[{"data":1,"prerenderedAt":524},["ShallowReactive",2],{"/en-us/the-source/authors/darva-satcher":3,"footer-en-us":32,"the-source-banner-en-us":366,"the-source-navigation-en-us":372,"the-source-newsletter-en-us":395,"authors-en-us":403,"categories-en-us":444,"darva-satcher-articles-list-en-us":445},{"id":4,"title":5,"body":6,"category":6,"config":7,"content":9,"description":6,"extension":21,"meta":22,"navigation":23,"path":24,"seo":25,"slug":28,"stem":29,"testContent":6,"type":30,"__hash__":31},"theSourceAuthors/en-us/the-source/authors/darva-satcher.yml","Darva Satcher",null,{"layout":8},"the-source",[10,19],{"type":11,"componentName":11,"componentContent":12},"TheSourceAuthorHero",{"name":5,"role":13,"headshot":14,"config":17},"Director of Enterprise AI & Customer Outcomes, GitLab",{"altText":5,"config":15},{"src":16},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1778180758/smfhcwhfje89dg4rilld.jpg",{"gitlabHandle":18},"dsatcher",{"type":20,"componentName":20},"TheSourceArticlesList","yml",{},true,"/en-us/the-source/authors/darva-satcher",{"config":26,"title":5},{"noIndex":27},false,"darva-satcher","en-us/the-source/authors/darva-satcher","author","54OYD8TAkDT5QugsiUO-rLhPsrJhNIX6XWjA0v1bXA4",{"data":33},{"text":34,"source":35,"edit":41,"contribute":46,"config":51,"items":56,"minimal":355},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":36,"config":37},"View page source",{"href":38,"dataGaName":39,"dataGaLocation":40},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":42,"config":43},"Edit this page",{"href":44,"dataGaName":45,"dataGaLocation":40},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":47,"config":48},"Please contribute",{"href":49,"dataGaName":50,"dataGaLocation":40},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":52,"facebook":53,"youtube":54,"linkedin":55},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[57,114,171,230,298],{"title":58,"links":59,"subMenu":75},"Pricing",[60,65,70],{"text":61,"config":62},"View plans",{"href":63,"dataGaName":64,"dataGaLocation":40},"/pricing/","view plans",{"text":66,"config":67},"Why Premium?",{"href":68,"dataGaName":69,"dataGaLocation":40},"/pricing/premium/","why premium",{"text":71,"config":72},"Why Ultimate?",{"href":73,"dataGaName":74,"dataGaLocation":40},"/pricing/ultimate/","why ultimate",[76],{"title":77,"links":78},"Contact Us",[79,84,89,94,99,104,109],{"text":80,"config":81},"Contact sales",{"href":82,"dataGaName":83,"dataGaLocation":40},"/sales/","sales",{"text":85,"config":86},"Support portal",{"href":87,"dataGaName":88,"dataGaLocation":40},"https://support.gitlab.com","support portal",{"text":90,"config":91},"Customer portal",{"href":92,"dataGaName":93,"dataGaLocation":40},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":95,"config":96},"Status",{"href":97,"dataGaName":98,"dataGaLocation":40},"https://status.gitlab.com/","status",{"text":100,"config":101},"Terms of use",{"href":102,"dataGaName":103,"dataGaLocation":40},"/terms/","terms of use",{"text":105,"config":106},"Privacy statement",{"href":107,"dataGaName":108,"dataGaLocation":40},"/privacy/","privacy statement",{"text":110,"config":111},"Cookie preferences",{"dataGaName":112,"dataGaLocation":40,"id":113,"isOneTrustButton":23},"cookie preferences","ot-sdk-btn",{"title":115,"links":116,"subMenu":127},"Product",[117,122],{"text":118,"config":119},"DevSecOps platform",{"href":120,"dataGaName":121,"dataGaLocation":40},"/platform/","devsecops platform",{"text":123,"config":124},"AI-Assisted Development",{"href":125,"dataGaName":126,"dataGaLocation":40},"/gitlab-duo-agent-platform/","ai-assisted development",[128],{"title":129,"links":130},"Topics",[131,136,141,146,151,156,161,166],{"text":132,"config":133},"CICD",{"href":134,"dataGaName":135,"dataGaLocation":40},"/topics/ci-cd/","cicd",{"text":137,"config":138},"GitOps",{"href":139,"dataGaName":140,"dataGaLocation":40},"/topics/gitops/","gitops",{"text":142,"config":143},"DevOps",{"href":144,"dataGaName":145,"dataGaLocation":40},"/topics/devops/","devops",{"text":147,"config":148},"Version Control",{"href":149,"dataGaName":150,"dataGaLocation":40},"/topics/version-control/","version control",{"text":152,"config":153},"DevSecOps",{"href":154,"dataGaName":155,"dataGaLocation":40},"/topics/devsecops/","devsecops",{"text":157,"config":158},"Cloud Native",{"href":159,"dataGaName":160,"dataGaLocation":40},"/topics/cloud-native/","cloud native",{"text":162,"config":163},"AI for Coding",{"href":164,"dataGaName":165,"dataGaLocation":40},"/topics/devops/ai-for-coding/","ai