Unblocking AI: Why 73% of orgs have stalled their Copilot rollout — and how to move forward safely

In 2025, if you want to learn about the transformative power of AI, you don’t have to look too hard. Even here on this very website, you’ll find stories such as NASA’s Earth Copilot, to make climate and geospatial data more accessible, or Ally Financial's AI-powered customer service. Everyone has an idea of what they want, it’s getting there that is challenging.

According to a recent survey we conducted, 73% of organizations in regulated industries have paused enterprise-wide rollouts of Microsoft Copilot or ChatGPT.

These organizations want to unlock the power of AI, but they're frozen by risk. A few representative samples of comments from the survey:

• “We’d love to use Copilot, but we’re just not ready.”

• “We don’t know where our sensitive data is — let alone what Copilot might access.”

• “Honestly, we don’t even know where to start.”

The good news? AI doesn’t have to wait. With the right governance measures in place, you can move faster — not slower — and roll out tools like Copilot with confidence.

The AI blockade: What’s stalling rollouts

Copilot and similar tools promise major productivity gains for organizations, providing teams with the ability to process large amounts of data quickly to surface new insights or create new content.

But IT and security leaders are hitting pause, especially in regulated industries. A Gartner survey in late 2024 found that 80% of organizations were piloting or planning to pilot Microsoft 365 Copilot, yet only 16% of those pilots had moved into production rollouts. The vast majority (60%) remain “in pilot” (see figure above), underscoring a significant gap between experimentation and full-scale adoption.  

Major roadblocks cited include security concerns, unclear ROI, and change management challenges. 52% of organizations cite worries about data exposure, “hallucinations,” or other AI errors, leading over half of them to restrict Copilot to select users or low-risk environments and even delay rollouts by several months.

Leaders have questions over how these tools will access their organizational data, especially sensitive customer data, and whether they can govern AI usage. Our research has shown that leadership are unclear about issues like:

• “What data Copilot will access”

• “How much control we have over what employees do with generative AI”

• “What if sensitive data is leaked or exposed?”

• “How will we stay compliant with emerging AI and data privacy regulations?”

Most organizations are unsure whether the default privacy settings are enabled. They can’t track where data goes. And they’re unsure if they can even audit the outputs.

This uncertainty breeds paralysis. In many cases, organizations have identified the AI tools they want to use, but the rollout is blocked until governance gaps are addressed.

Global AI adoption rates have plateaued in recent years. McKinsey’s 2023 global survey showed overall AI usage holding steady at around ~55% of organizations , and much of the growth is driven by less-regulated industries (tech, media, etc.).

In contrast, banks, government agencies, and utilities face unique hurdles that slow their AI rollouts. A mid-2024 benchmarking survey of 200 financial institutions found 75% of firms were either exploring AI or using it internally, but only 37% had actually deployed AI tools in production for internal use.

In its survey, Gartner notes that organizations with strong data governance frameworks see faster Copilot adoption and greater confidence in its outputs, yet only 27% of companies report high information-management maturity today.

AI use moves to the shadows

And while organizations flounders, employees are already using tools like ChatGPT, many times without guardrails. They feel the AI hype too, and they want to use these tools even if their organization won’t adopt them. This leads to “shadow AI”, where AI adoption is hidden from organizations.  

Governance is the key to acceleration

In most organizations, the natural instinct has been to treat governance as a blocker: something you have to “get through” before rolling out a solution like AI. Indeed, a 2024 data integrity study by Precisely and Drexel University found 62% of organizations cited lack of data governance as the primary data challenge inhibiting AI projects.

Only 25% of business leaders say their organizations are “highly prepared” to address AI governance and risk issues, according to a late-2023 Deloitte global survey. And in practice, one in five businesses had no data governance framework at all for their AI and data initiatives, according to another report from Ataccama.

There is some progress: industry forecasts suggest that by 2028, 60% of governments worldwide will have adopted formal AI risk-management frameworks to guide their AI policies, and companies are increasingly appointing Chief AI Ethics or Risk Officers to impose governance.

