The Missing Layer
Every serious framework for enterprise AI readiness has the same shape: it’s right about the data, and it stops one floor too early. The floor below — the one nobody is naming — is where the business actually decides what is allowed to happen.
By now the headline number is famous. MIT’s Project NANDA studied enterprise generative-AI deployments through 2025 and found that the overwhelming majority, about ninety-five percent, produced no measurable return.[1] The interesting part wasn’t the failure rate. It was the cause. The models weren’t the problem. The frontier models worked fine in isolation. What failed was everything underneath: the systems didn’t retain context, didn’t fit the way work actually got done, and broke at exactly the points where they touched the real operation. NANDA called it a learning gap. I’d call it a substrate gap, and it is the most useful finding in the field, because it points the conversation in the right direction and then, like everyone else, stops just short of the thing that matters.
Here is the consensus, and the consensus is correct. Enterprise AI readiness is not mostly about models. MIT’s CISR maturity model shows that the organizations that can actually operationalize AI are the ones that already built the prerequisites: accessible data, clean APIs, simplified and automated processes, reusable architecture, decision support embedded in the flow of work.[2] Stanford’s Digital Economy Lab playbook says the same thing from the deployment side. Success depends on everything around the model: data quality, documented process, integration, permissions, exception handling, fit.[3] The data-readiness literature has spent years establishing that badly structured, inaccessible, or unsuitable data makes AI unreliable.[4] None of this is wrong. All of it is necessary.
It is also incomplete in a specific, fixable way. Every one of these frameworks treats your enterprise systems as a source: a place data comes from, to be cleaned and described and served up to a model. None of them treats your enterprise systems as an authority, a thing that has to decide, at the moment of action, what is and isn’t allowed to happen. And that distinction turns out to be the whole game, because AI doesn’t just read your substrate. It acts on it.
Observed data and live data are not the same animal
The data-readiness conversation borrowed its instincts, mostly without noticing, from science. The gold standard for making data machine-usable is the FAIR movement (Findable, Accessible, Interoperable, Reusable), and its showcase examples come from places like CERN, where physicists have published FAIR, AI-ready datasets of Higgs-boson decays so that anyone’s model can reason over them.[5] It’s beautiful work, and it’s the right model for the problem it solves. But notice what kind of data it is.
A Higgs decay dataset is a record of something that already happened. The events are frozen. Making them AI-ready means making them maximally reusable for inference. There is no such thing, in a FAIR dataset, as an operation that is not allowed, because nothing you do as a consumer can change what the data represents. You can’t make the universe inconsistent by querying it.
Enterprise data is a different animal entirely. It is not a record of something that happened out in the world. It is the live state of the business, and writing to it changes the business. When a system marks an order shipped, releases a work order, approves a payment, or moves a lot from quarantine to available, that write is not an observation. It’s an act, with consequences in inventory, in cash, in obligation, in compliance. The data is acted upon, not merely consulted.
That single difference breaks the whole “readiness equals clean, accessible data” equation. A record can be pristine by every data-quality measure and still describe something that should never have been permitted to exist. An order shipped with no payment authorization. A work order closed with an open nonconformance still attached to it. A lot that is somehow both quarantined and allocated to a customer. Two systems that each confidently report a different quantity for the same physical pallet. Every one of those records can be perfectly findable, well-typed, richly documented, and every one of them is a representation of an invalid state. Data readiness, as the field defines it, has no word for that failure, because it isn’t a property of the data sitting at rest. It’s a property of the operation that created it.
“Dirty data” is too narrow a phrase
The whole project of getting an enterprise ready for AI tends to collapse into one word: clean. Deduplicate the records. Reconcile the conflicting definitions. Fix the bad values. Corral the custom fields nobody documented. That work is real and worth doing. But “dirty data” is too narrow a phrase for the problem, because every field in a record can be contextually correct and the record can still be insufficient.
Insufficient for what? For something to act on safely. A record is a safe basis for agentic reasoning only if it tells the whole operational story: not just what the value is, but what it means, where it came from, what state it represents, what evidence supports that state, and which actions are valid because of it. Strip those away and you can be left with a record where every field is accurate and the thing is still mute about everything an agent would need to know before touching it.
That’s the gap most ERP and data-governance conversations miss. The problem was never only bad values, duplicate records, custom fields, and conflicting definitions. Those are the symptoms everyone can already see. The deeper problem is incomplete operational truth: records that are correct as far as they go and silent about the provenance, state, evidence, and constraints that would make them safe to act on. A human reading such a record fills the silence with judgment and context carried in their head. An agent fills it with a guess, and keeps moving.
The read path and the write path
Here’s the cleanest way I know to say it. There are two paths through any enterprise system. The read path is how information gets out: into a dashboard, a report, a model, an agent. The write path is how operations get in, how state actually changes.
