Digital Transformation

Data Governance as the Real AI Blocker - What Critical Infrastructure Organisations Need to Get Right First

Blue icon of a person with a gear, representing user settings or account configuration.
Pamela Sengupta
Blue calendar icon with a grid representing days and two rings at the top.
July 1, 2026

Every large organisation evaluating AI investment arrives at the same point eventually. The models are available. The platforms are mature. The use cases are well-documented. And yet the initiative stalls, delivers far less than anticipated, or gets quietly shelved. The reason, in the vast majority of cases, is not the technology. It is the data.

For critical infrastructure operators, this challenge is more acute than almost anywhere else. Decades of operational history, multiple generations of IT systems, complex legacy estates, and strict regulatory obligations create a data environment that is genuinely difficult to govern. Before any meaningful AI deployment can deliver reliable results, that foundation has to be addressed. Not patched. Not worked around. Properly addressed.

The organisations that are generating real, measurable returns from AI in 2025 and 2026 share one characteristic: they treated data governance as a strategic investment before committing to AI deployment, not as an afterthought triggered by the first failure.

The Scale of the Problem: What the Data Actually Shows

The evidence on AI project failure is consistent across multiple independent sources and it points to the same root cause. MIT's Project NANDA, covering over 300 enterprise AI initiatives, found that 95 per cent of organisations deploying generative AI saw zero measurable financial return. RAND Corporation research shows that more than 80 per cent of AI projects fail to reach meaningful production deployment, roughly twice the failure rate of traditional IT projects. S&P Global's 2025 survey found that 42 per cent of companies abandoned most of their AI initiatives that year, up from 17 per cent the year before.

The failure mode is consistent. A pilot succeeds because it runs on curated data, in a controlled environment, with manual workarounds smoothing over the rough edges. When the organisation tries to scale that pilot into production, it encounters the actual data estate: fragmented systems, inconsistent definitions, missing historical records, and format mismatches that make the clean demo dataset unrecognisable. The model was never the problem. The data feeding it was.

The quality-performance relationship

A 2025 study on data quality and machine learning performance found a nearly 10 percentage-point decline in model accuracy at just 20% data pollution. That pattern held consistently across classification, regression, and clustering tasks. Poor data does not just slow AI down. It makes it unreliable, and unreliable AI destroys the organisational trust needed for adoption.

BARC's 2025 research found that data quality issues more than doubled as the top obstacle to AI project success year on year, reaching 44 per cent of respondents. That figure was 19 per cent in 2024. The industry is learning, slowly, that the AI conversation is inseparable from the data conversation.

Why Critical Infrastructure Faces This Challenge More Than Most

The data governance challenge is universal across large enterprises, but critical infrastructure operators face a version of it that is structurally more difficult. Several factors compound the problem in ways that generic AI frameworks do not account for.

  1. Legacy system depth: Energy, utilities, transport, and network operators have operational technology environments that predate modern data standards by decades. Sensor data, maintenance records, and operational logs often exist in formats that were never designed for interoperability.
  1. Organisational complexity: Large infrastructure organisations typically have multiple business units, separate IT and operational technology teams, and decades of acquisitions or restructuring that left data ownership fragmented and inconsistently defined.
  1. Regulatory constraints: Regulated sectors operate under compliance obligations that impose strict requirements on data handling, retention, and access. These constraints affect how quickly data architecture can be changed and increase the cost of getting governance decisions wrong.
  1. Security sensitivity: Infrastructure organisations face elevated threat profiles. Any data governance approach must account for the fact that data catalogues, lineage maps, and access logs are themselves sensitive assets in environments targeted by sophisticated actors.
  1. Long asset lifecycles: Unlike software businesses, infrastructure operators manage physical assets with 20 to 40 year operational lifespans. The data associated with those assets spans multiple systems, multiple generations of tooling, and often multiple ownership changes.

The result is an environment where the standard enterprise advice to build a data lake and iterate simply does not apply. The starting point is typically messier, the constraints are tighter, and the consequences of deploying AI on unreliable data are harder to contain.

