-negotiable rather than merely preferable in any future enterprise AI contract.</span></p><p><span>Data residency is necessary but insufficient. This cannot be repeated enough. Foreign hyperscaler data centres on domestic soil provide data location, not sovereignty. If your &#8220;sovereign AI&#8221; strategy consists of ensuring your data sits in a local AWS availability zone, the Fable Ban has demonstrated that this provides no protection against a US export control directive.</span></p><p><span>Self-hosted open-weight models for sovereignty-critical workloads. For government, defence, critical infrastructure, and regulated financial services &#8212; any workload where a four-hour outage with no recourse is operationally or legally unacceptable &#8212; the only structural hedge is physical control of the model layer. This means self-hosted, auditable, open-weight models running on infrastructure you control. The capability gap relative to frontier closed models is real and should be acknowledged honestly. But it is a capability trade-off you choose, not a kill switch someone else holds.</span></p><p><span>Rebuilding your vendor contracts will not address the fundamental vulnerability. I want to name this directly. Contract reform, data localisation, and multi-provider routing are all necessary responses to the Fable Ban. None of them addresses the underlying strategic reality: as long as your most capable AI workloads depend on frontier models that you do not control, you are one foreign government directive away from the same outcome. The Fable Ban is not the last instance of this mechanism. It is the demonstration case. The policy apparatus that produced it exists and will be used again.</span></p><h1><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">The Deeper Failure</span></strong></h1><p><span>The Fable Ban will eventually be resolved. Access to these models will likely be restored, with conditions &#8212; a vetting layer, additional safeguards, a narrower distribution model. The operational disruption will end.</span></p><p><span>The structural failure it revealed will not resolve on its own.</span></p><p><span>For years, the AI governance conversation in Australia, the EU, and across Asia has treated sovereignty as a long-run policy objective &#8212; important, worth investing in eventually, something to address after the more immediate question of how to deploy AI effectively and at scale. The Fable Ban compressed that timeline in a single Friday afternoon.</span></p><p><span>The organisations that build genuine sovereign capability &#8212; domestic compute, model-layer control, auditable open-weight alternatives for critical workloads, contractual structures that allocate export-control risk correctly &#8212; will carry a structural resilience advantage that compounds as geopolitical AI fragmentation continues. The organisations that treat sovereignty as data residency plus a long-run government policy aspiration will find themselves having this same conversation again. Probably at shorter notice.</span></p><p><span>According to The Conversation&#8217;s analysis published days after the ban, &#8220;to prepare for the future, Australia needs a strategy for its own sovereign AI. This can&#8217;t be a distant aspiration: it needs to be an operational plan with named owners, timelines and budget&#8221;.</span></p><p><span>That framing applies equally to every non-US organisation that lost access to Fable 5 last weekend.</span></p><p><span>The question boards need to answer is not whether they have an AI strategy. It is whether that strategy would have survived Friday afternoon &#8212; and what it will take to ensure the next one does.</span></p><blockquote><p><em><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">The era of assuming uninterrupted, globalised access to frontier AI has ended. The organisations that treat that assumption as history rather than policy will be the ones still running when the next letter arrives.</span></em></p></blockquote><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><div class="pullquote"><p style="text-align: center;"><em><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">The Data-AI Continuum explores the strategic and governance dimensions of AI at the intersection of boardrooms, policy, and practice.</span></em></p></div><h1><strong><span data-color="rgb(27, 42, 74)" style="color: rgb(27, 42, 74);">References</span></strong></h1><ul><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Anthropic. (2026, June 12). Statement on the US government directive to suspend access to Fable 5 and Mythos 5. anthropic.com</span></p></li><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Australian Strategic Policy Institute. (2026, June 16). To maintain access to frontier AI, decide where independence matters most. The Strategist. aspistrategist.org.au</span></p></li><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Axios. (2026, June 12). Scoop: Trump admin blocks foreign access to Anthropic&#8217;s most powerful AI. axios.com</span></p></li><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Bristows LLP. (2026, June 14). Anthropic suspends access to Fable and Mythos models: implications for AI sovereignty and contracts. Inquisitive Minds. inquisitiveminds.bristows.com</span></p></li><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Business Standard. (2026, June 15). Fable 5 shutdown exposes geopolitics of AI access, risks of dependence. business-standard.com</span></p></li><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Cloud Security Alliance AI Safety Initiative. (2026, June 6). EU CADA: Enterprise sovereignty compliance for cloud AI. labs.cloudsecurityalliance.org</span></p></li><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">EUobserver. (2026, June 15). Digital sovereignty: safeguarding the European model in the age of the tech coup. euobserver.com</span></p></li><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Macquarie Technology Group, J. Morse. (2026, June 16). Cited in: Export control restrictions on Anthropic show frontier AI models are strategic assets. Stocktwits/Benzinga. stocktwits.com</span></p></li><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Mirage News / The Conversation. (2026, June 17). The US government can shut off access to AI at will. What does this mean for Australia? miragenews.com</span></p></li><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Romo, J. (2026, June 14). Anthropic&#8217;s Fable 5 Ban: The AI sovereignty wake-up call. twofourseven.co.uk</span></p></li><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">TechRadar. (2026). Dozens of European cloud CEOs call for real tech sovereignty ahead of Cloud and AI Development Act. techradar.com</span></p></li><li><p><span data-color="rgb(74, 85, 104)" style="color: rgb(74, 85, 104);">Truefoundry. (2026, June 15). The Fable 5 &amp; Mythos 5 ban: Why you need a multi-provider AI gateway. truefoundry.com</span></p></li></ul>]]></content:encoded></item><item><title><![CDATA[We Keep Calling It the Wrong Thing]]></title><description><![CDATA[Digital transformation.]]></description><link>https://dataaicontinuum.substack.com/p/we-keep-calling-it-the-wrong-thing</link><guid isPermaLink="false">https://dataaicontinuum.substack.com/p/we-keep-calling-it-the-wrong-thing</guid><dc:creator><![CDATA[M Maruf Hossain, PhD, GAICD]]></dc:creator><pubDate>Wed, 03 Jun 2026 23:30:42 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!94in!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p><em>Digital transformation. AI transformation. We have been naming the symptom and ignoring the disease. What organisations actually need &#8212; and almost none have built &#8212; is something harder, quieter, and far more generative: a transformation of thinking.</em></p></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!94in!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!94in!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png 424w, https://substackcdn.com/image/fetch/$s_!94in!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png 848w, https://substackcdn.com/image/fetch/$s_!94in!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png 1272w, https://substackcdn.com/image/fetch/$s_!94in!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!94in!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png" width="1200" height="900" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:1086,&quot;width&quot;:1448,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:2633670,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://dataaicontinuum.substack.com/i/200534889?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!94in!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png 424w, https://substackcdn.com/image/fetch/$s_!94in!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png 848w, https://substackcdn.com/image/fetch/$s_!94in!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png 1272w, https://substackcdn.com/image/fetch/$s_!94in!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44f4da0c-a64e-492d-a999-0f8896d50ca4_1448x1086.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>It was a strategy offsite. One of those two-day affairs in a regional retreat where the real decisions get made in the margins of the formal programme. I was there in an advisory capacity, and for most of the first morning, the conversation tracked exactly as you would expect: digital transformation roadmap, AI use cases, data platforms, vendor selection.</p><p style="text-align: justify;">Then a quiet executive &#8212; head of operations, twenty-two years with the organisation &#8212; asked a question that stopped the room.</p><p style="text-align: justify;">&#8220;We spent four years on digital transformation. Then we spent two years on AI transformation. We changed the systems. We changed the tools. We changed the org chart. But I still see the same decisions being made in the same ways for the same reasons. What exactly did we transform?&#8221;</p><p style="text-align: justify;">Nobody had a clean answer.</p><p style="text-align: justify;">I have thought about that question many times since. Because it is not just the right question for that organisation. It is the right question for the whole industry. And the honest answer &#8212; the one the data actually supports &#8212; is uncomfortable: most organisations have transformed their technology stack while leaving their thinking almost entirely untouched.</p><p style="text-align: justify;">That is not a cultural problem. It is not a change management problem. It is a cognitive and epistemological problem. And until we name it correctly, we will keep designing programmes that address the wrong layer.</p><h1>The Failure Rate Nobody Interrogates</h1><p style="text-align: justify;">Let me start with a statistic that almost everyone in this space has quoted at some point and almost no one has examined.</p><p style="text-align: justify;">&#8220;Seventy per cent of transformation programmes fail.&#8221; You have probably said it in a presentation. I have said it in presentations. It appears in McKinsey decks, BCG reports, Kotter keynotes, and roughly ten thousand LinkedIn posts per quarter. It has the ring of settled empirical fact.</p><p style="text-align: justify;">It is not a settled empirical fact.</p><p style="text-align: justify;">The figure traces back to a 1993 book &#8212; Reengineering the Corporation, by Michael Hammer and James Champy &#8212; in which Hammer described it as, in his own words, &#8220;our unscientific estimate&#8221; of the rate at which reengineering efforts (not all transformations, specifically reengineering) failed to meet their targets. He disowned it two years later. John Kotter, the other most-cited source, did not actually state &#8220;seventy per cent&#8221; in his famous 1995 HBR essay. He generalised from observation of a hundred-odd companies and arrived at the number later, in a 2008 book. Nobody has ever done the rigorous peer-reviewed study that would make the figure defensible.</p><blockquote><p><em><strong>A field that advocates data-driven decision-making has recycled a contested statistic for thirty years without examining its provenance. That is not an irony. That is a demonstration of the exact problem.