Why the most consequential work still runs by hand.

Adoption is no longer the story. By the 2024 count, most large organisations had put generative AI to work somewhere: drafting, summarising, answering. The story now is where it isn’t: the desk where an action carries legal or financial weight. The right-party check on a collections call. The hardship response on a delinquent account. The wording of a default notice. That work still moves at the speed of a person, because the cost of getting it wrong is not a typo. It is a regulator.

Use is high. Value is not.

McKinsey’s 2024 state-of-AI survey found 65% of organisations regularly using generative AI, yet only about 5% attributed more than a tenth of their EBIT to it, and inaccuracy was the harm respondents most often said they had already hit. The tools spread fast and the returns did not follow. The pattern is consistent: AI lands easily where a mistake is cheap, and stalls where it is not.

That picture has a darker companion. MIT’s NANDA initiative reported in 2025 that around 95% of enterprise generative-AI pilots delivered no measurable return, a figure worth treating as directional rather than precise but one that rhymes with what every operations leader already feels. The demos work. The deployments don’t.

The compliance ceiling

Watch where the pilots die. Gartner expects at least 30% of generative-AI projects to be abandoned after proof-of-concept by the end of 2025, and forecasts that more than 40% of agentic-AI projects will be cancelled by the end of 2027, citing costs, unclear value and inadequate risk controls. In regulated operations, that last clause is the whole story. A proof-of-concept can show a model drafting a perfect hardship letter. It cannot, by itself, show that the letter was permitted to be sent: to this borrower, on this account, under today’s rule, with consent on file.

So the project hits a wall the slide deck never mentioned. The model can act; nobody can prove the action was allowed before it happened. And in work governed by law, an explanation produced afterward is not the same thing as permission produced beforehand. The compliance team is right to say no.

Prove the action, then take it

The way through the ceiling is not a better model. It is a different order of operations. Move the check in front of the action: test every proposed step against law, policy, consent and context before it can fire, and let nothing through that doesn’t clear. What passes carries its reasoning with it; what fails never happens.

That is the discipline KrimOS is built on: validated before it acts. It is also why automation finally reaches the consequential desk: not because the work got less risky, but because the risk is now resolved up front, on the record, where a regulator can read it. The gap between where AI is and where it matters closes the moment proof comes first.