Category: Technology

  • The Three-Tool Threshold: BCG Research Reveals Where AI Productivity Gains Turn Into Cognitive Overload

    For months, the evidence that AI tools are intensifying work rather than simplifying it has been accumulating. maddaisy has tracked this story from the UC Berkeley research showing employees absorbing more tasks under AI, through the organisational failures that leave workers unsupported, to the implementation problems that bake burnout into the system from day one. What was missing was a specific threshold — a number that tells enterprises where the gains end and the damage begins.

    Boston Consulting Group has now supplied one. In a study published in Harvard Business Review this month, researchers surveyed 1,488 full-time US workers and found a clean break point: employees using three or fewer AI tools reported genuine productivity gains. Those using four or more reported the opposite — declining productivity, increased mental fatigue, and higher error rates. BCG calls the phenomenon “AI brain fry.”

    The finding is not just academic. Among workers reporting brain fry, 34% expressed active intention to leave their employer, compared with 25% of those who did not. For a workforce already under pressure from rapid technology deployment, that nine-percentage-point gap represents a tangible retention risk.

    The cognitive cost no one budgeted for

    The BCG research puts numbers to something the UC Berkeley study identified in qualitative terms earlier this year. When AI tools require high levels of oversight — reading, interpreting, and verifying LLM-generated content rather than simply delegating administrative tasks — workers expend 14% more mental effort. They experience 12% greater mental fatigue and 19% more information overload.

    Many respondents described a “fog” or “buzzing” sensation that forced them to step away from their screens. Others reported an increase in small mistakes — exactly the kind of errors that compound in professional services, financial analysis, and other high-stakes environments.

    “People were using the tool and getting a lot more done, but also feeling like they were reaching the limits of their brain power,” Julie Bedard, the study’s lead author and a managing director at BCG, told Fortune. “Things were moving too fast, and they didn’t have the cognitive ability to process all the information and make all the decisions.”

    This aligns with what maddaisy has previously described as the task expansion pattern: when AI makes certain tasks faster, employees do not use the freed-up time for strategic thinking. They absorb more work. The BCG data now suggests the breaking point arrives sooner than most organisations assume — at the fourth tool, not the tenth.

    The macro picture is equally sobering

    The three-tool threshold sits against a broader backdrop of underwhelming AI productivity data at scale. A Goldman Sachs analysis published this month found “no meaningful relationship between productivity and AI adoption at the economy-wide level,” with measurable gains confined to just two domains: customer service and software development.

    Separately, a survey of 6,000 C-suite executives found that 90% saw no evidence of AI impacting productivity or employment in their workplaces over the past three years. Their median forecast: a 1.4% productivity increase over the next three. That is hardly the transformation narrative that justified billions in enterprise AI spending.

    These findings do not mean AI is useless. The Federal Reserve Bank of St. Louis estimated a 33% hourly productivity boost for workers during the specific hours they use generative AI. The problem is that this micro-level gain does not scale linearly. Adding more tools, more prompts, and more AI-generated outputs does not multiply the benefit — it multiplies the cognitive overhead.

    What the threshold means for enterprises

    The practical implications are straightforward, even if they run against the instincts of most technology procurement processes.

    First, fewer tools, better deployed. The BCG data suggests that organisations would get better results from consolidating around two or three well-integrated AI tools than from giving every team access to every available platform. This runs counter to the current market dynamic, where vendors push specialised AI tools for every function — writing, coding, data analysis, scheduling, customer interaction — and enterprises buy them all to avoid falling behind.

    Second, oversight design matters as much as tool selection. The highest cognitive costs were associated with tasks requiring workers to interpret and verify AI output, not with AI performing autonomous background work. Enterprises that can shift more AI usage toward the latter — automated workflows, pre-verified data processing, agent-completed administrative tasks — will impose less cognitive strain on their people.

    Third, training needs to include when not to use AI. As maddaisy has previously noted, most organisations treat AI capability-building as a deployment event rather than a sustained practice. The BCG researchers found that when managers provided ongoing training and support, brain-fry symptoms decreased. The Berkeley team suggested batching AI-intensive work into specific time blocks rather than leaving it on all day — a scheduling discipline that few organisations currently enforce.

    The next chapter in a familiar story

    The AI-productivity narrative is following a pattern that technology historians will recognise. Early adopters see real gains. Organisations rush to scale. The gains plateau or reverse as implementation complexity outpaces human capacity to manage it. Eventually, a more measured approach emerges — not abandoning the technology, but deploying it with greater discipline.

    The BCG three-tool threshold may turn out to be an early data point rather than a universal law. But it offers something that has been missing from the AI-adoption conversation: a concrete starting point for right-sizing the technology stack to what human cognition can actually sustain.

    For consultants advising on AI transformation, that is a message worth delivering — even when it runs counter to the vendor pitch deck.

  • Digital Experiences Now Have Two Audiences. Most Enterprises Are Only Designing for One.

    For as long as digital products have existed, experience design has asked a single question: what does the user want? The user browses, clicks, hesitates, backtracks, and eventually converts — or does not. Every interface decision, from navigation hierarchy to button placement, has been optimised around that human journey.

    In 2026, a second audience has arrived. AI agents now browse websites, interpret content, summarise product pages, compare services, and make purchasing recommendations — often before a human ever sees the interface. Search engines have done this quietly for years. But the new generation of autonomous agents does it actively, making decisions and taking actions on behalf of the people they serve.

    The implication for enterprises is straightforward and largely unaddressed: digital experiences must now be designed for two interpreters simultaneously, and they do not read the same way.

    The dual-interpreter problem

    Humans and machines process digital experiences through fundamentally different lenses. A human visitor might scan a page loosely, drawn by visual hierarchy, tone of voice, and emotional cues. They browse without clarity, explore without urgency, and change their minds mid-session. That inconsistency is not a flaw — it is how people navigate complex decisions.

    Machines, by contrast, prefer structure. They infer meaning from hierarchy, repetition, semantic markup, and patterns. They classify, compress, and summarise. When an AI agent visits a product page, it does not feel reassured by a warm brand photograph. It parses structured data, identifies key claims, and decides — in milliseconds — what that page is about, what matters, and what to report back to the user who sent it.

    As Composite Global noted in a recent analysis, experience design has shifted from being about flow to being about interpretation. The question is no longer just “how will a person navigate this?” but “how will an agent read this — and will it get the right answer?”

    Where the gap shows up

    The consequences of ignoring machine intent are already visible. When AI agents summarise a company’s offerings inaccurately, the problem is rarely that the agent is broken. More often, the page was never designed to be machine-readable in any meaningful way. The content was written for humans — rich in nuance, light on structure — and the agent did its best with what it found.

    Research from TBlocks found that 71 per cent of users now expect digital experiences to adapt to their intent, while 76 per cent notice and feel frustrated when that adaptation fails. Those expectations increasingly extend to agent-mediated experiences. If a user asks an AI assistant to compare three consulting firms’ service offerings, and the agent returns a garbled summary because one firm’s website relies on unstructured prose and JavaScript-rendered content, the brand loses — not the agent.

    The practical failures tend to cluster around a few recurring problems: content hierarchies that make sense visually but not semantically; messaging that requires context an agent cannot infer; calls to action that depend on emotional persuasion rather than clear structure; and pages that load dynamically in ways that agents cannot reliably parse.

    This is not SEO by another name

    It would be tempting to treat this as an extension of search engine optimisation. After all, making content machine-readable has been a concern since the early days of Google. But the agent-readability challenge goes further than search ranking.

    Search engines index pages and rank them. AI agents interpret pages and act on them. An agent does not return a list of blue links — it makes a recommendation, completes a task, or rules out an option entirely. The stakes are different. A page that ranks poorly in search results is still findable. A page that an AI agent misinterprets may never surface at all, or worse, may surface with the wrong message attached.

    This distinction matters for how enterprises invest. SEO focuses on keywords, metadata, and backlinks. Agent-readability requires structured data, semantic clarity, explicit labelling, and content architectures that hold meaning when stripped of their visual presentation. The overlap exists, but the disciplines are not the same.

    What maddaisy’s coverage has been pointing toward

    Readers of maddaisy’s recent coverage will recognise the broader pattern here. When this publication examined the governance challenges of AI agents, the focus was on how enterprises monitor and control autonomous systems. When it covered OpenAI’s Frontier Alliance, the story was about agents disrupting enterprise software by sitting above it. And when it explored vibe coding’s enterprise arrival, the thread was about how AI is reshaping how software gets built.

    The digital experience question is downstream of all three. If agents are going to interact with enterprise digital products — browsing service pages, interpreting pricing structures, summarising capabilities for prospective clients — then those products need to be designed with agents in mind. Not instead of humans. Alongside them.

    Designing for clarity across interpreters

    The emerging discipline — sometimes called “dual-intent design” — requires thinking in layers. Composite Global’s framework identifies three dimensions of intent that designers must now map simultaneously: explicit intent (what a user directly communicates), behavioural intent (what systems infer from interaction patterns), and emotional context (the confidence, uncertainty, or curiosity a human brings to the interaction).

    The first two are measurable. The third is where human judgment lives — and where machines consistently fall short. Strong experience design ensures that machine interpretation reinforces human meaning rather than distorting it. In practice, that means clear content hierarchies so agents classify correctly, structured data so machines parse quickly, explicit labelling so summaries remain accurate, and focused messaging so automated recommendations do not flatten a brand’s positioning.

    CoreMedia’s analysis of 2026 customer experience trends puts it bluntly: AI has become “a powerful new intermediary stepping between brand and customer.” The brands that treat that intermediary as an afterthought will find their message distorted in transit.

    The practical question for enterprises

    For most organisations, the immediate question is not whether to redesign everything. It is whether their existing digital properties communicate clearly to both audiences. A simple audit reveals the answer quickly: take a key product or service page, strip away the visual design, and read only the structured content. Does it still make sense? Would an agent, parsing that structure, draw the right conclusions?

    If the answer is no — and for most enterprise websites built in the pre-agent era, it will be — the remediation is less about redesign than about augmentation: adding structured data, clarifying semantic hierarchy, making content modular rather than monolithic, and ensuring that key claims do not depend on visual context for meaning.

    None of this requires abandoning human-centred design. The point is not to optimise for machines at the expense of people. It is to build clarity that holds up under both interpretations — a standard that, arguably, should have been the goal all along.

    The enterprises that get this right will not just rank well or convert well. They will be accurately represented by the AI systems that increasingly mediate how their customers discover, evaluate, and choose them. In a market where agents are becoming the first point of contact, being misunderstood by a machine may prove more costly than being overlooked by a human.

  • Nearly Every Enterprise Wants AI. Two-Thirds Cannot Scale It Past a Pilot.

    The Appetite Is Not the Problem

    Nearly every large organisation wants AI. The technology works. The budgets are approved. The pilots are running. And yet, when it comes to deploying AI at scale – moving from a successful proof of concept to a production capability that changes how the business operates – two-thirds of enterprises are stuck.

    That is the central finding of Logicalis’s 2026 CIO Report, which surveyed more than 1,000 chief information officers globally. The numbers paint a stark picture of an industry that has solved the belief problem but not the execution one: 94% of CIOs report growing organisational appetite for AI. Over a third have accelerated AI initiatives based on early proof-of-concept results. But two-thirds say they cannot scale AI beyond those initial deployments.

    The gap between wanting AI and running AI at enterprise scale has become the defining challenge of 2026. And the constraints holding organisations back are not the ones most boardrooms are discussing.

    Skills, Not Budgets, Are the Bottleneck

    The most striking finding in the Logicalis data is what CIOs identify as their primary constraint. It is not funding. It is not technology. It is skills.

    A lack of internal technical capability is holding back AI ambitions in nearly nine out of ten organisations. This is not a shortage of data scientists or machine learning engineers in the abstract – it is a shortage of people who understand how to integrate AI into existing business processes, manage its outputs, and govern its behaviour in production environments.

    The skills gap becomes more consequential as AI moves from experimentation to operation. A pilot needs a small team of enthusiasts and a sandbox. A production deployment needs data engineers, integration specialists, change managers, and – critically – people who understand both the technology and the business domain well enough to know when the AI is wrong.

    This connects directly to what Harvard Business Review reported in February: 88% of companies now report regular AI use, yet adoption is stalling because employees experiment with tools without integrating them into how work actually gets done. The tools are present. The capability to use them well is not.

    Governance Is Being Compromised, Not Solved

    If the skills gap explains why organisations cannot scale, the governance gap explains why scaling carries risk. The Logicalis report found that 62% of CIOs have compromised on AI governance due to limited knowledge, and only 44% say they fully grasp the risks of AI adoption. Meanwhile, 76% describe unchecked AI as a serious concern.

    This is not a theoretical problem. As maddaisy.com has reported extensively, the governance question follows AI into every new domain – from agentic systems that drift in production to vibe coding tools that generate enterprise software without conventional oversight. Organisations are deploying AI faster than they can build the frameworks to manage it, and most acknowledge this openly. An overwhelming 89% of CIOs in the Logicalis survey describe their current approach as “learning as we go.”

    That phrase deserves attention. It means that the majority of enterprise AI programmes are operating without mature risk management, without clear accountability structures, and without the monitoring infrastructure needed to catch problems before they compound. For regulated industries – financial services, healthcare, defence – this is not a growing pain. It is an exposure.

    The Pattern maddaisy.com Has Been Tracking

    The Logicalis data does not exist in isolation. It quantifies a pattern that has been building across multiple data points this year.

    In February, maddaisy.com reported on PwC’s Global CEO Survey, which found that 56% of chief executives could not point to measurable revenue gains from their AI investments. The diagnosis then was a measurement problem as much as a technology one – organisations deploying AI without redesigning workflows or building the instrumentation to track outcomes.

    Earlier this month, Capgemini’s CEO Aiman Ezzat made the case for pacing AI investment, arguing that companies are deploying capabilities ahead of their organisation’s ability to absorb them. EY research cited in that analysis showed organisations failing to capture up to 40% of potential AI benefits – not because the technology underperformed, but because the surrounding processes, skills, and culture were not ready.

    And in maddaisy.com’s analysis of the consulting pyramid, Eden McCallum research revealed that 95% of AI pilots have failed to deliver returns – a figure that aligns precisely with the Logicalis finding that two-thirds of organisations cannot move past the pilot stage.

    These are not isolated reports reaching coincidentally similar conclusions. They are different measurements of the same underlying problem: the bottleneck in enterprise AI has moved from technology capability to organisational readiness.

    The Managed Services Pivot

    One of the more telling details in the Logicalis report is that 94% of CIOs plan to lean on managed service providers over the next two to three years to help navigate AI governance, scaling, and sustainability. This is a quiet but significant shift in how enterprises relate to their technology infrastructure.

    It suggests that many CIOs have concluded they cannot build the required skills and governance frameworks internally – at least not at the pace the technology demands. Rather than owning and operating AI capabilities directly, they are moving toward orchestrating a network of external providers. The CIO role, in this model, becomes less about technology ownership and more about vendor management, risk oversight, and strategic coordination.

    For consulting and technology services firms, this creates a substantial market opportunity. But it also raises a question that the industry has not yet answered convincingly: if the clients cannot scale AI internally because they lack the skills and governance frameworks, and they outsource to service providers who are themselves still working out how to embed AI into their own operations, where does the actual expertise reside?

    What Practitioners Should Watch

    The adoption gap is unlikely to close quickly. Skills take time to develop. Governance frameworks take time to mature. Organisational change – the kind that turns a pilot into a production capability – is measured in quarters and years, not weeks.

    Three things are worth tracking. First, whether the 89% “learning as we go” figure starts to decline in subsequent surveys – that will be the clearest signal that enterprises are moving from experimentation to operational maturity. Second, whether the managed services pivot produces measurable outcomes or simply moves the scaling problem from one organisation to another. And third, whether the 67% of CIOs who expressed concern about an “AI bubble” translate that concern into more disciplined investment, or whether competitive pressure continues to override caution.

    The technology has arrived. The appetite is not in question. What remains unresolved is whether organisations can build the human and structural foundations fast enough to use what they have already bought.

  • Vibe Coding Enters the Enterprise. The Governance Question Follows It In.

    When Andrej Karpathy coined the term “vibe coding” in early 2025, he was describing something informal — a developer giving in to the flow of conversation with an AI assistant, accepting whatever code it generated, and iterating by feel rather than by specification. It was a shorthand for a new way of working that felt more like directing than engineering.

    Fourteen months later, the term has migrated from developer Twitter into enterprise press releases. Pegasystems announced this week that its Blueprint platform now offers an “end-to-end vibe coding experience” for designing mission-critical workflow applications. Salesforce has embedded similar capabilities into Agentforce. Gartner, in a May 2025 report titled Why Vibe Coding Needs to Be Taken Seriously, predicted that 40 per cent of new enterprise production software will be created using vibe coding techniques by 2028. What started as a solo developer’s guilty pleasure is being repackaged as an enterprise strategy.

    The question is whether the repackaging addresses the risks, or merely relabels them.

    From Slang to Sales Pitch

    The appeal of vibe coding in an enterprise context is straightforward. Natural language replaces formal specification. Business users can describe what they want in conversational terms — a workflow, an approval chain, a customer-facing process — and an AI assistant translates that intent into a working application. Development cycles that previously took months collapse into days or hours. Stakeholder alignment happens at the prototype stage rather than after months of requirements gathering.

    Pega’s implementation illustrates the model. Users converse with an AI assistant using text or speech to design applications, refine workflows, define data models, and build interfaces. They can switch between conversational input and traditional drag-and-drop modelling at any point. Completed designs deploy directly into Pega’s platform as live, governed workflows. The company’s chief product officer, Kerim Akgonul, framed it as “the excitement and speed of vibe coding” combined with “enterprise-grade governance, security, and predictability.”

    That framing is telling. Enterprise vendors are not adopting vibe coding wholesale — they are domesticating it. The original concept involved a developer accepting AI-generated code on trust, with minimal review. The enterprise version keeps the conversational interface but routes the output through structured frameworks, predefined best practices, and platform-level guardrails. Whether that still qualifies as vibe coding or is simply a new marketing label for low-code development with an AI front end is an open question.

    The Numbers Behind the Hype

    Gartner’s 40 per cent prediction is eye-catching, but it deserves scrutiny. The firm also projects that 90 per cent of enterprise software engineers will use AI coding assistants by 2028, up from under 14 per cent in early 2024. These are not niche forecasts — they describe a wholesale transformation of how software gets built.

    The market signals support the direction. Y Combinator reported that a quarter of its Winter 2025 startup cohort had codebases that were 95 per cent AI-generated. AI-native SaaS companies are achieving 100 per cent year-on-year growth rates compared with 23 per cent for traditional SaaS. Pega’s own Q4 2025 results showed 17 per cent annual contract value growth and a 33 per cent surge in cloud revenue, with management attributing much of the acceleration to Blueprint adoption.

    But there is a less comfortable set of numbers. A Veracode report from 2025 found that nearly 45 per cent of AI-generated code introduced at least one security vulnerability. Linus Torvalds, creator of Linux, publicly cautioned that vibe coding “may be a horrible idea from a maintenance standpoint” for production systems requiring long-term support. And Gartner’s own research acknowledges that only six per cent of organisations implementing AI become “high performers” achieving significant financial returns.

    The Shadow Already Has a Name

    For regular readers of maddaisy, these risks will sound familiar. When we examined shadow AI in February, the data showed 37 per cent of employees had already used AI tools without organisational permission — including coding assistants plugged into development environments without security review. Vibe coding, in its original ungoverned form, is essentially shadow AI with a better name.

    The enterprise vendors’ pitch — governed vibe coding, with guardrails — is a direct response to this problem. Rather than fighting the tide of developers and business users reaching for AI-assisted tools, platforms like Pega and Salesforce are channelling that energy through controlled environments. It is the same pattern that played out with cloud computing a decade ago: shadow IT became sanctioned cloud adoption once the governance frameworks caught up.

    The difference this time is speed. Cloud adoption played out over years. Vibe coding is moving in months. And as maddaisy’s coverage of agentic AI drift highlighted, AI-generated systems do not fail suddenly — they degrade gradually, in ways that are harder to detect than traditional software failures. An application built through conversational prompts, where the development team may not fully understand the underlying logic, amplifies that risk considerably.

    The Governance Gap Is the Real Story

    The enterprise vibe coding pitch rests on a critical assumption: that platform-level guardrails can substitute for developer-level understanding. In regulated industries — financial services, healthcare, government — this assumption will be tested quickly and publicly.

    The immediate challenge is not whether vibe coding works in a demo. It clearly does. The challenge is what happens six months into production, when the original conversational prompts have been refined dozens of times, the underlying models have been updated, and the people who designed the workflows have moved on. That is the maintenance problem Torvalds flagged, and it maps directly onto the agentic drift pattern: small, individually reasonable changes accumulating into a system whose behaviour no longer matches its original intent.

    Consultants and technology leaders evaluating vibe coding platforms should be asking three questions. First, can you audit the reasoning chain — not just the output, but why the system built what it built? Second, what happens when the AI model underneath is updated — does the application need to be revalidated? Third, who owns the maintenance burden when the person who “vibe coded” the application is no longer available?

    What to Watch

    Enterprise vibe coding is not a fad. The productivity gains are real, the vendor investment is substantial, and the Gartner forecasts — even if directionally approximate — point to a genuine shift in how software gets built. PegaWorld 2026, scheduled for June in Las Vegas, will likely showcase dozens of enterprise vibe coding implementations.

    But the narrative developing around it echoes the early days of every enterprise technology wave: speed first, governance second. The organisations that get this right will be those that treat vibe coding as a development interface, not a development shortcut — using the conversational speed to accelerate design while maintaining the engineering discipline to ensure what gets built can be understood, audited, and maintained over time.

    The vibes are entering the enterprise. The question is whether the rigour follows them in.

  • AI Inference Is the Enterprise Security Risk Most Organisations Are Not Addressing

    Most enterprise AI security conversations still focus on training — how models are built, what data goes in, how to prevent poisoning. But the greater operational exposure sits elsewhere: in inference, the moment a trained model processes a live query and produces an output. That is where proprietary logic, sensitive prompts, and business strategy become visible to anyone watching the traffic.

    A recent panel hosted by The Quantum Insider, featuring leaders from BMO, CGI, and 01Quantum, put the point bluntly: inference is AI working, and AI working is where risk accumulates. Nearly half of the audience polled during the session admitted they lack confidence that their AI systems meet anticipated 2026 security standards. That number is consistent with broader industry data: a Cloud Security Alliance survey found that only 27 per cent of organisations feel confident they can secure AI used in core business operations.

    This is not an abstract concern. It is the practical, operational end of the governance conversation maddaisy has been tracking for weeks.

    Why inference, not training, is the exposure point

    Training happens once (or periodically). Inference happens continuously — every API call, every chatbot interaction, every agentic workflow execution. As Tyson Macaulay of 01Quantum explained during the panel, inference models often contain the distilled intellectual property of an organisation. In expert systems, the model itself reflects proprietary training data, domain knowledge, and internal logic. Reverse engineering an inference endpoint can reveal insights about what the organisation knows and how it thinks.

    But the exposure runs in both directions. Prompts themselves reveal information — about individuals, strategy, and operational priorities. A medical query reveals personal health data. A corporate query may signal product development direction. The question, in other words, can be as sensitive as the model.

    When maddaisy examined CIOs’ non-AI priorities in February, cybersecurity topped the list — precisely because AI adoption was expanding the attack surface. Dmitry Nazarevich, CTO at Innowise, described security spending increases as “directly related to the increase in exposure and risk to data associated with the increased attack surface resulting from the introduction of generative AI.” Inference security is where that expanding surface is most exposed — and most neglected.

    The shadow AI dimension

    The problem is compounded by what organisations cannot see. Research suggests that roughly 70 per cent of organisations have shadow AI in use — employees running unauthorised tools outside IT oversight. Every unsanctioned ChatGPT or Claude query involving company data is an unmonitored inference event, pushing proprietary information through systems the organisation does not control.

    JetStream Security, a startup founded by veterans of CrowdStrike and SentinelOne, raised $34 million in seed funding last week to address precisely this gap. The company’s product, AI Blueprints, maps AI activity in real time — which agents are running, which models they use, what data they access. The premise is straightforward: you cannot secure what you cannot see.

    When maddaisy covered shadow AI in February, the focus was on governance and policy. Inference security adds a harder technical dimension. It is not enough to write policies about acceptable AI use if the organisation has no visibility into what models are being queried, by whom, and with what data.

    Real-world vulnerabilities are already surfacing

    The risks are not hypothetical. In February, LayerX Security published a report describing a critical vulnerability in Anthropic’s Claude Desktop Extensions — a malicious calendar invite could silently execute arbitrary code with full system privileges. The issue stemmed from an architectural choice: extensions ran unsandboxed with direct file system access, enabling tools to chain actions autonomously without user consent.

    The debate that followed was instructive. Anthropic argued the onus was on users to configure permissions properly. Security researchers countered that competitors like OpenAI and Microsoft restricted similar capabilities through sandboxing and permission gates. The real lesson for enterprises is that inference-layer vulnerabilities are architectural, not incidental — and they require controls before deployment, not after.

    As Rock Lambros of RockCyber put it: “Every enterprise deploying agents right now needs to answer — did we restrict tool chaining privileges before activation, or did we hand the intern the master key and go to lunch?”

    The governance gap has a security-shaped hole

    Maddaisy has covered the emerging agentic AI governance playbook extensively — the frameworks from regulators, the principles converging around least-privilege access and real-time monitoring. But frameworks are policy instruments. Inference security is the engineering layer that makes those policies enforceable.

    The numbers illustrate the disconnect. According to the latest governance statistics compiled from major 2025-26 surveys, 75 per cent of organisations report having a dedicated AI governance process — but only 26 per cent have comprehensive AI security policies. Fewer than one in 10 UK enterprises integrate AI risk reviews directly into development pipelines. Governance without security controls is aspiration without implementation.

    The financial services sector offers a partial model. Kristin Milchanowski, Chief AI and Data Officer at BMO, described her bank’s approach during the Quantum Insider panel: bringing large language models in-house where possible, ensuring that additional training on proprietary data remains contained, and treating responsible AI as a board-level cultural priority rather than a compliance exercise. But BMO operates under some of the strictest regulatory regimes globally. Most enterprises do not face equivalent pressure — yet.

    What practitioners should be doing now

    The practical agenda emerging from this convergence of research is specific and actionable:

    Audit inference endpoints. Map every production AI system, including shadow deployments. The JetStream model — real-time visibility into which models are running, what data they touch, and who is responsible — is becoming table stakes.

    Apply least-privilege to AI agents. The agentic governance frameworks maddaisy covered last week prescribe this. At the inference layer, it means restricting tool chaining, sandboxing execution environments, and requiring explicit permission gates for cross-system actions.

    Build cryptographic agility into procurement. The Quantum Insider panel raised a forward-looking point: “harvest now, decrypt later” attacks — where encrypted inference traffic is collected today for decryption once quantum computing matures — are overtaking model drift as the top digital trust concern among infrastructure leaders. Embedding post-quantum cryptography expectations into vendor contracts now is practical and low-cost.

    Treat inference security as infrastructure. Not as a feature, not as an add-on. As the panel concluded: critical infrastructure must be secured before it is tested by failure.
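
    An added example (not from the article or from any vendor's product) of the least-privilege controls listed above: a deny-by-default gate that every agent tool call passes through, limiting tool chaining and requiring explicit approval before third-party content or a cross-system chain reaches a privileged tool. The tool names, the agent name and the chain limit are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tool:
    system: str             # the system this tool touches
    privileged: bool        # executes code, writes data or sends data out
    untrusted_output: bool  # returns content authored by third parties


# Hypothetical tool registry (constructed for this example).
TOOLS = {
    "calendar.read": Tool("calendar", privileged=False, untrusted_output=True),
    "docs.search":   Tool("docs",     privileged=False, untrusted_output=False),
    "mail.send":     Tool("mail",     privileged=True,  untrusted_output=False),
    "shell.exec":    Tool("host",     privileged=True,  untrusted_output=False),
}

# Per-agent allowlist: anything not listed is denied.
ALLOWLIST = {
    "scheduler-agent": {"calendar.read", "docs.search", "mail.send"},
}

# Maximum autonomous calls between human checkpoints (assumed value).
MAX_CHAIN = 3


@dataclass
class Session:
    agent: str
    chain: list = field(default_factory=list)  # calls since last approval
    tainted: bool = False                      # third-party content in context
    audit: list = field(default_factory=list)  # every decision, allow or deny


def authorize(session, name, user_approved=False):
    """Decide one tool call. Returns (allowed, reason) and records it."""
    tool = TOOLS.get(name)
    if tool is None or name not in ALLOWLIST.get(session.agent, set()):
        # Approval cannot widen the allowlist; that is a policy change.
        verdict = (False, "not_allowlisted")
    elif user_approved:
        # Explicit permission gate: a human approved this specific call,
        # which also resets the autonomous chain counter.
        session.chain.clear()
        verdict = (True, "user_approved")
    elif len(session.chain) >= MAX_CHAIN:
        verdict = (False, "chain_limit")
    elif tool.privileged and session.tainted:
        # Third-party content (e.g. an invite body) must not drive a
        # privileged action without consent.
        verdict = (False, "untrusted_input")
    elif tool.privileged and any(
        TOOLS[t].system != tool.system for t in session.chain
    ):
        verdict = (False, "cross_system")
    else:
        verdict = (True, "ok")

    if verdict[0]:
        session.chain.append(name)
        session.tainted = session.tainted or tool.untrusted_output
    session.audit.append((session.agent, name) + verdict)
    return verdict


if __name__ == "__main__":
    s = Session("scheduler-agent")
    for call in ("calendar.read", "shell.exec", "mail.send"):
        print(call, authorize(s, call))
    print("mail.send (approved)", authorize(s, "mail.send", user_approved=True))
```

    The audit list records denials as well as approvals, which gives the monitoring side a record of what an agent attempted, not only what it was allowed to do.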

    The operational layer matters most

    The governance conversation has matured rapidly. Frameworks exist. Principles are converging. Regulation is arriving. But between the policy layer and the production environment sits inference — the operational layer where AI actually works, where data flows through models, where prompts reveal strategy, and where the absence of controls creates the exposure that governance documents are supposed to prevent.

    Gartner projects spending on AI governance platforms will reach $492 million this year and surpass $1 billion by 2030. That money will be wasted if it funds policies without the engineering to enforce them. The organisations pulling ahead will be those that treat inference security not as a technical detail for the security team, but as the operational foundation on which their entire AI strategy depends.

  • Insurtech’s AI-Fuelled Five Billion Dollar Comeback — And the Question the Industry Has Not Answered

    Global insurtech funding reached $5.08 billion in 2025, up 19.5% from $4.25 billion the year before. It is the first annual increase since 2021 — and, according to Gallagher Re’s latest quarterly report, it marks a fundamentally different kind of recovery from the one the sector last enjoyed.

    The 2021 boom was driven by venture capital chasing consumer-facing disruptors. The 2025 comeback is driven by insurers and reinsurers themselves investing in operational AI. That distinction matters far more than the headline number.

    The money is coming from inside the house

    In 2025, insurers and reinsurers made 162 private technology investments into insurtechs — more than in any prior year on record. This is not outside capital speculating on disruption. It is the industry itself funding its own modernisation, a shift Gallagher Re describes as a “changing of the guard” in the insurtech investor community.

    The fourth quarter was particularly striking. Funding hit $1.68 billion — a 66.8% increase over Q3 and the strongest quarterly figure since mid-2022. More than 100 insurtechs raised capital for the first time since early 2024, and mega-rounds (deals exceeding $100 million) returned in force, with 11 such rounds totalling $1.43 billion for the full year, up from six in 2024.

    Property and casualty insurtech funding rebounded 34.9% to $3.49 billion, driven by companies like CyberCube, ICEYE, Creditas, Federato, and Nirvana, which collectively secured $663 million in Q4 alone. Life and health insurtech, by contrast, declined slightly — a 4.6% dip that underlines where the industry sees its most pressing operational gaps.

    Two-thirds of the money follows AI

    The most telling statistic in the report is this: two-thirds of all insurtech funding in 2025 — $3.35 billion across 227 deals — went to AI-focused firms. By Q4, that share had climbed to 78%.

    Andrew Johnston, Gallagher Re’s global head of insurtech, frames this as convergence rather than a trend: “Over time, we see AI becoming so integrated into insurtech that the two may well become synonymous — in much the same way as we could already argue that ‘insurtech’ is itself a meaningless label, because all insurers are technology businesses now.”

    That trajectory is visible in the deals themselves. mea, an AI-native insurtech, raised $50 million from growth equity firm SEP in February — its first external capital after years of profitable organic growth. The company’s platform, already processing more than $400 billion in gross written premium across 21 countries, automates end-to-end operations for carriers, brokers, and managing general agents. mea claims its AI can cut operating costs by up to 60%, targeting the roughly $2 trillion in annual industry operating expenses where manual workflows persist.

    At the seed stage, General Magic raised $7.2 million for AI agents that automate administrative tasks for insurance teams — reducing quote generation time from approximately 30 minutes to under three in early deployments with major insurers.

    Profitability, not just growth

    What separates the 2025 wave from the 2021 boom is that several insurtechs are now proving they can make money, not just raise it.

    Kin Insurance, which focuses on high-catastrophe-risk regions, reported $201.6 million in revenue for 2025 — a 29% increase — with a 49% operating margin and a 20.7% adjusted loss ratio. Hippo, another property-focused insurtech, reversed its 2024 net loss with $58 million in net income, driven by improved underwriting and a deliberate shift away from homeowners insurance toward more profitable lines.

    These are not unicorn-valuation stories. They are companies demonstrating operational discipline — the kind of results that explain why insurers and reinsurers, rather than venture capitalists, are now leading the investment.

    The B2B shift

    Gallagher Re’s data reveals another structural change worth watching. Nearly 60% of property and casualty deals in 2025 went to business-to-business insurtechs — a 12 percentage point increase from 2021’s funding boom. Meanwhile, the deal share for lead generators, brokers, and managing general agents fell to 35%, the lowest on record.

    The implication is clear: capital is flowing toward technology that improves how existing insurers operate, not toward new entrants trying to replace them. The disruptor narrative of the early 2020s has given way to something more pragmatic — and, arguably, more durable.

    This parallels a pattern visible across financial services. As maddaisy noted when examining Lloyds Banking Group’s AI programme, established institutions are increasingly treating AI not as an innovation experiment but as core operational infrastructure — and measuring it accordingly.

    The question the industry has not answered

    For all the funding momentum, Johnston raises a challenge that the sector has yet to confront seriously: the “so what” problem.

    “As the implementation of AI starts to deliver efficiency gains, it is imperative that the industry works out how to best use all of this newly freed up time and resource,” he writes.

    This is not a hypothetical. If mea can genuinely reduce operating costs by 60% for a carrier, that frees up a substantial portion of the 14 percentage points of combined ratio currently consumed by operations. The question is whether that freed capacity translates into better underwriting, deeper risk analysis, and improved customer outcomes — or whether it simply gets absorbed into margin without changing how insurance fundamentally works.

    The broker market is already feeling the tension. In February, insurance broker stocks dropped roughly 9% after OpenAI approved the first AI-powered insurance apps on ChatGPT, enabling consumers to receive quotes and purchase policies within the conversation. Most analysts called the selloff overdone — commercial broking remains complex enough to resist near-term disintermediation — but the episode illustrated how quickly market sentiment can shift when AI moves from back-office tooling to customer-facing distribution.

    What to watch

    The $5 billion figure is a milestone, but the real signal is in its composition. Insurtech funding is no longer a venture capital bet on disruption. It is the insurance industry’s own investment in operational AI — led by incumbents, focused on B2B infrastructure, and increasingly backed by profitability rather than just promise.

    Whether that investment translates into genuinely better insurance — not just cheaper operations — depends on how the industry answers Johnston’s question. The money is flowing. The efficiency gains are materialising. What the sector does with them will determine whether this comeback is a lasting structural shift or just the next chapter of doing the same things with fewer people.

  • PwC Built an AI That Can Actually Read Enterprise Spreadsheets. Here Is Why That Matters.

    Most enterprise AI demonstrations involve chatbots, code generation, or image synthesis — capabilities that are impressive but often disconnected from the workflows where organisations actually make decisions. PwC has taken a different approach. On 19 February, the firm announced a frontier AI agent that can reliably reason across complex, multi-sheet enterprise spreadsheets — the kind of messy, formula-dense workbooks that underpin deals, risk assessments, and financial modelling across virtually every large organisation.

    The announcement would be easy to dismiss as incremental. It is, in fact, one of the more practically significant AI developments of the year so far.

    The Spreadsheet Problem No One Talks About

    AI has made rapid progress with text, images, and code. But enterprise spreadsheets have remained stubbornly resistant. The reason is structural: a typical enterprise workbook is not a neatly formatted data table. It is a sprawling, multi-sheet artefact containing hundreds of thousands of rows, cross-sheet formulas, hidden dependencies, embedded charts, and formatting inconsistencies accumulated over years of manual editing by multiple authors.

    Conventional AI systems — including the most advanced large language models — struggle with this complexity. They can process a clean CSV file or answer questions about a simple table. But ask them to trace a formula chain across five sheets in a workbook with 200,000 rows and inconsistent column headers, and accuracy collapses. For regulated industries where precision is non-negotiable — auditing, tax, financial due diligence — this limitation has kept spreadsheet analysis firmly in the domain of human practitioners.

    PwC’s agent addresses this directly. Combining multimodal pattern recognition with a retrieval-augmented architecture, the system can process up to 30 workbooks containing nearly four million cells. In internal benchmarks, it achieved roughly three times the accuracy of previously published methods while using 50% fewer computational tokens — a meaningful efficiency gain that reduces both cost and energy consumption.

    How It Works, Without the Hype

    The technical approach mirrors how experienced analysts actually work. Rather than attempting to ingest an entire workbook at once — a strategy that overwhelms even million-token context windows — the agent scans, indexes, and selectively retrieves relevant sections. It can jump across tabs, trace logic through formula chains, integrate visual elements like charts, and explain its reasoning with what PwC describes as “defensible precision.”

    Two internal use cases illustrate the practical impact. In engagement documentation, PwC teams work with large, nominally standardised workbooks that document business processes and controls. In practice, these files vary significantly — column names shift, fields appear in different orders, structures change between engagements. The agent handles this in two stages: first mapping the workbook’s structure, then extracting specific details using targeted retrieval rather than brute-force ingestion.

    In risk assessment, the agent replaces what was previously weeks of custom development work. Each new set of files could break existing programmatic approaches due to formatting variations. The agent indexes and extracts directly, regardless of these inconsistencies. PwC reports that what previously required weeks of configuration can now be completed in hours.

    The ROI Connection

    The timing of this announcement is worth noting. Earlier this month, maddaisy examined PwC’s own 2026 Global CEO Survey, which found that 56% of chief executives could not point to measurable revenue gains from their AI investments. Only 12% reported achieving both revenue growth and cost reduction from AI programmes.

    The spreadsheet agent is, in a sense, PwC’s answer to its own data. Rather than pursuing the kind of ambitious, organisation-wide AI transformation that the survey suggests most companies are failing at, this tool targets a specific, bounded problem: making AI useful where decisions actually get made. Spreadsheets are unglamorous, but they remain the substrate of enterprise decision-making across every industry. If AI cannot work reliably with them, the ROI gap that PwC’s own research documented will persist.

    Matt Wood, PwC’s Commercial Technology and Innovation Officer, was notably direct about the origin: “This didn’t start as a research project. It started because our teams were spending weeks manually tracing logic through workbooks that no existing tool could handle.”

    A Broader Pattern: Consulting Firms as Technology Builders

    This development fits a pattern that maddaisy has been tracking across the consulting industry. Firms are not merely advising clients on AI — they are building proprietary capabilities that change the economics of their own delivery. McKinsey’s 25,000 AI agents. Accenture’s ongoing automation of delivery operations. Now PwC, with a tool that converts weeks of manual work into hours.

    The competitive implications are significant. A firm that can process complex financial workbooks in hours rather than weeks can bid more aggressively on engagements, take on more work with the same headcount, and offer the outcome-based pricing models that clients increasingly prefer. The spreadsheet agent is not just a productivity tool — it is a structural advantage in the shifting economics of professional services.

    What Practitioners Should Watch

    For consultants and enterprise leaders, the PwC announcement carries a practical message: the AI value gap may start closing not through headline-grabbing deployments, but through targeted tools that tackle specific bottlenecks in existing workflows.

    The broader FP&A landscape is moving in the same direction. IBM’s 2026 analysis of financial planning trends highlights that 69% of CFOs now consider AI integral to their finance transformation strategy, with the primary applications centring on data ingestion, budget analysis, and narrative generation — precisely the kind of spreadsheet-adjacent work that PwC’s agent addresses.

    The question is no longer whether AI can handle enterprise data complexity. It is whether organisations will deploy these capabilities against the right problems — the mundane, time-intensive, precision-critical workflows where the return on investment is most measurable and most immediate.

    PwC appears to have started there. Given the firm’s own data on the AI ROI crisis, that is arguably the most credible place to begin.

  • Europe’s Cloud Sovereignty Rush Meets Its Regulatory Reality Check

    European sovereign cloud spending is set to nearly double in 2026, from $6.9 billion to $12.6 billion according to Gartner’s latest forecast. Every major US hyperscaler now has a European sovereignty answer. AWS launched its European Sovereign Cloud from Germany in January, backed by a €7.8 billion investment. Google operates through S3NS, a French joint venture with Thales that holds SecNumCloud certification. Microsoft has Delos Cloud in Germany and Bleu in France.

    Yet beneath the flood of partnership announcements and sovereign cloud launches sits a less comfortable truth: the regulatory framework driving all of this activity is still incomplete, sometimes contradictory, and in certain critical areas, stalled entirely. For organisations trying to build disaster plans around Europe’s digital infrastructure, the ground has not stopped moving.

    The regulatory pile-up

    Three major pieces of European regulation now intersect on questions of cloud resilience and digital sovereignty — and none of them align neatly.

    The Digital Operational Resilience Act (DORA), enforceable since January 2025, requires financial institutions to implement comprehensive ICT risk management frameworks, including detailed third-party risk assessments for cloud providers. DORA is specific, prescriptive, and already creating compliance pressure across European banking and insurance.

    The NIS2 directive, enforceable since October 2024, extends similar resilience requirements to a much broader set of critical infrastructure operators — energy, transport, health, and digital infrastructure itself. Where DORA targets financial services, NIS2 casts a wider net but leaves more room for national interpretation, creating an uneven patchwork across EU member states.

    Then there is the European Cybersecurity Certification Scheme for Cloud Services (EUCS), which was supposed to provide a unified standard for assessing cloud security across the EU — including, controversially, sovereignty requirements that would have effectively barred non-EU cloud providers from the highest certification tier. That sovereignty clause was stripped from the latest drafts under intense lobbying pressure. The scheme itself remains unadopted. In January 2026, the European Commission proposed a revised Cybersecurity Act that would overhaul the entire certification framework — effectively resetting the process while organisations wait for clarity that may not arrive before 2027.

    Disaster planning in a regulatory fog

    The practical consequence for enterprises is an uncomfortable paradox. Regulations now require detailed disaster recovery and business continuity plans for cloud-dependent operations. But the certification framework that would define what “sovereign” or “resilient” actually means in practice remains unfinished.

    As maddaisy examined last week, the SAP-Microsoft “break glass” contingency plan illustrates the tension. It offers a theoretical failover for European Azure workloads in a crisis scenario, but analysts questioned whether a disconnected copy of Azure could remain operationally viable beyond a few weeks. The plan satisfies a political need — demonstrating that contingency planning exists — without resolving the deeper technical question of what happens when a severed cloud stops receiving updates.

    Capgemini’s CEO Aiman Ezzat has framed this pragmatically, arguing that Europe has meaningful sovereignty over data, operations, and regulation — but not over the underlying technology stack. The four-layer model he has described reflects the reality most enterprises face: sovereign in governance, dependent on US technology, and now required by law to plan for scenarios where that dependency becomes a liability.

    The hyperscaler response: sovereignty as a service

    The US cloud providers have responded to the regulatory and political pressure with significant investment. AWS’s European Sovereign Cloud, operating from Brandenburg, is architecturally separated from other AWS Regions — a genuine sovereign partition with EU-resident leadership and local operational control. AWS CEO Matt Garman called it a “big bet”, with expansion planned for Belgium, the Netherlands, and Portugal.

    Google’s approach in France, through S3NS (a joint venture where Google holds a minority stake under French law), has achieved SecNumCloud 3.2 qualification — the most demanding sovereignty standard currently in force in Europe. Microsoft’s structure routes through nationally controlled entities: Delos Cloud in Germany and Bleu (co-owned by Capgemini and Orange) in France.

    The pattern across all three is consistent: legal and operational separation, EU-resident personnel, local data residency, and contingency plans for geopolitical disruption. What differs is the depth of that separation. A fully air-gapped partition like Google’s Distributed Cloud offering for defence clients sits at one end of the spectrum. A contractual failover arrangement like the SAP-Microsoft deal sits at the other. Most enterprise workloads will land somewhere in between — and DORA and NIS2 require organisations to understand precisely where.

    What practitioners need to do now

    For consultants and technology leaders navigating this landscape, three priorities stand out.

    First, classify workloads by sovereignty sensitivity before choosing infrastructure. Not every application needs the highest tier of sovereign protection. DORA’s third-party risk requirements are prescriptive but risk-proportionate — a core banking system and an internal collaboration tool do not demand the same level of contingency planning. The trap is treating sovereignty as a binary choice rather than a spectrum.

    Second, build disaster plans around regulatory timelines, not vendor announcements. DORA enforcement is live. NIS2 implementation varies by member state but is progressing. The EUCS framework is stalled, but the underlying requirements it was meant to codify — around data residency, operational control, and access restrictions — are already being enforced through sector-specific regulation and national certification schemes like France’s SecNumCloud. Waiting for a pan-European standard before acting is not a viable compliance strategy.

    Third, pressure-test vendor contingency claims. The proliferation of sovereign cloud offerings and disaster recovery partnerships creates an illusion of completeness. But as Forrester analyst Dario Maisto noted of the SAP-Microsoft plan, many of these arrangements remain untested and legally unproven. “This is not compliance as much as risk management,” he said. Organisations should ask pointed questions about update cycles, hardware dependencies, and the operational lifespan of any disconnected cloud environment.

    The long view

    European digital sovereignty has moved from policy aspiration to market reality faster than the regulatory framework can keep pace. The investment figures are significant — AWS alone is committing €7.8 billion. The compliance deadlines are real. The contingency plans exist, at least on paper.

    But the gap between what regulations require and what certification frameworks define remains open. For organisations building disaster plans today, the most honest assessment is that they are planning against a moving target, using vendor solutions that have never been tested in the crisis scenarios they are designed for. That is not a reason to delay — DORA and NIS2 make delay legally untenable. It is a reason to plan with humility, build in flexibility, and avoid treating any single vendor’s sovereignty narrative as a finished answer.

  • Lloyds Banking Group’s £100 Million AI Bet: What the UK’s First Agentic Financial Assistant Means for Enterprise AI

    Lloyds Banking Group expects its artificial intelligence programme to deliver more than £100 million in value this year — double the £50 million it attributes to generative AI in 2025. The figures, disclosed alongside the group’s annual results in January 2026, represent one of the more concrete attempts by a major financial institution to attach a number to what AI is actually worth.

    That specificity matters. As maddaisy examined last week, PwC’s 2026 Global CEO Survey found that 56% of chief executives still cannot point to measurable revenue gains from their AI investments. Lloyds is not claiming to have solved the ROI puzzle entirely, but it is doing something most enterprises have not: publishing the numbers and tying them to specific operational improvements rather than vague promises of transformation.

    The financial assistant: what it actually does

    The headline initiative is a customer-facing AI financial assistant, which Lloyds describes as the first agentic AI tool of its kind offered by a UK bank. Announced in November 2025 and scheduled for public rollout in early 2026, the assistant sits within the Lloyds mobile app and is designed to help customers manage spending, savings, and investments through natural conversation.

    The system uses a combination of generative AI for its conversational interface and agentic AI to process requests and execute actions. In practical terms, a customer can query a payment, ask for a spending breakdown, or request guidance on savings options — and the assistant will interpret the request, plan the necessary steps, and carry them out. Where it reaches the limits of what automated support can handle, it refers users to human specialists.

    The scope is intended to expand. Lloyds has said the assistant will eventually cover its full product suite, from mortgages to car finance to protection products, serving its 28 million customer accounts across the Lloyds, Halifax, Bank of Scotland, and Scottish Widows brands.

    Testing at scale, not in a lab

    Before public launch, Lloyds tested the assistant with approximately 7,000 employees, who collectively completed around 12,000 trials. That is a meaningful pilot — large enough to surface edge cases and failure modes that a controlled lab environment would miss, and conducted with users who understand the bank’s products well enough to stress-test the system’s accuracy.

    The employee testing sits alongside a broader internal AI deployment that has already delivered measurable results. Athena, the group’s AI-powered internal search assistant, is used by 20,000 colleagues and has reduced information search times by 66%. GitHub Copilot, deployed to 5,000 engineers, has driven a 50% improvement in code conversion for legacy systems. An AI-powered HR assistant resolves 90% of queries correctly on the first attempt.

    These are not experimental pilots. They are production tools used at scale, and the fact that Lloyds is willing to attach specific performance metrics to each one distinguishes its approach from the many enterprises that describe AI impact in qualitative terms only.

    The ROI question: credible or convenient?

    The £100 million figure invites scrutiny, and it should. “Value” in corporate AI disclosures is notoriously slippery — it can mean cost savings, time savings converted to a monetary equivalent, revenue uplift, or some combination of all three. Lloyds has not published a detailed methodology for how it arrived at the £50 million figure for 2025 or how it projects the 2026 target.

    That said, the bank’s approach has features that lend it more credibility than many comparable claims. The internal tools have named user populations and specific performance benchmarks. The customer-facing assistant was tested with thousands of employees before launch, not unveiled as a concept. And the 2025 figure is presented as a delivered outcome, not a forecast — a distinction that matters when most enterprises are still struggling to prove any return at all.

    Lloyds also rose 12 places in the Evident AI Global Index last year — the strongest improvement of any UK bank — suggesting that external assessors see substance behind the claims.

    Agentic AI in financial services: the governance dimension

    The move to customer-facing agentic AI in banking raises governance questions that go beyond what internal productivity tools require. As maddaisy explored earlier this week, Deloitte’s 2026 AI report found that only one in five enterprises has a mature governance model for agentic systems. When those systems move from internal search assistants to customer-facing financial advice, the stakes escalate considerably.

    A banking AI that can execute transactions, provide savings guidance, and eventually handle mortgage queries operates in regulated territory. The Financial Conduct Authority’s expectations around suitability, fair treatment, and clear communication apply regardless of whether the advice comes from a human or an algorithm. Lloyds has acknowledged this by building in human referral pathways, but the real test will come at scale — when millions of customers interact with the system simultaneously, and edge cases multiply.

    Ron van Kemenade, the group’s chief operating officer, has framed the launch as “a pivotal step in our strategy as we continue to reimagine the Group for our customers and colleagues.” Ranil Boteju, chief data and analytics officer, has positioned it as a demonstration of responsible deployment, noting that the assistant “can understand and respond to specific, hyper-personalised customer requests and retains memory to offer a more holistic experience, ensuring the generated answer is safe to present to customers.”

    What this signals for the sector

    Lloyds is not the first bank to deploy AI, nor the first to make bold claims about its value. What distinguishes this move is the combination of a concrete financial baseline (£50 million delivered), a named and tested product (the financial assistant), a clear expansion roadmap (full product suite), and an institutional commitment to upskilling (a new AI Academy for its 67,000 employees).

    For practitioners watching the enterprise AI landscape, the Lloyds case offers a useful reference point against the prevailing narrative of deployment fatigue and unproven returns. It does not resolve the broader ROI question — one bank’s results do not establish an industry pattern — but it does suggest that organisations which invest in specific, measurable use cases and test rigorously before launch can move beyond the proof-of-concept purgatory that still traps most enterprises.

    The harder question is what happens next. An AI assistant that helps customers check spending patterns is useful. One that advises on mortgages and investment products enters a different category of risk and regulatory complexity. How Lloyds navigates that expansion — and whether the £100 million value target holds up under the scrutiny of real-world deployment — will be worth watching over the months ahead.

  • The Non-AI Agenda: What CIOs Are Actually Prioritising Beyond Artificial Intelligence in 2026

    Global IT spending will hit $6.15 trillion in 2026, a 10.8 per cent rise on the previous year. But dig beneath that headline and the distribution is strikingly lopsided. Gartner’s latest forecast projects AI spending to surge 80.8 per cent and data centre outlays to climb 31.7 per cent, while communications services and device budgets limp along at low single digits. The message is clear: AI is swallowing the budget. The question is what happens to everything else.

    That question matters because, as maddaisy has documented over recent weeks, the AI investment thesis is under strain. PwC’s 2026 CEO Survey found that 56 per cent of executives cannot point to measurable revenue gains from their AI programmes, and governance frameworks are lagging well behind deployment ambitions. If the technology absorbing most of the budget has yet to prove its return, the priorities being squeezed to fund it deserve closer scrutiny.

    The squeeze is real — and deliberate

    John-David Lovelock, a vice president analyst at Gartner, describes a dynamic in which runaway AI spending is forcing CIOs to find savings elsewhere — and IT services providers are bearing the brunt. The logic is straightforward: buyers expect their vendors to be using AI internally, and they want those efficiency gains reflected in lower fees.

    “CIOs need to find somewhere that they have control of their budget, and they can pick on the services companies because they’re using AI,” Lovelock told CIO.com.

    But not every non-AI line item can be trimmed without consequences. Several priorities are growing more urgent precisely because of AI adoption, not despite it.

    Cybersecurity: AI’s expanding attack surface

    The most immediate non-AI priority is, paradoxically, driven by AI itself. Dmitry Nazarevich, CTO at software firm Innowise, notes that his company’s security spending increase “is directly related to the increase in exposure and risk to data associated with the increased attack surface resulting from the introduction of generative AI.”

    This is not a theoretical concern. Every new AI model integrated into enterprise workflows introduces new attack vectors — data exfiltration through prompt injection, model poisoning through compromised training data, and the simple reality that agentic systems with write access to business processes can do real damage if they malfunction or are manipulated. As enterprises move from experimental AI pilots to production deployments, security spending is not optional — it is the prerequisite.

    Data foundations: the unsexy precondition

    Salesforce CIO Dan Shmitt offered a telling anecdote about an AI agent on the company’s help site that surfaced two conflicting answers to the same question. “Our first reaction was to assume the model was wrong,” he said. “The truth was that our data and content needed more consistency.”

    This pattern — blaming the model when the real problem is the data — is remarkably common. Capgemini’s TechnoVision 2026 framework places “thriving on data” as one of its nine foundational technology domains, emphasising data sharing, AI-driven insights, and sustainable data practices. The message is consistent across vendors and analysts: AI systems are only as reliable as the data infrastructure beneath them.

    For CIOs who have spent two years funding AI pilots, investing in data quality, master data management, and integration architecture may feel like a step backwards. It is not. It is the work that determines whether those pilots ever graduate to production.

    Technical debt and modernisation

    Legacy systems are not merely an annoyance in an AI-first world — they are a bottleneck. Nazarevich highlights that increased modernisation spending at Innowise is “partly a result of the fact that legacy or outdated systems limit the effectiveness of AI technology and delay deployment schedules.”

    This creates a compounding problem. Organisations that deferred modernisation to fund AI experiments now find that their AI initiatives are underperforming because the underlying platforms cannot support them. The CIO.com analysis of strategic imperatives for 2026 makes the point explicitly: if eight out of 10 strategic priorities relate to AI, “you’re likely missing some critical emerging technologies and trends.”

    Edge computing, digital twins, and platform modernisation may not generate the boardroom excitement of a generative AI demo, but they are the infrastructure on which AI capabilities depend.

    FinOps: managing the unpredictable bill

    AI workloads have introduced a new kind of cost unpredictability into IT budgets. Unlike traditional cloud computing, where usage patterns are relatively stable and forecastable, AI inference costs can spike with demand in ways that are difficult to model in advance. Innowise reports increased FinOps spending specifically because of “the unpredictability of computing bills created by AI workloads.”

    FinOps — the practice of bringing financial accountability to cloud spending — is no longer a niche discipline for cloud-native firms. For any organisation running AI at scale, it has become an essential management capability. Without it, the 80 per cent surge in AI spending that Gartner forecasts could easily overshoot, consuming budget earmarked for the very modernisation and security initiatives that AI requires to succeed.

    Workforce fluency: the persistent gap

    Technology investment alone solves nothing if the people using it are not equipped to do so effectively. Rebecca Gasser, global CIO at FGS Global, frames this as a literacy challenge: building digital and AI fluency across the organisation so that workers “can be more agile and adaptable to the ongoing changes.”

    Pat Lawicki, CIO of TruStage, puts it more directly: “We’re committed to balancing innovation with humanity: leveraging digital tools where they add real value while preserving the human connection that defines trust and empathy.”

    This is consistent with the pattern maddaisy has tracked in recent coverage of AI-driven burnout and the organisational failures behind poor AI rollouts. The technology works best when employees understand it, trust it, and can exercise judgement about when to rely on it and when to intervene. That requires sustained investment in training, change management, and communication — none of which appear in an AI spending forecast but all of which determine whether the forecast delivers value.

    The convergence argument

    The most sophisticated framing of the CIO’s 2026 agenda comes not from treating AI and non-AI priorities as competitors for budget, but from recognising their interdependence. Capgemini’s TechnoVision 2026 describes a shift toward “synchronicity at scale” — the idea that boundaries between digital, physical, and biological innovation are dissolving, and that the CIO’s job is to orchestrate across all of them simultaneously.

    In practice, this means cybersecurity investment protects AI deployments. Data foundation work makes AI outputs reliable. Modernisation enables AI to reach production. FinOps keeps AI costs sustainable. Workforce fluency ensures AI adoption sticks.

    The CIOs who treat 2026 as an AI-only year will likely find themselves explaining, 12 months from now, why their AI investments still are not delivering returns. The ones who invest in the full stack — the security, the data, the infrastructure, the people — are building the conditions under which AI can actually work.

    That is not a story about choosing between AI and everything else. It is a story about understanding that AI does not operate in isolation, and neither should the budget that funds it.