What Data Governance Actually Means in This Context

Data governance is often treated as a compliance function: a set of policies, a committee, and a catalogue that satisfies auditors. In the context of AI readiness, it is something more operational. Gartner's definition of AI-ready data is specific: data that is aligned to specific use cases, actively governed at the asset level, supported by automated pipelines with quality gates, and continuously quality-assured. The word continuously is where most organisations fall short.

Traditional data management runs on reporting cadences: quarterly audits, annual governance reviews, monthly pipeline checks. AI models in production need data quality signals measured in hours. That mismatch is where most AI data quality problems originate. The governance framework has to be built for the tempo of AI, not the tempo of compliance.

In practical terms, AI-ready data governance for a critical infrastructure organisation requires four things to be true simultaneously:

1. Data discovery and inventory: the organisation knows what data exists, where it lives, and what condition it is in. This sounds basic. In a large infrastructure estate spanning operational technology, corporate IT, and cloud environments, it is frequently not the case.

2. Domain ownership: specific people or teams are accountable for the quality and currency of specific data domains. Governance without ownership is a policy document, not a control. Appointing data stewards for the domains that matter most to AI use cases is the mechanism that makes accountability real.

3. Classification and sensitivity labelling: data is labelled by sensitivity, regulatory status, and business criticality. This is the foundation for access control, and it is also the mechanism that allows AI systems to operate within defined boundaries without requiring manual oversight of every data interaction.

4. Lineage and auditability: the organisation can trace where data originated, how it has been transformed, and where it has been consumed. For regulated environments, this is a compliance requirement. For AI deployment, it is also a quality assurance mechanism. If an AI output is wrong, lineage is what allows the team to identify where in the data pipeline the problem originated.

The Connection Between Data Governance and AI Security

In critical infrastructure environments, the data governance conversation and the AI security conversation are not separate. They are the same conversation approached from different directions.

An AI system that operates on ungoverned data is an AI system with an undefined boundary. It does not know what it should and should not access, because no one has told it. An AI system with an undefined boundary is an AI system that is difficult to secure, difficult to audit, and difficult to explain to a regulator or a board.

The UK Information Commissioner's Office published guidance in 2026 mapping AI-driven attack categories directly onto existing data protection obligations, treating AI security as a present-day data protection duty. For organisations in the UK regulated sector, this is not a future consideration. It is a current compliance requirement. An AI agent accessing regulated data without an audit trail, purpose binding, or a defined access boundary is not just ungoverned. It may be non-compliant.

The EU AI Act dimension

The EU AI Act's high-risk provisions, which include AI systems used in critical infrastructure management, require documented governance evidence: how the system works, what data it accesses, what decisions it influences, how it is monitored, and what human-oversight mechanisms exist. Data governance is the foundation on which all of that documentation rests.

Microsoft's Data Governance Stack for AI-Ready Organisations

For organisations operating on Microsoft 365 and Azure, there is a mature and increasingly integrated set of tools designed specifically to address AI-readiness governance. Understanding how these components fit together is essential for any organisation planning to move from AI experimentation to reliable production deployment.

Microsoft Purview is the central governance platform. It provides automated scanning and cataloguing of data assets across Azure, AWS, on-premises systems, and over 200 connected sources. It captures metadata, classification, and lineage without moving the data. Its sensitivity labelling capability allows organisations to define and enforce access boundaries that apply consistently across human users and AI agents. Crucially, Purview for Agent 365 extends the full governance stack to cover AI agents, assigning risk levels to agents, providing AI observability alerts for unexpected behaviour, and preventing agents from accessing or transmitting data beyond their permitted scope.

Microsoft Fabric brings together data engineering, analytics, and governance in a unified platform. The integration between Fabric and Purview means that governance controls established in Purview apply automatically to data workloads running in Fabric, without requiring separate policy implementation in each environment. This matters in large organisations where data governance often breaks down at the boundary between the governance team's tooling and the data team's tooling.