for coding",{"text":167,"config":168},"Agentic AI",{"href":169,"dataGaName":170,"dataGaLocation":40},"/topics/agentic-ai/","agentic ai",{"title":172,"links":173},"Solutions",[174,178,183,188,193,197,202,205,210,215,220,225],{"text":175,"config":176},"Application Security Testing",{"href":177,"dataGaName":175,"dataGaLocation":40},"/solutions/application-security-testing/",{"text":179,"config":180},"Automated software delivery",{"href":181,"dataGaName":182,"dataGaLocation":40},"/solutions/delivery-automation/","automated software delivery",{"text":184,"config":185},"Agile development",{"href":186,"dataGaName":187,"dataGaLocation":40},"/solutions/agile-delivery/","agile delivery",{"text":189,"config":190},"SCM",{"href":191,"dataGaName":192,"dataGaLocation":40},"/solutions/source-code-management/","source code management",{"text":132,"config":194},{"href":195,"dataGaName":196,"dataGaLocation":40},"/solutions/continuous-integration/","continuous integration & delivery",{"text":198,"config":199},"Value stream management",{"href":200,"dataGaName":201,"dataGaLocation":40},"/solutions/value-stream-management/","value stream management",{"text":137,"config":203},{"href":204,"dataGaName":140,"dataGaLocation":40},"/solutions/gitops/",{"text":206,"config":207},"Enterprise",{"href":208,"dataGaName":209,"dataGaLocation":40},"/enterprise/","enterprise",{"text":211,"config":212},"Small business",{"href":213,"dataGaName":214,"dataGaLocation":40},"/small-business/","small business",{"text":216,"config":217},"Public sector",{"href":218,"dataGaName":219,"dataGaLocation":40},"/solutions/public-sector/","public sector",{"text":221,"config":222},"Education",{"href":223,"dataGaName":224,"dataGaLocation":40},"/solutions/education/","education",{"text":226,"config":227},"Financial services",{"href":228,"dataGaName":229,"dataGaLocation":40},"/solutions/finance/","financial services",{"title":231,"links":232},"Resources",[233,238,243,248,253,258,263,268,273,278,283,288,293],{"text":234,"config":235},"Install",{"href":236,"dataGaName":237,"dataGaLocation":40},"/install/","install",{"text":239,"config":240},"Quick start guides",{"href":241,"dataGaName":242,"dataGaLocation":40},"/get-started/","quick setup checklists",{"text":244,"config":245},"Learn",{"href":246,"dataGaName":247,"dataGaLocation":40},"https://university.gitlab.com/","learn",{"text":249,"config":250},"Product documentation",{"href":251,"dataGaName":252,"dataGaLocation":40},"https://docs.gitlab.com/","docs",{"text":254,"config":255},"Blog",{"href":256,"dataGaName":257,"dataGaLocation":40},"/blog/","blog",{"text":259,"config":260},"What's new",{"href":261,"dataGaName":262,"dataGaLocation":40},"/whats-new/","whats new",{"text":264,"config":265},"Customer success stories",{"href":266,"dataGaName":267,"dataGaLocation":40},"/customers/","customer success stories",{"text":269,"config":270},"Remote",{"href":271,"dataGaName":272,"dataGaLocation":40},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":274,"config":275},"GitLab Services",{"href":276,"dataGaName":277,"dataGaLocation":40},"/services/","services",{"text":279,"config":280},"Community",{"href":281,"dataGaName":282,"dataGaLocation":40},"/community/","community",{"text":284,"config":285},"Forum",{"href":286,"dataGaName":287,"dataGaLocation":40},"https://forum.gitlab.com/","forum",{"text":289,"config":290},"Events",{"href":291,"dataGaName":292,"dataGaLocation":40},"/events/","events",{"text":294,"config":295},"Partners",{"href":296,"dataGaName":297,"dataGaLocation":40},"/partners/","partners",{"title":299,"links":300},"Company",[301,306,311,316,321,326,330,335,340,345,350],{"text":302,"config":303},"About",{"href":304,"dataGaName":305,"dataGaLocation":40},"/company/","company",{"text":307,"config":308},"Jobs",{"href":309,"dataGaName":310,"dataGaLocation":40},"/jobs/","jobs",{"text":312,"config":313},"Leadership",{"href":314,"dataGaName":315,"dataGaLocation":40},"/company/team/e-group/","leadership",{"text":317,"config":318},"Handbook",{"href":319,"dataGaName":320,"dataGaLocation":40},"https://handbook.gitlab.com/","handbook",{"text":322,"config":323},"Investor relations",{"href":324,"dataGaName":325,"dataGaLocation":40},"https://ir.gitlab.com/","investor relations",{"text":327,"config":328},"Sustainability",{"href":329,"dataGaName":327,"dataGaLocation":40},"/sustainability/",{"text":331,"config":332},"Diversity, inclusion and belonging (DIB)",{"href":333,"dataGaName":334,"dataGaLocation":40},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":336,"config":337},"Trust