AI Adoption Risk: It's Not All Recoverable
- David Turner


The Structural Pressure to Adopt
Just about every senior leader has already decided to adopt AI. They all understand the risks of not doing so, and a large proportion of them understand the risks of doing so. The question some aren't asking is what happens when one of the risks becomes real, and whether they can recover from it.
The pressure to adopt is structural. If competitors automate and you do not, you carry higher costs and a narrowing margin. That logic holds. What does not hold is the assumption that all the associated risks are manageable and recoverable. They are not.
A slow erosion of margin because you automated later than a rival is painful and survivable. A data breach, a regulatory action, or a talent crisis caused by premature restructuring belongs to a different category. Some of these you do not come back from. Treating them as equivalent is a governance error.
That distinction should change what a board prioritises. Many organisations are running AI adoption as an urgent productivity initiative with compliance bolted on afterwards. That is the wrong structure when some of the AI-adoption risks in play are existential.
The AI-adoption Risks Operating in Parallel
The threat that has moved fastest is cyber. Large language models are trained on code repositories. They understand architecture, dependencies, and the points where code fails under pressure. That capability is available to anyone with a browser. Vulnerability discovery and exploitation have accelerated sharply, outpacing the security posture of most organisations. Phishing is now harder to detect because AI can replicate the register and tone of colleagues and executives with an accuracy that defeats standard checks.
Anyone running AI-assisted development knows it makes structural errors without oversight: API keys hardcoded and pushed, secrets exposed, inefficient and expensive architectures devised - the kind of mistakes a careful reviewer catches and a fast-moving team misses.
The fix is architectural. Build security into your software development lifecycle as an agent, not an audit stage. Provide explicit policy instructions within the context those agents work from. Have human experts review and approve before anything merges. A pull request that is entirely agentic is a liability waiting to be found.
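As an added illustration (not code from this article or from any particular product), here is a minimal pre-merge gate in Python that applies the two controls above: it scans only the lines a change adds for hardcoded credentials, and it refuses an agent-authored change that no human has approved. The patterns, function names and sample diff are assumptions constructed for the example; a production gate would use a maintained secret scanner.

```python
import re

# Illustrative patterns only (assumption): not a complete secret-detection ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
}

def scan_added_lines(diff_text):
    """Return (file, new_line_number, rule) for each secret-like added line."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                  # new-file header
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):                  # hunk header: @@ -a,b +c,d @@
            new_line = int(re.search(r"\+(\d+)", raw).group(1))
        elif raw.startswith("+"):                   # added line: inspect it
            for rule, rx in SECRET_PATTERNS.items():
                if rx.search(raw[1:]):
                    findings.append((path, new_line, rule))
            new_line += 1
        elif raw.startswith(" "):                   # context line: only advances count
            new_line += 1
    return findings

def merge_decision(diff_text, author_is_agent, human_approvers):
    """Return (allowed, reasons). Any reason blocks the merge."""
    reasons = [f"{p}:{n} matches {r}" for p, n, r in scan_added_lines(diff_text)]
    if author_is_agent and not human_approvers:
        reasons.append("agent-authored change has no human approval")
    return (not reasons, reasons)

# Constructed sample diff; the key value is a placeholder, not a real credential.
SAMPLE_DIFF = """\
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import os
+API_KEY = "CONSTRUCTED-EXAMPLE-VALUE-0000"
+DB_URL = os.environ["DB_URL"]
 DEBUG = False
 TIMEOUT = 30
"""

if __name__ == "__main__":
    print(merge_decision(SAMPLE_DIFF, author_is_agent=True, human_approvers=[]))
```
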
Data governance has the same character: invisible until it causes damage. In the rush to connect enterprise tools to AI, some organisations have given third-party models access to personal data, contracts, and sensitive communications without revisiting their own policies. GDPR liability does not transfer because a vendor processed the data. Your DPO and CISO should have reviewed access, updated policies, and put controls in place before rollout.
There is a category of risk most governance frameworks have not caught up with. Employees building AI into personal workflows, outside any company initiative, without disclosure. They are producing more output, faster. Some of it is good. Some contains errors they did not catch. All of it was processed by a tool the organisation did not select, which means company data, including code, strategy, patents, and personal information, left the building without authorisation. A clear policy on approved tools, actively communicated and regularly updated, is the answer. A blanket ban will be ignored. Pay attention to what some have coined 'secret cyborgs' - the employees who have overnight become better writers, more productive developers, exponentially improved second-language speakers. If you haven't given them an enterprise tool wrapped in your own policies, then you need to, as the AI use isn't going away.
The profitability risk
The economic risks operate on a longer timeline but carry the same potential for irreversible damage. If your model depends on billable hours for skilled work and AI compresses that work substantially, a competitor drops their price. Then you do. Then the sector does. Sophisticated clients and procurement teams will understand your workflow is agentic before you have worked out how to respond. You cannot fix prices with competitors. What you can do is identify the value that sits above the automated layer and build a proposition around it before the margin compression forces the question. Big consultancies, legal firms and just about anyone offering knowledge-based services where Agents have replaced humans are liable to be affected by this. In all likelihood they'll need to move to outcome-based, 'neck on the block' value, as day-rates and esoteric knowledge no longer hold the value they once did.

The operational risks
The talent risk is on the verge of catching many organisations out. Where headcount has been reduced with AI utilised to cover the output, a supply-chain risk exists. Given how unprofitable the big AI vendors are (give isaiprofitable.com a look for the sheer magnitude of losses), it's entirely reasonable that we should expect increased costs in tokens, subscriptions and tools, which could easily outstrip the cost efficiencies of a restructure.
Equally, the internet is full of stories about perceived degradation of quality from LLMs after an update or tweak (in fact I just cancelled my own Claude subscription after getting frustrated with its performance of late). When you have a team of people, you can influence performance, quality and output through various management and organisational techniques. If the team is now a group of agents fundamentally controlled by a vendor, you've lost that option.
When the people who understood the edge cases, the client history, the regulatory detail, are gone, and there's no obvious replacement pipeline because the entry-level roles that used to develop that expertise have been automated away, you're stuck with the vendor and its agents.
Treat AI as an eighty percent tool. It gets output to eighty percent complete. The remaining twenty requires human judgement, domain knowledge, and someone who can be held accountable. That is not a gap you can close with another model.
Furthermore, the reputational risk from mishandling the human consequences is not a soft consideration. Duolingo's announcement of AI-driven redundancies a while back cost them subscribers and public standing that has never really recovered. The mechanism is straightforward: people who conclude a company treated its staff as a cost to be eliminated change their behaviour as customers. How you reduce headcount, retrain people, and communicate your position on AI and employment will affect your brand in ways that are slow to repair. Plan for it before you are forced to react.
The sustainability risk of AI
Finally, and amongst the most existentially important, is the environmental cost. Data centres consume water and energy at a scale that most AI vendors do not disclose accurately. Estimates run by the University of California last year put this at 500ml per 100-word prompt. Now multiply that by the number of users globally.
An organisation with public sustainability commitments running high-volume, poorly targeted AI workloads has a consistency problem. Investors and journalists will notice. Audit where AI is genuinely adding value. Ask your AI suppliers the same questions on sustainability you would ask any other vendor. There's no point being a B-Corp or talking up your sustainability credentials if you're wasting millions of litres of water every year.
How This Changes Governance
The organisations that manage this well are not the ones moving fastest. They are the ones that identified early which risks sit in the recoverable category and which do not, and structured their governance around that distinction before something forced the question.
David Turner is the founder of Kói, an independent strategic consultancy advising investors, founders, and boards on technology.
© Kói Holdings Ltd 2026. All Rights Reserved.


