// Part Two · Chapter 5

Governance-First Models

Why ~70% of AI pilots die before production.

The 70% Problem

Every enterprise knows the AI graveyard — the shelf of "promising pilots" that died in proof-of-concept, the budget spent on experiments that never shipped. The root cause is always a governance gap. Not a model gap. Not a data gap. A governance gap.

Architecture Decision Records (ADRs)

Every production AI system needs an ADR library. Capture why you made every significant choice. It is your proof of rigor for regulators — and your institutional memory when the team turns over.

The 6 Pipes, Enforced

Governance-first isn't a policy document — it's six enforcement layers wired into the runtime:

Pipe 1 — Constrained Identities. Least-privilege service accounts; no agent inherits human access. Prevents an oversized blast radius when an agent misbehaves or is prompt-injected.

Pipe 2 — Attributable Actions. Every call, path, and output logged to an append-only ledger; traceable in under 30 seconds. Ends the "we don't know why it did that" audit failure.

Pipe 3 — Human-in-the-Loop Gates. High-stakes actions block until a human authorization token clears. Stops irreversible, legally binding actions without oversight.

Pipe 4 — Kill Threshold Monitoring. Cost, velocity, and error telemetry with automatic suspension on breach. Caps runaway loops and cost spirals.

Pipe 5 — Legacy Insulation. Legacy systems wrapped behind API gateways; the core is never touched directly. AI that can't integrate with legacy never ships.

Pipe 6 — Learning Loop. Every incident and override updates the ADR library. Institutional memory; the system improves instead of rotting.

Pipes 1–4 are the Non-Negotiables for any agentic deployment; 5–6 make it survive a real enterprise.

Compliance Mapping: Regulations → Architecture