In May 2023, engineers at Samsung used ChatGPT to debug internal source code. Within weeks, the company restricted public generative AI tools across the business, concerned about data that had already left its systems. Samsung has thousands of engineers and a dedicated security function. Many owner-managed firms have one person handling technology alongside everything else, and no written AI policy at all.
Samsung’s staff had done nothing unusual. They found a useful tool and used it the way it was designed. The gap was between tool adoption and the policies that should have preceded it. That gap appears constantly, in businesses of every size.
What counts as an AI failure in business?
The phrase “AI failure” suggests something dramatic. In owner-managed businesses, failure is far more mundane. A Capgemini survey found that only 13% of organisations successfully scale AI use cases from experiment into production. McKinsey found that large AI initiatives run 20 to 30% over budget and take 50% longer to deliver when governance is weak.
For the owner-operator, failure typically takes one of three forms: a pilot that drifts without a clear success measure, a tool that staff quietly avoid because nobody explained the point of it, or a compliance issue that surfaces months after the tool was switched on. None of these is dramatic. All cost time and money that smaller firms cannot afford to waste.
Who is actually responsible when your AI tool goes wrong?
Owner-managers sometimes assume that buying AI from a large vendor transfers the compliance risk with the subscription fee. The Information Commissioner’s Office is clear: accountability for AI decisions cannot be delegated to vendors. Whether you use Microsoft Copilot, a Google Workspace feature, or a specialist SaaS product, your business remains the data controller and carries legal responsibility for how those tools affect your staff and customers.
The ICO fined Clearview AI £7.5 million in 2022 for scraping images to build a facial recognition database without a lawful basis, and ordered the deletion of UK residents’ data. In 2020, the Home Office received a formal reprimand for a visa-triage algorithm the ICO found risked discrimination and had insufficient transparency. Both cases involved organisations with legal teams. Neither is so remote from the owner-managed firm that it can be dismissed as irrelevant precedent.
The Financial Conduct Authority has warned that firms using AI in financial services remain fully responsible for fair treatment of customers and operational resilience, regardless of whether decisions are automated. If you are advising clients, processing financial data, or profiling customers in any way, the regulatory standard applies to your firm, regardless of whose software you bought.
Where do these failures actually show up?
Three patterns appear repeatedly across documented AI failures. The first is data handling that outpaces governance, where staff paste sensitive material into public AI tools without a policy in place, or personal data flows into systems without a completed Data Protection Impact Assessment. The second is pilots that run without a business metric attached. The third is delegation, where the founder hands AI to a contractor or IT function and assumes the work is done.
On data handling, the NCSC and ICO jointly warned in 2023 that feeding sensitive client data into public generative AI tools may constitute a personal data breach if data is inadvertently exposed or reused. Samsung is the visible case. In small professional service firms, the same risk applies to client records, financial data, or anything covered by a confidentiality agreement.
On pilots, Capgemini’s research found that 54% of AI projects never move past the experimental stage, often because they were not tied to clear business outcomes. The pattern is recognisable: a tool gets a free trial, a few people try it, nobody measures anything, and the subscription renews for a year before anyone asks what it delivered.
On delegation, BCG research found that firms reporting significant value from AI were 2.5 times more likely to have senior leaders personally using AI tools in their own work. The founder who delegates AI entirely to a contractor risks making poor choices and missing what is actually possible.
When does a failure become a serious problem?
Severity depends on what the tool was doing and whose data it touched. A stalled pilot costs money and management attention. A data handling failure costs more. Uber agreed to pay £1.3 million in 2021 to settle a claim from drivers alleging unfair dismissal and lack of transparency in automated performance assessments. The Dutch government estimated the cost of its algorithmic child benefits scandal at over €5 billion.
For smaller UK firms, the more immediate risk sits below the headline-fine level. Hiscox found that 53% of UK SMEs experienced at least one cyber security incident in the previous 12 months, with average costs of £15,849 for those affected. AI tools that handle client data without proper access controls extend that exposure further.
Insurance adds another dimension. UK specialist insurer Mactavish has warned that mis-describing AI risks, or failing to report new automated decision-making processes, could jeopardise cyber and professional indemnity cover. The same gap in governance that draws a regulatory reprimand may also void an insurance claim.
The NCSC’s guidance on large language models is practical on day-to-day risk: do not input sensitive data into public models, apply access controls, monitor usage, and build guardrails against prompt injection. Treat these as operational basics for any firm that handles client information, regardless of technical background.
What do these failures teach operators?
The consistent lesson from documented failures is that success divides at the planning stage. Bain’s research on scaling AI found that projects tied to one to three clearly defined processes have significantly lower failure rates than broad rollouts. The firms that get real value tend to choose specific, measurable problems and work toward an answer with clear criteria before committing budget or staff time.
Starting from a real business problem is the most reliable safeguard. Pick one or two measurable issues, such as admin time or proposal turnaround, and run a four-to-eight-week pilot against those numbers. If the metric does not move, stop the tool and stop the subscription.
Keeping the founder involved matters more than many expect. BCG’s research on AI leaders found that C-suite engagement with AI tools correlates directly with successful adoption. Owner-managers who personally try a tool for a few weeks before signing contracts make better decisions than those who rely entirely on a supplier’s demonstration.
Data handling and documentation close much of the remaining gap. Map what personal data your firm holds and how it flows into AI tools. Write a short policy on what staff may paste into public tools and when a human must remain in the loop. Keep a simple log of use cases, tools, and oversight arrangements. None of this requires a technical background. It requires the same attention any well-run business gives to operational risk.
Successful AI adoption runs on the same clarity you would apply to any other operational decision: what problem are we solving, who is accountable, what does success look like, and where does the data go. The failures covered here happened when those questions went unanswered.



