Why does AI fail in enterprise IT departments?

IT departments are designed to minimise risk, standardise tools, and control costs. AI requires experimentation, failure tolerance, and acceptance that nobody knows the optimal approach yet. The mandates are structurally incompatible.

What is the Classification Cascade?

The Classification Cascade is the chain reaction triggered when executives classify AI as technology rather than capability. Tech classification routes to IT governance, which applies risk protocols, which kills experimentation, which wastes the AI investment.

What is the Governance Import Tax?

The Governance Import Tax is the measurable cost that founder-operators pay when they import enterprise-scale governance processes before their organisation needs them. It eliminates the structural speed advantage that puts GP-scale operators in the minority of organisations that actually capture AI ROI.

What is the difference between the pathogen model and microbiome model for AI?

The pathogen model treats AI as a threat to contain, control, and standardise. The microbiome model treats AI as a symbiont to cultivate - something the organisation needs that processes what humans process slowly.

How should small companies govern AI without an IT department?

Replace enterprise governance with lightweight architecture: a 1-page operating agreement on data boundaries, team-level experimentation freedom, weekly 15-minute learning sessions, and the founder's direct attention to integration.

Why do smaller companies get better AI ROI than enterprises?

Only 29% of organisations see significant ROI from generative AI, despite individual productivity gains of 5x (Writer / Workplace Intelligence, 2026). Smaller organisations are structurally positioned to be in that 29%: fewer silos, faster approval cycles, and classification decisions made directly rather than through IT governance. The advantage is structural, not technological.

What did Ethan Mollick mean by de-weirding AI?

Mollick argues that the dominant corporate instinct is to make AI feel like normal IT automation - familiar, controllable, measurable. This de-weirding destroys AI's transformative potential by defaulting to automation rather than exploring augmentation.

The Classification Cascade

Why AI dies in IT departments - and why your company is immune

By Kasimir Hedstrom · May 2026 · 13 min read

Key Takeaways

The IT department is not the villain. A classification error at the executive level triggered the governance cascade that kills AI. IT was the weapon; the executive decision was the hand.
The Classification Cascade: AI classified as “technology” → IT governance → risk protocols → dead experimentation → wasted investment. One decision, five levels of consequence.
Mollick’s core argument: the instinct to “de-weird” AI by treating it as normal automation destroys the exploration that makes AI transformative. Companies default to automation (cut 30% of workforce) instead of augmentation (what becomes possible now?).
Only 29% of organisations see significant ROI from generative AI, despite individual productivity gains of 5x. The gap is governance structure, not model quality. The absence of the IT immune system IS the structural advantage.
The Governance Import Tax: the measurable cost of building enterprise governance before you need it. The moment you install the immune system, you lose the advantage.

Ethan Mollick, associate professor at the Wharton School of the University of Pennsylvania and author of “Co-Intelligence,” wrote a piece in The Economist with a headline that landed hard across the business world: the IT department is where AI goes to die.

He is right. But he is naming the symptom, not the disease.

The disease is a classification error. And it happened before the IT department ever got involved.

The Classification Error

Somewhere in the first quarter of every company’s AI story, an executive asked the obvious question: “Who handles this?”

AI is technology. Technology belongs to IT. The answer wrote itself.

That single classification decision - AI is technology, therefore IT owns it - cascaded into a governance structure that systematically prevents AI from producing value. Not because IT is incompetent. Because IT is doing exactly what it was designed to do: minimise risk, standardise tools, ensure compliance, control costs.

The IT department did not kill AI. A category error at the executive level triggered a governance cascade that killed it. IT was the weapon. The executive classification was the hand that pulled the trigger.

The error is specific and identifiable. The classification was made by what AI IS (technology) rather than what AI DOES (augments human decision-making across every function). This is the structural equivalent of sending a new doctor to the IT department because they use electronic medical records. The tool category is correct. The functional classification is catastrophically wrong.

The Cascade

Trace the chain of consequences.

AI projects lose momentum. Implementation takes too long.

Why? Because IT applies standard procurement, security review, and integration protocols. The same protocols used for ERP systems and CRM platforms. The same approval workflows that took 18 months to clear a new database vendor.