</strong></em></p></blockquote><p style="text-align: justify;">What we do have is BCG&#8217;s transparent survey of nearly 900 transformation programmes, which found that only around 30 per cent met or exceeded their target value and produced sustainable change. That is the honest number. And it has not improved over three decades of technological advancement, billions spent on consulting, and an entire industry of transformation methodologies.</p><p style="text-align: justify;">The tools have transformed. The failure rate has not moved.</p><p style="text-align: justify;">That stability across three technological waves is not a technology problem. If it were a technology problem, better technology would have fixed it. The problem is underneath the technology.</p><h1>What the AI Numbers Actually Show</h1><p style="text-align: justify;">The AI transformation data is younger but follows the same trajectory.</p><p style="text-align: justify;">According to McKinsey&#8217;s 2025 State of AI survey of nearly two thousand organisations across a hundred and five countries, eighty-eight per cent were using AI in at least one function. Impressive adoption numbers. Then the follow-through: only thirty-nine per cent reported any measurable enterprise-level EBIT impact. And the organisations capturing significant value &#8212; five per cent or more of EBIT attributed to AI &#8212; accounted for roughly six per cent of the sample.</p><p style="text-align: justify;">MIT&#8217;s Project NANDA published an analysis in mid-2025 that found that approximately 95 per cent of enterprise generative AI pilots produced no measurable P&amp;L return. The study was based on three hundred publicly disclosed AI initiatives, fifty-two structured interviews, and over a hundred and fifty senior-leader survey responses. Lead researcher Aditya Challapally was direct about the cause: it was not model quality, not regulation, not talent scarcity. He called it a learning gap &#8212; organisations deploying AI on top of unchanged mental models and unchanged workflows.</p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong>~95%</strong></h1><p style="text-align: center;">of enterprise GenAI pilots produced no measurable P&amp;L impact.</p><p style="text-align: center;"><em>MIT Project NANDA, 2025.</em></p></div><p style="text-align: justify;">According to a July 2024 Gartner press release, at least 30% of generative AI projects would be abandoned after proof of concept by the end of 2025. Later data suggested the actual abandonment rate was closer to fifty per cent.</p><p style="text-align: justify;">I want to be careful here, as I always try to be with industry statistics. The MIT figure has been contested &#8212; critics called the study&#8217;s sample too small to be representative. The Gartner forecast was a prediction, not a measurement. BCG and McKinsey have structural incentives to frame AI adoption as a crisis requiring their intervention. I have written before about the importance of reading research against its source.</p><p style="text-align: justify;">But here is what is difficult to argue with: the best-resourced organisations in the world, with access to the best AI models, consultants, and data, are largely failing to capture the value they expected. Not in every case. Not uniformly. But persistently, at scale, across industries and geographies.</p><p style="text-align: justify;">That is not a technology problem. The technology has never been better. Something else is not working.</p><h1>The Layer Nobody Is Working On</h1><p style="text-align: justify;">In the late 1970s, a Harvard professor named Chris Argyris spent years trying to understand why intelligent, capable professionals failed to learn from experience. His answer was both precise and devastating.</p><p style="text-align: justify;">He called it single-loop learning: the correction of errors within an existing set of governing assumptions. The analogy is a thermostat. It detects that the room is too cold and turns up the heating. It is correcting an error. But it never asks whether seventy degrees is the right target. It never examines the assumption that generated the target in the first place.</p><p style="text-align: justify;">Most transformation programmes, Argyris would have observed, are thermostats.</p><p style="text-align: justify;">They measure adoption rates. They track tool usage. They report on deployment progress. They correct errors in implementation. They do all of this within a set of governing assumptions &#8212; about how decisions should be made, where human judgment sits relative to algorithmic recommendation, what expertise means, what accountability looks like &#8212; that they never examine, never surface, and never challenge.</p><blockquote><p><em><strong>Double-loop learning is when you question the assumption that generated the problem, not just the problem itself. Almost no transformation programme is designed to do this.</strong></em></p></blockquote><p style="text-align: justify;">Argyris&#8217;s most uncomfortable finding was that skilled professionals are often the hardest to reach with double-loop learning. Success insulates them. When their self-image is challenged, they resort to what he called defensive reasoning &#8212; arguing, reframing, blaming external circumstances. Not because they are bad people, but because it is structurally what expertise-as-identity produces.</p><p style="text-align: justify;">Read that against the McKinsey finding that the single strongest predictor of EBIT impact from AI is workflow redesign &#8212; not model selection, not data quality, not deployment speed. Workflow redesign. And yet only twenty-one per cent of organisations using generative AI had redesigned at least some workflows. Nearly eighty per cent were layering AI on top of existing processes.</p><p style="text-align: justify;">Layering AI on top of existing processes is the organisational expression of single-loop learning. You are correcting the speed of a decision without examining whether the decision itself is right. You are automating a process without first asking whether it should exist. You are deploying capability into a cognitive architecture built for a different era and expecting it to drive transformation.</p><p style="text-align: justify;">It will not.</p><h1>The Cognitive Offloading Trap</h1><p style="text-align: justify;">There is a distinction I have been using in advisory conversations recently that I want to put on the record because I think it names something happening at scale that organisations are not equipped to see.</p><p style="text-align: justify;">It is the distinction between cognitive offloading and cognitive outsourcing.</p><p style="text-align: justify;">Cognitive offloading is healthy. It is using technology to free up mental bandwidth &#8212; to reduce the cognitive load of routine informational tasks so that attention can be directed to what matters most. Writing tools that handle formatting. Search tools that surface relevant context. Data pipelines that automate cleaning. These amplify human judgment without replacing it.</p><p style="text-align: justify;">Cognitive outsourcing is different. It is the passive abdication of the cognitive process itself &#8212; accepting AI output without analytical filter, without verification, without the friction of genuine evaluation. The convenience is real. The seduction is understandable. And the consequence, over time, is the gradual erosion of the very faculties that make human oversight of AI meaningful.</p><p style="text-align: justify;">According to a 2025 study by researchers at Microsoft and Carnegie Mellon University, published in the proceedings of CHI, the premier human-computer interaction conference, a survey of three hundred and nineteen knowledge workers found that higher confidence in generative AI was associated with less critical thinking, while higher self-confidence was associated with more critical thinking. AI use was shifting the nature of cognitive engagement from original reasoning toward verification, integration, and what the researchers called task stewardship &#8212; checking, not thinking.</p><p style="text-align: justify;">This is not a new phenomenon. The engineering literature has been documenting automation bias, the tendency to over-rely on automated systems at the expense of contradictory information from other sources, even when those sources are correct, since at least the late 1990s. According to Parasuraman and Manzey&#8217;s major integrative review published in Human Factors in 2010, automation complacency degrades failure detection, is found in both naive and expert participants, and cannot be overcome with simple practice.</p><blockquote><p><em><strong>The same quality that makes generative AI commercially attractive &#8212; fluent, confident outputs at speed &#8212; is what makes epistemic vigilance harder to maintain. A wrong answer delivered with confidence is more dangerous than a wrong answer delivered with hesitation.</strong></em></p></blockquote><p style="text-align: justify;">There is a deeper version of this concern that Michael Polanyi named in 1966, long before anyone was worried about AI. Genuine expertise, he argued, is substantially non-codifiable &#8212; rooted in embodied practice, accumulated pattern recognition, and the kind of contextual judgment that resists explicit articulation. He called it tacit knowledge. &#8220;We know more than we can tell.&#8221;</p><p style="text-align: justify;">When professionals over-rely on AI systems, they are not merely accepting specific wrong answers. They are systematically trading the development of tacit, experiential knowledge for the consumption of explicitly generated text. Over time, this degrades the cognitive substrate that makes human oversight meaningful. Governance becomes theatre when the humans reviewing AI outputs have atrophied the domain expertise required to evaluate them.</p><p style="text-align: justify;">I have seen this in practice. I sat in a risk review meeting where an AI-generated analysis was presented to the committee. It was well-structured, internally consistent, and completely wrong on the key assumption. Nobody caught it &#8212; not because the people in the room were incompetent, but because nobody had done the underlying reasoning independently. They had outsourced the thinking and retained only the checking. And checking without thinking is not an oversight. It is the appearance of oversight.</p><h1>Keeping the Guard Is Not What You Think It Means</h1><p style="text-align: justify;">When I say we need to keep the guard, I am not arguing for scepticism of AI. I am not arguing for slowing down. I am not describing the posture of a cautious laggard who needs to be convinced.</p><p style="text-align: justify;">I am describing something much more specific and much more active: the disciplined exercise of human judgment in the presence of systems that are enormously useful and fundamentally untrustworthy in specific, consequential ways.</p><p style="text-align: justify;">Hannah Arendt was not writing about artificial intelligence when she developed her analysis of the banality of evil &#8212; her conclusion that the most catastrophic failures of institutional decision-making arise not from malice but from thoughtlessness, the absence of the reflective pause that separates execution from judgment. But the structural argument is identical. An organisation that deploys AI systems without cultivating the capacity to question, verify, and override them has not avoided the abdication of judgment. It has automated it.</p><p style="text-align: justify;">The cognitive scientist Gary Klein developed what he calls a pre-mortem: before a decision is executed, the team imagines that it has already failed and works backward to understand what went wrong. It is a structured method for compelling the slow, effortful thinking that Daniel Kahneman calls System 2 in Thinking, Fast and Slow into a process that would otherwise default to the fast, automatic, bias-prone System 1. The point is not pessimism. The point is that epistemic vigilance does not arise naturally under time pressure. It must be designed in.</p><blockquote><p><em><strong>Epistemic vigilance is not a constant state of suspicion. It is the embedding of structured opportunities for critical engagement at the moments when the cost of getting it wrong is highest.