Most businesses buying AI tools aren't seeing a return. The reason isn't the software. It's what's missing around it.

The number nobody wants to talk about

Boston Consulting Group's 2025 Build for the Future study surveyed more than 1,
companies across 68 countries. The headline finding is uncomfortable: 60% are
achieving no material value from their AI investments, minimal revenue gains, minimal
cost savings, despite substantial spend. Only 5% are creating value at scale.
This is not a fringe view. McKinsey's State of AI 2025 report, drawn from nearly 2,
respondents across 105 countries, found that while 88% of organisations now use AI in
at least one function, only around 6% are seeing meaningful enterprise impact. An IBM
study put enterprise-wide AI ROI at 5.9% against a 10% capital investment.
So the AI budget keeps growing. The returns, for most, do not.
The question worth asking is why.

It isn't the technology

The temptation is to blame the tools. The models are immature. The vendors are over-
promising. The use cases haven't matured. There is some truth in all of that, but it isn't
the main story.
BCG's own analysis is clearer. The companies getting value from AI aren't using
fundamentally different software. They are doing three things differently around the
software:

• They redesign workflows rather than layering AI on top of old processes

• They invest in the people who use the tools, not just the tools themselves

• They build governance early, not as a brake, but as the foundation that lets
  them move

  
  

  McKinsey's data points to the same conclusion. High performers are roughly three
  times more likely to have fundamentally redesigned a workflow. They are far more likely
  to have strong senior leadership engagement on AI risk and value. And they are far more
  likely to have meaningful governance in place: policy frameworks, audit trails, defined
  accountability for who can use what, on what data, for what purpose.
  The gap between the 5% and the 60% isn't a technology gap. It's an execution gap. And
  execution depends on something most organisations have skipped.

The shadow AI problem

While leadership debates which AI platform to buy, employees have already made their
own choices.
UpGuard's 2025 research found that more than 80% of workers, including nearly 90% of
security professionals, use unapproved AI tools at work. BlackFog's 2025 survey of
2,000 UK and US employees found 86% use AI weekly for work tasks, with 49%
admitting to using tools their employer hasn't approved. MIT's State of AI in Business
2025 describes a thriving "shadow AI economy" inside companies whose official AI
programmes have stalled.
This is the part that links directly to the ROI problem. Money is being spent on enterprise
AI software. Meanwhile, the actual work is being done somewhere else, in personal
ChatGPT accounts, free tools, browser extensions, and unmanaged subscriptions. The

licensed platform sits underused. The unsanctioned tool handles the sensitive
document.
IBM's Cost of a Data Breach Report 2025 found that 20% of organisations suffered a
breach involving shadow AI in the past year, adding an average of $670,000 to the cost
of the incident. 97% of organisations that experienced an AI-related breach lacked
adequate AI access controls.
The financial picture, then, looks something like this. The business is paying for software
that staff don't fully use, while accepting risk from tools that staff use instead, with no
clear view of either. That isn't an AI strategy. It's two parallel problems that cancel each
other out.

What "buying software staff can't safely use" actually looks like

A mid-sized professional services firm signs an enterprise contract for an AI assistant.
Six months later:

• Adoption sits below 30%. Staff who tried it found the approved tool slower or less
  capable than the free version they were already using

• The information governance team has no view of which client data has been
  used in which prompts, on which platform

• One partner is concerned about a confidentiality clause in a recent matter;
  nobody can confirm whether any aspect of that matter touched an external AI
  tool

• The board asks for the ROI on last year's AI spend. Finance can show the cost.
  Nobody can show the return
  None of this is hypothetical. It is the default outcome when AI procurement runs ahead
  of AI governance. The tools were bought. The conditions for using them well were not
  built.
  This is what we mean when we say competitors are wasting their AI budget. They
  haven't bought the wrong software. They've bought software into the wrong
  environment.