Center",{"href":338,"dataGaName":339,"dataGaLocation":40},"/security/","trust center",{"text":341,"config":342},"Newsletter",{"href":343,"dataGaName":344,"dataGaLocation":40},"/company/contact/#contact-forms","newsletter",{"text":346,"config":347},"Press",{"href":348,"dataGaName":349,"dataGaLocation":40},"/press/","press",{"text":351,"config":352},"Modern Slavery Transparency Statement",{"href":353,"dataGaName":354,"dataGaLocation":40},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":356},[357,360,363],{"text":358,"config":359},"Terms",{"href":102,"dataGaName":103,"dataGaLocation":40},{"text":361,"config":362},"Cookies",{"dataGaName":112,"dataGaLocation":40,"id":113,"isOneTrustButton":23},{"text":364,"config":365},"Privacy",{"href":107,"dataGaName":108,"dataGaLocation":40},{"visibility":23,"title":367,"button":368},"The Intelligent Software Development Era: How AI is reshaping DevSecOps teams",{"config":369,"text":371},{"href":370},"/resources/developer-survey/","Get the research report",{"logo":373,"subscribeLink":378,"navItems":382},{"altText":374,"config":375},"the source logo",{"src":376,"href":377},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":379,"config":380},"Subscribe",{"href":381},"#subscribe",[383,387,391],{"text":384,"config":385},"Artificial Intelligence",{"href":386},"/the-source/ai/",{"text":388,"config":389},"Security & Compliance",{"href":390},"/the-source/security/",{"text":392,"config":393},"Platform & Infrastructure",{"href":394},"/the-source/platform/",{"title":396,"description":397,"submitMessage":398,"formData":399},"The Source Newsletter","Stay updated with insights for the future of software development.","You have successfully signed up for The Source’s newsletter.",{"config":400},{"formId":401,"skeletonFieldCount":402,"formName":344,"hideRequiredLabel":23},1077,3,{"amanda-rueda":404,"andre-michael-braun":405,"andrew-haschka":406,"ayoub-fandi":407,"bob-stevens":408,"brian-wald":409,"bryan-ross":410,"chandler-gibbons":411,"cherry-han":412,"darva-satcher":5,"dave-steer":413,"ddesanto":414,"derek-debellis":415,"emilio-salvador":416,"erika-feldman":417,"george-kichukov":418,"gitlab":419,"grant-hickman":420,"haim-snir":421,"iganbaruch":422,"james-nyika":423,"jason-morgan":424,"jessie-young":425,"jlongo":426,"joel-krooswyk":427,"josh-lemos":428,"joshua-carroll":429,"julie-griffin":430,"kristina-weis":431,"lee-faus":432,"marco-caronna":433,"michelle-gill":434,"nathen-harvey":435,"ncregan":436,"rob-smith":437,"rschulman":438,"sabrina-farmer":439,"sandra-gittlen":440,"sharon-gaudin":441,"stephen-walters":442,"taylor-mccaslin":443},"Amanda Rueda","Andre Michael Braun","Andrew Haschka","Ayoub Fandi","Bob Stevens","Brian Wald","Bryan Ross","Chandler Gibbons","Cherry Han","Dave Steer","David DeSanto","Derek DeBellis","Emilio Salvador","Erika Feldman","George Kichukov","GitLab","Grant Hickman","Haim Snir","Itzik Gan Baruch","James Nyika","Jason Morgan","Jessie Young","Joseph Longo","Joel Krooswyk","Josh Lemos","Joshua Carroll","Julie Griffin","Kristina Weis","Lee Faus","Marco Caronna","Michelle Gill","Nathen Harvey","Niall Cregan","Rob Smith","Robin Schulman","Sabrina Farmer","Sandra Gittlen","Sharon Gaudin","Stephen Walters","Taylor McCaslin",{"ai":384,"platform":392,"security":388},[446,487],{"id":447,"title":448,"body":6,"category":449,"config":450,"content":453,"description":455,"extension":21,"meta":479,"navigation":23,"path":480,"seo":481,"slug":483,"stem":484,"type":485,"__hash__":486,"date":454,"timeToRead":456,"keyTakeaways":457,"articleBody":461,"faq":462,"heroImage":478},"theSource/en-us/the-source/ai/connect-ai-tools-to-business-outcomes-a-3-layer-framework.yml","Connect AI tools to business outcomes: A 3-layer framework","ai",{"layout":8,"template":451,"featured":27,"author":28,"sourceCTA":452,"isHighlighted":27,"authorName":5},"TheSourceArticle","source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach",{"title":448,"date":454,"description":455,"timeToRead":456,"keyTakeaways":457,"articleBody":461,"faq":462,"heroImage":478},"2026-05-26","Struggling to prove your AI investment is working? Learn how to measure what matters before you roll out any AI tool.","5 min read",[458,459,460],"High AI usage rates, completed pilots, and positive team sentiment all measure activity. They don't prove AI is driving business outcomes.","To connect AI investments to results, work backward from the business goal you want, to the drivers that move it, to the indicators that show progress.","Before deploying any AI tool, set a numerical goal, target the actual bottleneck, and baseline your indicators. Review on a cadence and pivot if nothing moves.","Plenty of AI rollouts are working. The tools get used. The pilots ship. The teams like them. The harder question, the one most measurement programs aren't built to answer, is whether any of it has changed the business.