Severe Underutilisation of AI
You recently surveyed businesses and found that the fear of risks arising from AI, coupled with a lack of understanding of AI risk management, is preventing most companies from pursuing AI use cases. Why is this happening?
When we looked at large enterprises, we saw a stark inversion of typical project prioritisation:
In most scenarios, companies go after the highest-value opportunities first. But with AI, it is almost the opposite. Companies focus on low-value, low-risk projects or even avoid AI initiatives entirely.
Only about 5-10% of potential AI use cases are actually being worked on. This hesitancy creates a massive opportunity cost—every day a company delays or slows its AI journey makes it harder to catch up.
AI capabilities are like a muscle. If companies are not actively building AI tools, they are not developing the necessary talent pool or the internal infrastructure—things like robust data systems or effective model governance. This can lead to a lasting impact on competitiveness.
Is the situation different for smaller companies?
For mid-sized companies, the problem is not just about delaying AI adoption; it is that they often do not know where to begin. They lack people with the right expertise, are unsure which technology stacks to invest in, and do not have a clear roadmap for adopting AI.
For mid-sized organisations, the issue often manifests as a lack of clarity. They jump in by using easy-to-use but expensive tools, like APIs from third-party providers, without fully understanding the hidden costs or the compliance complexities.
Others, especially on the larger end of the size spectrum, turn to large consulting firms hoping for a seal of approval. The logic is that if something goes wrong, at least they can say they used a reputable firm. But these large players can be very expensive, and sometimes they do not even have the specialised talent needed for deeper AI work. So these firms end up overpaying without necessarily getting the best solution for their needs.
How significant a cost factor is compliance?
For large enterprises, compliance can be around 7% of the entire project cost—which is extremely high.
Across the board, companies tell us that the true cost of AI is higher than anticipated.
And the return on investment into AI is still below expectations. In my experience, all companies I have worked with find that their actual return on AI investment is lower than they originally projected, especially when they factor in the hidden costs.
Framework for Smarter AI Compliance
How can organisations avoid overspending on compliance and underutilising AI?
I have developed a framework guided by the “80/20” rule to streamline compliance. Instead of using a traditional high-value-based prioritisation, I propose something called “compliance triaging.” This framework includes over two dozen factors that I consider, along with the impact of each factor and the probability of failure for each.
The company applies the most complex compliance checks to the highest-risk models—those that impact a lot of users or make critical decisions. Meanwhile, other models go through a fast-track compliance process. This way, we do not bog down every single AI use case with equally stringent checks.
Does your risk categorisation align with the EU AI Act or emerging US laws?
Yes, I take a similar approach, categorising use cases as “unacceptable risk,” “high risk,” or otherwise. But I also simplify this further by considering data quality and human impact across two dimensions. This yields four categories:
- Low-Quality Data / Low Human Impact
- Low-Quality Data / High Human Impact
- High-Quality Data / Low Human Impact
- High-Quality Data / High Human Impact
For instance, if you have low-quality data combined with high human impact, that is basically a “no-go.” It aligns closely with the “unacceptable risk” category in the EU AI Act.
When is data of “low quality”?
I break data down into five components: volume, veracity, variety, velocity, and what I call “virtuosity.”
Virtuosity includes ethical and privacy considerations—considerations like whether data contains health information and other sensitive private data, or whether the data was ethically sourced.
One should also look at how the company manages its master data, whether it has proper protocols for access, usage, and deletion.
Also, if a dataset was scraped without proper consent, I rate that data lower in quality. On the other hand, if it was collected through well-documented surveys or with full user disclosure, it ranks higher.
I also consider EU GDPR principles—data minimisation, storage limitation, informed consent, etc.—as part of the evaluation.
All these factors feed into the overall data quality assessment.
How does your framework account for model performance?
The framework considers a range of dimensions of model performance, around ten in total: robustness, accuracy, bias, security, volatility, and so forth.
Stanford’s Centre for Research on Foundational Models [1] has an excellent framework for transparency, “The Foundation Model Transparency Index,” covering 100 indicators, from data size to whether there is proper documentation for downstream use.
But from a broader perspective, I also care about volatility—how well the model generalises if the underlying data distribution shifts. [2] If a model’s performance changes drastically due to a slightly different data distribution, that is a red flag for instability.
Lastly, security is a key dimension in our assessments, and we score it accordingly. We consider the risk of prompt injection or data leakage. If someone can manipulate the AI system into revealing sensitive information, that is obviously a serious concern.
Implementation
How can companies benefit from such a framework?
The framework can be used to provide a comprehensive evaluation of the risk of developing or deploying a particular AI system, highlighting the model’s weaknesses and strengths, and providing an overall risk rating.
It is often the risk management or compliance teams who commission the framework. In other cases, it is the board of directors who seeks an independent assessment. Boards are realising they can no longer rely solely on management’s assurances.
To move quickly on implementation, I recommend using a prioritisation scale that ranks use cases based on potential impact. For example, a highly regulated use case, one impacting critical operations, or one that is external facing will have a different prioritisation than the one that does not touch these dimensions. Internal AI applications may still be important but often pose lower regulatory and liability risks.
Jerry Gupta is a founding team member at Armilla AI, leading AI product development and insurance solutions to assess and mitigate AI-related risks. He also serves as a Faculty Advisor at the London Business School, where he teaches AI strategy for senior executives.
Sources
1. The Centre for Research on Foundation Models (CRFM) is an interdisciplinary initiative at the Stanford Institute for Human-Centered Artificial Intelligence (HAI) that makes fundamental advances in the study, development, and deployment of foundation models.
2. A crucial assumption in machine learning is that training data has the same distribution as the data the model will see in production. If this assumption fails (called “distribution shift”), the model may perform poorly, because it trained on data points that are not representative of the real-world environment.