Why those protocols? Because all technology is managed this way. IT has a governance framework built over decades for a specific purpose: managing technology risk. AI was classified as technology. Therefore AI inherits the framework.

Why that classification? Because the first executive to encounter AI asked “what department handles new tech?” The default answer is IT. No other department has the structural mandate to evaluate, procure, secure, and deploy technology.

And underneath that: the classification was made at the category level rather than the capability level. AI was sorted by what it IS (a technology product) rather than what it DOES (amplifies human judgment, automates workflows, generates creative outputs, processes language). The category demanded one governance path. The capability demanded an entirely different one.

Five levels. One root cause. A single question asked at the wrong level of abstraction produced a cascading governance failure that costs enterprises billions in unrealised AI value.

The De-Weirding Problem

Mollick’s argument goes deeper than “IT is the wrong department.” He identifies the psychological mechanism: de-weirding.

The dominant instinct across the corporate world is to de-weird artificial intelligence. Sand down its strange edges. Turn it into a familiar productivity tool. Make it legible to existing management frameworks. Slot it into existing processes with existing KPIs and existing reporting structures.

This instinct is understandable. It is also destructive.

The de-weirding impulse produces a specific failure: companies default toward automation rather than augmentation. When leaders see 30% productivity gains, their instinct is to cut 30% of workforce. What is hard - and requires genuine imagination - is asking: what becomes possible when a single programmer can write 100x more code?

No vendor can answer that question, Mollick argues. No consultant has a playbook. The hard strategic work of reimagining what an organisation could become is precisely the work that de-weirding allows companies to avoid.

The IT department is the institutional embodiment of de-weirding. Its mandate - standardise, secure, control - is the operational expression of the instinct to make AI familiar. When AI arrives in IT, it gets de-weirded by default. It becomes “another tool in the tech stack” rather than “a capability that might restructure how every team works.”

The firms that smooth out AI’s oddities will veer toward automation and layoffs because that is all they can see. Those willing to sit with the discomfort of a technology nobody fully understands can find ways to make their people and organisations capable of things that were impossible a year ago.

The classification error is not just administrative. It is existential. It determines whether AI becomes a cost-reduction tool or a capability multiplier.

Why the Immune System Is Not the Enemy

Here is where most commentary on this topic goes wrong.

The response to “IT kills AI” is typically “take AI away from IT” or “bypass IT governance.” This is a category error of its own. The IT governance function exists for genuine reasons. Remove it entirely and you get chaos.

The biological parallel is precise and instructive.

Your immune system exists to protect you from foreign bodies - bacteria, viruses, parasites, damaged cells. It distinguishes self from non-self and destroys what does not belong. This function is essential to survival. Without it, every infection would be fatal.

But the immune system can also attack beneficial foreign substances. Autoimmune diseases occur when the system fails to distinguish threats from nutrients. The mechanism for tolerance - the ability to accept beneficial non-self - breaks down.

In the body, immune tolerance is maintained through two mechanisms:

Central tolerance: During development, immune cells that would attack the body’s own tissues are eliminated before they mature. The system is trained, at the point of origin, to recognise what belongs.

Peripheral tolerance: Outside the development organs, regulatory T cells (Treg cells) actively suppress immune responses against beneficial substances. They maintain tolerance in real-time by distinguishing genuine threats from harmless or helpful foreign material.

The organisational parallel:

Central tolerance is what happens when AI is classified correctly from the start. If the executive team classifies AI as “capability” rather than “technology” at the point of entry, it never routes to IT governance. The immune system never encounters it as a foreign body. This is the GP’s structural advantage - you make the classification directly.

Peripheral tolerance is what mature organisations need to develop: governance mechanisms that can distinguish AI uses that genuinely threaten security and compliance (and should be blocked) from AI uses that augment capability (and should be cultivated). Regulatory T cells for AI adoption.

The goal is not destroying the immune system. The goal is teaching it to distinguish threats from nutrients.

Two Models: Pathogen vs. Microbiome

The Pathogen Model (Enterprise Default)

AI is a foreign body that entered the organism. It must be:

Contained (sandbox environments, limited deployment)
Controlled (approval gates, usage policies, centralised access)
Standardised (one approved tool, one approved use case, one approved workflow)
Monitored (usage tracking, compliance reporting, risk assessment)

IT governance is the immune system. Its job is to prevent the pathogen from spreading uncontrolled through the organisation. Every AI interaction is a potential infection vector.

