← All writing

Jul 11, 2026 · 9 min read

The Quiet Takeover: GenAI is Getting Beyond Our Control

The Quiet Takeover: GenAI is Getting Beyond Our Control

How generative AI is embedding itself into banking, healthcare, law, and government faster than anyone can govern it — and what the last eighteen months of real-world failures tell us about the cost of that speed.

Introduction

The fear used to be cinematic. A rogue superintelligence. A robot uprising. Something dramatic enough to make the evening news.

The reality is a Gartner adoption chart.

Somewhere in an enterprise research report, sitting quietly between a pricing table and a vendor comparison matrix, is a chart showing "Very Strong" and "Strong" correlation between generative AI adoption and core operations across banking, healthcare, law, and government. No sirens. No headlines. Just an upward-sloping line that most executives glance at for four seconds before moving to the next slide.

That chart is the story. Not because it's alarming to look at — it isn't — but because of how ordinary it looks while describing something extraordinary: AI systems are now embedded in the sectors where mistakes cost the most, and they got there faster than the institutions meant to govern them could react. This isn't a hypothetical. It's already showing up in court sanctions, corporate breach reports, layoff reversals, and regulatory deadlines that keep sliding to the right. The rest of this piece walks through what's actually happened, sector by sector, in the last eighteen months.

The Red Zone Reality: When "Very Strong" Adoption Meets Zero Verification

Healthcare, banking, and law sit in the "Very Strong" adoption zone on that Gartner chart — which sounds like a success story until you look at what "adoption without safety rails" has actually produced in courtrooms and boardrooms.

The clearest evidence comes from the legal system, where the paper trail is public and growing daily.

  • Sullivan & Cromwell, April 2026 — One of the most prestigious law firms in the world submitted an emergency motion in the Prince Global Holdings bankruptcy case containing roughly 28 erroneous citations. The firm formally apologized to the presiding judge.
  • Sixth Circuit Court of Appeals, March 2026 — In Whiting v. City of Athens, a three-judge panel sanctioned two attorneys $15,000 each — the stiffest penalty the court could impose — after their briefs contained more than two dozen fabricated or misrepresented citations across three consolidated appeals.
  • Nebraska Supreme Court, April 2026 — An Omaha attorney was suspended from practice entirely after filing a brief in which 57 of 63 citations were defective, including 20 completely fabricated cases. He initially denied using AI, then admitted it.
  • Northern District of Mississippi, June 2026 — A federal judge removed four lawyers from a single contract dispute after finding that attorneys on both sides had submitted AI-hallucinated legal authorities.

As of April 2026, the Damien Charlotin AI Hallucination Cases Database had documented over 1,300 court proceedings worldwide involving fabricated AI content — up from roughly 200 a year earlier. Reported incidents have gone from about two per week in early 2025 to two or three per day by late 2025. Stanford's CodeX Center found that general-purpose language models fabricate legal citations in 30–45% of research responses, with even specialized legal AI tools showing double-digit error rates.

This is what "Very Strong adoption" looks like without a verification layer: not a single dramatic failure, but a steady drumbeat of professionals trusting fluent, confident-sounding output that turned out to be fiction. The same dynamic plays out in banking and healthcare — sectors where the stakes are financial solvency and human health rather than a sanctions order, and where errors are often far harder to trace back to their source.

The Shadow AI Threat: What the Official Chart Doesn't Show You

Here's the problem with any adoption chart, however accurate: it measures sanctioned use. It says nothing about the AI activity happening on personal devices and personal accounts, completely outside any governance framework — activity that has become the norm rather than the exception.

  • Verizon's 2026 Data Breach Investigations Report found that the share of employees regularly using AI tools on corporate devices jumped from 15% to 45% in a single twelve-month window — a tripling that outpaces nearly every enterprise technology adoption curve on record, rivaling the early smartphone boom. Two-thirds of that access happens through personal, non-corporate accounts.
  • Samsung's semiconductor division experienced three separate proprietary data leaks within 20 days of allowing employee access to ChatGPT — engineers pasted source code to debug it, submitted defect-detection algorithms for optimization, and fed transcribed internal meeting notes into the tool to generate summaries. Once submitted, Samsung confirmed the data could not be retrieved.
  • A contractor working on the NSW government's flood recovery program downloaded a spreadsheet containing over 12,000 rows of applicant data — names, addresses, phone numbers, health information — and uploaded it to a personal ChatGPT account. The breach wasn't publicly disclosed for six months. No data-loss-prevention system flagged it at any point.
  • IBM's 2025 Cost of a Data Breach Report found that breaches involving significant shadow AI use cost an average of $670,000 more than the global breach baseline of $4.44 million.

The detection problem is structural, not just a matter of policy. Traditional shadow IT left recognizable fingerprints — known domains, predictable API calls. Shadow AI traffic routes through HTTPS to mainstream AI providers and blends into ordinary browser activity. Security teams are, in a real sense, defending data they can't see moving.

So when a Gartner chart shows "Strong" adoption in a given sector, read it as a floor, not a ceiling. The unsanctioned use sitting beneath that number is often larger than the sanctioned use sitting above it.

The Outsourced Judgment: What Happens When You Trust AI to Replace Judgment, Not Just Assist It

The third failure mode isn't hallucination or leakage — it's organizations quietly discovering that AI can execute a task without being able to own the judgment behind it, and finding out the hard way which one they'd actually delegated.