\n\nActivity is just activity. You measure weekly active usage (WAU) and it looks great, but quality, efficiency, and cost aren't moving.\n\nTo be clear: activity is great for learning how to use a tool, and learning by doing is valuable. But activity alone doesn't produce measurable business outcomes.\n\nA developer using AI assisted coding tools for 4 hours a day isn't automatically shipping faster, especially when the slowest part of the workflow is a manual, cumbersome code review.\n\nA support team member using agentic chat for 3 hours a day isn't closing tickets any faster if the longest delay is caused by misrouted ticket assignments. An AI agent that automatically routed tickets would have been a better investment.\n\nIn both scenarios, the activity wasn't aligned with a business outcome. AI rewards intentional, strategic choices about where to apply it.\n\n## The chain you're missing\n\nAn outcome-focused approach is where return on investment starts to show up. But because AI is so flexible, knowing where to start and what to measure isn't obvious.\n\nThink about it in three layers:\n\n* **Business goal:** The outcome that matters. Faster releases. Happier customers. Lower costs. This is the destination.  \n* **Drivers:** The levers that influence that goal. For faster releases, drivers might include development speed, quality, and team efficiency. These are the areas where change actually happens.  \n* **Indicators:** The measurable signals that show whether the drivers are moving, such as cycle time, defect rate, deployment frequency, and throughput.\n\nMany AI adoption initiatives skip straight to tool deployment, bypassing this chain completely. Teams pick a tool first instead of a driver. They measure usage when they should be measuring an indicator tied to a real driver.\n\nThe result: AI everywhere, outcomes nowhere.\n\n## Where do teams go wrong?\n\n**They optimize the wrong driver.** A team focuses on \"incident response time\" and invests in AI generated root cause analysis, but that analysis runs after the incident has closed, so it doesn’t improve incident response time. The driver they targeted wasn't tied to their goals.\n\n**They measure inputs, not indicators.** \"Our developers use AI 3 hours a day\" tells you nothing about whether cycle time dropped. Measure the thing that's actually connected to the outcome.\n\n**They don't isolate causality.** When teams make many changes at once, they can't tell which one moved the outcome. A drop in defect rate is fantastic, but was it caused by the AI testing tools, the new hire, or the refactored architecture? Without a clear hypothesis and baseline, you can't know what to double down on.\n\n**They deploy AI to individuals, not workflows.** AI unlocks individual productivity, but doesn't automatically unlock team throughput. If handoffs, approval gates, or deployment pipelines are the constraints, giving every developer an AI assistant doesn't change the system. Many systems are optimized for people, not agents.\n\n## How to fix it\n\nBefore your next AI investment, trace the chain backward:\n\n1. **Name the business goal explicitly.**  Instead of saying \"we want to improve engineering,\" try “we want to reduce time-to-production for new features by 30%.”  If you can't say it in a single sentence with a number attached, it's not a goal yet — it's a wish.  \n2. **Identify the top two or three drivers.** What actually controls that goal in your context? Talk to your team leads. Look at your data. Where is the time going? Where do defects originate? The bottleneck is usually obvious once you ask the right people.  \n3. **Define indicators before you deploy.** Decide what you'll measure to know if a driver is improving, then set the baseline before going live with the tool. Without a baseline, you'll never know if anything moved.  \n4. **Pick the AI application that targets a specific driver.** Don't choose tools based on popularity or a compelling demo. Choose the one that addresses the bottleneck.  \n5. **Review the indicators on a regular cadence.