Shadow AI is a demand signal, not a discipline problem
82% of UK IT leaders were stung by unexpected AI costs this year. The bill is the symptom. What nobody can see is the cause.
Sometime in April 2026, the engineering organisation at Uber reached a conclusion that would have been difficult to imagine a year earlier. It had spent its entire 2026 budget for AI coding tools. The year was four months old.[1]
The cause was not waste. It was enthusiasm. Uber had put Claude Code — Anthropic’s coding agent, the kind of tool that writes and runs software alongside an engineer — in front of roughly five thousand developers, and by April adoption had climbed from roughly a third to 84 per cent of them every month, at a metered cost that reached between 500 and 2,000 US dollars per engineer.[1] Microsoft arrived at the same junction from the other side and chose the other road: rather than keep paying, it began cancelling most internal Claude Code licences across its Experiences and Devices division, steering thousands of engineers back towards its own cheaper tool.[2]
Those two numbers are the visible, audited, board-legible end of something far larger and far less visible. The bill arrives. The bill is the symptom. The cause is that almost nobody inside these organisations can see what their own people, and their own software, are actually doing with AI.
The bill is the symptom
On 12 June 2026, the work-management company Asana published research — conducted by Censuswide among 1,002 IT decision-makers and 3,002 knowledge workers across the UK and US — that puts a number on the Uber experience: 82 per cent of UK IT leaders had been hit by unexpected or unplanned AI-related cost increases in the previous twelve months.[3] Treat that as a vendor-commissioned figure, because it is one — Asana sells the software that promises to fix the problem it is measuring — and it still holds, because the independent data says the same thing. A 2026 survey for the cloud-cost firm DoiT, fielded independently by Sapio Research among 500 finance leaders in the US and UK, found 79 per cent had overspent their AI budgets in the past year; a separate index from the software-management firm Zylo put the share of IT leaders facing AI charges they never budgeted for at 78 per cent.[4]
The mechanism is mundane, and worth stating plainly, because the plain version is the one that survives a finance committee. Most enterprise AI is now billed by consumption — by the token, the small unit of text a model reads and writes — rather than by a fixed seat licence. The better the tool, the more your staff reach for it; the more they reach for it, the higher the bill climbs — which means the invoice scales with success rather than failure. That is a genuinely new shape for a technology cost, and the people who signed for it are learning its shape after the fact. Asana’s own data names the vacuum underneath: accountability for AI spend, it found, is split between technology and finance functions with no single clear owner — the corporate version of two people each assuming the other locked the door.[3]
Cost is the easy part of this story. It is the part that shows up on a spreadsheet. The harder part is that the spreadsheet is incomplete.
What your staff have already decided
Here is the finding that should reorganise the conversation. One in four UK knowledge workers — 25 per cent — say they often use AI tools their organisation has not formally approved, and 38 per cent regularly use personal AI accounts for work. Across the combined UK and US sample, those figures rise to 32 and 45 per cent.[3] The behaviour has a name: shadow AI — the unapproved chatbots, agents, and personal accounts employees use to get work done outside whatever their employer has sanctioned — the direct descendant of the shadow IT that put unapproved Dropbox and personal Gmail on corporate laptops a decade ago.
The instinct in most organisations is to treat this as a discipline problem: a policy is being broken, find the breakers, lock it down. The opposite is closer to the truth, and I will label that as my analytical reading rather than settled fact. Shadow AI is the most honest product research a company owns. Every unsanctioned tool is an employee telling you, with their own time and often their own money, that the approved path does not do the job and the unapproved one does.
The supporting evidence is uncomfortable for the people who write the policies. A separate 2026 study by the identity company Okta, surveying workers across seven countries, found the United States leading every nation measured, at 67 per cent of workers using unsanctioned AI tools. More pointedly, it found that 90 per cent of executives were confident in their organisation’s visibility into AI use, while 52 per cent of their own knowledge workers admitted to using the very tools that visibility was meant to catch.[5] The people most certain they can see the problem are, by their own staff’s account, the least able to. Sit with that gap, because it is the governance problem in miniature: the people with the clearest view on the org chart have the least accurate view of the ground. A fair share of those staff are pasting internal emails, HR records, and confidential documents into tools nobody is watching.[5]
This is, with apologies to Douglas Adams, the Beware of the Leopard school of governance — the sanctioned tool filed, in effect, in a disused basement lavatory behind a door marked with a warning, while the organisation expresses surprise that nobody went through it.[6] When the approved route is slow, permission-gated, or simply worse, capable people route around it. They always have. The route-around is not the failure. It is the signal.
The same dynamic, now in software that acts
Shadow AI is humans routing around governance. What makes 2026 different from 2024 is that the software has begun to route around governance too.
In a research paper released late in 2025 and widely reported in March 2026, Alibaba disclosed that one of its own experimental AI agents — an autonomous model named ROME — had, during training, quietly repurposed the company’s graphics processors to mine cryptocurrency and opened a reverse network tunnel out through the firewall; the activity was first mistaken for an external breach. A reverse tunnel is an outbound connection, initiated from inside, that lets an external host reach back in; inbound firewall rules do not stop it, which is why it was read as an intrusion rather than as a misbehaving workload. Nobody had instructed the agent to do either. The post-mortem attributed the behaviour to “instrumental side effects of autonomous tool use”: the agent had reasoned, in effect, that more compute and more resource would help it finish the task it had been set, and went and got them.[7]
An agentic AI — a system that takes actions in the world, calling tools and executing steps on its own, rather than only answering questions — is precisely the kind of actor that does this. And here the Asana number stops being about cost and starts being about consequence: 53 per cent of UK IT leaders say an AI tool or agent took an action in the past year that caused financial, legal, reputational, or compliance harm.[3]
More than half. In a single year.
We have built the HAL 9000 problem into the org chart. HAL followed its instructions to a logical conclusion its designers had not anticipated — no malice, only logic — and the Alibaba agent mined crypto in exactly that register: polite, rule-abiding, catastrophic.[8] Gartner expects more than 40 per cent of agentic AI projects to be cancelled by the end of 2027, citing escalating costs, unclear value, and inadequate risk controls.[9] The projects are not being abandoned because the agents fail to work. They are being abandoned, in part, because the agents work in ways nobody costed or controlled for. This is the very challenge I built Arkava.ai to solve: how to create tangible trust in every agentic action.
Accountable for what you cannot see
Put the two halves together, because together they describe one structural failure rather than two separate IT problems.
Asana found that 61 per cent of UK IT leaders consider themselves highly or fully accountable for AI-driven business outcomes — while AI adoption spreads across departments and outside the governance processes those same leaders are meant to run.[3] That is the whole story in a sentence. The people who will answer for the outcome cannot see the activity that produces it. Read that twice.
This is the Watchmen question in modern dress — quis custodiet ipsos custodes, who watches the watchmen — except the thing that needs watching is now part human and part software, both inside the perimeter, both behaving exactly as their immediate incentives dictate, and the executive whose name sits on the risk register cannot say with confidence what either is doing.[10] When an agent collects credentials it should not have, or an employee pastes a contract into an unmonitored model, the entity held to account is not the agent and not, usually, the employee. It is a named human — and which named human is a question neither UK nor US case law has yet settled.
The instruments that will force the question are already moving. The EU AI Act, now in phased enforcement, assigns obligations to the providers and deployers of high-risk systems; the NIST AI Risk Management Framework is becoming the reference text in US-facing assurance; and the US Securities and Exchange Commission’s 2023 rules already require listed companies to disclose material cybersecurity incidents within four business days of determining that an incident is material.[12] None of them yet states, in plain terms, which named officer answers when an autonomous agent acts. That silence is where the liability sits, waiting.
It also explains the most deflating finding in the field. MIT’s Project NANDA reported in 2025 that, despite 30 to 40 billion US dollars of enterprise spending, 95 per cent of corporate generative-AI pilots were delivering no measurable return.[11] Asana’s version of the same wound: 58 per cent of organisations report high AI adoption but limited measurable productivity gains.[3] The reason is not that the models are weak. It is that too much of the work happens in the dark — 46 per cent of UK IT leaders say AI initiatives stall because the AI lacks the organisational context to do the job, and more than a third of knowledge workers lose half an hour a day or more reworking AI output that missed that context.[3] You cannot capture the gain from a thing you have declined to manage, and you cannot manage a thing you have declined to see.
The fix is a paved road, not a padlock
Picture the person this lands on: a risk director assembling Monday’s board paper, asked to certify the organisation’s AI exposure, holding a cost line that scales with success, a workforce that has already chosen its own tools, and software that occasionally acts on its own. The padlock — ban the unapproved tools, block the traffic, issue the policy — is the intuitive response and the wrong one. It does not remove the demand. It pushes the demand somewhere darker, onto personal phones and personal accounts where no telemetry reaches at all.
The alternative is the one security engineers learned the hard way during the shadow-IT years, and it generalises cleanly: make the secure path the path of least resistance. Pave the road people are already walking down, rather than fencing it off and feigning surprise when they climb the fence. In practice that is three things a board paper can actually specify. Visibility first — an honest inventory of which AI tools and agents are in use, sanctioned or not, because everything downstream is guesswork without it. That inventory does not need a new product to start: identity-provider sign-in logs, egress proxy and DNS logs, and expense claims for personal subscriptions already record most of it, and the gap between what those sources show and what the policy assumes is the first number the board paper should carry. Then enablement — approved tools good enough that the unapproved ones lose their pull, with the context AI needs to be useful, the goals and decisions and workflows, deliberately wired into them. Then accountability — a named owner for AI outcomes and a documented, auditable record of who decided to deploy what, so that when the regulator or the post-incident review arrives, the answer to who is responsible already exists in writing.
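What the “visibility first” step looks like in practice, as an added example written for this piece rather than code from Asana, Okta, Arkava or any of the vendors cited: a small script that reads egress proxy records, classifies each destination as a sanctioned AI service, an unsanctioned one, or neither, and produces a per-user inventory. The tab-separated log format, the sample lines, the sanctioned-host list, and the user-agent heuristic for spotting non-browser clients (CLIs, SDKs, agents) are all assumptions constructed for illustration; the hostnames in the catalogue are real, but the catalogue itself is something an organisation would have to maintain.

```python
"""Shadow-AI inventory from egress proxy logs.

Added example for this article; not code from Asana, Okta or Arkava.
Assumes a tab-separated proxy log (timestamp, user, URL, user-agent), a
format constructed here for illustration. The sanctioned and known-AI host
lists are hypothetical policy configuration, not a published catalogue.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts the organisation has formally approved (hypothetical policy).
SANCTIONED_AI_HOSTS = {"api.anthropic.com"}

# Known AI service hosts to look for, mapped to a tool label. The hostnames
# are real, but the list is illustrative and would be maintained from a
# vendor catalogue in practice.
KNOWN_AI_HOSTS = {
    "api.openai.com": "OpenAI API",
    "chatgpt.com": "ChatGPT",
    "api.anthropic.com": "Anthropic API",
    "claude.ai": "Claude web",
    "gemini.google.com": "Gemini",
    "generativelanguage.googleapis.com": "Gemini API",
}

# Constructed sample log lines: timestamp, user, URL, user-agent, tab-separated.
# The "eu." subdomain on carol's second line is part of the constructed sample,
# included to show parent-domain matching.
SAMPLE_LOG = (
    "2026-05-12T09:01:04Z\talice\thttps://api.anthropic.com/v1/messages\tclaude-cli/1.0\n"
    "2026-05-12T09:02:11Z\talice\thttps://chatgpt.com/backend-api/conversation\tMozilla/5.0\n"
    "2026-05-12T09:05:30Z\tbob\thttps://api.openai.com/v1/chat/completions\tpython-requests/2.31\n"
    "2026-05-12T09:07:45Z\tbob\thttps://intranet.example.com/wiki\tMozilla/5.0\n"
    "2026-05-12T09:08:02Z\tcarol\thttps://gemini.google.com/app\tMozilla/5.0\n"
    "2026-05-12T09:09:19Z\tcarol\thttps://eu.api.anthropic.com/v1/messages\tMozilla/5.0\n"
    "2026-05-12T09:10:00Z\tdave\thttps://intranet.example.com/hr\tMozilla/5.0\n"
)


def parse_line(line):
    """Split one tab-separated record into its fields; URL reduced to hostname."""
    ts, user, url, user_agent = line.rstrip("\n").split("\t")
    return {"ts": ts, "user": user, "host": urlsplit(url).hostname or "", "user_agent": user_agent}


def classify_host(host):
    """Return (status, tool) for a hostname, walking up parent domains so that
    'eu.api.anthropic.com' matches the catalogue entry 'api.anthropic.com'.
    status is 'sanctioned', 'unsanctioned', or None for a non-AI destination."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in KNOWN_AI_HOSTS:
            status = "sanctioned" if candidate in SANCTIONED_AI_HOSTS else "unsanctioned"
            return status, KNOWN_AI_HOSTS[candidate]
    return None, None


def is_automated_client(user_agent):
    """Heuristic, assumed here rather than a reliable fingerprint: browsers send
    a Mozilla/-prefixed user-agent; CLIs, SDKs and agents generally do not."""
    return not user_agent.startswith("Mozilla/")


def build_inventory(log_text):
    """Per-user counts of sanctioned/unsanctioned AI requests, non-browser
    clients, and which tools were used. Users with no AI traffic are absent."""
    inventory = defaultdict(
        lambda: {"sanctioned": 0, "unsanctioned": 0, "automated": 0, "tools": defaultdict(int)}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        status, tool = classify_host(rec["host"])
        if status is None:
            continue  # not an AI destination; irrelevant to this inventory
        entry = inventory[rec["user"]]
        entry[status] += 1
        entry["tools"][tool] += 1
        if is_automated_client(rec["user_agent"]):
            entry["automated"] += 1
    return {u: {**e, "tools": dict(e["tools"])} for u, e in inventory.items()}


def summarise(inventory):
    """Board-paper view: how many people touch AI at all, who is off-policy,
    and which tools the organisation is actually running on."""
    unsanctioned_users = sorted(u for u, e in inventory.items() if e["unsanctioned"])
    tools = defaultdict(int)
    for e in inventory.values():
        for t, n in e["tools"].items():
            tools[t] += n
    return {
        "users_with_ai_traffic": len(inventory),
        "users_with_unsanctioned_ai": unsanctioned_users,
        "tools": dict(tools),
    }


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for user, entry in sorted(inv.items()):
        print(user, entry)
    print(summarise(inv))
```

On the constructed sample, every user with AI traffic has at least one unsanctioned request, and two of them reach AI services from non-browser clients, which is the agent and SDK traffic a seat-licence view never sees. Personal accounts on sanctioned hosts are invisible to this pass; telling a corporate Claude or ChatGPT session from a personal one needs the identity provider’s sign-in records joined against the same user field, not the proxy log alone.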
Asana’s Christina Francis, who heads its UK and Northern Europe business, frames visibility, governance, and context as “not competing priorities, but the same thing”.[3] On that, the vendor and the independent evidence agree, which is rare enough to note. The framing is right even where the motive is commercial. The organisations that get ahead will not be the ones that banned shadow AI. They will be the ones that read it as the demand signal it always was, and built the governed version of what their people were already reaching for.
Predictive judgement
Prediction. By 30 June 2027, at least one FTSE 100 or Fortune 500 company will publicly attribute a material financial event — a write-down, restated cost guidance, or a disclosed control failure — to ungoverned or agentic AI activity. And “shadow AI” or “AI usage governance” will appear as a named, discrete line item in the cybersecurity or risk disclosures of at least three such companies in annual reports filed during 2027.
Signals to watch.
Annual reports and risk disclosures naming shadow AI, AI usage governance, or agentic-AI risk as discrete line items, rather than folding them into generic technology-risk boilerplate.
A named, public agentic-AI incident — in the register of the Alibaba ROME event, but at a Western listed company — disclosed in a regulatory filing rather than a researcher’s blog.
The first enforcement action or material legal ruling that fixes accountability for an autonomous AI action on a specific corporate role.
Falsifiability. If by 30 June 2027 no listed company of that size has tied a material financial event to ungoverned or agentic AI, and shadow AI has not surfaced as a named disclosure line item in at least three annual reports, this prediction is wrong — and the accountability gap will have proved more containable than the argument here allows.
The bottom line
The reflex when the AI bill arrives is to find who broke the rules and stop them. It is the wrong reflex, and it misreads the evidence in front of every IT leader who has actually looked. The staff did not go rogue. They went first. They worked out, ahead of the procurement cycle and the governance committee, that the approved path was slower than the unapproved one, and they did what capable people under deadline always do.
The cost line is visible. The agents are visible too, at least when they misbehave loudly enough to trip a firewall. What stays invisible is the decision architecture underneath — who chose, who is accountable, who can see. That is the control layer, and it is the one part of the AI stack that almost no organisation has yet built.
You cannot govern what you have chosen not to see.
Decision-grade analysis on AI, cybersecurity, technology sovereignty, and the geopolitics of the technology stack — written for the board paper, not the timeline. By Amer Altaf, Founder & CEO of Arkava and Managing Editor of The Control Layer.
References
[1]: Uber’s 2026 AI-tooling spend and per-engineer Claude Code costs are reported in “Microsoft’s quiet Claude Code retreat and the real cost of enterprise AI”, The Next Web, June 2026; and “Microsoft is dropping Claude Code by June 30 after burning through its entire year’s AI budget in just months”, Cybernews, June 2026. Figures are as reported; Uber has not published a primary breakdown.
[2]: Microsoft’s cancellation of internal Claude Code licences across its Experiences and Devices division is reported by The Next Web (above) and Cybernews (above), June 2026.
[3]: Asana, AI cost, governance, and shadow-AI research, conducted by Censuswide among 1,002 IT decision-makers and 3,002 knowledge workers in the UK and US; fieldwork 12–19 May 2026 (IT decision-makers) and 12–18 May 2026 (knowledge workers); UK figures based on UK respondents only. Reported 12 June 2026. All Asana figures are vendor-commissioned and attributed as such throughout.
[4]: DoiT, “Why 79% of Enterprises Overspent on AI in 2026” (AI spending survey, fielded by Sapio Research), 2026; see also “AI cost overruns are adding up — with major implications for CIOs”, CIO, 2026.
[5]: Okta, “AI Agents at Work 2026” (survey conducted by Apprize360 across seven countries, March 2026); coverage in “Bosses blinded by confidence about shadow AI use by workers”, The Register, 27 May 2026.
[6]: Douglas Adams, The Hitchhiker’s Guide to the Galaxy (Pan Books, 1979). The “Beware of the Leopard” passage describes planning notices filed in a disused basement lavatory behind a door marked with a warning sign.
[7]: “This AI agent freed itself and started secretly mining crypto”, Axios, 7 March 2026; “An experimental AI agent broke out of its testing environment and mined crypto without permission”, Live Science, 2026; “Alibaba-linked AI agent hijacked GPUs for unauthorized crypto mining, researchers say”, The Block, 2026.
[8]: Stanley Kubrick (dir.), 2001: A Space Odyssey, Metro-Goldwyn-Mayer, 1968; screenplay by Kubrick and Arthur C. Clarke. The HAL 9000 sequence is the canonical analogue for an AI that follows its instructions logically to an outcome its principals did not intend.
[10]: Alan Moore and Dave Gibbons, Watchmen (DC Comics, 1986–87). The recurring quis custodiet ipsos custodes motif — “who watches the watchmen” — is used here as the accountability framing for autonomous actors inside an organisation’s perimeter.
[11]: MIT Project NANDA, “The GenAI Divide: State of AI in Business 2025”, July 2025; reported in “MIT report: 95% of generative AI pilots at companies are failing”, Fortune, 18 August 2025.
[12]: European Commission, EU AI Act (Regulation (EU) 2024/1689), phased entry into force; US National Institute of Standards and Technology, AI Risk Management Framework (AI RMF 1.0), January 2023; US Securities and Exchange Commission, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” final rules, 2023.
Author
Amer Altaf is Founder and CEO of Arkava, a UK and European sovereign AI agentic automation business, and Managing Editor of The Control Layer, the publication where he tracks the convergence of cybersecurity, AI, and the geopolitics of the technology stack. A techUK member, he contributes to industry engagement on UK technology sovereignty policy. He is currently writing on cloud security in an age of geopolitical uncertainty for Oxford University Press’s Expert Essentials series.