Why "Move Fast and Break Things" Is the Wrong Approach to Enterprise AI

In a consumer technology context, breaking things tends to produce a visible failure that can be corrected publicly. An app crashes, a feature misbehaves, the company issues an apology. In an enterprise context, when AI breaks things, the damage is typically less visible, more consequential, and harder to repair.

AI that produces biased decisions in HR processes may discriminate against protected characteristics for months before anyone notices. The legal exposure from those decisions does not disappear when the AI is corrected. AI that mishandles customer data creates regulatory liability that can take years to resolve and produces penalties that are proportional to the duration of the breach, not just the point of discovery. AI that generates inaccurate outputs in a regulated context, financial advice, legal analysis, medical information, creates individual liability for the professionals who relied on those outputs.

The alternative to moving fast and breaking things is not moving slowly. It is moving thoughtfully, with a governance framework that allows speed where the risk is low and applies appropriate caution where the risk is high.

A risk-tiered approach to AI governance distinguishes between productivity AI (low governance overhead: personal tools that affect only the user's own work), process AI (moderate governance: tools that affect business processes and internal decision-making), and consequential AI (high governance: tools that affect decisions about customers, employees, or external parties, or that operate in regulated areas).

For productivity AI, rapid deployment with light-touch governance is appropriate. The risk of Copilot helping someone draft an email faster is low. For consequential AI, deliberate governance, including risk assessment, control design, testing, and ongoing monitoring, is a prerequisite for deployment, not a bureaucratic obstacle to it.

The organisations that are both moving quickly and governing well share several characteristics.

They have an AI policy that provides clear guidance on which AI uses require governance review and which can proceed on individual judgment. Rather than requiring approval for everything (which creates a bottleneck that slows everything) or requiring approval for nothing (which creates uncontrolled risk), they have a clear risk framework that routes decisions appropriately.

They have a rapid governance review process for moderate-risk deployments that takes days rather than months, focused on the specific risks of the deployment rather than a generic AI checklist. This requires governance capability in the first and second lines of defence, not just a central compliance team.

They monitor AI systems in production with defined metrics and thresholds that trigger investigation and intervention. Governance does not end at deployment; it is an ongoing responsibility.

Beyond the legal and regulatory arguments, there is a compelling reputational case for disciplined AI governance. Customer trust, once damaged by a significant AI failure, is expensive to rebuild. Employees who feel that AI has been used carelessly in ways that affected them are more likely to become disengaged or to become public critics of the organisation.

The organisations that are building long-term AI advantage are those that are deploying AI in ways their customers, employees, and investors can respect. Transparency about AI use, genuine human oversight of consequential AI decisions, and rapid, honest response when AI produces unexpected outcomes: these are not just governance requirements. They are competitive advantages in a world where trust in AI is still being established.