</strong></em></p></blockquote><p style="text-align: justify;">Philip Tetlock spent decades studying forecasting and found something remarkable, documented in Superforecasting, his 2015 book with Dan Gardner: the people who consistently outperformed professional intelligence analysts &#8212; even those with access to classified information &#8212; shared a specific cognitive profile. They were actively open-minded. They were comfortable with uncertainty. They made granular probability estimates rather than confident predictions. And they changed their minds when evidence required it. These are not innate traits. They are habits. They are learnable. They are measurable.</p><p style="text-align: justify;">The organisations capturing significant value from AI are not the ones with the best models. According to McKinsey&#8217;s data, the high performers are more than three times more likely to have defined processes for determining when model outputs require human validation. They have built the epistemic vigilance into the workflow rather than leaving it to individual discretion at the moment of decision, when cognitive depletion and time pressure make it least likely to occur.</p><h1>The Agentic Inflection Point</h1><p style="text-align: justify;">There is a governance dimension to this argument that has become acute in the past twelve months and that I have written about in previous issues of this publication: the shift from generative AI to agentic AI.</p><p style="text-align: justify;">In the generative era, the primary governance concern was systems saying the wrong thing &#8212; hallucinating, generating harmful content, leaking intellectual property. Serious risks, but risks that could largely be addressed within existing compliance frameworks.</p><p style="text-align: justify;">In the agentic era, the concern shifts categorically. The risk is no longer about systems saying the wrong thing. It is about systems doing the wrong thing &#8212; executing unintended transactions, misusing credentials, operating autonomously beyond the boundaries of their sanctioned authority. According to McKinsey&#8217;s 2026 AI Trust Maturity Survey, knowledge and training gaps were the single greatest barrier to responsible AI governance, and this gap was widening rather than closing.</p><p style="text-align: justify;">The same survey found that approximately 58 per cent of office workers use unapproved AI tools &#8212; shadow AI &#8212; bypassing corporate governance controls, compromising data security, and generating operational risk that the organisation cannot see, quantify, or address.</p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong>58%</strong></h1><p style="text-align: center;">of office workers use unapproved AI tools, bypassing governance controls.</p><p style="text-align: center;"><em>McKinsey AI Trust Maturity Survey, 2026.</em></p></div><p style="text-align: justify;">As I have written before, you cannot govern what you cannot see. Shadow AI is what happens when official governance structures fail to accommodate the cognitive needs of the workforce. It is not primarily a security problem. It is what happens when an organisation asks people to do double-loop thinking within a single-loop framework &#8212; and they find a way around it.</p><p style="text-align: justify;">The organisations that will govern agentic AI effectively are not the ones that tighten access controls and issue more policy documents. They are the ones that have built the cultural and cognitive conditions under which people feel safe enough to use sanctioned tools, smart enough to evaluate AI outputs critically, and empowered enough to raise concerns when something is wrong.</p><p style="text-align: justify;">That is a cognitive transformation. It does not come from a compliance programme.</p><h1>The Third Transformation</h1><p style="text-align: justify;">Digital transformation rewires how work gets done. AI transformation rewires what gets done and who &#8212; or what &#8212; does it.</p><p style="text-align: justify;">The transformation almost nobody is undertaking rewires how people think about what they are doing and why. It is neither digital nor artificial. It is human. And it is the one without which the other two cannot sustain their value.</p><p style="text-align: justify;">I want to be precise about what this looks like in practice, because &#8220;transformation of thinking&#8221; is the kind of phrase that can mean everything and therefore nothing.</p><p style="text-align: justify;">It means building probabilistic reasoning into decision culture &#8212; not asking &#8220;is this AI recommendation right?&#8221; but &#8220;under what conditions is this recommendation likely to be right, and what is the cost of the cases where it is not?&#8221;</p><p style="text-align: justify;">It means developing what Dave Snowden calls an attitude of wisdom in his Cynefin framework &#8212; confident action combined with genuine, non-performative doubt. Not the paralysis of constant second-guessing, and not the recklessness of unconditional trust, but the calibrated engagement of a person who knows both the power and the limits of the tool in their hands.</p><p style="text-align: justify;">It means designing what cognitive researchers call the quality of struggle into learning and development &#8212; not optimising solely for convenience and speed, but ensuring that professionals are genuinely building the tacit knowledge that makes their judgment worth having.</p><p style="text-align: justify;">And it means leaders modelling this publicly. Not just endorsing AI in the town hall. Using it, being visible about its limitations, changing their minds in front of their teams when the evidence requires it, and creating the psychological safety within which people can say &#8220;the model got this wrong&#8221; without it being career-limiting information.</p><blockquote><p><em><strong>The most dangerous sentence in most AI transformation programmes is not wrong. It is silent. It is the absence of anyone asking: what are we assuming here, and should we be assuming it?</strong></em></p></blockquote><p style="text-align: justify;">According to Carol Dweck&#8217;s research on organisational mindset cultures, published in the Harvard Business Review in 2014, employees in growth-mindset organisations were forty-nine per cent more likely to say their organisation fostered innovation and sixty-five per cent more likely to say it supported risk-taking. The mindset is set by leaders. Not by the values statement on the wall. By what leaders do when they are wrong, how they respond when their assumptions are challenged, and whether they treat uncertainty as a threat to manage or a condition to navigate.</p><p style="text-align: justify;">That is the transformation that creates the conditions for everything else.</p><h1>What I Tell Boards</h1><p style="text-align: justify;">When I sit down with a board that is genuinely trying to understand its AI governance obligations &#8212; and I have increasingly more of those conversations &#8212; I eventually get to a question that I find changes the texture of the discussion.</p><p style="text-align: justify;">It is not: what AI tools have you deployed?</p><p style="text-align: justify;">It is not: have you met the regulatory requirements?</p><p style="text-align: justify;">It is not: what is your AI strategy?</p><p style="text-align: justify;">It is this: when was the last time someone in this organisation changed their mind about something important because of what an AI system showed them, rather than despite it?</p><p style="text-align: justify;">The question sounds philosophical. It is not. It is a diagnostic. An organisation where AI changes minds has built the cognitive integration required for transformation. People are engaging with the outputs analytically, not performatively. The technology is affecting the thinking, not just the doing.</p><p style="text-align: justify;">An organisation where AI generates outputs that everyone processes around &#8212; producing the work required to satisfy the requirement, then making the decision they were going to make anyway &#8212; has not transformed anything. It has added a step.</p><p style="text-align: justify;">Most organisations, when pressed honestly, are in the second category.</p><p style="text-align: justify;">The fix is not a new AI platform. It is not a governance framework &#8212; though governance matters enormously, and I have spent significant time on it in previous issues of this publication. It is not a training programme, though targeted development is part of the answer.</p><p style="text-align: justify;">The fix is a sustained, deliberate, and somewhat uncomfortable process of making assumptions visible, questioning them at the level that matters, and building the institutional habits that allow the organisation to keep doing this as the technology continues to evolve.</p><p style="text-align: justify;">It is, in a word, thinking.</p><p style="text-align: justify;">Not smarter tools. Not faster processing. Not better data. Thinking.</p><p style="text-align: justify;">The organisations that will look back in five years and say that AI transformation worked are not the ones that deployed it first. They are the ones who thought about it well &#8212; and kept thinking even when the thinking was difficult.</p><h2><em><strong>A Note on the Evidence</strong></em></h2><p style="text-align: justify;">As I noted in the section on the BCG and McKinsey statistics, when I cite industry data, I try to name the source and its commercial context. The McKinsey 2025 State of AI figure (survey n=1,993 across 105 nations) and the BCG transformation analysis (approximately nine hundred programmes) are among the more methodologically transparent data points in this literature. The MIT NANDA 95% figure is directionally significant but should be read as an indicative finding from a limited sample &#8212; 300 disclosed initiatives, 52 interviews, 153 survey responses &#8212; not as a precise market measurement.</p><h1><strong>References</strong></h1><ol><li><p>Argyris, C. (1977). Double loop learning in organizations. Harvard Business Review, 55(5), 115&#8211;125.</p></li><li><p>Argyris, C. (1991). Teaching smart people how to learn. Harvard Business Review, May&#8211;June.</p></li><li><p>BCG (2020). Flipping the Odds of Digital Transformation Success. Boston Consulting Group.</p></li><li><p>Dweck, C.S. (2014). How companies can profit from a &#8216;growth mindset.&#8217; Harvard Business Review, November.</p></li><li><p>Gartner (2024, July 29). Gartner Predicts 30% of Generative AI Projects Will Be Abandoned After Proof of Concept By End of 2025. Press release. Analyst: Rita Sallam.</p></li><li><p>Hammer, M., &amp; Champy, J. (1993). Reengineering the Corporation: A Manifesto for Business Revolution. HarperBusiness.</p></li><li><p>Kahneman, D. (2011). Thinking, Fast and Slow. Farrar, Straus and Giroux.</p></li><li><p>Kotter, J.P. (1995). Leading change: Why transformation efforts fail. Harvard Business Review, March&#8211;April.</p></li><li><p>Lee, H.-P., Sarkar, A., Tankelevitch, L., Drosos, I., Rintel, S., Banks, R., &amp; Wilson, N. (2025). The impact of generative AI on critical thinking: Self-reported reductions in cognitive effort and confidence effects from a survey of knowledge workers. Proceedings of CHI 2025, Article 1121. https://doi.org/10.1145/3706598.3713778</p></li><li><p>McKinsey &amp; Company (2025). The State of AI in 2025: Agents, Innovation, and Transformation. Survey: n=1,993, 105 nations, June&#8211;July 2025.</p></li><li><p>McKinsey &amp; Company (2026). State of AI Trust in 2026: Shifting to the Agentic Era. AI Trust Maturity Survey.</p></li><li><p>MIT Project NANDA &#8212; Challapally, A., Pease, C., Raskar, R., &amp; Chari, P. (2025). The GenAI Divide: State of AI in Business 2025. Massachusetts Institute of Technology. Reported in Fortune, 18 August 2025.</p></li><li><p>Parasuraman, R., &amp; Manzey, D.H. (2010). Complacency and bias in human use of automation: An attentional integration. Human Factors, 52(3), 381&#8211;410.</p></li><li><p>Polanyi, M. (1966). The Tacit Dimension. Doubleday.</p></li><li><p>Snowden, D.J., &amp; Boone, M.E. (2007). A leader&#8217;s framework for decision making. Harvard Business Review, November.</p></li><li><p>Tetlock, P.E., &amp; Gardner, D. (2015). Superforecasting: The Art and Science of Prediction. Crown Publishers.</p></li><li><p>Weick, K.E. (1993). The collapse of sensemaking in organizations: The Mann Gulch disaster. Administrative Science Quarterly, 38(4), 628&#8211;652.