The Record
None of this is theoretical. The evidence is coming from the field, not from sceptics.
South Africa’s own numbers make the point first. World Wide Worx’s SA Generative AI Roadmap 2025 found that 67% of large local enterprises now use generative AI, up from 45% a year earlier – but fewer than one in seven have an organisation-wide strategy for it, and only 13% have proper guardrails in place. Adoption has run well ahead of governance, into what the study calls a regulatory and ethical vacuum.
The international evidence points the same way. A widely cited – and much debated – MIT study last year found that roughly 95% of enterprise generative-AI initiatives delivered no measurable return, and traced the failures not to the models, which are genuinely capable, but to how poorly the tools were wired into the work around them. McKinsey puts firmer numbers on the same gap: almost nine in ten organisations now use AI, yet only about 6% report a material impact on the bottom line. Gartner has reported that data oversharing pushed around 40% of organisations to delay their Copilot rollouts by three months or more, and counts permission sprawl among the leading security risks of the technology.
The pattern is consistent. Where AI disappoints, the model is rarely the problem. The foundation underneath it is. And where AI delivers, the same foundation is the reason – the estate is the lever either way.
Which makes the most common response – buy more licences, widen the rollout, drive harder for adoption – exactly backwards. You cannot buy your way out of a data problem by deploying more of the tool that exposes it.
Microsoft has read the same evidence, and its own deployment guidance is sequenced accordingly. Its blueprint for a secure Copilot rollout sets the order plainly: remediate oversharing, put guardrails in place, then meet your regulatory obligations. Before value, before rollout, fix the permissions. Prune the stale content. Govern the estate. Only then switch on.