The assurance paradox: When frameworks can’t keep pace with the value they’re designed to protect

Investment assurance exists for a good reason. Complex organisations making large technology commitments need structured processes to test assumptions, challenge costs, and protect public or institutional resources. These frameworks have served government, universities, health systems, and regulators for decades.

But the investment landscape they were designed for is changing, and it’s changing fast. In our recent work with a government department, a single team using AI agents identified more than 4,000 hours of recoverable staff effort per year — within four weeks, for well under $100,000. The path from concept to value was measured in weeks, not years.

This is not unusual. Functional AI prototypes are now routinely built in two to four weeks, with targeted use cases reaching production in under three months.

Before a team can pursue an opportunity like this, it typically must navigate procurement, internal assurance, and — depending on how the initiative is classified — central oversight mechanisms. The specifics differ across agencies and jurisdictions. But the underlying dynamic is consistent: assurance processes across most complex organisations are not geared to move at this speed. By the time approvals come through, a meaningful share of the value has evaporated. Sometimes the technology has moved on entirely.

A parallel world of smaller, faster technology investment has been building for some time. Cloud platforms, Software as a Service (SaaS) tools, and modular architectures created the conditions. But these struggled to gain real traction against the established investment and assurance machinery: they often ended up squeezed into the same processes as their larger counterparts, or pushed to the margins where they lacked visibility and governance.

AI has brought this shift to the forefront. The pace is now dramatically faster, the scale of opportunity larger, and the cost of delay more consequential. The lifecycle economics of many AI-enabled investments are fundamentally different from those of traditional platforms, and the mismatch between them and the assurance apparatus is widening, not narrowing.

Some jurisdictions have created alternative funding mechanisms. Victoria’s Business Acceleration Fund — including a dedicated digital and AI stream for state agencies — is one example. These are a constructive step, but tend to retain stage-based governance that can impose timelines not well matched to the speed of AI-enabled delivery. The OECD’s 2025 guide on government AI adoption makes the point directly: overly rigid guardrails cause as much harm as insufficient ones.

The aspiration for more adaptive technology delivery is not new. But while delivery practices inside teams evolved over two decades, the surrounding investment infrastructure largely did not. Budget cycles, stage-gated business cases and point-in-time assurance reviews remained sequential. And funded programmes, for the most part, delivered what they were funded for. The flexibility to fundamentally adapt scope or direction mid-flight remained limited regardless of the methodology used inside.

AI changes the equation in ways that are harder to accommodate within existing settings. The cost of useful experimentation has collapsed: a team can build, test and deploy a working AI tool for less than a business case costs to prepare and assess. The opportunity is real — and increasingly evidenced. The APS AI Plan estimates AI could lift public sector gross value added by 13 per cent by 2030, worth around $19 billion annually. IDC found organisations report an average 3.7x return on AI investments. Nous’ evaluations of AI adoption – including the whole-of-government trial into generative AI – have found substantial productivity uplifts through experimentation and innovation.

But realising that potential is far from automatic. IBM's 2025 CEO study, surveying 2,000 CEOs globally, found only a quarter of AI initiatives had delivered their expected return and only 16 per cent had scaled enterprise-wide. The constraint is rarely the technology — the operating model and assurance infrastructure have not kept pace with the opportunity. Only one in five organisations has a mature assurance model for AI, and just 55 per cent of AI value is being realised.

A cultural shift matters too. The instinct in many organisations is still to treat any AI initiative as inherently higher risk. But AI is not automatically risky. Many applications are well understood and manageable with standard controls: human-in-the-loop review, sandboxed environments, access restrictions, robust testing. Both cost and the presence of AI are poor proxies for actual risk. We need assurance professionals and leaders to build genuine literacy in what AI does and does not do, rather than defaulting to precaution.

This is perhaps the most consequential shift. AI-enabled tools have a different relationship with time than traditional technology investments. They can and should evolve or be retired when superseded, and that is a sign of good management, not project failure.

Harvey, the legal AI company, invested heavily in a custom language model that outperformed general-purpose alternatives. As foundation models rapidly improved, Harvey pivoted in 2025 to a multi-model architecture, routing work to the best model for each task. Their valuation grew from $1.5 billion to $8 billion through the pivot. The original investment was not wasted: it created value in its window. The willingness to move on extended that value rather than defending sunk costs.