</p></li></ol><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[You Didn't Buy AI. You Bought a Dependency.]]></title><description><![CDATA[On habit formation, subsidised dependency, and the bill you didn't see coming.]]></description><link>https://dataaicontinuum.substack.com/p/you-didnt-buy-ai-you-bought-a-dependency</link><guid isPermaLink="false">https://dataaicontinuum.substack.com/p/you-didnt-buy-ai-you-bought-a-dependency</guid><dc:creator><![CDATA[M Maruf Hossain, PhD, GAICD]]></dc:creator><pubDate>Sat, 23 May 2026 10:16:48 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Bwzg!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p><strong>The generative AI industry has not raised its prices. It has done something far more disorienting: it has lowered them while making you spend more.</strong></p></div><p style="text-align: justify;">This is not a contradiction. It is the most deliberate pricing manoeuvre in the history of enterprise software, and most of the organisations absorbing the impact have not yet recognised what is happening to them.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Bwzg!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Bwzg!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!Bwzg!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!Bwzg!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!Bwzg!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Bwzg!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png" width="1200" height="675" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:3814633,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://dataaicontinuum.substack.com/i/198945932?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Bwzg!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!Bwzg!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!Bwzg!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!Bwzg!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3107fae6-4524-4ffb-8a9f-a3ce011a2144_1672x941.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p style="text-align: justify;">According to TokenMix&#8217;s analysis of API pricing history, the cost of running GPT-4-class intelligence has fallen roughly 10-fold since OpenAI&#8217;s launch in March 2023 &#8212; from $30 per million input tokens to approximately $2.50 by mid-2026. Budget tiers have fallen by 50- to 100-fold. Google, AWS, and every major infrastructure provider have cut GPU rental rates. On the unit-price graph, generative AI is one of the most deflationary technology markets in recent memory.</p><p style="text-align: justify;">And yet the finance teams reviewing AI invoices in mid-2026 are not seeing deflation. They are seeing bills that have grown 8- to 10-fold on the same workflows that cost a fraction of that 18 months ago. According to Fortune&#8217;s reporting in May 2026, using AI agents at scale has already become more expensive than paying human employees for equivalent tasks. According to The Information, Uber&#8217;s CTO reported that his organisation burned through its entire 2026 AI coding tools budget in four months.</p><p style="text-align: justify;">Both things are true simultaneously. The unit price fell. The bill rose. Understanding why and what to do about it is the most important strategic question in enterprise technology right now.</p><h1><strong>The Habit Was the Product</strong></h1><p style="text-align: justify;">To understand where we are, you have to start not with pricing models but with a precedent from the early internet. In 1999, Microsoft launched .NET Passport with a simple strategic thesis: establish yourself as the default infrastructure layer, subsidise adoption until the habit forms, then extract value from the resulting dependency. The logic was textbook platform economics. The execution failed catastrophically. According to Network World&#8217;s reporting, major partners &#8212; Monster.com, eBay, Expedia &#8212; defected one by one because users simply did not choose where they transacted based on which login service was supported. The habit never formed deeply enough to create real switching costs.</p><p style="text-align: justify;">Facebook Connect, launched eight years later, succeeded for a reason that is directly relevant to what AI vendors are doing today. According to identity infrastructure analysts at the time, it offered not just a login mechanism but the social graph &#8212; years of relationships, content history, and personal context that users had voluntarily constructed and that lived, irretrievably, inside Facebook&#8217;s infrastructure. Switching away did not mean changing a password. It meant losing something that felt irreplaceable.</p><p style="text-align: justify;">The leading AI vendors are trying to build the cognitive equivalent of that social graph. Persistent memory, custom instructions, embedded workflow integrations, conversation history, agent configurations, and prompt libraries. Every session you complete with ChatGPT, every codebase Claude has seen, every research thread Perplexity has mapped &#8212; these are the switching costs being constructed right now, before the pricing lever is pulled further.</p><p style="text-align: justify;">The subsidy period was not generous. It was a land grab. According to venture capital tracking data, AI startups attracted over $211 billion in 2025 alone &#8212; nearly half of all global venture investment. Q1 2026 added a further $178 billion. These were not investments in profitable businesses. They were, in economic terms, the purchase of user dependency at scale.</p><blockquote><p style="text-align: justify;"><em>The flat-rate unlimited AI subscription was never a sustainable product. It was an acquisition mechanism. The organisations that built their workflows on it without understanding this are now discovering the terms.</em></p></blockquote><h1><strong>Three Forces Making Your Bill Larger</strong></h1><p style="text-align: justify;">The mechanism by which unit-price deflation coexists with bill inflation is not mysterious, but it is systematically underanalysed. Most of the enterprises I speak with have identified at most one of the three forces at work.</p><p style="text-align: justify;">The first is agentic loop multiplication. According to Goldman Sachs Research&#8217;s &#8220;Decoding the Agentic Economy&#8221; report, published in May 2026, global token demand is forecast to grow 24-fold by 2030 to 120 quadrillion tokens per month. That growth is not coming from more users sending more chat messages. It is coming from autonomous agent networks that recursively plan, call tools, evaluate intermediate outputs, and iterate &#8212; generating token volumes that can be a hundred times greater than a simple interaction for the same user intent. According to Ethan Ding&#8217;s widely circulated July 2025 analysis, the length of a task that AI can complete has been doubling every six months. A Deep Research run today costs approximately $1 in compute. A 24-hour autonomous agent run projected for 2027 is estimated at $72 per user per day. No flat subscription model survives that arithmetic.</p><p style="text-align: justify;">The second force is tokeniser variance &#8212; a factor that receives almost no attention in standard pricing discussions but can be decisive in multilingual deployments. According to RWS&#8217;s 2026 analysis of enterprise AI scaling costs, there is up to a 450% cost variance between tokeniser architectures for the same semantic content. A global retailer processing 50,000 daily queries across English, Spanish, and Tamil will spend $15,000 annually with an efficient tokeniser and nearly $32,000 with an inefficient one, with Tamil inputs representing just 10% of query volume, driving the majority of the difference. Most organisations deploying AI across multilingual workforces do not know which situation they are in.</p><p style="text-align: justify;">The third force is the structural replacement of flat-rate billing with consumption pricing. According to FinTech Weekly&#8217;s reporting, Cursor&#8217;s June 2025 shift from 500 requests per month to a $20 credit pool triggered a wave of user complaints documenting 20- to 70-fold increases in effective monthly spend &#8212; on an unchanged sticker price. Anthropic added weekly rate limits to Claude Code in July 2025, citing &#8220;unprecedented demand since launch&#8221;. The product promise did not change. The economic reality did.</p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong>24&#215;</strong></h1><p style="text-align: center;">forecast growth in global AI token demand by 2030</p><p style="text-align: center;"><em>Goldman Sachs Research, Decoding the Agentic Economy, May 2026</em></p></div><h1><strong>The Unit Economics That Do Not Add Up</strong></h1><p style="text-align: justify;">Here is the number that should be on every CFO&#8217;s radar right now.</p><p style="text-align: justify;">According to reporting by Where&#8217;s Your Ed At, OpenAI&#8217;s adjusted operating margin in Q1 2026 was negative 122%. That means the company lost $1.22 for every dollar of revenue it generated, implying a quarterly cash burn of approximately $7 billion. According to HSBC&#8217;s 2026 analysis, OpenAI faces a cumulative funding shortfall of $207 billion through 2030.</p><p style="text-align: justify;">And yet OpenAI&#8217;s revenue is growing. According to Bloomberg, Anthropic&#8217;s annual run-rate revenue reached thirty billion dollars in April 2026. According to TechCrunch, ChatGPT has nine hundred million weekly active users. These are not failing companies. They are companies running the most expensive customer acquisition programme in the history of enterprise software, backed by infrastructure commitments that dwarf anything the technology industry has previously attempted.</p><p style="text-align: justify;">According to Goldman Sachs Research&#8217;s &#8220;Tracking Trillions&#8221; report, cumulative AI infrastructure investment between 2026 and 2031 is projected at $7.6 trillion. Oracle is reportedly constructing approximately $348 billion in data centre capacity contingent on OpenAI achieving $75 billion in annual revenue. Microsoft&#8217;s Azure cloud backlog of $625 billion has 45% tied to OpenAI commitments &#8212; a concentration that erased $440 billion in Microsoft&#8217;s market capitalisation in a single session when disclosed.</p><blockquote><p style="text-align: justify;"><em>The infrastructure has been built. The commitments have been made. The economics require that prices rise. The only open question is how quickly, and whether the habit is deep enough to survive the transition.</em></p></blockquote><p style="text-align: justify;">According to IBM&#8217;s Institute for Business Value, compute costs across enterprise AI deployments rose 89% between 2023 and 2025, and every executive surveyed reported postponing or cancelling at least one generative AI initiative as a result. That figure is the leading indicator. The moment when executives start cancelling live production deployments rather than shelving pilots has not yet arrived at scale. But the trajectory is clear.</p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong>&#8722;122%</strong></h1><p style="text-align: center;">OpenAI&#8217;s adjusted operating margin in Q1 2026</p><p style="text-align: center;"><em>Where&#8217;s Your Ed At, citing leaked financial data, 2026</em></p></div><h1><strong>A Ceiling Nobody Is Pricing In</strong></h1><p style="text-align: justify;">There is a constraint on AI scaling that receives almost no coverage in standard pricing analyses: physical limits. Energy, water, and carbon are not abstractions. They are operating costs that are already influencing deployment decisions and regulatory timelines.</p><p style="text-align: justify;">According to the International Energy Agency, data centre electricity demand is projected to nearly double, from approximately 415 terawatt-hours in 2024 to 945 terawatt-hours by 2030, with AI-accelerated servers driving consumption growth at 30 per cent annually. According to UNESCO&#8217;s 2026 AI report, a single Sora 2 video generation burns one kilowatt-hour of electricity, consumes four litres of water, and emits 466 grams of carbon dioxide. The AI industry&#8217;s energy consumption in 2025 emitted carbon equivalent to New York City&#8217;s entire annual emissions.