** Monthly at minimum. If the indicator isn't moving after a few weeks, pivot. The tool may not be hitting the driver, or the driver may not be the real lever. Either way, change course.\n\n## Imperfect metrics are better than no metrics at all\n\nSome drivers are genuinely hard to measure. Team efficiency, knowledge quality, and decision speed don't always produce clean metrics.\n\nStart with rough proxies like rework percentage, time in review, or number of escalations per sprint. A proxy that's imperfect but tracked is better than not having any metrics at all. You can iterate and improve on it as you learn more.\n\n## Final thought\n\nIf your AI investments aren't moving the needle, don't add more tools. Draw the chain. Find the gap. Then deploy with precision.\n\n**Goal → drivers → indicators.** That's the framework. Everything else is just noise.",[463,466,469,472,475],{"header":464,"content":465},"Why aren't AI usage metrics enough to prove ROI?","Usage rates, completed pilots, and positive team sentiment measure activity, not business outcomes. A developer using AI coding tools 4 hours a day isn't automatically shipping faster if the bottleneck is a slow code review. Activity alone doesn't move quality, efficiency, or cost.",{"header":467,"content":468},"What is the Goal, Drivers, Indicators framework for measuring AI?","It's a three-layer model for tying AI to business results. The business goal is the outcome that matters (faster releases, lower costs). Drivers are the levers that influence it (development speed, quality). Indicators are measurable signals like cycle time, defect rate, and deployment frequency.",{"header":470,"content":471},"What are the most common mistakes teams make when measuring AI impact?","Four recurring errors: optimizing the wrong driver, measuring inputs instead of indicators tied to outcomes, failing to isolate causality when multiple changes happen at once, and deploying AI to individuals rather than fixing workflow constraints like handoffs or approval gates.",{"header":473,"content":474},"How should you set a business goal before deploying an AI tool?","State it in a single sentence with a number attached. Replace vague aims like \"improve engineering\" with \"reduce time-to-production for new features by 30%.\" If you cannot quantify it, it is not a goal — it is a wish, and it will not produce measurable results.",{"header":476,"content":477},"What should you do if a driver is hard to measure?","Use rough proxies rather than skipping measurement. Team efficiency, knowledge quality, and decision speed rarely produce clean metrics, but signals like rework percentage, time in review, or escalations per sprint work as starting points. An imperfect tracked proxy beats no metric at all.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1779293790/eomltt4cosep3ofvmeaf.png",{},"/en-us/the-source/ai/connect-ai-tools-to-business-outcomes-a-3-layer-framework",{"config":482,"title":448,"description":455},{"noIndex":27},"connect-ai-tools-to-business-outcomes-a-3-layer-framework","en-us/the-source/ai/connect-ai-tools-to-business-outcomes-a-3-layer-framework","article","fXhmXSaHDG3fVQF55-C2YsucnNMef_Ko-VdTBUfsV_Y",{"id":488,"title":489,"body":6,"category":449,"config":490,"content":492,"description":494,"extension":21,"meta":517,"navigation":23,"path":518,"seo":519,"slug":521,"stem":522,"type":485,"__hash__":523,"date":493,"timeToRead":456,"keyTakeaways":495,"articleBody":499,"faq":500,"heroImage":516},"theSource/en-us/the-source/ai/the-ai-questions-nobody-asks-until-its-too-late.yml","The AI questions nobody asks until it's too late",{"layout":8,"template":451,"featured":27,"author":28,"sourceCTA":491,"isHighlighted":27,"authorName":5},"global-devsecops-report-2025",{"date":493,"title":489,"description":494,"timeToRead":456,"keyTakeaways":495,"articleBody":499,"faq":500,"heroImage":516},"2026-05-08","Late-stage governance is stalling successful AI pilots. Here's why engineering leaders should bring Legal, Compliance, and Security in from day one.",[496,497,498],"AI pilots that succeed often stall when governance enters the conversation late. Embedding governance during the discovery phase keeps momentum intact and prevents the costly restart that comes after a compliance issue or a surprise blocker at scale.","Late governance planning typically breaks down in three places. Data access surfaces PII in production logs. Ownership stalls when Compliance, Security, and Legal all weigh in without a clear DRI. Logging fails when regulators ask for an audit trail.","Treat governance as a design constraint from day one. Writing down what governance looks like for the initiative before the pilot starts speeds up approvals when it's time to scale and prevents teams from being blocked just as they're gaining traction.","It’s becoming an increasingly common scenario: The AI pilot was, by all accounts, a success. Engineers were energized by faster cycle times, higher throughput, and better code reviews. The team was ready to scale. Then governance showed up, and everything stopped.