  • Klarna, 2024–2025 — CEO Sebastian Siemiatkowski publicly celebrated replacing 700 customer service employees with AI, citing roughly $10 million in savings. Customer satisfaction fell sharply, complaints mounted, and by mid-2025 Klarna was quietly rehiring for the same roles, with Siemiatkowski acknowledging the company had "gone too far."
  • Ford invested heavily in automated quality-control systems meant to catch design and manufacturing flaws. The systems missed defects that experienced engineers would have caught, lacking the decades of accumulated judgment no training set fully replicates. Ford ultimately rehired, newly hired, or promoted 350 experienced engineers to close the gap — and topped J.D. Power's 2026 Initial Quality Study for the first time since 2010.
  • Commonwealth Bank of Australia eliminated 45 customer service roles in 2025, judging them redundant under its AI system. By August 2025, the bank reversed the decision outright, stating its "initial assessment... did not adequately consider all relevant business considerations."
  • IBM's AskHR platform automates 94% of routine HR inquiries — genuinely impressive — but the remaining 6%, involving ethical judgment and nuanced human situations, "completely stumped" the system. IBM's response was to triple entry-level hiring in the US for 2026, with its CHRO warning that without continued human investment, "the well simply dries up" within three to five years.

The pattern across all four cases is identical: a company automates a function believing AI has absorbed the judgment along with the task, discovers the judgment didn't transfer, and pays twice — once for the AI rollout, once for the correction. Robert Half data shows 32% of US hiring managers who cut a role primarily due to AI have already rehired for the same or a similar position. Separately, Orgvue's 2026 survey found that of business leaders who made staff redundant specifically because of AI, 55% now say the decision was wrong.

This is the "outsourced judgment" problem in miniature: it's not that AI performs badly. It's that organizations mistake task completion for decision-making, hand over the latter along with the former, and only discover the difference after the fact.

The Regulatory Gap: Writing Rules for the AI That Existed Two Years Ago

If adoption were the only story, it would be concerning but manageable — regulation could, in theory, catch up. The fourth piece of the picture is that it isn't catching up. It's structurally behind, by design and by necessity, and the gap is measured in years, not months.

  • The EU AI Act, widely considered the world's most comprehensive AI regulatory framework, was adopted in mid-2024 with most high-risk obligations originally scheduled to take effect August 2, 2026. In May 2026, EU lawmakers agreed to push the deadline for high-risk systems — covering biometrics, critical infrastructure, education, employment, credit scoring, and law enforcement — back sixteen months, to December 2, 2027. AI embedded in regulated products, including medical devices, was pushed to August 2028.
  • The stated reason for the delay was not that the risks had diminished — European regulators were explicit that the underlying obligations remain unchanged — but that the technical standards, conformity assessment processes, and implementation guidance needed to actually enforce the rules weren't ready. The infrastructure to govern the law hadn't caught up to the law itself.
  • A Vision Compliance industry survey from April 2026 found that 78% of organizations subject to the EU AI Act had taken no meaningful compliance steps, including 74% with no designated internal owner for AI compliance at all.
  • In the United States, regulation is fragmenting rather than consolidating: California's AI Transparency Act, Texas's H.B. 149, and Colorado's AI Act (enforceable June 2026) each apply different definitions and thresholds, creating a compliance patchwork rather than a unified standard — even as the underlying AI models operate identically across all three states.

This is regulatory lag in its most literal form: not lawmakers ignoring the problem, but lawmakers correctly identifying the problem and then discovering that writing an enforceable rule for a technology this fast-moving takes longer than the technology takes to make the rule obsolete. By the time the EU's high-risk obligations activate in December 2027, the systems they were written to govern in 2024 will likely be several generations removed from what's actually deployed in hospitals, banks, and courtrooms by then.

The Gartner chart doesn't pause while the law catches up. It keeps climbing.

Pulling Control Back: Three Places to Start

None of this is an argument against generative AI. It's an argument against the current pace mismatch between adoption and governance — and pace mismatches are, in principle, fixable. Three concrete places to start:

1. Red Zone moratoriums on unverified output. Any sector in the "Very Strong" adoption zone — legal filings, medical diagnostics, financial disclosures — should require mandatory human verification of AI output before it reaches a court, a patient, or a regulator, with the verification step itself documented and auditable. This isn't a ban on AI assistance. It's a ban on AI conclusions standing unverified in high-stakes contexts, which the legal profession's 1,300+ sanctioned filings show is currently the norm, not the exception.

2. Firewall shadow AI the way IT firewalled shadow SaaS a decade ago. Enterprise-grade AI tools with proper data governance exist and work. The gap isn't capability — it's adoption friction. Organizations need to make the sanctioned tool easier to use than the unsanctioned one, paired with real monitoring for the 8+ GB per month organizations are currently uploading to ungoverned AI applications with zero audit trail.

3. Treat frontier AI deployment in critical infrastructure like nuclear energy, not like software. Nuclear power is transformative, heavily regulated, and deployed only after extensive certification — not because the technology is inherently malicious, but because the failure modes are severe enough to warrant that friction. AI systems making credit, medical, and judicial decisions deserve the same category of pre-deployment scrutiny, not a "move fast and patch later" model borrowed from consumer software.

The Gartner chart will keep climbing regardless of what regulators, courts, or corporate boards decide to do next. The only real question is whether the next eighteen months of headlines look like the last eighteen — a rolling list of sanctions, breaches, reversals, and missed deadlines — or whether the institutions embedding this technology finally build the verification layer to match the speed of adoption. Right now, the data says they haven't. The chart says they won't slow down long enough to start.


Thanks for reading. If this resonated with you, I'd love to hear about what you're building. Get in touch.