</p><p style="text-align: justify;">According to IBM&#8217;s data, 42 per cent of surveyed executives have been forced to re-examine their carbon-reduction pledges as a direct result of AI infrastructure commitments. The EU AI Act&#8217;s energy reporting requirements &#8212; fully applicable from August 2026 &#8212; are about to make these costs a board-level governance matter rather than an engineering consideration.</p><p style="text-align: justify;">According to UNESCO&#8217;s modelling, small changes in model architecture and query routing can reduce energy use by up to 90%. That finding points toward efficiency as the sustainable path &#8212; and it has a direct practical implication. Organisations building model-routing architectures that match task complexity to model capability are not just cutting their AI bills. They are building a structural advantage that compounds as consumption pricing becomes the norm.</p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong>89%</strong></h1><p style="text-align: center;">rise in compute costs across enterprise AI deployments between 2023 and 2025</p><p style="text-align: center;"><em>IBM Institute for Business Value, 2026</em></p></div><h1><strong>The Floor That Changes Everything</strong></h1><p style="text-align: justify;">The sustainability of any premium pricing depends on the quality of available alternatives. In generative AI, that floor is being actively constructed &#8212; and it is closer than most organisations realise.</p><p style="text-align: justify;">According to VentureBeat&#8217;s reporting, DeepSeek&#8217;s V3.2 experimental model cut API pricing to less than $0.03 per million input tokens &#8212; approximately 96% below comparable Western reasoning model pricing. DeepSeek V4-Flash is available at $0.14 per million input tokens. According to Menlo Ventures&#8217; 2025 mid-year data, eight of the top ten enterprises by API spend already mix at least one open-weight model with proprietary frontier models to manage costs.</p><p style="text-align: justify;">The on-premises economics have shifted materially with the arrival of Nvidia&#8217;s Blackwell generation hardware. According to Lenovo&#8217;s 2026 TCO White Paper, a configuration of eight B300 Ultra GPUs delivers a five-year total cost of approximately $1 million, compared with an equivalent AWS bill of $6.2 million, an 84% saving at sustained utilisation. Translated into per-token economics, that is $4.74 per million tokens on-premises against $29.09 on AWS &#8212; a 6:1 cost advantage for organisations with the volume to justify it.</p><p style="text-align: justify;">The threshold matters. Below approximately $50,000 per month in frontier API spend, cloud flexibility and the absence of MLOps overhead still dominate. Above it, the hardware economics are too compelling to ignore. And as agentic consumption grows, more organisations will cross that threshold than currently expect to.</p><blockquote><p style="text-align: justify;"><em>According to Menlo Ventures, enterprises choose frontier models and pay to stay on the frontier despite 10-fold annual cost decreases. That behaviour tells you that performance, not price, is the dominant enterprise purchase criterion &#8212; for now.</em></p></blockquote><h1><strong>Habit Formation With a Ceiling</strong></h1><p style="text-align: justify;">Consumer markets tell a different story from enterprise markets, and it is worth separating them clearly.</p><p style="text-align: justify;">According to TechCrunch, ChatGPT reached nine hundred million weekly active users by February 2026. According to Google&#8217;s I/O 2026 announcements, Gemini exceeded nine hundred million monthly users. The scale of consumer engagement is not in question. The monetisation rate is.</p><p style="text-align: justify;">According to a16z&#8217;s State of Consumer AI 2025, only 9% of consumers pay for more than one AI subscription across ChatGPT, Gemini, Claude, and Cursor. According to Arcade&#8217;s subscription retention analysis, ChatGPT Plus holds at 71%, Claude Pro at 62%, Gemini Advanced at 60%, and Perplexity Pro at 49%. According to MIT Technology Review, a &#8220;QuitGPT&#8221; campaign in February 2026 attracted 17,000 sign-ups, citing both pricing and governance concerns. According to Bloomberg, European ChatGPT subscription spending stalled from May 2025 onwards.</p><p style="text-align: justify;">These are not catastrophic numbers. But they are inconsistent with the narrative of unlimited consumer willingness to absorb price increases. The market is bifurcating: a small cohort of heavy users migrating to $200 power tiers, a large cohort gravitating toward $8 ad-supported tiers, and a squeezed middle at $20 that is more price-sensitive than vendors have historically assumed.</p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong>9%</strong></h1><p style="text-align: center;">of consumers pay for more than one AI subscription</p><p style="text-align: center;"><em>Andreessen Horowitz, State of Consumer AI 2025</em></p></div><h1><strong>Passport or Connect? The Outcome Is Still Unresolved</strong></h1><p style="text-align: justify;">The decisive question &#8212; whether generative AI ends up like .NET Passport or Facebook Connect &#8212; depends on a single variable: whether the workflow lock-in being constructed now is deep enough to survive the pricing transition already underway.</p><p style="text-align: justify;">The Connect outcome requires that switching from one AI platform to another becomes genuinely costly &#8212; not just inconvenient. According to Platformer&#8217;s Casey Newton, writing about OpenAI&#8217;s October 2025 Developer Day, what OpenAI is attempting is &#8220;the same thing that Facebook executives did nearly two decades ago: can this service grow so important that it becomes a front door to the rest of the web.&#8221;</p><p style="text-align: justify;">The Passport outcome is the alternative: a platform with enormous user numbers, insufficient monetisation, collapsing partner confidence, and infrastructure commitments that cannot be sustained by the revenue base. According to analyst Ed Zitron&#8217;s review of OpenAI&#8217;s leaked financial data, the concern is precisely that: a service without a killer workflow application deep enough to justify the valuation, in a market where the open-source alternative is closing the capability gap at pace.</p><p style="text-align: justify;">According to McKinsey&#8217;s State of AI 2025 survey, 88% of organisations use AI in some capacity, but only approximately one-third are scaling it, and only 39% report any enterprise-level EBIT impact. According to Gartner&#8217;s July 2024 research, 30% of generative AI proof-of-concept projects were predicted to be abandoned by the end of 2025. Both of those findings point toward a market still in early habit formation rather than deep lock-in. The window for vendors to deepen their moats before pricing pressure arrives is narrowing.</p><blockquote><p style="text-align: justify;"><em>According to Gartner, thirty percent of generative AI proof-of-concept projects will be abandoned after proof of concept. The habit, in most organisations, has not yet formed deeply enough to be called a moat.</em></p></blockquote><h1><strong>What This Means If You Are Leading AI in an Enterprise</strong></h1><p style="text-align: justify;"><strong>If you are a CIO or CFO: </strong>the single most important action right now is to renegotiate any AI API contract signed before mid-2024. According to TokenMix&#8217;s pricing data, organisations on 2024 contracts are paying an average of 2.8 times the current market rate for equivalent capability. Quarterly price-reset clauses, model-routing flexibility provisions, and the right to substitute open-weight models for commodity tasks without contractual penalty should be non-negotiable in any renewal.</p><p style="text-align: justify;"><strong>If you are building AI products or platforms: </strong>the priority is a model-routing architecture before you are forced into one by cost pressure. Match model capability to task complexity automatically. Route commodity tasks &#8212; summarisation, classification, basic generation &#8212; to the cheapest capable model. Reserve frontier models for tasks where the performance gap is demonstrable and the value is measurable. According to Gartner&#8217;s analysis, organisations deploying systematic routing can reduce controllable AI spend by up to 30%. That is not an optimisation. That is a structural cost advantage in a market where AI bills are compounding.</p><p style="text-align: justify;"><strong>If you are a board member or executive sponsor: </strong>demand outcome metrics, not activity metrics. According to McKinsey, only 39% of organisations report enterprise-level EBIT impact from AI. Ask your AI leadership which workflows have delivered measurable P&amp;L impact and which are still in the habit-formation phase. The answer will tell you whether you are building a genuine capability or accumulating a well-intentioned cost base.</p><p style="text-align: justify;"><strong>If you are evaluating on-premises infrastructure: </strong>the economics are compelling above $50,000 per month in Frontier API spend. According to Lenovo&#8217;s 2026 TCO analysis, the five-year saving against cloud at sustained utilisation is 84%. Model conservatively at four years of hardware useful life. The constraint is MLOps capability, not hardware availability. Invest in that capability now, because the organisations that have it when agentic consumption scales will carry a durable cost advantage over those who do not.</p><h1><strong>The Real Question</strong></h1><p style="text-align: justify;">The pricing increase is real. The infrastructure commitment is real. The regulatory pressure is real. None of that is in dispute.</p><p style="text-align: justify;">But the question worth sitting with is this: in your organisation, is your AI spend buying a deeply embedded capability that would be genuinely costly to switch away from &#8212; or is it buying access to a service that your competitors could replicate with a different vendor in six weeks?</p><p style="text-align: justify;">Because if it is the latter, the pricing pressure your vendors are building toward will arrive before the lock-in does. And the organisations that have not built the routing intelligence, the on-premises optionality, and the outcome measurement capability to respond will find themselves in exactly the position that Microsoft&#8217;s Passport partners found themselves in 2004: paying for a dependency they built on someone else&#8217;s strategic timeline.</p><blockquote><p style="text-align: justify;"><em>The era of unlimited flat-rate AI is over. The era of usage-priced intelligence has begun. Enterprises that deliberately navigate this transition will carry a structural cost advantage over those that do not.</em></p></blockquote><h1><strong>References</strong></h1><ol><li><p>Andreessen Horowitz 2025, <em>State of consumer AI 2025: product hits, misses, and what&#8217;s next</em>, Andreessen Horowitz, Menlo Park.</p></li><li><p>Arcade 2026, <em>AI subscription retention analysis 2025&#8211;26</em>, Arcade, San Francisco.</p></li><li><p>Bloomberg 2026, &#8216;Anthropic tops $30 billion run rate, seals Broadcom deal&#8217;, <em>Bloomberg</em>, 6 April.</p></li><li><p>Bloomberg 2026, &#8216;European ChatGPT subscription spending data&#8217;, <em>Bloomberg</em>, May&#8211;June.</p></li><li><p>Ding, E 2025, &#8216;Tokens are getting more expensive&#8217;, <em>Substack</em>, 28 July, viewed May 2026, &lt;ethanding.substack.com&gt;.</p></li><li><p>FinTech Weekly 2025, &#8216;Cursor faces backlash over Pro plan pricing shift&#8217;, <em>FinTech Weekly</em>, June.</p></li><li><p>Fortune 2026, &#8216;Microsoft reports are exposing AI&#8217;s real cost problem: using the tech is more expensive than paying human employees&#8217;, <em>Fortune</em>, 22 May.</p></li><li><p>Gartner 2024, &#8216;Gartner predicts 30% of generative AI projects will be abandoned after proof of concept&#8217;, Gartner, Stamford, July.</p></li><li><p>Goldman Sachs Research 2026, <em>Decoding the agentic economy</em>, Goldman Sachs, New York, May.</p></li><li><p>Goldman Sachs Research 2026, <em>Tracking trillions: the assumptions shaping the scale of the AI build-out</em>, Goldman Sachs, New York, May.</p></li><li><p>HSBC 2026, <em>OpenAI funding shortfall analysis</em>, HSBC Global Research, London.</p></li><li><p>IBM Institute for Business Value 2026, <em>The hidden costs of AI: how generative models are reshaping corporate budgets</em>, IBM, Armonk.