Together, these platforms enable the three principles that security-conscious organisations are converging on for AI governance: identity and access discipline applied to both human and non-human actors; continuous observability across agent behaviour and data interactions; and tamper-evident audit logging that supports both internal accountability and external regulatory review.

The Organisational Challenge Is as Real as the Technical One

Technology alone does not solve data governance. Every practitioner who has worked through a large-scale governance programme will say the same thing: the hard part is not the tooling. It is the organisation.

Data governance requires clear decisions about who owns what. In large infrastructure organisations with matrix structures, multiple IT teams, and historical reluctance to centralise data ownership, those decisions are politically difficult. They involve redistributing accountability for assets that teams have been managing informally for years. No platform resolves that without leadership commitment and a clear mandate from the top.

The organisations that make progress take a staged approach. They identify the specific data domains that matter most to their highest-priority AI use cases. They appoint stewards for those domains and give them a narrow, achievable brief: improve data quality for this one use case, build the governance model, prove it works. That creates the proof of concept for governance as well as for AI, and it generates the momentum to extend the approach across the wider estate.

The 2025 CDO Study from IBM found that 43 per cent of chief operations officers identify data quality issues as their most significant data priority. Over a quarter of organisations estimate they lose more than five million dollars annually due to poor data quality, with some reporting losses of 25 million or more. The cost of the status quo is real. The governance investment pays for itself before AI enters the picture.

What Good Sequencing Looks Like in Practice

The right order of operations for an infrastructure organisation approaching AI readiness through a data governance lens is consistent across organisations that have done it well:

1. Current-state assessment first: Understand the actual data landscape before designing a governance framework. What systems exist, what data they hold, how it is currently managed, and where the highest-risk quality gaps are. This is the diagnostic that everything else is built on.

2. Define the governance council: Establish clear ownership at the organisational level, with representation from IT, security, compliance, and the business units that will be using AI. Governance without cross-functional ownership does not hold under operational pressure.

3. Start with the domains that matter most: Rather than attempting enterprise-wide governance before any AI deployment, identify the two or three data domains most critical to the first AI use cases and govern those properly first. This produces early wins and a replicable model.

4. Build quality gates into pipelines before connecting AI: Data quality monitoring should be in place before AI systems start operating on that data, not added retrospectively when outputs start raising questions.

5. Extend governance to cover AI agents explicitly: as AI deployment scales, governance frameworks that were designed for human data access need to be extended to cover non-human actors. The tooling exists. The governance design needs to keep pace.

This is not a slow approach. Organisations that have done it well complete a meaningful initial governance foundation in three to six months. What they avoid is the far longer and more expensive process of retrofitting governance onto an AI deployment that has already created compliance exposure or eroded user trust.

How VE3 Approaches Data Governance for AI Readiness?

VE3 works with large organisations that are serious about moving AI from pilot to production. Our starting point is not the AI platform. It is the data foundation. We conduct structured diagnostic assessments that give organisations a clear, evidence-based picture of their current governance maturity, the specific gaps most likely to block AI value delivery, and a practical roadmap to address them.

As a Microsoft-aligned partner with deep expertise in Purview, Fabric, and the broader Azure data architecture stack, we implement governance frameworks that are designed to scale. Our approach is delivery-led, meaning we build working governance infrastructure, not frameworks that sit in a document.

For organisations in regulated sectors, we understand the compliance constraints that shape what is and is not possible, and we design governance approaches that satisfy regulatory requirements while enabling the AI investment that leadership is rightly being asked to justify. The data governance conversation and the AI business case conversation are the same conversation. We help organisations have both at once.

Woman sitting on couch wearing a white cable-knit sweater and blue jeans, holding a phone with one hand.
  • © 2026 VE3. All rights reserved.
LinkedIn logo in white on a gray circular background.Facebook social media icon with white f on a gray circular background.Gray circle with white X symbol, indicating a close or cancel button.Gray play button icon within a rounded square with a subtle drop shadow on a white background.