This pattern is becoming pervasive. Gartner predicts 40 per cent of enterprise applications will embed AI agents by end of 2026, up from less than 5 per cent in 2025. Yet it warns that more than 40 per cent of those projects may be scrapped by 2027. Building, using, and deliberately retiring an AI-enabled capability in nine months is not a failure. It is efficient resource allocation. Assurance must accommodate investments that are designed to be temporary, monitoring ongoing value, triggering review when value degrades, and managing graceful retirement as actively as deployment.

If the investment pattern is changing, assurance must change with it. Current approaches are predominantly cyclical and point-in-time: gateway reviews at defined stages, annual budget submissions, periodic confidence assessments. These have legacy characteristics that served well in a world of multi-year programmes, but they are not the only way to provide rigorous oversight. The shift is toward continuous, outcome-based assurance.

Continuous monitoring does not mean less rigour. It means more current, more relevant information, and the ability to respond to emerging issues as they arise rather than at the next scheduled checkpoint. Outcome-focused assurance asks whether an investment is delivering expected results safely and responsibly, rather than whether it has completed prescribed steps. When outcome measures are clear, the path to achieving them can be adaptive without weakening accountability.

Risk calibration means the intensity of oversight reflects the actual risk – data sensitivity, automation of decisions affecting people, regulatory exposure – not simply the budget. And reversibility matters: investments that can be stopped or changed quickly carry different risk from those that lock in long-term commitments.

Together, risk profile and reversibility create a spectrum of proportionate assurance. At one end, rapid, reversible, lower-risk investments need baseline standards and visibility, but assurance that enables rather than gates. In the middle, AI-augmented operational processes and integration projects need structured oversight proportionate to their specific risks, with checkpoints tied to value delivery rather than calendar intervals. At the other end, large, irreversible, higher-risk programmes still warrant rigorous assurance – gateway reviews, independent scrutiny, formal benefits management – though even here, delivery should be tranche-based.

The visibility mechanism matters. A static register of AI initiatives that people resent maintaining will not work. The goal is a living portfolio view that teams actively engage with because it connects them to support, shared learnings and proportionate guidance. Organisations need to make the visible path easier and more attractive than the invisible one, or shadow development will fill the gap.

Important foundations are being laid. The DTA’s AI impact assessment tool, the National AI Centre, and bodies like the NSW Office of AI have produced valuable guidance that did not exist 18 months ago. The question now is whether these tools are deployed in ways that enable proportionate, adaptive assurance, or whether they risk becoming additional layers that default to the sequential, checklist-based practices they were designed to move beyond.

Within organisations, the practical starting point is to map your current investment portfolio against a risk-and-reversibility spectrum. Where are you applying heavyweight assurance to lightweight investments? Where do you have visibility gaps? Where are teams already moving faster than your assurance can keep up with? The answers point to where change is most urgent.

Across organisations, the learnings from early AI-enabled investments need to be shared. What assurance approaches are proving proportionate? What controls work for different risk profiles? Too many organisations are solving the same problems in isolation. Nous’ own work on evaluation in digital assurance has explored how continuous evaluation can be embedded into delivery as a complement to traditional stage-gated review — this thinking applies directly to the challenge we are describing here.

Assurance must build the muscle for managed impermanence. Not every investment is meant to last. Monitoring ongoing value, triggering review when value degrades, and managing graceful retirement need to become as routine as managing deployment.

The practical frameworks that make proportionate assurance real are still emerging. But many organisations are already on this journey. Teams across government, higher education and health are experimenting with AI, running pilots, and finding practical ways to deliver value. Much of this is working well at the individual initiative level. The challenge comes as AI gains traction and organisations move from isolated experiments to doing bigger and more consequential things, embedding AI into operational processes, scaling across teams, connecting capabilities together. That is the point at which proportionate assurance shifts from a ‘nice to have’ to a necessity, and where organisations that have built the muscle early will be materially better positioned than those still relying on legacy approaches.

Get in touch to discuss how your organisation can adapt assurance for the pace of AI-enabled change.

Connect with Michael Rathjen and Will Prothero on LinkedIn.

This is the first article in our two-part series on AI assurance. Read the second part here.