AI in business

Pitfalls of AI in companies: 9 mistakes that cost money and security

AI is now entering almost every company. Often, however, with insufficient preparation, without governance, without metrics, and with distorted expectations of benefit. This article summarises the nine most common mistakes I see around AI in companies, and what to do about them.

AI is a tool, not a goal. That sentence sounds trivial, but it is easy to forget in practice. Market pressure, vendor marketing, and the general euphoria around each new model lead to decisions that would benefit from more calm. I am not against AI. On the contrary. AI saves me roughly one day of work per week. But it does so only when I use it consciously, on things where it makes sense, and with an understanding of what it does and does not do.

Below are nine situations in which companies lose conscious control of AI. Some of them are mundane, others have a regulatory or security dimension that management often does not realise. I see all of them repeatedly.

1. Management decides about AI instead of the people who know the process

The most common entry of AI into a company: management says “we have to do something with AI because everyone else is.” That is understandable. But it is wrong.

People at the top of the org chart should not be the ones asking for AI. The ones asking should be department managers and line leaders who run their processes every day. They know where the routine is, where the bottleneck is, where time is lost. They have context that management cannot have. If management decides to deploy AI in audit work but the auditors are not prepared and do not know where it makes sense, the impact will be zero. Or negative.

If management wants AI in the company, the first investment should not go into buying a tool but into training the people who run the processes. Including management itself. Without that, AI is a more expensive and less accurate tool than a spreadsheet.

2. Shadow AI: a new form of an old problem

Shadow IT is the situation where employees use tools and services outside official oversight — personal cloud storage for company data, unapproved software on a personal laptop, unofficial communication channels. The IT department does not know about it, and therefore cannot secure, optimise, or audit it.

Shadow AI is the same old pain on steroids. Every employee today has access, for a few hundred crowns a month, to tools that can process sensitive data. And they are using them. In good faith, trying to do their work faster. Without anyone in the company knowing what is happening or what data is going where.

The first question a company has to ask itself: do we have any policy on AI? If the answer is “we have a ban, people are not allowed to use it”, that is not a policy. That is laziness. No one will sustain a ban — competitors work faster, and employees will sooner or later take it into their own hands.

A classic example of risk comes from HR. A recruiter analyses CVs with AI to speed up their work. It looks harmless, but under the EU AI Act, AI systems for recruitment and candidate evaluation fall into the high-risk category with the strictest regime. If the candidate does not know about this analysis, the company is breaching the transparency obligation. Sanctions can reach up to 35 million EUR or 7 % of global turnover (for prohibited practices), or 15 million EUR or 3 % of turnover for other serious breaches.

The key line of defence is not a ban but a conscious AI policy: which tools the company allows, what data may be sent where, which processes must have human oversight, how everything is documented. Plus training, so employees understand the policy.

3. AI governance: it does not work without it

AI governance means a framework through which the company manages where AI is used, who is responsible, what rules apply, and how to react to an incident. In European law, this framework now has a hard legal foundation.

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. Key obligations apply gradually. From February 2025, the prohibition of unacceptable practices (such as emotion recognition in the workplace) and the obligation to ensure AI literacy of employees apply. From August 2026, the main requirements for high-risk systems apply — documentation, human oversight, audit, registration in the EU database. From August 2027, the remaining provisions take effect.

High-risk AI systems include several typical company use cases — beyond HR, also systems for evaluating employees, systems affecting access to education or credit, and AI in critical infrastructure. If your company operates in any way on the European market or processes data of EU citizens, the obligations apply to you regardless of where you are based.

AI governance has a practical form — a register of AI systems used, classification by risk, data protection impact assessments (DPIA), documentation of human oversight, logs of substantive decisions, an incident response plan. It is not something you write in an afternoon. But it is something that has to be written — otherwise, in a few years, the company has two options: pay the fine, or revisit AI with a complete reconstruction of its processes.

4. Cost of AI I: when we do not control the model

A concrete example from software development. A developer gets Claude Code or a similar agentic tool. Most of these tools let you choose the model, from the cheaper and faster ones to the most expensive and most capable. The default is usually conservative, but the application typically allows manual switching.

What often happens in practice: the developer switches to the most expensive model “just to be safe” and runs everything on it. The argument is usually “the result is better”. The reality is different. A bigger and smarter model is not just more expensive — it is also slower. For most routine tasks (refactoring, formatting, simple tests, documentation), the more expensive model is overpriced. And when this happens across a team, the bill at the end of the month is a surprise.

The same risk applies to broader AI applications in the company — chatbots using “the best available model” for tasks where a much more modest one would suffice. AI integrations in office suites that consume tokens even where it is not needed.

Necessary steps:

  • Teach people to distinguish when they need a small fast model and when a big one
  • Set defaults that match the typical use case
  • Measure usage (how many tokens, on what, by whom)
  • Ask questions and propose improvements

Unoptimised AI usage can produce a bill within a few months that matches the cost of an employee.
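The measurement step above ("how many tokens, on what, by whom") is easy to postpone because vendor dashboards show only a total. The following is an added example, not code from the article or from any vendor: a small usage ledger over constructed API-call records, with a constructed price table (the per-million-token prices and the model names "small-fast" and "large-capable" are illustrative placeholders, not real pricing). It breaks spend down by user, model and task, flags routine tasks that ran on a non-default model together with the excess cost, and projects the observed spend to a month so it can be compared with the cost of an employee.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed price table: EUR per one million input / output tokens.
# Illustrative figures only, not any vendor's actual pricing.
PRICE_PER_MTOK = {
    "small-fast": (0.20, 0.80),
    "large-capable": (5.00, 25.00),
}

# Task categories the article treats as routine; a large model is overpriced here.
ROUTINE_TASKS = {"refactoring", "formatting", "simple-tests", "documentation"}


@dataclass(frozen=True)
class UsageRecord:
    """One API call, as an internal proxy or a vendor usage export would log it."""
    user: str
    model: str
    task: str
    input_tokens: int
    output_tokens: int


def cost_eur(rec: UsageRecord) -> float:
    in_price, out_price = PRICE_PER_MTOK[rec.model]
    return rec.input_tokens / 1e6 * in_price + rec.output_tokens / 1e6 * out_price


def summarise(records):
    """Spend broken down by user, by model and by task type: who, on what, with which model."""
    by_user, by_model, by_task = defaultdict(float), defaultdict(float), defaultdict(float)
    for r in records:
        c = cost_eur(r)
        by_user[r.user] += c
        by_model[r.model] += c
        by_task[r.task] += c
    return dict(by_user), dict(by_model), dict(by_task)


def flag_overpriced(records, default_model="small-fast"):
    """Routine tasks that ran on a non-default model, with the excess over the default model's cost."""
    flagged = []
    for r in records:
        if r.task in ROUTINE_TASKS and r.model != default_model:
            cheaper = UsageRecord(r.user, default_model, r.task, r.input_tokens, r.output_tokens)
            flagged.append((r, cost_eur(r) - cost_eur(cheaper)))
    return flagged


def projected_monthly_eur(records, days_observed: int) -> float:
    """Extrapolate the observed spend to a 30-day month, the figure to compare with a salary."""
    total = sum(cost_eur(r) for r in records)
    return total / days_observed * 30


# Constructed sample usage, as if collected over two working days.
SAMPLE = [
    UsageRecord("alice", "large-capable", "formatting", 100_000, 20_000),
    UsageRecord("alice", "small-fast", "documentation", 100_000, 20_000),
    UsageRecord("bob", "large-capable", "architecture-review", 200_000, 50_000),
    UsageRecord("bob", "large-capable", "simple-tests", 50_000, 10_000),
]

if __name__ == "__main__":
    by_user, by_model, by_task = summarise(SAMPLE)
    print("by user:", {u: round(c, 3) for u, c in by_user.items()})
    print("by model:", {m: round(c, 3) for m, c in by_model.items()})
    for rec, excess in flag_overpriced(SAMPLE):
        print(f"{rec.user}: {rec.task} on {rec.model}, {excess:.3f} EUR more than needed")
    print("projected monthly spend:", round(projected_monthly_eur(SAMPLE, 2), 2), "EUR")
```

The point of the ledger is the third breakdown: spend by task type is what tells you whether the expensive model is being used where it pays off or on formatting and simple tests. Feeding it is usually a matter of routing calls through an internal proxy that records user, model and task, or of importing the vendor's usage export.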

5. Cost of AI II: running your own AI is not out of reach

Another common myth: running your own AI is something only large corporations can afford. When I tell companies that running their own LLM is possible for roughly 15,000 CZK per month (about 600 EUR), the reaction is usually disbelief. Yes, it is real.

Specifically, I am talking about renting a server with a GPU like the NVIDIA RTX PRO 6000 Blackwell with 96 GB of VRAM, capable of running a model with 30 billion parameters. For routine tasks — document extraction, message classification, text summarisation, categorisation, simpler automation — this level of model is more than sufficient. And it can serve dozens of concurrent users or processes.

What this option is not: a replacement for Claude Opus, GPT-5, or Gemini Pro. For tasks that demand maximum reasoning quality, creative text generation, or extensive analysis, you continue to use the cloud. But for ordinary production, the difference between a 30B and a 600B model is usually unmeasurable in impact, and very measurable in cost.

What this option is:

  • Data security — all data stays in your (or rented) data centre, ideally in the Czech Republic or the EU
  • Auditability — a complete log of everything the model has processed
  • Control — you decide when the model is upgraded and when functionality is added
  • Independence from the provider — no risk that a cloud provider stops supporting the model version your prompts are tuned for, forcing you into regression tests with a new model

This option is not for everyone. It requires technical competence or a trustworthy partner. But it is worth considering — often more than companies expect.

6. Unmanaged AI assistance means loss of competence

The quietest risk. When AI does for you, long-term, things you should understand yourself, the result is short-term efficiency and long-term loss of competence.

In development it looks like this: a developer delegates an entire implementation phase to AI, which generates the code. It works. But the developer no longer keeps a detailed grasp of what the code actually does. They cannot estimate risks. When a production incident or a security hole appears, they cannot localise it quickly. When handing over knowledge to another colleague, they have nothing to hand over. They are dependent on AI, not on their own expertise.

In the business world it is no different. A sales rep delegates the processing of incoming proposals to AI, which gives them a summary. Quick, efficient. But the rep stops understanding the detail of proposals, customers, and their needs — because they never saw the whole document, only the AI version. After half a year, they have racing speed but no context for strategic decisions.

Processing documents through AI without human reading is fast, but it creates a gap between the company and an understanding of customer needs. In the long run, this threatens business continuity more than processing speed.

The way out is not banning AI — that is naive. The way is conscious management of where AI handles routine and where people must stay active. AI should be a servant, not a replacement.

7. First the AI is bought, then the use case is hunted

A classic situation. Management is convinced by an AI vendor’s salesperson or by market pressure. Licences are bought for the entire company. And then the search begins for what it could actually be used for, so the money is not thrown out the window.

I see this repeatedly and I do not blame management. The pressure is real and the offers are persuasive. But the order is reversed. The right order: identify the use case, assess whether AI is the right tool, choose deliberately. Not the other way around.

The key question for every AI integration is: is this AI flashy, or effective?

  • AI APIs called from the server are usually effective — they integrate into a process where they bring real benefit, while being fast and deterministically managed
  • AI in an application or browser is often flashy, but effectiveness is up for debate. And there is a big security question mark, because data flows through an environment the company cannot audit

Before every AI integration, we therefore ask:

  • What is the use case and who benefits
  • Can it be measured (before deployment and after)
  • Is it the best available way to solve this problem
  • Where is the data processed
  • What happens when AI fails

If we cannot answer these, it is not time to buy. It is time to invest in understanding.

8. AI segmentation: do not let one AI do everything

A tempting idea: one big AI in the company that has access to everything, sees all the data, solves everything. Cheap, uniform, easy. In reality, however, it is usually expensive and risky.

When AI has access to everything, it builds a knowledge base from data it should perhaps not have access to. It models relationships the company has not seen and might have prevented in advance. One moment it is helping with a product design, the next it is influencing an HR decision.

And in extreme cases, it can react in ways no one expected. Anthropic, in its agentic misalignment research, showed how AI agents, under pressure (the threat of replacement, conflicting goals), chose actions against the company — from corporate espionage to manipulation. These were edge cases in experiments, but they demonstrated the principle: the more autonomy, the more data, the more general the goal — the more space for unexpected action.

In practice, therefore:

  • Do not use one AI for everything — different AI for developer tools, different for document processing, different for customer communication
  • Integrate via clearly defined interfaces — not necessarily APIs, but a formally defined point of contact between the AI and its surroundings, where what the AI does can be captured and audited
  • Supervise both automatically and by sampling — logs, output sampling, control processes
  • Principle of least privilege — AI does not need access to everything, only what it needs for its specific use case

A uniform solution can be more expensive than several specialised ones. And the security bill usually closes that gap.
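The four points above (separate AI per use case, a defined interface, logging with sampling, least privilege) can be enforced at a single choke point rather than trusted to each integration. The following is an added example and not code from the article: a hypothetical gateway with a constructed per-use-case allowlist (the use-case and data-source names are placeholders). Every data read passes through it, is checked against the allowlist, and is written to an audit log as a hash of the request rather than the request itself, so the log does not become another copy of the sensitive data; every model output is counted and every N-th one is queued for human review.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed per-use-case allowlists: each AI integration can read only the sources its job needs.
# Hypothetical source names, not a real company's configuration.
POLICY = {
    "dev-tools": {"source-repo", "ci-logs"},
    "document-processing": {"document-store"},
    "customer-communication": {"crm-contacts", "ticket-history"},
}


@dataclass(frozen=True)
class AuditEntry:
    use_case: str
    source: str
    decision: str        # "allow" or "deny"
    request_digest: str  # hash of the request, so the log itself holds no sensitive content


class Gateway:
    """The single point of contact between an AI integration and company data.

    request_data enforces the allowlist and logs every decision;
    record_output queues a fixed fraction of model outputs for human review.
    """

    def __init__(self, policy, sample_every=10):
        self.policy = policy
        self.sample_every = sample_every
        self.audit_log = []
        self.review_queue = []
        self._outputs_seen = 0

    def request_data(self, use_case, source, query):
        allowed = source in self.policy.get(use_case, set())
        payload = json.dumps({"use_case": use_case, "source": source, "query": query}, sort_keys=True)
        digest = hashlib.sha256(payload.encode()).hexdigest()[:16]
        self.audit_log.append(AuditEntry(use_case, source, "allow" if allowed else "deny", digest))
        if not allowed:
            raise PermissionError(f"{use_case!r} is not permitted to read {source!r}")
        # Stand-in for the real fetch from the data source.
        return f"<records from {source} matching {query!r}>"

    def record_output(self, use_case, output):
        """Deterministic sampling: every N-th output goes to a human reviewer."""
        self._outputs_seen += 1
        if self._outputs_seen % self.sample_every == 0:
            self.review_queue.append((use_case, output))
        return len(self.review_queue)

    def denied(self):
        return [e for e in self.audit_log if e.decision == "deny"]


def demo():
    """Run a constructed scenario and return the gateway for inspection."""
    gw = Gateway(POLICY, sample_every=3)
    gw.request_data("customer-communication", "ticket-history", "customer 4711")
    try:
        # A customer-facing agent asking for HR data is outside its use case: refused and logged.
        gw.request_data("customer-communication", "hr-records", "salary of employee 12")
    except PermissionError:
        pass
    for i in range(7):
        gw.record_output("customer-communication", f"reply draft {i}")
    return gw


if __name__ == "__main__":
    gw = demo()
    for entry in gw.audit_log:
        print(entry)
    print("queued for review:", gw.review_queue)
```

Two design choices matter here. The policy is keyed by use case, not by model, so switching vendors or models does not widen access. And the denied entries are the interesting part of the log: an integration that repeatedly asks for sources outside its use case is exactly the signal the section describes, and it surfaces only if the gateway records refusals as well as successes.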

9. What you do not measure, you do not manage. With AI, doubly so

The conclusion is unpleasant but honest. AI is easily judged by the subjective feeling that “it is better”. Empirical measurement usually shows something different.

In July 2025, the research organisation METR published a randomised controlled study measuring the real impact of AI tools on the productivity of experienced open-source developers. Before the study, developers expected AI to speed them up by 24 %. After completing the study — even with knowledge of their actual performance — they still claimed AI sped them up by 20 %. But the measured data showed that AI slowed them down by 19 %.

The study worked with 16 experienced developers on large codebases, where the developers had on average five years of experience. In this specific situation, AI was harmful. Reasons: AI does not know the detail of large mature codebases, often does not deliver quality output, and experienced developers lose time fixing AI suggestions.

The study’s conclusion is not “AI does not help anyone”. For junior developers, prototyping, unfamiliar codebases, or one-off tasks, AI usually helps. But for the typical scenario in a company, it has to be measured.

And that is the main point of this final pitfall: the benefit of AI without measurement before deployment and after cannot be validly evaluated. The subjective impression “AI helps me” is unreliable — the METR study shows that people have this impression even when AI is actually harming them. If a company deploys AI without first measuring the baseline, it cannot then say whether the investment was right. And it will typically defend it to itself or to management, because the money has already been spent.

What to measure:

  • Processing time of typical tasks (before deployment and after)
  • Output quality (defect rate, errors, customer satisfaction)
  • Real business impact (response time, conversion, time to delivery)
  • AI costs (tokens, licences, human time spent on supervision)

Without these metrics, deploying AI is a bet on a feeling, not an investment.
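The first metric above, processing time before and after deployment, is also the one the METR result turns on: the measured figure and the perceived figure had opposite signs. The following is an added example, not code from the article or from METR: given constructed per-task durations from a baseline period and from a period after deployment, it computes the change in median task time, a bootstrap confidence interval around it so that a handful of tasks is not mistaken for a result, and compares the sign of the measured change with the team's stated perception.

```python
import random
import statistics

# Constructed sample data: minutes per comparable task, ten tasks in each period.
BEFORE = [40, 45, 50, 55, 60, 42, 48, 53, 58, 47]
AFTER = [52, 60, 57, 65, 58, 70, 55, 62, 59, 66]


def percent_change(before, after):
    """Relative change of the median task time; negative means tasks got faster."""
    b, a = statistics.median(before), statistics.median(after)
    return (a - b) / b * 100


def bootstrap_ci(before, after, n_resamples=2000, alpha=0.05, seed=0):
    """Percentile bootstrap interval for percent_change, seeded so runs are reproducible."""
    rng = random.Random(seed)
    estimates = []
    for _ in range(n_resamples):
        rb = [rng.choice(before) for _ in before]
        ra = [rng.choice(after) for _ in after]
        estimates.append(percent_change(rb, ra))
    estimates.sort()
    lo = estimates[int(alpha / 2 * n_resamples)]
    hi = estimates[int((1 - alpha / 2) * n_resamples) - 1]
    return lo, hi


def evaluate(before, after, perceived_pct):
    """Measured change versus what people believe; perceived_pct < 0 means 'we feel faster'."""
    measured = percent_change(before, after)
    lo, hi = bootstrap_ci(before, after)
    return {
        "measured_pct": round(measured, 1),
        "ci95": (round(lo, 1), round(hi, 1)),
        "perceived_pct": perceived_pct,
        # The interval excluding zero is the minimum before calling the change real.
        "conclusive": not (lo <= 0 <= hi),
        "perception_matches": (measured < 0) == (perceived_pct < 0),
    }


if __name__ == "__main__":
    # The team felt 20 % faster; the constructed data says the opposite.
    print(evaluate(BEFORE, AFTER, perceived_pct=-20))
```

The same shape of comparison applies to the other three metrics (defect rate, response time, cost per task); only the unit changes. What the example adds to the bullet list is the interval: a median shift on ten tasks can be noise, and a deployment decision should wait until the interval stops straddling zero.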

Not against AI, but with judgement

The nine mistakes above are not an argument against AI. They are a warning against carelessness. AI in a company has real benefits — for me personally it saves about one day of work per week. But it does so because I use it consciously, on things where it makes sense, and with awareness of its limits.

If you are considering AI in your company or already have it and want to revisit the approach so far, the key questions are:

  • Who decides about AI in the company? It should be the people who know the processes, not those at the top
  • How is the policy set? And is it a real policy, not a ban?
  • Is there AI governance? What happens when an audit or incident comes?
  • Are AI costs measured? Are token consumption and model choices optimised?
  • Have we considered self-hosting for certain use cases?
  • Are we letting AI do things people should understand themselves?
  • Are we measuring the benefit of AI with hard data, or only with subjective impressions?

These questions are not pleasant. But they are cheaper than fines, lost time, and lost competence.


A note on the side

Specific claims in this article — the cost of self-hosting, availability of specific hardware, cited studies, and concrete legislative deadlines — are valid as of the date of writing. AI evolves at a speed where much of the above can shift in half a year. Not everything dramatically, but it is worth keeping in mind that the “state of AI” is more of a snapshot than a fixed point.

I have also written separately on the topic: see “AI tools in consulting practice” and “How I deploy AI in my work”.

If you need an independent view of where AI makes sense in your company, where it does not, and how to bring it under control, get in touch. The first call is free.