It’s becoming an increasingly common scenario: the AI pilot was, by all accounts, a success. Engineers were energized by faster cycle times, higher throughput, and better code reviews. The team was ready to scale. Then governance showed up, and everything stopped.
And once you slow down momentum on a transformation, it's expensive to start it back up.
I've seen this story play out several times in companies of various sizes and across industries. In some organizations, adoption initiatives stop completely. In others, they stall at the pilot phase until governance is fully addressed. Across the board, these teams believed that they had done everything right:
- Identified impactful use cases
- Implemented successful change management strategies
- Ran iterative pilots that quickly built momentum
- Focused on measuring outcomes
The pilot worked. So why couldn’t they scale?
The blocker most teams miss
In 2025, the dominant headline was that AI projects were failing. Many failed due to data quality issues, unclear use cases, and lack of investment.
In 2026, the story is more nuanced. AI projects are succeeding and exceeding expectations, but a new pattern has emerged: they stall. Teams do everything right, realize value, and see measurable impact, and then they become blocked when governance enters the conversation. When governance shows up late, it pauses or blocks adoption outright. Questions like these are asked too late:
- Who owns this if something breaks?
- What data is the model touching, and is any of it regulated?
- If a regulator demands an audit trail, can we produce one?
The organizations scaling AI fastest are those who start asking these questions first.
Three places the process breaks
Working with heavily regulated industries, I've observed three common failure modes from late governance planning:
Data access: A team tests an AI tool against production logs or operational data. Later, they discover the dataset includes personally identifiable information (PII), and the whole solution has to be re-architected.
Ownership: A team is ready to scale their AI feature after a successful pilot. Then they realize Compliance needs sign-off, Security needs a review, and Legal has concerns. With several approvers and no designated owner, no one knows who makes the final call, and the lack of ownership delays decisions and, ultimately, adoption.
Logging and auditability: Someone asks, "Who used the AI? What data was involved? What changed?" If those answers aren't available, deployment pauses. Regulations such as the EU AI Act impose record-keeping and automatic-logging obligations on high-risk AI systems, so this is not a hypothetical question.
The uncomfortable truth about governance friction
Governance creates friction by design. You don't want to move so fast that you open yourself up to compliance violations, damage your brand, or erode customer trust.
Governance ensures you proceed safely and minimize risk. The later governance enters (the further right it shifts), the more friction it creates. Answering governance questions and putting mitigations in place early costs far less than scaling adoption and then running into a compliance violation. That is a crisis you could have avoided.
Organizations that save governance for later are betting that the questions won't be complicated, that answers will already exist, and that compliance teams will move fast under pressure. I wouldn’t make those bets.
The fastest-scaling organizations treat governance as a design constraint from day one. When governance is embedded early, teams respond without scrambling, pilots scale without surprise blockers, and approvals move faster because the groundwork existed before anyone needed it.
When governance isn't embedded early, you get the sequence I keep watching: the technology is working, engineers are bought in, and momentum is real. And then everything comes to a full stop.
What "shifting governance left" actually looks like
This is a simple sequence change. It's about bringing in key players during the discovery phase of the AI transformation. These are the types of questions you should be asking before pilots launch, not after they succeed:
- What data will the model touch, and does any of it carry regulatory risk?
- Who owns accountability if something goes wrong, and how is that documented?
- How will AI interactions be logged if a regulator asks?
- What does compliance look like for this use case in this industry?
These questions will vary by industry based on risk profile. Financial services, healthcare, and the public sector each carry their own requirements. What's consistent is that the first step should always be to write down what governance looks like for the initiative before the pilot begins. Once the guardrails are transparent and in place, approvals accelerate and the team builds confidence that they won't be blocked just as they are gaining traction.
What engineering leaders should do now
If you’re currently leading an AI transformation, ask yourself one question:
When did governance enter the conversation?
If you’ve started your pilot and your answer is "we haven't addressed governance yet," that’s your signal. Engage Legal, Compliance, and Security in the discovery phase now to avoid costly delays and expedite approvals.
If you haven’t begun your pilot, good news! During my time at NIST (the National Institute of Standards and Technology), we documented non-functional requirements, including constraints and security requirements, from the start. That practice helped us avoid security and compliance surprises later in the software development process. The same lessons apply here.
If you're working with AI, especially in a highly regulated environment where risk matters, this shift is one of the most impactful moves you can make.
Bring these questions into the first conversation. Make it part of project kickoff. The pilots that scale are the ones where governance was in the room from the start, where the questions had answers before anyone needed them. The lost momentum is expensive. The delays are avoidable.
Key takeaways
- AI pilots that succeed often stall when governance enters the conversation late. Embedding governance during the discovery phase keeps momentum intact and prevents the costly restart that comes after a compliance issue or a surprise blocker at scale.
- Late governance planning typically breaks down in three places: data access, when production logs turn out to contain PII; ownership, when Compliance, Security, and Legal all weigh in without a clearly designated owner (a DRI); and logging, when a regulator asks for an audit trail that doesn't exist.
- Treat governance as a design constraint from day one. Writing down what governance looks like for the initiative before the pilot starts speeds up approvals when it's time to scale and prevents teams from being blocked just as they're gaining traction.