\n\nAnd once you slow down momentum on a transformation, it's expensive to start it back up.\n\nI've seen this story play out several times in companies of various sizes and across industries. In some organizations, adoption initiatives stop completely. In others, they stall at the pilot phase until governance is fully addressed. Across the board, these teams believed that they had done everything right:\n\n1. Identified impactful use cases\n2. Implemented successful change management strategies\n3. Ran iterative pilots that quickly built momentum\n4. Focused on measuring outcomes\n\nThe pilot worked. So why couldn’t they scale?\n\n## The blocker most teams miss\n\nIn 2025, the dominant headline was that [AI projects were failing](https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo/). Many failed due to data quality issues, unclear use cases, and lack of investment.\n\nIn 2026, the story is more nuanced. AI projects are succeeding and exceeding expectations. However, a new pattern has emerged: AI projects are _stalling_. Teams are doing everything right, and are realizing value and seeing measurable impact. But they become blocked when governance enters the conversation. When governance shows up late, it pauses or blocks adoption completely. Questions like these are often asked too late.\n\n- Who owns this if something breaks?\n- What data is the model touching, and is any of it regulated?\n- If a regulator demands an audit trail, can we produce one?\n\nThe organizations scaling AI fastest are those who start asking these questions first.\n\n## Three places the process breaks\n\nWorking with heavily regulated industries, I've observed three common failure modes from late governance planning:\n\n**Data access**: A team tests an AI tool against production logs or operational data. Later, they realize the dataset includes personally identifiable information (PII). The entire solution must then be re-architected.\n\n**Ownership**: A team is ready to scale their AI feature after a successful pilot. Then they realize Compliance needs sign-off, Security needs review, and Legal has concerns. No one knows who makes the final call. When there are multiple approvers, the direct owner can become unclear. Lack of ownership delays decisions and, ultimately, adoption.\n\n**Logging and auditability**: Someone asks, *\"Who used the AI? What data was involved? What changed?\"* If those answers aren't available, deployment pauses. Frameworks like the [EU AI Act](https://artificialintelligenceact.eu/the-act/) require this level of auditability.\n\n## The uncomfortable truth about governance friction\n\nGovernance creates friction by design. You don't want to move so fast that you open yourself up to compliance violations, damage your brand, or erode customer trust.\n\nGovernance ensures you proceed safely and minimize risk. Friction intensifies as you shift right. The cost of answering governance questions and putting mitigations in place early is far smaller than the cost of scaling adoption and running into a compliance violation later. That’s a crisis you could have avoided.\n\nOrganizations that save governance for later are betting that the questions won't be complicated, that answers will already exist, and that compliance teams will move fast under pressure. I wouldn’t make those bets.\n\nThe fastest-scaling organizations treat governance as a design constraint from day one. When governance is embedded early, teams respond without scrambling, pilots scale without surprise blockers, and approvals move faster because the groundwork existed before anyone needed it.\n\nWhen governance isn't embedded early, you get the sequence I keep watching: the technology is working, engineers are bought in, and momentum is real. And then everything comes to a full stop.