Artificial intelligence has moved decisively past the proof-of-concept stage. According to Deloitte’s latest State of AI in the Enterprise report, worker access to AI tools rose by 50% in 2025, and the share of companies running more than 40% of AI projects in full production is set to double within six months. For CFOs, General Counsel, and M&A Directors navigating digital transformation mandates, these figures are not a cause for celebration alone — they are a governance stress test arriving faster than most boards anticipated.

The Agentic AI Governance Gap: A Systemic Risk for Mid-Market Enterprises

The most consequential finding in Deloitte’s report is not the pace of adoption — it is the structural gap between deployment velocity and institutional readiness. Only one in five companies currently operates a mature governance model for autonomous agents, even as agentic AI usage is poised to surge sharply across enterprise functions including procurement, finance, legal operations, and customer engagement.

Agentic AI — systems capable of executing multi-step tasks autonomously, initiating actions, and interacting with external APIs without continuous human oversight — introduces liability exposures that traditional AI risk frameworks were not designed to address. Under the EU AI Act, which entered into force in August 2024 and applies its highest-risk provisions progressively through 2026, autonomous decision-making systems deployed in regulated contexts may qualify as high-risk AI, triggering mandatory conformity assessments, human oversight requirements, and data governance obligations.

For mid-market firms scaling quickly — often without dedicated AI legal counsel or a Chief AI Officer — this creates a compounding risk: operational exposure from ungoverned agents running in production, and regulatory exposure from non-compliance with an evolving European framework. The gap between ambition and enterprise readiness is not a technology problem. It is a governance architecture problem.

From Pilot to Scale: Why 62% of Organisations Are Not Ready

GenAI implementation has increased by 30 percentage points over the past two years, yet Deloitte’s data reveals that 62% of organisations still lack the foundational data infrastructure and operating model reengineering necessary to scale effectively. This finding should reframe how boards evaluate their digital strategy investments.

The pilot-to-scale transition is where most enterprise AI value is destroyed. Organisations that run successful pilots on clean, curated datasets frequently encounter data quality failures, integration friction, and change management resistance when they attempt to industrialise. Cloud migration programmes that were not architected with AI workloads in mind — particularly those relying on fragmented legacy ERP environments — become bottlenecks rather than enablers.

Planned AI spending is set to increase by 14% year-over-year in 2025, yet without commensurate investment in data foundations and operating model redesign, that capital is at risk of generating pilot theatre rather than measurable business outcomes. CTOs and Chief Data Officers should treat the 62% figure as a diagnostic benchmark: if your organisation cannot articulate a clear data ownership model, a model risk management policy, and a workforce enablement roadmap, scaling AI will accelerate existing operational weaknesses rather than resolve them.

Physical AI and the Next Wave of Enterprise Disruption

Beyond software-based AI, Deloitte’s report tracks a parallel trend with significant implications for industrial and logistics sectors. Physical AI — encompassing robotics, autonomous systems, and AI-driven manufacturing — has gained traction by 22 percentage points over two years. Currently, 58% of companies report limited use; that figure is projected to reach 80% adoption within two years, with Asia Pacific leading implementation at scale.

For European manufacturers and supply chain operators, this trajectory demands immediate attention within innovation management frameworks. The competitive asymmetry between early adopters and laggards in physical AI is likely to be more durable than in software AI, given the capital intensity and integration complexity involved. M&A Directors evaluating industrial targets should now incorporate physical AI capability assessments into technical due diligence protocols.

Implications for Business: Four Actions for Executive Teams

  • Conduct an agentic AI inventory now. Before the next board cycle, map every autonomous agent operating in production — including those deployed by third-party vendors — against your EU AI Act compliance obligations and existing liability frameworks.
  • Separate AI spend from AI readiness. A 14% budget increase means nothing without a parallel investment in data architecture, model governance, and operating model redesign. Require your CTO and CFO to present a joint readiness assessment alongside any AI capital allocation request.
  • Embed AI governance into M&A due diligence. Acquisition targets with ungoverned AI deployments represent contingent liability. Standard IT due diligence checklists must now include AI system inventories, training data provenance, and regulatory classification under the EU AI Act.
  • Build for physical AI disruption. European industrial boards should initiate scenario planning for a world where 80% of competitors deploy physical AI within 24 months. Waiting for proof of ROI from peers is a losing strategy in capital-intensive transformation cycles.

Key Takeaway

Deloitte’s 2026 data confirms what leading advisors have argued for two years: the constraint on enterprise AI value creation is no longer technology availability — it is institutional readiness. With agentic AI scaling into production environments governed by only one in five companies with mature oversight models, and with the EU AI Act imposing enforceable obligations on high-risk deployments, the window for reactive governance is closing. European boards that treat AI governance as a compliance checkbox rather than a strategic capability will find themselves managing both regulatory and operational crises simultaneously. The organisations that will lead are those that invest in governance architecture with the same urgency they apply to innovation management.