Almost everything the industry sells in the name of readiness lives on the read path. Semantic layers, data catalogs, metrics layers, business glossaries, knowledge graphs, BI models, governance documentation: all of them describe and contextualize what is already there. They make the substrate legible. That’s genuinely valuable. A metrics layer that guarantees every team computes “active customer” the same way kills a real and expensive class of inconsistency.
But a read-path tool acts after the data exists. It can tell you an order is shipped. It cannot have stopped the order from reaching shipped without a payment. It can surface that two systems disagree about a quantity. It cannot have refused the write that created the disagreement. The semantic layer is a lens. A lens does not hold a gate.
An invalid operation is born on the write path. It gets described, if it gets described at all, later, on the read path, by which point the ambiguity is already sitting in your substrate, and may already have been acted on. Extending “data readiness” to what I’d call operational readiness means moving the point of control from the read path to the write path: enforcing validity at the moment of the write, before it commits, instead of narrating it afterward.
Where the canon actually lives
If you’ve spent time near a real shop floor, you already know the deepest version of this problem, even if nobody named it for you.
Tom Davenport pointed at it in 1998: an enterprise system isn’t a neutral container, it’s an imposed operating model.[6] Whatever the system enforces becomes the company’s de facto way of operating, no matter what the policy binder says. And the imposed model almost never fits. The research literature has a dry word for it, “misfit,” and twenty-five years of careful work establishing that it’s structural, not a temporary implementation hiccup.[7] The system can’t represent how the work actually happens.
So the work goes somewhere else. This is the part every operator knows in their bones and most executives never see. When the official system can’t hold the truth, the truth migrates: into spreadsheets, side databases, a supervisor’s whiteboard, a planner’s head, a Slack thread between the line lead and the quality engineer. The shadow-systems literature documents this exhaustively. Shadow systems persist precisely because the official schema doesn’t cover the real work.[8] The actual operating record of the business (the canon, the thing the company really runs on) frequently does not live in the system of record at all.
For thirty years that was survivable, because a human stood in the gap. The operator who knew the work order was held for engineering review, even though the screen said in process, quietly did the right thing anyway. They carried the real canon in their head and reconciled it against the system’s fiction in real time. The system was wrong by a known, bounded, human-absorbed margin, and the business kept moving.
Now put an AI agent where that operator was standing. The agent reads in process and acts on in process. It has no whiteboard, no side spreadsheet, no fifteen years of institutional memory, no skepticism. It inherits the official system’s fiction without inheriting any of the human corrections that used to make the fiction safe. It acts on the substrate literally, at machine speed, across thousands of operations before anyone’s monitoring catches the first bad one. The misfit problem stops being an annoyance and becomes a safety problem.
The operational canon
What’s missing has a shape, and it’s worth naming precisely. Call it the operational canon: the enforceable set of
canonical entities: one authoritative definition of customer, order, part, lot, work order, so everyone and everything means the same thing by the same word;
valid states: the states each entity is actually allowed to be in;
allowed transitions: which state changes are legal, and under what conditions;
evidence requirements: the approval, measurement, or artifact a transition must carry to be valid (an evidence-bound transition can’t happen without its evidence);
shared semantics: what every attribute means, across modules and across organizational boundaries;
audit obligations: the record every operation has to leave so you can reconstruct and replay how you got to now.
The canon is not a document. It is not a glossary. It is not a model of the business that sits on a shelf describing it. It is the binding constraint set that determines what is allowed to happen inside the business: the description made executable and made to refuse what violates it. The difference between describing your business and constraining it is the entire point. A description can be perfectly true while the system keeps cheerfully accepting operations the description forbids, because nothing connects the two.
And this matters, because the centralization crowd always overreaches here: the canon does not require you to centralize all your data into one giant store. Stanford is right that federation works. What has to be singular is the authority, not the storage. You can enforce the same canonical meaning and the same validity rules at many boundaries across a federated estate. One authority, many places it’s enforced.
A lens, not a gate
The obvious objection is that we already build this. Isn’t the operational canon just a semantic layer with better PR?
No, and the reason is exact. The semantic layer, the catalog, the governance platform all live on the read path. They tell a query what a field means. They cannot refuse a write. And most governance compounds the problem by being detective: it documents the policy, monitors for violations, and remediates after the fact. That’s the dominant posture even in the strongest frameworks. NIST’s AI Risk Management Framework is built around measure and manage, around watching and responding.[9] That is exactly right for risks you can’t eliminate at the source. It is structurally useless against invalid operational state, because by the time monitoring flags the violation, the violation is already in the substrate, and an agent operating at machine speed has already built a thousand actions on top of it.