Result: AI adoption stalls. 79% of organisations face challenges adopting AI (Writer / Workplace Intelligence, 2026 Enterprise AI Adoption Survey). Only 28% of AI infrastructure projects fully deliver returns (Gartner, April 2026). The immune system is working perfectly - it is killing the foreign body as designed.

The Microbiome Model (The Alternative)

Your gut contains trillions of organisms that are technically foreign. Your immune system does not attack them. It cultivates them. Because they are not threats - they are symbionts. They digest what you cannot digest alone. They produce vitamins you cannot synthesise. They protect against genuine pathogens by occupying the ecological niche.

AI in a well-designed organisation is a microbiome:

Cultivated (experimentation encouraged, diverse applications explored)
Integrated (embedded in workflows rather than isolated in sandboxes)
Adaptive (allowed to evolve as teams discover what works)
Symbiotic (processing what humans process slowly, enabling what humans cannot do alone)

The governance question shifts from “how do we control this?” to “how do we cultivate this while maintaining basic safety?” The answer: proportional governance. Lightweight review for low-risk uses (summarisation, drafting, analysis). Full review for high-risk uses (client-facing, financial, regulatory). The immune system learns what to tolerate.

The GP Structural Advantage

If you run a 5 to 25 person company, you do not have an IT department.

This is not a weakness. It is a structural immunity to the Classification Cascade.

You do not have the cascade because you make the classification directly. When AI arrives, you - the founder, the operator - decide what it is and where it goes. You can classify it as capability from day one. You can skip the governance structures that would slow experimentation. You can let every team member experiment and learn from the results weekly.

The data supports this. Only 29% of organisations see significant ROI from generative AI, despite individual productivity gains of 5x across the workforce (Writer / Workplace Intelligence, 2026 Enterprise AI Adoption Survey). The structural profile of that 29%: fewer silos, faster approval cycles, and decision-makers who classify AI directly rather than routing it through governance frameworks designed for a different function. The structural advantage IS the absence of the immune system that kills AI in larger organisations.

The GP's AI advantage is not technological. It is organisational. The absence of the classification cascade is worth more than any model upgrade. Speed of integration beats capability of tool.

Gartner places 2026 in the “Trough of Disillusionment” for enterprise AI. 57% of leaders who reported AI failures said they expected too much, too fast. But the failure mode is not “AI cannot deliver.” The failure mode is “governance prevented AI from being tested long enough to learn what it can deliver.”

You are structurally immune to that failure mode. Unless you infect yourself.

The Governance Import Tax

The danger for the founder-operator is not that AI is hard. It is that you import enterprise governance before you need it.

Name the cost: The Governance Import Tax.

The Governance Import Tax is the measurable delta between your current speed-of-integration advantage and the reduced speed that results from importing governance structures designed for organisations ten times your size.

The moment you:

Create an AI committee with approval authority
Require formal procurement review for AI tool adoption
Hire someone whose primary function is AI governance rather than AI capability
Impose centralised prompts managed by a single team
Require security review for every new AI use case regardless of risk level

…you have voluntarily installed the immune system that kills AI in enterprises. You have imported the Classification Cascade into an organisation that was structurally immune to it.

Many growing businesses make this mistake. They import enterprise-scale processes before they need them - and in doing so, eliminate the structural advantage that was producing their superior returns. The governance that makes sense at 500 employees is a tax at 15 employees. The review process that prevents catastrophic errors at scale prevents learning at startup speed.

Countermeasures: What to Build Instead

The answer is not zero governance. Shadow AI is a real risk: only 36% of companies have formal AI governance frameworks in place (Zylo), leaving the majority operating without structural safeguards. Data leaks, hallucinated outputs in client-facing materials, vendor lock-in, and regulatory exposure are live risks for the ungoverned majority.

The answer is proportional governance - enough structure to prevent genuine harm, not enough to prevent learning.