But this “governance as obstacle” mindset is backwards. Governance is the accelerator.

When it comes to AI, the organizations that are moving forward are the ones that are putting the right foundations in place:

• AI governance committees to create policies and frameworks.

• Data classification and access controls to know what’s sensitive and where it lives.

• Clear accountability around what data is safe for AI use, and who’s responsible for enabling it.

Most importantly, they’re recognizing that you can’t govern what you can’t see. That’s where platforms like RecordPoint come in.

AI governance with RecordPoint

This all sounds good in theory, but how does it work in practice? Let’s take a look at a real RecordPoint customer and their AI governance journey.  

The customer is a public body that manages, protects, and promotes the historic environment in their region. Their staff are pushing to have Microsoft Copilot rolled out, and they have begun internal testing, but the broader roll out has been blocked due to the following concerns:  

• The customer manages a vast amount of sensitive information classified as Official, Secret, and Top Secret, along with regulated PII within their SharePoint environment. They do not want this information exposed to Copilot at all but are concerned at their ability to protect the “crown jewels”.

• There’s a lack of confidence in existing permissions — raising fears that Copilot could surface data to users who shouldn’t have access.  

• Leaders worry that staff might make decisions based on incorrect or unauthorized AI-generated insights.  

• Staff maturity and understanding of AI risks remain a concern, adding to hesitation around a full-scale rollout.  

Their biggest blockers? Unclear access controls, compliance risks, and potential exposure of classified data — all preventing the customer from leveraging Copilot’s full potential.

With RecordPoint AI Governance

Now, the customer is taking a measured, secure approach to rolling out Microsoft Copilot — using RecordPoint AI Governance to ensure data security, compliance, and control. Here’s how:  

• Data classification & tagging – the customer has been able to categorize their data by department (e.g., finance) and tag sensitive information as Official, Secret, or Top Secret — ensuring Copilot doesn’t access restricted content.  

• Detecting sensitive information – By integrating RecordPoint Signals, the customer can now automatically detect British and customer-specific PII before it ever reaches Copilot, preventing exposure of regulated or classified data. They are looking forward to being able to mask this data in the future.  

• Sanctioned data sets for AI – AI Governance allows them to create officially sanctioned data sets that filter out PII, sensitive information, and outdated or invalid reference documents — ensuring Copilot only accesses trusted, compliant data.  

• Granular access controls – With group and user-specific access controls, the customer ensures that employees only see AI-generated insights from data they are authorized to access — eliminating the risk caused by oversharing.  

• Automated AI data governance policies – Instead of manual document-by-document reviews, the customer now applies AI Governance policies automatically to all newly created data, ensuring ongoing compliance without operational bottlenecks.  

Looking ahead – they're excited about future AI Governance capabilities, including self-service data sets for end users — allowing teams to curate AI training data while maintaining strict policy enforcement aligned with HES’s governance standards.  

With RecordPoint AI Governance, this customer is turning its AI security and compliance challenges into a strategic advantage — enabling safe, scalable adoption of Copilot without compromising data integrity, privacy, or trust.  

RecordPoint’s AI Governance solution

RecordPoint’s AI Governance solution is designed specifically to help regulated organizations move forward safely with tools like Copilot. We help you:

• Identify sensitive or regulated data across your environment.

• Classify and curate safe datasets for AI access.

• Generate audit trails and policy enforcement to control what AI can access.

• Produce documentation to support GDPR, CCPA, and other emerging AI regulations.

• Operate AI with confidence, knowing your governance posture is solid.

This isn’t about slowing down AI. It’s about gaining the power of productivity promised by AI — securely, responsibly, and faster than your competitors.

Learn more

You don’t need to choose between innovation and control. With the right governance in place, AI can be deployed safely, even in the most regulated industries.

The risk isn’t moving too fast. The real risk is waiting too long — and falling behind.

Ready to unblock AI and accelerate Copilot with confidence? Explore RecordPoint’s AI Governance solution or [book a demo] to see how we can help.

‍