So the missing piece isn’t a better description and it isn’t better monitoring. It’s runtime authority: enforcement bound to the moment an operation is attempted. I’ve taken to calling the mechanism Operational Policy Enforcement: the thing that evaluates each attempted operation against the canon and rejects the invalid ones, at the boundary, before they commit, before any agent or workflow or report can propagate the ambiguity downstream. State validity is gated, so invalid states aren’t even representable. Evidence-bound transitions can’t fire without their evidence. Rejection happens at ingress, not in a nightly cleanup. And because every committed operation leaves an immutable, ordered record (this is the old, sound idea behind event sourcing[10]), audit and replay stop being features you bolt on and become properties of the substrate itself.
The payoff is a single sentence: validity gets enforced before propagation. That’s the one promise a lens can never make and a gate always can.
Why agents change the math
You can run a sloppy substrate for a long time if a careful human is the one acting on it. Three things about agentic AI take that slack away at once.
Agents act on the write path: they don’t just consume the substrate and hand a human an answer, they initiate operations, create records, trigger transitions. That’s precisely the path the readiness frameworks are silent about. Agents take the substrate literally and have no second channel. Whatever the data says is, for the agent, true, and whatever the system permits is, for the agent, allowed; the human workaround that used to correct the fiction was never written into anything the agent can reach. And agents act at machine speed and scale, which collapses the only thing that made after-the-fact governance survivable. The gap between a bad operation and its consequences used to be hours or days, long enough for detection to win the race. For an agent it’s milliseconds, and detection loses.
Stack those together and the conclusion is hard to avoid. Without enforceable canon, AI doesn’t resolve operational ambiguity. It amplifies it, acting faster and more literally on a substrate that already tolerates invalid action, with the human who used to absorb the damage now removed from the loop. With enforcement, the same agent operates inside validated boundaries: it cannot create an invalid state, cannot skip required evidence, and leaves a replayable trail of everything it did. The capability isn’t diminished. It’s finally safe to deploy, because the guarantee comes from the substrate, not from the model’s good intentions. A surprising amount of what people file under “AI alignment” is, at the enterprise level, not a question of trusting the agent to behave. It’s a question of building a substrate that doesn’t depend on the agent behaving.
Here’s the failure in one line. Give an agent a substrate full of correct-but-incomplete records (records that never carried their provenance, their state, their evidence, the constraints on what they license) and it will not stop to tell you what’s missing. It will reason over the absent context and call the result intelligence.
What we’re building
This is an architectural argument, not a pitch, and it can be implemented more than one way: build the canon and enforcement into the system of record itself; stand an enforcement layer beside an ERP you can’t replace; run a pre-migration diagnostic that surfaces the latent canon hiding in your existing data and workarounds; extend your AI-readiness assessment from data properties down to operational-state validity; or gate the specific channels through which agents and integrations write.
For what it’s worth, this is the stack we’re building at Mimir Labs: a governance-native ERP (Yggdrasil) built around an enforced canonical model with a runtime constraint engine (Operational Policy Enforcement), a diagnostic that reads your existing systems and surfaces the canon already implicit in them (Ratatosk), and Jormungandr, that same enforcement turned into a standalone product for the systems you can’t rip out. I mention it only as proof the pattern is buildable. The argument doesn’t depend on any of it, and someone could build the same idea in a completely different shape.
The one-sentence version
Enterprise AI readiness is not mainly a model problem, and the best researchers already know that. It is not only a data problem either, though the data-readiness people have correctly diagnosed a big piece of it. It’s an operational architecture problem. The ground your AI stands on has to do more than serve clean, well-described data for reading. It has to refuse, at the moment of action, what should never happen, because your AI is going to act on that ground and inherit whatever it permits.
Clean data is necessary. It is not sufficient. Until operational truth becomes executable, until validity is enforced at the door instead of described after the fact, enterprise AI stays fragile, and not because the models are weak. Because the floor underneath them never learned how to say no.
Sources
MIT Project NANDA, The GenAI Divide: State of AI in Business 2025 (2025). The widely-cited finding that roughly 95% of enterprise GenAI pilots delivered no measurable ROI, attributed to a “learning gap” rather than model capability.
MIT Center for Information Systems Research (CISR), Enterprise AI Maturity Model (2024). AI capability as the cumulative output of prior enterprise capabilities: data access, APIs, process simplification and automation, reusable architecture, embedded decision support.
Stanford Digital Economy Lab, The Enterprise AI Playbook (2025). Success depends on the conditions around the model; favors federated architecture over forced centralization.
Data-readiness-for-AI literature, building on N. D. Lawrence, “Data Readiness Levels” (2017), and subsequent surveys: poorly structured, inaccessible, or unsuitable data renders AI unreliable or unsafe.
M. D. Wilkinson et al., “The FAIR Guiding Principles for scientific data management and stewardship,” Scientific Data 3 (2016); and the FAIR, AI-ready Higgs-boson decay datasets released via the CERN Open Data effort.