</p></li><li><p>International Energy Agency 2024, <em>Energy and AI</em>, IEA, Paris.</p></li><li><p>Lenovo 2026, <em>ThinkSystem SR675 V3 TCO white paper: on-premise vs cloud generative AI total cost of ownership, 2026 edition</em>, Lenovo, Beijing.</p></li><li><p>McKinsey &amp; Company 2025, <em>State of AI global survey 2025</em>, McKinsey &amp; Company, New York.</p></li><li><p>Menlo Ventures 2025, <em>2025 mid-year LLM market update</em>, Menlo Ventures, Menlo Park.</p></li><li><p>MIT Technology Review 2026, &#8216;A QuitGPT campaign is urging people to cancel their ChatGPT subscription&#8217;, <em>MIT Technology Review</em>, 10 February.</p></li><li><p>Network World 2005, &#8216;eBay drops Microsoft&#8217;s Passport&#8217;, <em>Network World</em>, December.</p></li><li><p>Newton, C 2025, &#8216;OpenAI&#8217;s platform play&#8217;, <em>Platformer</em>, 6 October, viewed May 2026, &lt;platformer.news&gt;.</p></li><li><p>RWS 2026, <em>How scaling enterprise AI with the wrong LLM could cost you</em>, RWS Group, Chalfont St Peter.</p></li><li><p>TechCrunch 2025, &#8216;Anthropic unveils new rate limits to curb Claude Code power users&#8217;, <em>TechCrunch</em>, 28 July.</p></li><li><p>TechCrunch 2026, &#8216;ChatGPT reaches 900M weekly active users&#8217;, <em>TechCrunch</em>, 27 February.</p></li><li><p>The Information 2026, &#8216;Uber CTO AI budget statement&#8217;, <em>The Information</em>, April.</p></li><li><p>TokenMix 2026, <em>AI API pricing history: GPT-4 $60 to GPT-5.4 $15 (50x drop)</em>, TokenMix, viewed May 2026, &lt;tokenmix.ai&gt;.</p></li><li><p>UNESCO 2026, <em>AI large language models: new report shows small changes can reduce energy use by 90%</em>, UNESCO, Paris.</p></li><li><p>VentureBeat 2026, &#8216;DeepSeek&#8217;s new V3.2-Exp model cuts API pricing in half to less than 3 cents per 1M input tokens&#8217;, <em>VentureBeat</em>, May.</p></li><li><p>Zitron, E 2026, &#8216;OpenAI had a negative 122% non-GAAP operating margin in Q1 2026&#8217;, <em>Where&#8217;s Your Ed At</em>, viewed May 2026, &lt;wheresyoured.at&gt;.</p></li></ol><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[The Atomic Story]]></title><description><![CDATA[The Board Don't Want Your Arc. They Want Your Point.]]></description><link>https://dataaicontinuum.substack.com/p/the-atomic-story</link><guid isPermaLink="false">https://dataaicontinuum.substack.com/p/the-atomic-story</guid><dc:creator><![CDATA[M Maruf Hossain, PhD, GAICD]]></dc:creator><pubDate>Sat, 23 May 2026 01:25:57 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!fOrp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p><em>Why data storytelling belongs in town halls, not boardrooms &#8212; and what to use instead</em></p></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fOrp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fOrp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!fOrp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!fOrp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!fOrp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fOrp!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png" width="1200" height="800.2747252747253" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:2278272,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://dataaicontinuum.substack.com/i/198913759?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fOrp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!fOrp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!fOrp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!fOrp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd723abe3-51b6-470b-a42f-017836448fa7_1536x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p><strong>Data storytelling has become the dominant language of the analytics profession.</strong></p><p>A thriving ecosystem of books, certification programmes, and Tableau dashboards has spent two decades teaching analysts how to build beautiful narrative arcs around their numbers. The implicit promise is that a well-told data story will move decision-makers.</p><p>The empirical reality is that the decision-makers those stories are aimed at are reading their board packs at 30 pages an hour &#8212; and still leaving half the material unread.</p><p>According to Board Intelligence and the Chartered Governance Institute UK and Ireland, based on reporting from more than 1,000 organisations, the average board pack grew by 30 per cent between 2019 and 2024. Only 1% of organisations rate their materials as excellent&#8212;68% rate them as weak or poor. The irony is stark: organisations have invested massively in data capability. The output has grown longer, not sharper.</p><h3>This is not a design problem. It is a category error.</h3><h1>The Story You Were Taught to Tell Was Built for the Wrong Room</h1><p>The data storytelling canon &#8212; Cole Nussbaumer Knaflic&#8217;s Storytelling with Data, Brent Dykes&#8217;s Effective Data Storytelling, Nancy Duarte&#8217;s sparkline structures &#8212; shares a coherent and compelling pedagogical framework. Lead with a hook. Build rising tension. Deliver the resolution.</p><p>The problem is the audience&#8217;s assumption buried inside that framework. It assumes someone is willing to traverse setup, rising action, and resolution before receiving the conclusion. It assumes time for what researchers call narrative transportation &#8212; the psychological state of story immersion. It assumes, in Duarte&#8217;s own words, that the audience is the hero of the idea.</p><p>Senior executives are not passive heroes awaiting narrative revelation. They are active decision-makers under severe time pressure, processing information top-down and outcome-first.</p><p>According to Porter and Nohria&#8217;s landmark CEO time-use study, which tracked 27 large-company CEOs over 13 weeks, CEOs work 62.5 hours per week and spend 72 per cent of that time in meetings. Only 28 per cent of their working time is spent alone. As Tom Gentile, then CEO of Spirit AeroSystems, put it in the accompanying Harvard Business Review interview, board, investor, and media obligations take an inordinate amount of time, and schedule requests fill up faster than anyone anticipates.</p><p>According to Microsoft&#8217;s 2025 Work Trend Index, people using Microsoft 365 are interrupted on average every two minutes by meetings, emails, or notifications. Fifty-two per cent of leaders describe their work as chaotic and fragmented. According to Deloitte&#8217;s 2025 Global Human Capital Trends research, executives spend 41 per cent of their time on work that does not contribute to organisational value creation.</p><p>A narrative that takes 20 minutes to traverse its arc is asking for the scarcest resource in the organisation.</p><h1>Why Storytelling Actively Works Against You in the Boardroom</h1><p>The cognitive case against universal data storytelling is not a stylistic preference. It is structural.</p><p>According to Sweller&#8217;s cognitive load theory, working memory has a strict bottleneck. As Cowan&#8217;s revised research demonstrates, the human mind can actively process only three to five chunks of information simultaneously. Every element of narrative scaffolding &#8212; character, context, rising tension, dramatic revelation &#8212; consumes a chunk that cannot be used for decision-relevant information. For a CFO who has lived the credit cycle for thirty years, the analyst&#8217;s carefully constructed arc is noise. Only the residual, the delta, and the recommendation are signals.</p><p>The dual-process problem is worse. According to Kahneman&#8217;s dual-process framework, under time pressure and decision fatigue, executives default predominantly to fast, associative System 1 thinking rather than the slow, deliberative System 2 thinking that good capital allocation demands. According to Green and Brock&#8217;s foundational research in the Journal of Personality and Social Psychology, narrative transportation &#8212; the state of being absorbed in a story &#8212; is defined in part by reduced counterarguing. The very property that makes storytelling effective for belief change also makes it epistemically dangerous for decision support. A beautifully constructed story can hide an ugly residual.</p><p>Tufte&#8217;s analysis of the Columbia Space Shuttle Accident Investigation found exactly this: hierarchical narrative-flavoured slides had actively obscured the engineering signal that should have prompted intervention.</p><blockquote><p><em>The boardroom&#8217;s job is to counterargue. A format designed to suppress that function is not a communication strategy. It is a liability.</em></p></blockquote><p>And the empirical evidence on storytelling&#8217;s supposed advantages is more sobering than the practitioner canon admits. According to Zdanovic and colleagues&#8217; 2022 experimental study, there are no significant differences in recall between traditional visualisations and data storytelling visualisations &#8212; directly contradicting the claim that stories are dramatically more memorable in analytical contexts. According to Shao and colleagues&#8217; CHI 2024 study involving 103 participants, excessive storytelling elements, particularly text-heavy embellishments, can hinder performance on simpler tasks.</p><h1>What Boards Actually Asked For &#8212; and Nobody Delivered</h1><p>Governance research is direct about what senior leaders want. According to PwC&#8217;s board communication guidance, executives typically have only 10 to 20 minutes on the board agenda, should focus on two or three key messages, and must front-load the headline. According to the Governance Institute of Australia&#8217;s guidance on board papers, the executive summary should appear on the first page and enable directors to ascertain the key information and actions required readily.</p><p>The communications discipline has known this for decades. Barbara Minto developed the Pyramid Principle at McKinsey in the 1960s &#8212; answer first, supported by three to four MECE arguments, validated by evidence &#8212; because, as Minto noted, executives are perpetually short on time, are used to processing lots of information quickly, and get impatient when they feel like someone isn&#8217;t getting to the point. The U.S. Army formalised Bottom Line Up Front in Army Regulation 25-50 in 1988 &#8212; core conclusion in the opening sentence, 300-word ceiling for emails, subject lines as mini-BLUFs &#8212; because the military discovered that narrative scaffolding costs lives when decisions are urgent.</p><p>As Jeff Bezos put it in his 2004 internal email banning PowerPoint from Amazon&#8217;s S-Team meetings, the reason writing a four-page memo is harder than writing a 20-page PowerPoint is that the narrative structure of a good memo forces better thought and better understanding of what&#8217;s more important than what, and how things are related.</p><p>According to Axios&#8217;s Smart Brevity, which is based on University of Maryland eye-tracking research, the average piece of digital content receives 26 seconds of attention. The Smart Brevity format &#8212; strong-verb headline, why it matters in two sentences, essential context &#8212; achieves approximately a 40 per cent reduction in reading time while improving comprehension of the key point.</p><p>The military figured it out. McKinsey figured it out. Amazon figured it out. Journalism figured it out. The data profession has not.</p><h1>Introducing Atomic Storytelling</h1><p>The discipline I am calling <strong>Atomic Storytelling</strong> is not a new idea. It is what the best executive communicators have practised intuitively, without a name. The name matters because naming a discipline is the first step to teaching it.</p><p>An Atomic Story is not a shorter version of a data story. It is a structurally different object: the minimum of narrative required to transmit a decision-relevant insight, with full analytical depth available on demand. The atomic metaphor is deliberate. An atom is not a fragment of a molecule; it is a complete, stable unit that carries all the essential properties of the element. An Atomic Story is complete &#8212; it contains a bottom line, context, an implication, and an ask &#8212; but it is not elaborate. It is dense, not truncated.