The 1-Page Operating Agreement

Replace the enterprise AI policy (typically 20-40 pages) with a single page that answers four questions:

What data can never go into AI systems? (client financial data, medical records, passwords, proprietary algorithms)
What outputs require human review before external use? (anything client-facing, anything legal, anything financial)
What is the escalation path when AI produces something concerning? (who to tell, what to do)
What is the experimentation freedom? (everything not listed above is open for experimentation)

This takes 30 minutes to write and covers 90% of real risk.

Team-Level Experimentation Freedom

Every team member can adopt, test, and integrate AI tools for any task not covered by the four questions above. No approval required. No procurement process. No IT review. The constraint is the operating agreement, not a gate.

Weekly 15-Minute Learning Sessions

One question per week, answered by everyone: “What did you try with AI this week, and what did you learn?” This produces institutional learning without institutional bureaucracy. Discoveries propagate. Failures are shared before they compound.

Proportional Security Review

Low-risk uses (internal summarisation, drafting, analysis, brainstorming): no review. Medium-risk uses (client communication drafts, published content, financial projections): human review before deployment. High-risk uses (automated client interactions, financial transactions, regulatory filings): full review with explicit sign-off.

The gradient matters. Treating all AI use as high-risk produces the enterprise failure mode at GP scale.

Founder’s Direct Attention

The single most important governance mechanism for a 5-25 person company: the founder actively uses AI systems themselves. Not delegated to a team. Not managed through reports. Direct, daily use that builds intuition about what AI can and cannot do in this specific business context.

This produces something no governance framework can substitute: judgment born from direct experience. When the founder understands AI’s capabilities and limitations firsthand, governance decisions become precise rather than defensive.

The Pattern Underneath

I recognise this structural pattern because I have experienced it in a radically different context.

In 2008, facing paralysis from the neck down, and again in 2011, paralysed from the navel down with breathing compromised, every standard protocol was inadequate. The medical system applied its normal governance: standardised treatments, standard timelines, standard recovery expectations. These protocols were designed for the average case. They were not designed for mine.

The frameworks that actually worked were the ones I built myself - adapted to my specific situation, iterated daily, unconstrained by protocols designed for a different patient. The recovery was not a governance problem. It was a capability problem that required freedom to experiment within basic safety constraints.

The same structural logic applies here. AI in your organisation is not a governance problem. It is a capability problem. Treating it as governance guarantees the outcome Mollick describes: de-weirded, de-fanged, and ultimately useless. Treating it as capability - with lightweight safety constraints and maximum experimentation freedom - gives you the advantage your enterprise competitors cannot structurally access.

The Classification Cascade is not inevitable. It is a choice that looks like a default.

Conclusions

The IT department is not the problem. The classification error at the executive level is the problem. IT is executing its mandate correctly - the mandate is misapplied.
The Classification Cascade has five levels. Each level feels rational in isolation. The chain produces a structural failure that no individual decision-maker intended.
De-weirding is the psychological mechanism. The instinct to make AI familiar and controllable produces default-to-automation rather than explore-augmentation. Mollick’s insight is that the discomfort of not knowing is where the value lives.
The GP is structurally immune - until they voluntarily import the cascade by building enterprise governance at startup scale.
The Governance Import Tax is measurable. Every governance mechanism you add that slows experimentation without preventing genuine harm is a direct tax on your structural advantage.
Proportional governance is the answer. Not zero governance (chaos). Not enterprise governance (cascade). A 1-page agreement, team-level freedom, weekly learning, and proportional security review.

One Diagnostic

Ask this question at your next team meeting:

If a team member found an AI tool that would save them 5 hours per week, how many approvals would they need before they could start using it?

If the answer is zero (within the operating agreement boundaries): you have preserved your structural advantage.

If the answer is one: you have minimal governance. Watch whether that single gate creates a bottleneck.

If the answer is more than one: you have begun importing the Classification Cascade. The immune system is installed. The clock is running on your structural advantage.

The classification error is reversible. But only if you catch it before the cascade completes.

How sovereign is your AI adoption architecture?

The Sovereignty Index measures 10 structural dimensions of operational independence - including governance design and integration speed. Discover whether your current structure is building advantage or importing tax.

Take the Sovereignty Index

AI StrategyOrganisational DesignFounder OperationsGovernance