\n\n## What \"shifting governance left\" actually looks like\n\nThis is a simple sequence change. It's about bringing in key players during the discovery phase of the AI transformation. These are the types of questions you should be asking before pilots launch, not after they succeed:\n\n- What data will the model touch, and does any of it carry regulatory risk?\n- Who owns accountability if something goes wrong, and how is that documented?\n- How will AI interactions be logged if a regulator asks?\n- What does compliance look like for this use case in this industry?\n\nThese questions will vary by industry based on risk profile. Financial services, healthcare, and the public sector each carry their own requirements. What's consistent is that the first step should always be to write down what governance looks like for the initiative before the pilot begins. Once the guardrails are transparent and in place, approvals accelerate and the team builds confidence that they won't be blocked just as they are gaining traction.\n\n## What engineering leaders should do now\n\nIf you’re currently leading an AI transformation, ask yourself one question:\n\nWhen did governance enter the conversation?\n\nIf you’ve started your pilot and your answer is \"we haven't addressed governance yet,\" that’s your signal. Engage Legal, Compliance, and Security in the discovery phase now to avoid costly delays and expedite approvals.\n\nIf you haven’t begun your pilot, good news! During my time at NIST (the National Institute of Standards and Technology), we documented non-functional requirements early on, including constraints and security requirements, from the start. That practice helped us avoid security and compliance surprises later in the software development process. The same lessons apply here.\n\nIf you're working with AI, especially in a highly regulated environment where risk matters, this shift is one of the most impactful moves you can make.\n\nBring [these questions](https://handbook.gitlab.com/handbook/customer-success/governance-question-bank/) into the first conversation. Make it part of project kickoff. The pilots that scale are the ones where governance was in the room from the start, where the questions had answers before anyone needed them. The lost momentum is expensive. The delays are avoidable.",[501,504,507,510,513],{"header":502,"content":503},"Why do successful AI pilots fail to scale?","Successful AI pilots often stall when governance enters the conversation late. Teams identify use cases, run iterative pilots, and measure outcomes effectively, but adoption gets blocked when questions about data access, ownership, and auditability arise after the pilot succeeds rather than before it begins.",{"header":505,"content":506},"What does \"shifting governance left\" mean in AI adoption?","Shifting governance left means embedding governance as a design constraint from day one, bringing Legal, Compliance, and Security into the discovery phase rather than after pilots launch. It involves documenting what governance looks like for the initiative before the pilot begins to accelerate approvals.",{"header":508,"content":509},"Where does late governance planning typically break down?","Late governance planning breaks down in three places: data access (AI tools tested against production logs containing PII), ownership (unclear directly responsible individual when Compliance, Security, and Legal all weigh in), and logging and auditability (inability to produce audit trails when regulators ask).",{"header":511,"content":512},"What governance questions should teams ask before launching an AI pilot?","Teams should ask: What data will the model touch, and does any carry regulatory risk? Who owns accountability if something goes wrong? How will AI interactions be logged for regulators? What does compliance look like for this use case in this industry?",{"header":514,"content":515},"Why does AI governance create friction by design?","Governance friction prevents compliance violations, brand damage, and erosion of customer trust. The cost of answering governance questions and implementing mitigations early is far smaller than the cost of scaling adoption and encountering a compliance violation later, which creates an avoidable crisis.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1778249052/ln8kocjozolm9hfhbcl0.png",{},"/en-us/the-source/ai/the-ai-questions-nobody-asks-until-its-too-late",{"config":520,"title":489,"description":494},{"noIndex":27},"the-ai-questions-nobody-asks-until-its-too-late","en-us/the-source/ai/the-ai-questions-nobody-asks-until-its-too-late","mK9XTnnOtNCSVa9kX_v4OFUNMtex-BVEz1Px35VEy64",1781392782787]