The governance layer changes the equation

Governance, in this context, isn't paperwork. It isn't a policy PDF sitting on a shared
drive. It is the operating layer that determines whether AI investment translates into
value.
A working governance layer answers, at minimum, four questions in real time:

1. What AI is being used in this business, by whom, and on what? Without
   visibility, every other question is theoretical.

2. What is approved, what is restricted, and how do staff know the
   difference? Policy that isn't visible at the point of use isn't policy. It's
   documentation.

3. What evidence exists that staff are using AI safely and effectively? Training,
   attestation, behavioural signals, and audit trails — not as a compliance exercise,
   but as the basis for trusting AI in real work.

4. What is the business actually getting from its AI spend? Adoption data, value
   capture, risk exposure, and inaction cost — measured, not assumed.
   When those four questions can be answered, AI software becomes usable. Staff know
   what is permitted. Leadership can see where the investment is and isn't working. Risk

becomes visible early enough to manage. The shadow estate shrinks because the
sanctioned route is genuinely better.
This is the layer most businesses haven't built. It is also the layer that separates the 5%
from the 60%.

What the leaders do differently

The pattern across the BCG, McKinsey, and IBM evidence is consistent. Organisations
creating real value from AI didn't buy more AI software than everyone else. They built the
conditions for the software to work.
In practice, this looks like:

• Governance before scale. A clear, owned framework for how AI is used,
  established before significant licence commitments, not after the first incident

• Visibility over employee AI use. Knowing where shadow AI is happening and
  providing a sanctioned alternative that is genuinely better

• Training that meets staff where they are. Not a one-off course, but ongoing
  capability building tied to the specific tools and the specific work

• Measurement that includes inaction. What is it costing the business not to use
  AI in this workflow? What is it costing to use it badly?
  None of this requires waiting for AI regulation to settle, or for the next model release, or
  for the perfect platform. It can begin now, with the AI tools the business already has.

Where Turma fits

Turma exists for the conversation that comes after "we've bought some AI software." We
help businesses build the governance layer that makes that software safe to use, visible
to leadership, and capable of actually returning value.
The product suite is designed around the gap the research describes. Turma
Snapshot gives a fast, structured view of where a business currently stands, including
where shadow AI is likely operating, where governance is thin, and where the cost of
inaction is largest. Turma Assured runs the live governance environment: policies that
adapt as the market changes, evidence capture, badge status, and clear ownership of
what must happen by when. Turma Passport covers the people layer, training,
attestation, and behavioural signals that turn policy into practice.
The point isn't to slow AI adoption down. It is to make sure the investment already being
made starts to pay back.

A practical first step

If you are not certain how much of your AI budget is currently returning value, you are
not alone. The BCG number suggests most aren't. The honest first step is to find out.
A short, structured assessment can usually tell a business three things within a week:
where shadow AI is most likely concentrated, where governance gaps are creating the
largest exposure, and where the most addressable ROI lies. From there, the work is
sequencing, not rebuilding.
Turma's free Snapshot assessment is built for exactly this. It takes five to seven minutes,
and it produces a useful, honest picture of where you stand.
You can't govern what you can't see. And you can't get a return on AI software your
business isn't safely using.
The 60% is a choice. It doesn't have to be yours.

Sources

• Boston Consulting Group, The Widening AI Value Gap / Build for the Future 2025
  Global Study (n=1,250 firms across 68 countries), September 2025

• McKinsey & Company, The State of AI in 2025: Agents, Innovation, and
  Transformation (n=1,993 respondents across ~105 countries), 2025

• IBM, Cost of a Data Breach Report 2025 , in partnership with the Ponemon
  Institute

• MIT NANDA, The GenAI Divide: State of AI in Business 2025

• BlackFog / Sapio Research, Shadow AI survey, November 2025 (n=2,000 UK and
  US employees)

• UpGuard, Workplace AI Use Report, November 2025
  This article is intended as general guidance for business leaders. Where the issues
  raised intersect with regulated activity, data protection, or sector-specific obligations,
  businesses should seek advice from a qualified professional based on their own
  circumstances.