Thirty Years of Governance Tools. Same Failure Rate. What Are We Missing?
The Paradox
This week we mapped the AI governance landscape: $1.4 billion in acquisitions, runtime enforcement shipping from multiple vendors, hyperscalers adding native governance controls, analysts publishing taxonomies, CISOs building governance committees. The tooling has never been more abundant, more funded, or more sophisticated.
And yet.
The historical data tells a story the vendor announcements don't. It's a story worth reading carefully, because the pattern it reveals isn't about AI. It's about something older and more stubborn.
The Baseline: Three Decades of IT Project Governance
In 1994, the Standish Group published its first CHAOS report, surveying thousands of IT projects across public and private sectors. The findings were stark: only 16.2% of software projects delivered on time and on budget. A full 31.1% were canceled outright. The remaining projects were "challenged" — over budget, past deadline, or delivering less than promised.
The report catalyzed an industry response. Project management methodologies matured. Agile emerged as a corrective to waterfall rigidity. DevOps compressed feedback loops. Cloud infrastructure reduced provisioning timelines from months to minutes. Governance, risk, and compliance platforms proliferated. Billions were invested in tooling designed to make projects succeed.
By 2012, Standish reported improvement: 37% of projects succeeded, 42% were challenged, and 21% failed. Progress.
Then the gains stalled. The 2015 CHAOS report found that 71% of projects failed to meet its revised success criteria: on time, on budget, and with a satisfactory result. By 2020, the numbers settled into what appears to be a structural equilibrium: 31% successful, 50% challenged, 19% failed. Statistically indistinguishable from the mid-2000s.
Three decades. Multiple methodology revolutions. An entire industry of project governance tooling. And the success rate hovers around one in three.
The AI Layer: Worse, Not Better
Now layer AI projects on top of this baseline.
MIT's Project NANDA, published in mid-2025, surveyed 300-plus AI deployments and found only about 5% of generative AI pilots achieved rapid revenue acceleration. The remaining 95% stalled, delivering little to no measurable impact on the bottom line.
The RAND Corporation's analysis puts the broader AI project failure rate at over 80% — roughly double the failure rate of non-AI IT projects.
S&P Global's 2025 survey of over 1,000 enterprises across North America and Europe found 42% of companies scrapped most of their AI initiatives that year, up sharply from 17% the prior year. The average organization abandoned 46% of AI proofs of concept before reaching production.
Gartner projects 80% of data and analytics governance initiatives will fail by 2027, citing lack of connection to business outcomes. Separately, Gartner predicts organizations will abandon 60% of AI projects unsupported by AI-ready data through 2026. And Gartner expects over 40% of agentic AI projects to be canceled by the end of 2027, citing escalating costs, unclear business value, and inadequate risk controls.
BCG reported in late 2024 that 74% of companies had yet to show tangible value from AI. By mid-2025, McKinsey found over 80% of organizations reporting no meaningful enterprise-wide impact despite AI adoption.
These aren't fringe studies. MIT, RAND, S&P Global, Gartner, BCG, McKinsey — the most authoritative voices in enterprise technology and strategy converge on the same conclusion: the vast majority of AI implementations fail to deliver intended value.
The Uncomfortable Overlay
Place these two datasets side by side and the picture gets uncomfortable.
IT project governance tooling has matured continuously since the 1990s. Methodologies have evolved through waterfall, agile, SAFe, DevOps, and platform engineering. Monitoring, observability, CI/CD, and automated testing have eliminated entire categories of technical failure. GRC platforms from ServiceNow, RSA Archer, OneTrust, and IBM OpenPages provide structured risk management, policy libraries, and audit workflows. Enterprise architecture tools from Ardoq, LeanIX, and MEGA offer metamodel-driven visibility into systems and dependencies.
The tools improved. The success rate didn't — not meaningfully, not durably.
And now, AI governance is following the same trajectory. The vendor landscape is active. The funding is real. The products are shipping. Runtime enforcement, structured inventories, policy-as-code engines, agent controls — the tooling layer is forming faster than it did for traditional IT governance.
If the pattern holds, the tooling will mature. Adoption will grow. And the failure rate will settle into its own equilibrium — stubbornly resistant to the tools designed to reduce it.
What the Data Suggests
The consistent failure rates across three decades and multiple technology waves suggest the binding constraint isn't tooling. It's something upstream of tooling.
The Standish Group's own analysis points in this direction. Across all editions of the CHAOS report, the top success factors are remarkably consistent: user involvement, executive support, and clear statement of requirements. These are human and organizational factors, not technical ones. The projects that succeed aren't the ones with better project management software. They're the ones where the right people defined the right requirements with sufficient clarity before building started.
Gartner's AI-specific analysis reinforces this. Their prediction that 60% of AI projects unsupported by AI-ready data will be abandoned isn't about model quality or compute infrastructure. It's about whether the foundational information — the data, the rules, the constraints, the domain knowledge — was in a usable state before the AI system tried to consume it.
The RAND Corporation's taxonomy of AI failure causes is even more explicit: misaligned business objectives, unrealistic expectations, poor data infrastructure, and organizational disconnects appear more frequently than model failures or compute limitations.
The tools keep getting better. The failure rates don't move. The variable that tools don't address — the upstream clarity of what's being governed, built, or deployed — appears to be the one that determines outcomes.
The Question
This isn't an argument against governance tooling. The tools are necessary. Runtime enforcement is better than advisory-only documentation. Structured inventories are better than spreadsheets. Policy-as-code is better than policy-as-prose.
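To make that last contrast concrete, here is a minimal sketch of what policy-as-code means in practice, written in Python. The schema, field names, and rules are illustrative assumptions, not any particular vendor's engine; the point is only that a rule expressed as code can block a non-compliant deployment inside a pipeline, where the same rule in a policy document can only advise.

```python
# A minimal, illustrative policy-as-code check. The schema and rules below are
# assumptions for the sake of the example, not any real vendor's engine:
# the prose policy "models that handle personal data must not ship without a
# completed risk review" becomes a check a CI/CD pipeline can actually run.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Deployment:
    model_name: str
    handles_personal_data: bool
    risk_review_completed: bool
    owner: str


def evaluate(deployment: Deployment) -> list[str]:
    """Return policy violations for a proposed deployment; an empty list means it passes."""
    violations = []
    if deployment.handles_personal_data and not deployment.risk_review_completed:
        violations.append("handles personal data but risk review is not complete")
    if not deployment.owner:
        violations.append("no accountable owner recorded")
    return violations


if __name__ == "__main__":
    request = Deployment(
        model_name="support-chat-v2",       # hypothetical deployment request
        handles_personal_data=True,
        risk_review_completed=False,
        owner="ml-platform-team",
    )
    problems = evaluate(request)
    if problems:
        print("BLOCKED:", "; ".join(problems))  # enforcement, not advice
    else:
        print("APPROVED")
```

Note that even this toy check depends on the thing the rest of this piece is about: someone upstream still has to decide, clearly and in advance, what "handles personal data" and "risk review completed" actually mean.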
But the historical record raises a question the market hasn't fully reckoned with: if better tools were the answer, shouldn't we know by now?
Thirty years of data suggests the gap isn't between "governed" and "ungoverned." It's between organizations that achieved upstream clarity about what they're building, why, and within what constraints — and organizations that skipped that step and hoped tooling would compensate.
The AI governance market is building the best enforcement infrastructure the industry has ever had. The question worth sitting with is whether enforcement is the constraint — or whether something else, something the tools assume is already in place, is the thing that's actually missing.
The Market Map is published every Friday on the NPM Tech blog. It wraps the week's signals — from AI failure analysis to governance trends to market movements — into the broader picture of where enterprise AI is heading.
Missed this week? Start with Tuesday's Natural Selection, then Wednesday's Grep 'n Guess, and Thursday's State of the Industry for the full arc.