</p><p>Here is what one looks like in practice:</p><blockquote><p><em>We are broadly on plan, but one issue now requires board attention. Gross margin is tracking below target because input costs have persisted longer than expected. If unchanged, this creates a financial risk of approximately $4.2M over the next two quarters. Management has identified three corrective actions and recommends accelerating the supplier renegotiation to protect margin without affecting headcount. Today, we need the board to endorse that course so we can move before the June contract window closes.</em></p></blockquote><p>That is 79 words. It contains a situation, a signal, an implication, a recommendation, and a time-bounded ask. It is a complete story. It is just not a slow one.</p><p>According to Reyna and colleagues&#8217; fuzzy-trace theory, advanced judgment and decision-making under uncertainty relies not on verbatim detail but on gist &#8212; the essential categorical meaning of information. On plan or off plan. Manageable or escalating. Act now or wait. Atomic Storytelling is explicit gist engineering. According to processing-fluency research by Brinol, Tormala, and Petty, messages that are easier to parse feel more credible and more immediately actionable &#8212; provided they are not simplistic to the point of distortion. An Atomic Story is neither complex nor simplistic. It is precise.</p><h1>A Diagnostic Tool: The Insight Compression Ratio</h1><p>A useful metric for evaluating any executive communication is what I call the <strong>Insight Compression Ratio</strong>: the number of decision-relevant insights delivered per unit of cognitive load imposed. Full-arc data storytelling inflates the denominator at senior levels, where narrative scaffolding displaces the germane processing that actually produces decisions. Atomic storytelling inverts that trade.</p><p>Practically, an ICR audit asks three questions of any board or ExCo paper. How many words are before the bottom line is stated? How much of the document is context-setting versus implication-and-action? Could a director who read only the first page make the required decision? If the answer to the third question is no, the ICR is failing.</p><h1>The Right Format for the Right Room</h1><p>Atomic Storytelling is not an argument against narrative. It is an argument for narrative discipline &#8212; knowing when to use the full arc, and when to compress it.</p><p>Full data storytelling belongs in genuine storytelling contexts. Change management and cultural transformation, where belief change at scale is the goal and counterarguing is the obstacle. Investor relations and capital markets communications, where the equity story is the product itself. Town halls and all-hands, where engagement and memorability dominate over binary decision-making. External reporting &#8212; ESG, annual reviews &#8212; where communities of readers approach the material with time and genuine interest.</p><p>These contexts share three properties: the audience has time; the goal is belief or behaviour rather than a discrete decision; and the cost of System 1 acceptance is low or even desirable. None of those properties holds in the ExCo paper with a 15-minute agenda item, or the board risk update, competing with 225 other pages for four hours of director attention.</p><p>The practical operating model for any analytics function is a tiered stack. Atomic Story &#8212; 50 to 150 words &#8212; as the default entry point for all board papers, ExCo submissions, risk alerts, and escalations. Structured memo &#8212; two to six pages &#8212; for high-stakes decisions where the executive needs the causal chain and the options. Pyramid deck &#8212; eight to twelve slides &#8212; for senior management briefings where visual anchoring aids alignment. Full data story &#8212; conference or workshop format &#8212; for functional and operational audiences with time, curiosity, and appetite for the analytical journey.</p><p>The same insight, packaged at all four tiers as standard workflow. Built atom-first, because building the atom disciplines the analysis before it disciplines the communication.</p><h1>A Note for Australian Financial Services Leaders</h1><p>For data and AI leaders working within APRA-regulated entities, Atomic Storytelling carries a governance dimension that goes beyond communication efficiency. According to APRA&#8217;s CPS 230 on Operational Risk Management and ASIC&#8217;s guidance on board information obligations, structured, auditable, recommendation-first communication is not simply good practice &#8212; it is what the regulatory architecture implicitly demands.</p><p>Compressed, decision-explicit papers are more straightforward to audit. They are more traceable &#8212; what was communicated to whom and when &#8212; and less susceptible to the retrospective narrative rationalisation that regulatory post-mortems routinely expose. When communication fails in a regulated environment, it is rarely the data that fails first. It is the translation.</p><h1>The Question Worth Asking Before Your Next Board Paper</h1><p>The question that every data leader should ask before building any executive communication is not: Is this a good story? Is this the right format for this room?</p><p>For most rooms at the top of the organisation, the answer is an Atomic Story &#8212; the whole narrative, compressed to the size of the decision it must serve. The full story is still there. The analysis is still rigorous. The depth is still available on demand. The atom is its front door.</p><p>Data storytelling gave the analytics profession a powerful and necessary tool. The problem is not the tool. It is the room that keeps getting taken into.</p><h3><strong>Put it in its rightful room.</strong></h3><p><em>This article draws on research developed in the forthcoming academic-practitioner paper &#8220;Atomic Storytelling: The Right Format for the Right Room&#8221; by Dr M Maruf Hossain, PhD, GAICD.</em></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p>]]></content:encoded></item><item><title><![CDATA[The Analytics Arm That Never Carved]]></title><description><![CDATA[Why the rise of the CAIO says more about CDAO failure than AI progress]]></description><link>https://dataaicontinuum.substack.com/p/the-analytics-arm-that-never-carved</link><guid isPermaLink="false">https://dataaicontinuum.substack.com/p/the-analytics-arm-that-never-carved</guid><dc:creator><![CDATA[M Maruf Hossain, PhD, GAICD]]></dc:creator><pubDate>Wed, 20 May 2026 09:57:19 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Vc9-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>Every few years, the enterprise C-suite invents a new title to solve a problem it created for itself.</strong> The Chief Digital Officer was supposed to drive transformation. The Chief Data Officer was supposed to make data a strategic asset. The Chief Data and Analytics Officer was supposed to do both. And now &#8212; with boardrooms from Sydney to Singapore scrambling to appoint Chief AI Officers &#8212; we are watching the same pattern play out again.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Vc9-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Vc9-!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!Vc9-!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!Vc9-!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!Vc9-!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Vc9-!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png" width="1200" height="675" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:2793695,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://dataaicontinuum.substack.com/i/198535068?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Vc9-!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!Vc9-!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!Vc9-!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!Vc9-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6450df74-074a-4ae7-9952-2c92857e80c8_1672x941.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>But here is what nobody is saying loudly enough: the CAIO role is not a natural evolution of enterprise AI maturity. In most organisations, it is a distress signal. It means the CDAO did not finish the job.</p><p style="text-align: justify;">That is a hard thing to say. But it is also, I believe, the most useful thing to say &#8212; because if we misdiagnose the cause, we will keep repeating the structural mistake.</p><h1><strong>Let the CDO Off the Hook &#8212; But Not the CDAO</strong></h1><p style="text-align: justify;">Before we assign blame, we need to be precise about which role failed. The original Chief Data Officer was never built for this moment. The CDO emerged from the post-financial-crisis regulatory environment &#8212; a defensive, custodial function designed to ensure data quality, governance, and compliance. Its success metrics were audit readiness and data trust. Commercial growth was never in the job description.</p><p style="text-align: justify;">So when people argue that CDOs failed to capture the AI agenda, they are right &#8212; but it is the wrong indictment. You cannot fail at something you were never asked to do.</p><blockquote><p><em>The CDO was never holding the AI agenda. The structural failure belongs to the CDAO.</em></p></blockquote><p style="text-align: justify;">The CDAO is a different story. That role &#8212; which first emerged when Chris Mazzei became the first known holder of the title at EY in 2014 &#8212; was explicitly designed to merge defensive data management with offensive analytics. One arm governing the data estate. The other arm drives analytics into business outcomes. Two arms, equal length, equal strength.</p><p style="text-align: justify;">The problem is that most CDAOs let one arm atrophy.</p><p style="text-align: justify;">They over-indexed on governance, platforms, and compliance. They reported to the CIO and got treated as a technology subfunction. They let vendor sales cycles steer their agenda toward platform investments rather than business problems. And critically, they failed to connect analytics to P&amp;L outcomes in language that boards and business unit leaders could act on.</p><p style="text-align: justify;">That last failure is the one that matters most. Because a CDAO who cannot show the commercial return on their analytics investment cannot credibly claim ownership of the ML models, the MLOps pipeline, or &#8212; when the wave arrived &#8212; the LLMs and agentic systems sitting on top of them.</p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong>30%</strong></h1><p style="text-align: center;">of CDAOs cite the inability to measure data, analytics and AI impact on business outcomes as their top challenge</p><p style="text-align: center;"><em>Gartner CDAO Agenda Survey, 2025</em></p></div><p style="text-align: justify;">That statistic should stop every data leader in their tracks. Thirty per cent of CDAOs &#8212; in a survey of 504 executives &#8212; admit they cannot measure what they produce. That is not a technical problem. That is an existential one.</p><h1><strong>Who Owns the LLM? The Question Nobody Answered in Time</strong></h1><p style="text-align: justify;">The arrival of large language models forced a question that most organisations were structurally unprepared for: Is an LLM an IT asset or a data asset?</p><p style="text-align: justify;">The honest answer is that it is both &#8212; and that ambiguity is exactly where the CDAO should have planted a flag. Instead, many CDAOs stood back while the CTO or CIO claimed the infrastructure, and the new CAIO claimed the strategy. The CDAO was left holding the governance brief for a system they did not own.</p><p style="text-align: justify;">The JPMorgan Chase example is instructive here. At JPMorgan, Global CIO Lori Beer oversees the integration and deployment of the LLM Suite, managing security protocols, system compatibility, and compliance architecture. The data and analytics function leverages the outputs. The LLM Suite is expected to deliver up to USD 2 billion in value, particularly in fraud prevention. But notice the structure: the CIO owns the asset. The CDAO uses the outputs. That separation happened because nobody drew the line early enough.</p><blockquote><p><em>The CDAO&#8217;s legitimate claim is over the data that trains, grounds, and governs the LLM &#8212; not over the LLM as an infrastructure asset. The failure arises when CDAOs attempt to claim neither.