AI Is Free Until It Is Not: The Governance Risk of Operational Dependency
- Dr Janka Rodziewicz

- Jun 18
- 6 min read
Why boards and leadership teams need to treat AI adoption as an operational dependency risk, not just a productivity opportunity.

The closer I get to the operational reality of AI, the more it starts to feel like a classic risk management case study. Not because AI is not genuinely useful. Used well, it can support thinking, drafting, analysis, planning and communication. It can help organisations and individuals move faster. But the more regularly AI tools become part of daily work, the more visible another issue becomes.
Dependency.
At first, many AI tools feel easy to adopt. They are accessible, impressive and often comparatively cheap. Sometimes they are free at the point of use. Sometimes they sit inside tools people already use. Sometimes they begin as experiments, pilots or informal productivity aids.
Then, they become part of the workflow. A report is easier to draft with them. A briefing is faster to structure. A spreadsheet is simpler to analyse. Before long, the organisation is not merely using a tool; it is starting to redesign work around it. While, the individual is expected to work at the pace that AI has enabled as the norm.
Dependency changes the supplier relationship
One of the oldest operational lessons is that a supplier relationship changes once dependency forms.
The switching costs rise - The disruption risk rises - The tolerance for price increases rises with it.
This is not unique to AI. A tool begins as convenient. Then it becomes familiar. Then it becomes embedded. Then it becomes difficult to remove without operational pain. At that point, the supplier has gained leverage.
The organisation may still technically have a choice, but in practical terms that choice has become harder, slower and more expensive to exercise. This is why planning for that at the starting point of adopting AI, i.e. now, is essential.
AI may accelerate the usual dependency problem
AI creates a particular challenge because it does not always remain neatly within the boundaries of a single system in the way supplier dependencies generally have in the past. Increasingly, organisations are using AI, the same AI, across reporting, communications, research, analysis, customer service, governance support, risk assessment and operational decision making. That means AI can become woven into the way the organisation thinks, not just the way it stores information or completes administrative tasks.
This matters. It matters in many, many ways, but here I am focusing on dependency.
If an organisation redesigns processes around a particular AI platform, it may gradually lose the internal habits, capability and confidence to work without it. If staff become dependent on one tool for analysis, drafting or decision support, the organisation may not immediately notice the capability it is no longer maintaining.
The risk is as much akin to the loss of a key staff member that you have come to depend on as it is to supplier dependency; without the human connection and ability to make them feel valued elements to help keep a key member of staff.
That is not a reason to completely avoid AI, but it is a reason to govern it properly.
The risk is not that AI has a price
One of the comments on my original post on this made the point very clearly: “AI is not free. The costs are likely to rise. The risk is real.” That observation is key because organisations often treat digital adoption as though the early cost is the real cost. It rarely is. The real cost may appear later, when the tool is embedded, the data is inside the system, staff expect it to be available, processes depend on it, and alternative routes have not been maintained. At that point, a price increase is not simply a procurement issue. It is an operational resilience issue.
The questions are not only, “Can we afford this licence?”, but:
What happens if the price changes significantly?
What happens if access is restricted?
What happens if the terms of service change?
What happens if the provider changes strategic direction?
What happens if the tool becomes unavailable during a critical process?
What capability are we retaining in house?
What do we need to be able to do without this system?
Those are governance questions, not technology questions.
Free tools can create expensive dependencies
Free or low-cost tools are particularly interesting from a risk perspective because they reduce the friction of adoption. Nobody needs to approve a major procurement exercise. Nobody needs a long business case. Nobody necessarily thinks of it as infrastructure. The tool simply starts being used. This has been seen with AI not only in the swift uptake of use, but the speed with which organisations have had to bring in AI policies due to staff using them without organisational approval or steer.
That can be useful; innovation often begins informally and organisations need space to experiment. However, informal adoption becomes risky when nobody is tracking what has become operationally important (and, when it comes to AI adoption, when data protection and copyright seems to have been forgotten in all the excitement).
Governance structures, missions and incentives can change
AI suppliers are not static institutions. Their ownership, governance, commercial models, strategic priorities and incentives can evolve. That is true of many suppliers, but it matters especially where a provider becomes deeply embedded in organisational workflows.
The questions for boards and leadership teams are not whether a supplier is good or bad. That is too simplistic. They are whether the organisation understands the assumptions it is making about that supplier:
Is the organisation assuming the product will remain affordable?
Is it assuming access will remain stable?
Is it assuming data use, privacy terms or functionality will not materially change?
Is it assuming the provider’s incentives will remain aligned with the organisation’s needs?
Is it assuming there will always be a practical alternative?
If those assumptions are not being named, they are not being governed.
Risk management is not a barrier to innovation
Another comment on my post made an important point: good risk management encourages us to consider the unthinkable and be more creative in our responses. That is exactly right. Too often, risk management is treated as the part of governance that slows everything down, but done well, risk management gives organisations more options.
If a board understands the dependency risk, it can decide how much exposure it is willing to accept. It can diversify tools. It can negotiate terms more carefully. It can protect critical data. It can retain internal capability. It can set thresholds for review. It can define which uses of AI are low risk, which are sensitive, and which require stronger oversight.
That does not stop innovation. It makes innovation safer, more deliberate and more resilient.
Mature AI adoption needs proportionate oversight
The point is not that every use of AI requires a full board paper. The point is that organisations should distinguish between casual use, helpful productivity use and operational dependency. A staff member using AI to help brainstorm ideas is one kind of risk. A team using it to draft routine communications is another. An organisation relying on it for reporting, analysis, casework, customer interaction, governance papers or decision support is something more significant. The deeper the dependency, the more considered the governance should be.
The questions boards should be asking
Boards and senior teams do not need to become AI experts to govern AI adoption well.
They do, however, need to ask sensible questions.
Where are we currently using AI?
Which uses are informal, and which are becoming operationally important?
What data is being entered into AI systems?
What decisions are being influenced by AI generated outputs?
What human review remains in place?
What would happen if access stopped tomorrow?
What would happen if the price doubled?
What alternatives exist?
What internal capability do we need to retain?
How are we keeping staff informed, skilled and appropriately cautious?
Who owns AI governance inside the organisation?
Dependency should be designed, not discovered by accident
Some dependency is acceptable. Organisations cannot avoid relying on suppliers, systems or platforms. Nor, often, should they try to build everything themselves.
The issue is whether dependency is understood, chosen and managed.
A mature organisation can say:
We know where AI is being used.
We know which uses matter operationally.
We know what risks we are accepting.
We know what safeguards are in place.
We know what we would do if the supplier, price, access or terms changed.
We know what capability we need to keep inside the organisation.
That is a very different position from discovering, too late, that a tool has become essential without anyone having made a conscious decision to depend on it.
The real governance test
AI may be free at first. It may be cheap for longer than expected. It may also remain valuable, useful and entirely worth paying for. However, good governance does not rest on the hope that favourable conditions will continue indefinitely; it asks what would happen if they do not.
That is the heart of the issue.
AI adoption should not be driven by fear, hype or passive dependency. It should be shaped by purpose, risk appetite, operational resilience and clear accountability.


