Enterprise adoption of artificial intelligence accelerated sharply in 2025, with worker access to AI tools rising 50% year-on-year according to Deloitte’s 2026 State of AI in the Enterprise report. Yet the same research exposes a structural fault line: only 20% of organisations have mature governance frameworks in place for autonomous, agentic AI systems — precisely the category projected to see the sharpest growth in deployment over the coming 24 months. For European executives navigating digital transformation under an increasingly demanding regulatory environment, this gap is not an operational inconvenience. It is a strategic liability.

The Governance Deficit: Why Agentic AI Changes the Risk Calculus

Traditional enterprise AI — recommendation engines, predictive analytics, process automation — operates within defined parameters and human oversight loops. Agentic AI is categorically different. These systems plan, execute multi-step tasks, interact with external services, and make consequential decisions with minimal human intervention. Microsoft’s recent launch of the Agent Factory framework within Azure AI Foundry, built on Model Context Protocol support, signals that the infrastructure for enterprise-grade agentic deployment is already here. The governance architecture, in most organisations, is not.

For General Counsel and compliance officers, this matters acutely in the European context. The EU AI Act, which began phased enforcement in 2024 and reaches full applicability in August 2026, imposes explicit obligations on providers and deployers of high-risk AI systems — including requirements for human oversight, logging, transparency, and conformity assessments. Agentic systems operating in HR, credit decisioning, legal review, or supply chain management will frequently fall within high-risk classifications. Deploying them without mature governance is not merely a reputational risk; it carries direct regulatory exposure.

Boards should be asking their technology and legal leadership a pointed question: Do we have a documented, tested governance framework for every agentic AI system currently in production or pilot? For 80% of enterprises, the honest answer is no.

Sovereignty, Open Source, and the Infrastructure Realignment

Alongside the governance gap, the Deloitte data reveals a significant strategic reorientation in how enterprises are building their AI foundations. Over 50% of organisations now use open-source AI models, driven by priorities around data sovereignty and cost efficiency rather than reliance on proprietary platforms. Simultaneously, 52% of executives are prioritising data sovereignty and local cloud strategies — a trend with particular resonance in Europe, where GDPR, the Data Act, and sector-specific regulations in financial services and healthcare create genuine constraints on cross-border data flows.

This shift has direct implications for digital strategy and cloud migration decisions. The era of defaulting to a single hyperscaler’s proprietary AI stack is giving way to a more architecturally deliberate approach: sovereign cloud infrastructure, open-weight models fine-tuned on proprietary data, and managed services to bridge the capability gap where internal talent is scarce. The Microsoft-OpenAI deal restructuring — removing capital constraints and transitioning OpenAI toward a public benefit corporation with an eye toward IPO to fund $1.4 trillion in infrastructure commitments — underscores that the hyperscalers are not retreating. They are doubling down. European enterprises must decide, deliberately and soon, where they sit on the sovereignty-capability spectrum.

Legacy systems remain the most persistent structural obstacle: 45% of data and AI strategies are materially challenged by technical debt, slowing the pace of transformation and increasing the cost of compliance. Organisations that defer modernisation in favour of point-solution AI deployments are compounding this problem, not resolving it.

Implications for Decision-Makers: From Ambition to Accountable Deployment

The Deloitte findings, taken together with the regulatory and market context, point to a clear set of priorities for C-suite and board-level leaders:

  • Governance before scale: Establish an AI governance committee with cross-functional representation — legal, technology, risk, and business leadership — before expanding agentic AI deployments. Define accountability lines, escalation protocols, and audit mechanisms aligned with EU AI Act requirements.
  • Conduct an agentic AI inventory: Many organisations do not have a complete picture of where autonomous AI agents are operating, including in shadow IT and vendor-embedded systems. A structured inventory is the prerequisite for any credible risk management posture.
  • Formalise your sovereignty position: Data localisation and open-source AI adoption are not purely technical decisions — they carry strategic, legal, and competitive dimensions. CFOs and CTOs should align on a documented cloud and AI sourcing strategy that explicitly addresses sovereignty requirements.
  • Address legacy debt as a strategic priority: Incremental AI investment layered on unreformed legacy infrastructure delivers diminishing returns. Boards should demand a clear roadmap for core system modernisation, with managed services as a bridge where full transformation timelines are extended.

Key Takeaway

The central challenge for enterprise leadership in 2025–2026 is not AI ambition — that is in abundant supply. It is the disciplined alignment of innovation management, governance infrastructure, and regulatory readiness with the pace of deployment. In a European operating environment where the AI Act is live, data sovereignty expectations are hardening, and agentic systems are moving from pilot to production, the organisations that will lead are those that treat governance not as a constraint on digital transformation, but as its essential foundation.