</em></p></blockquote><p style="text-align: justify;">CDAOs who built strong ML teams and owned the MLOps pipeline were positioned to extend naturally into LLMOps as generative AI matured. Those who did not are now facing a capability gap that is very difficult to close once a board has already invested in a CAIO appointment to fill it.</p><p style="text-align: justify;">The lesson is not that CDAOs should have owned the LLM. The lesson is that CDAOs who owned the full analytics value chain &#8212; from data through ML through production models &#8212; were never going to need a CAIO in the first place.</p><h1><strong>The Numbers Are Alarming &#8212; and Clarifying</strong></h1><p style="text-align: justify;">The data on CAIO adoption across APAC tells a story that is moving faster than most executives realise.</p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong>83%</strong></h1><p style="text-align: center;">of organisations in India have already appointed a Chief AI Officer</p><p style="text-align: center;"><em>AWS &amp; Access Partnership Generative AI Adoption Index, October 2025</em></p></div><p style="text-align: justify;">India is the most CAIO-saturated market in the region &#8212; and arguably the world. Named appointments include leaders at Motilal Oswal Financial Services, Jindal Steel and Power, and Mirae Asset Global Investments. Notably, Jindal&#8217;s CAIO appointment was a former Chief Data Officer hired specifically into the AI role &#8212; an explicit CDO-to-CAIO career transition that tells you everything about how boards are repositioning the data-to-AI journey.</p><p style="text-align: justify;">Australia is moving differently, but no less decisively. The federal government&#8217;s APS AI Plan, released in November 2025, mandates that every Commonwealth department and agency appoint a Chief AI Officer at a senior executive level by 31 July 2026. According to iTnews, fourteen surveyed federal entities plan to fill the role from existing senior staff, which means Australia&#8217;s public sector is, in effect, asking its most senior data and technology leaders to absorb the AI mandate rather than hire a new one.</p><p style="text-align: justify;">Singapore is taking the regulatory route. The IMDA released the world&#8217;s first Model AI Governance Framework for Agentic AI in January 2026, creating a governance architecture that implicitly calls for a named AI executive independent of delivery functions.</p><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong>17%</strong></h1><p style="text-align: center;">of APAC organisations have a CAIO &#8212; the highest rate of any global region &#8212; vs. 14% in EMEA and 11% in North America.</p><p style="text-align: center;"><em>Foundry State of the CIO, 2025</em></p></div><p style="text-align: justify;">And globally, according to IBM&#8217;s 2026 C-suite study, 76% of organisations now have a CAIO office &#8212; up from 26% the prior year. Gartner&#8217;s Jonathan Tabah is more cautious, noting that the role is unlikely to go mainstream outside of organisations at the forefront of AI innovation. But even the cautious read confirms the direction of travel.</p><h1><strong>The CAIO Needs the CDAO to Succeed</strong></h1><p style="text-align: justify;">Here is the irony that most CAIO appointment announcements skip over: the Chief AI Officer cannot do their job without top-notch data governance. And top-notch data governance is &#8212; or should be &#8212; the CDAO&#8217;s core product.</p><p style="text-align: justify;">Generative AI and agentic systems do not run on clean tabular data. They run on documents, transcripts, emails, and unstructured content that is exponentially harder to govern, secure, and trace. Without robust data quality frameworks, metadata management, access controls, and privacy protections, AI models will hallucinate, leak sensitive information, and fail regulatory scrutiny.</p><p style="text-align: justify;">As one data leader put it in a Gartner community discussion: &#8220;You can have innovation and get more intelligent about your data &#8212; but data governance is at the core.&#8221; Gartner&#8217;s own analysis from the 2026 Data and Analytics Summit went further, warning that the ungoverned semantic layer is becoming the new ungoverned data lake &#8212; organisations building AI on top of unvalidated semantic structures are, in effect, constructing intelligence on sand.</p><blockquote><p><em>The CAIO who arrives without a world-class data foundation is like a racing driver handed a car with no fuel quality standards. Fast, dangerous, and ultimately grounded.</em></p></blockquote><p style="text-align: justify;">This dependency is the survival mechanism for CDAOs who are paying attention. The CAIO needs you. Own that dependency explicitly. Make the data foundation non-negotiable &#8212; not as a governance gate, but as an enabler of AI velocity.</p><p style="text-align: justify;">There is also a structural argument here that I have made elsewhere: the CAIO, when a separate role is warranted, belongs in the risk function rather than the technology function. The CAIO&#8217;s mandate is governance and oversight &#8212; ensuring AI systems operate within acceptable boundaries, with appropriate human control and accountability. That is a risk mandate, not a build mandate. Embedding the CAIO within the technology hierarchy creates the same conflict of interest that would arise if the internal audit reported to the CEO of the business it reviews.</p><p style="text-align: justify;">The CTO builds. The Chief Risk Officer oversees risk. The CAIO sits within the risk architecture to ensure the organisation can govern AI with independence and credibility. Australia&#8217;s APS AI Plan reflects exactly this logic, distinguishing between the CAIO (adoption and strategy) and a separate AI Accountable Official (governance and risk compliance).</p><h1><strong>Three Paths. One Is Fading.</strong></h1><p style="text-align: justify;">Based on the evidence &#8212; and on what I am seeing in conversations with data and AI leaders across financial services, telco, and government in APAC &#8212; the CDAO archetype is splitting into three distinct trajectories. Gartner has identified similar patterns in their research.</p><ol><li><p><strong>The Pioneer CDAIO.</strong> This leader has maintained both arms of the mandate &#8212;governing the data estate and driving analytics into commercial outcomes &#8212; and is now naturally absorbing AI&#8212;no separate CAIO needed. The title evolves to Chief Data, Analytics and AI Officer. The Lloyds Banking Group appointment of Sameer Gupta &#8212; a twelve-year DBS Bank veteran &#8212; as Chief Data and AI Officer in 2026 is a live example of this archetype in global financial services.</p></li><li><p><strong>The Connector CDAO + CAIO.</strong> Two roles, working as peers under the CEO or COO. The CDAO owns the data and analytics foundation. The CAIO owns the AI strategy and risk. This works when the CAIO sits in risk rather than technology and when both leaders are bound to a shared scorecard &#8212; data trust, model readiness, workflow adoption, and P&amp;L impact tracked jointly. Without that shared accountability, this structure produces turf wars.</p></li><li><p><strong>The Expert D&amp;A Leader.</strong> A technically strong but strategically invisible data function embedded under the CIO. Governance is solid. Analytics adoption is modest. Business alignment is weak. This archetype is what Gartner had in mind when it predicted that 75% of CDAOs not seen as essential to their organisation&#8217;s AI success will lose their C-level status by 2027. For this cohort, that prediction is not hyperbole.</p></li></ol><div class="callout-block" data-callout="true"><h1 style="text-align: center;"><strong>75%</strong></h1><p style="text-align: center;">of CDAOs not seen as essential to AI success will lose their C-level status by 2027</p><p style="text-align: center;"><em>Gartner CDAO Agenda Survey, 2025</em></p></div><p style="text-align: justify;">The historical parallel is worth noting. The CDO role was repeatedly predicted to die from 2018 onward. Instead, according to Wavestone&#8217;s AI and Data Leadership Executive Benchmark Survey, CDO and CDAO adoption grew from 12% of large organisations in 2012 to 84.3% in 2025. The role did not die. It transformed. The current moment is a moment of transformation, not an extinction moment &#8212; but only for those who move.</p><p style="text-align: justify;">According to the Gartner Evanta 2026 CDAO Leadership Perspectives survey of more than 350 data executives, the top three CDAO priorities for 2026 are strengthening data and AI governance, driving data-driven culture, and &#8212; most tellingly &#8212; maximising business and monetisation value, which jumped 22 places in the ranking from the previous year. CDAOs are finally putting commercial accountability at the top of the list. The question is whether that shift comes fast enough.</p><h1><strong>What This Means If You Are a Data or AI Leader in APAC</strong></h1><p style="text-align: justify;">The intelligence activation challenge of the next decade is too consequential for the C-suite to leave the ownership question unresolved. Here is what I think the evidence demands:</p><p style="text-align: justify;"><strong>If you are a CDAO who owns analytics end-to-end: </strong>do not wait for a CAIO to be appointed above you. Rebrand proactively. Build the LLMOps capability. Own the AI governance framework. Make the data foundation for AI your most visible deliverable. The Pioneer CDAIO archetype is available to you &#8212; but it requires moving now, not after the board announcement.</p><p style="text-align: justify;"><strong>If you are a board or CEO considering a CAIO appointment: </strong>ask first whether your data foundations are ready. A CAIO without a world-class data function is an expensive exercise in governance. If your CDAO has the commercial instinct and the AI vision, evolve the role rather than duplicating it. If they do not, be honest about that &#8212; and structure the CAIO within risk, not technology.</p><p style="text-align: justify;"><strong>If you are an incoming CAIO: </strong>recognise that your success depends entirely on the data governance infrastructure you do not own. Make your priority a genuine partnership with the CDO or CDAO &#8212; not a territorial negotiation. The AI models are only as good as the data they run on.</p><p style="text-align: justify;"><strong>If you are a CIO or CTO watching this debate: </strong>the LLM integration question is legitimately yours. Own the infrastructure. But do not mistake infrastructure ownership for AI strategy ownership. The strategy belongs with whoever can connect data to commercial outcomes &#8212; and that should not be an IT conversation.</p><h1><strong>The Real Question</strong></h1><p style="text-align: justify;">The rise of the Chief AI Officer is real. The APAC adoption numbers are real. The regulatory mandates in Australia and Singapore are real. None of that is in dispute.</p><p style="text-align: justify;">But the question worth sitting with is this: in your organisation, is the CAIO appointment a signal of strategic ambition &#8212; or a signal that the CDAO never finished building the analytics arm?</p><p style="text-align: justify;">Because if it is the latter, the CAIO will face the same structural problem the CDAO faced. They will own a title, a mandate, and a set of expectations &#8212; and they will be sitting on a data foundation that was never designed to support them.</p><blockquote><p><em>The most likely long-term outcome is not two roles. It is one &#8212; a Pioneer CDAIO who owns the full intelligence value chain from data through analytics through AI, reports to the CEO, governs with the rigour of a risk function, and demonstrates value in the commercial language of P&amp;L.</em></p></blockquote><p style="text-align: justify;">The organisations that design toward that endpoint deliberately &#8212; rather than arriving at it through territorial conflict and role duplication &#8212; will build faster, govern better, and waste less.</p><p>The intelligence activation challenge of the next decade is too consequential for the C-suite to leave the ownership question unresolved. <strong>Resolve it now.</strong></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://dataaicontinuum.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Data-AI Continuum! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item></channel></rss>