Most companies calculate the upside. Almost nobody prices in what goes wrong.
Your AI ROI model is wrong. It's not because your team can't do math. It's because there's a number missing. That missing number is the difference between a big return and a disastrous loss.
I'll show you which number. I'll give you the specific questions to ask your CFO this week, plus the industry breach-cost figures to plug into your own model.
Key takeaways:
A 2026 KPMG survey of 2,500 tech executives found 58% say traditional ROI models can't handle AI.
Gartner predicts more than 40% of agentic AI projects will be canceled by 2027, mostly because the risk math was wrong.
73% of companies have AI tools running. Only 7% have real-time governance watching them.
A Zero Trust program cuts the average $4.88M data breach by about 42%. That's roughly $1.6 to $2 million saved per incident.
The Moffatt v. Air Canada ruling means courts hold companies liable for what their AI agents say or do.
Why does the Air Canada chatbot ruling matter for your AI business case?
Air Canada put a chatbot on their website. A passenger asked about bereavement fares. The chatbot told him to book a full-price ticket and apply for the discount later. That wasn't true. When the passenger sued, Air Canada argued the chatbot was a "separate legal entity." The Civil Resolution Tribunal of British Columbia ruled in February 2024 that the airline owns what its chatbot says, and ordered Air Canada to pay damages.
That was just a chatbot. It couldn't take action. It couldn't move money or delete a file. All it could do was answer questions, and one wrong answer cost the company real money.
Now think about what happens when the AI isn't talking. It's acting. Making purchases. Changing customer records. Moving data between systems. Approving transactions. Running overnight while no one watches.
If your company lets an AI agent operate with your data, it acts on your behalf. Courts will hold you responsible. Compliance professionals are already raising the flag. One IT leader at a financial services firm put it simply: the liability sits with whoever turned the agent on. He's right.
Why are most AI ROI models incomplete?
KPMG surveyed 2,500 tech executives in 2026. 74% said their AI projects produce value. That sounds great. Keep reading. Only 24% could show ROI across more than one project. And 58% said their traditional ROI models don't work for AI. More than half the people building these business cases admit the math is broken. They're using it anyway.
The downstream numbers tell the same story:
Gartner predicts more than 40% of agentic AI projects will be canceled by 2027 because of rising costs, unclear value, inadequate risk controls, and stalled adoption.
IBM found only 25% of AI projects deliver expected returns.
Only 29% of executives say they can measure AI ROI with any confidence.
67% of business leaders said they felt pressured to approve AI despite security concerns. Almost seven in ten knew the risks weren't covered. They approved anyway.
The spreadsheet looked good. The math underneath it didn't.
What does the gap between AI adoption and AI governance actually cost?
A 2026 survey of 1,253 cybersecurity professionals found 73% of companies have AI tools running right now. Only 7% have real-time governance watching those tools. That's a 66-point gap between "we're using it" and "we have any idea what it's doing." Your ROI model assumes the agent does its job. It doesn't account for the agent doing something nobody asked for.
Your model doesn't price in the agent pulling customer records at 2 a.m. when nobody's watching. It doesn't price in credentials going to the wrong place. It doesn't price in a CRM quietly corrupting overnight or an audit log getting skipped on the way out.
I worked with a company that had an AI agent running great. Right 98% of the time. They loved it. But it sent wrong information to 2% of their customers. That sounds small. It took six months to rebuild trust. They pulled the agent entirely at the end.
That 2% wasn't in the ROI model.
What does an honest AI ROI formula look like?
Most companies use this:
ROI = cost savings + speed gains
It should look like this:
ROI = (cost savings + speed gains + insurance reduction + compliance savings) MINUS (breach exposure + liability risk + downtime cost + recovery time)
The left side of that equation is what most teams fill in. The right side is where the blanks are. Security is the only team in your company that can fill in those blanks.
The average data breach costs $4.88 million. A solid Zero Trust program (which means: never trust any system automatically, always verify first) cuts that cost by about 42%. That's roughly $1.6 to $2 million saved per incident.
Insurance companies care about this too. Companies with strong AI governance controls are getting 15-20% premium reductions. One of my clients is negotiating $150,000 off their annual cyber-liability premium by showing their governance framework. That $150,000 goes directly into the ROI column. Nobody puts it there except Security.
What pitch should your Security team make to the CFO?
If you're a CTO or CFO reading this, your Security team probably spends most of its energy proving they don't slow things down. That's the wrong conversation. The right one is this: "Your ROI model has blank cells. I can fill them in. And when I do, the number changes."
Security is the missing variable. Without it, you're betting millions on a spreadsheet that's half-finished.
I run 90-minute working sessions with executive teams where we pressure-test AI ROI models and find the risk nobody priced in. If that sounds like something your team needs, send me a message on LinkedIn.
What five moves should you make this week?
These five moves take an hour combined and surface the biggest gaps in your current AI risk picture.
1. Get the current AI ROI model from your finance team. Read it. Look for blank spots: breach costs, insurance exposure, compliance fines, downtime. If those lines are empty, you just found your opening.
2. Pick one AI agent your company runs right now. Ask one question: "Who is personally on the hook if this agent makes a mistake?" If the answer takes more than five seconds, that's a governance gap.
3. Run a quick risk calculation. Take your industry's average breach cost (healthcare $9.77M, financial services $6.08M, all industries $4.88M). Multiply it by the number of AI agents that touch sensitive data in your company. That's your unpriced risk exposure. Put it on one slide.
4. Call your insurance broker. Ask: "Do we get a discount for having AI governance controls?" If they don't know, tell them to find out. The answer is leverage in your next budget conversation.
5. Find the AI agent with the broadest access to customer data. Ask: "Can we see a complete log of every action this agent has taken?" If the answer is no, the Air Canada ruling just became very relevant to your company.
What's breaking inside the OpenClaw Lab right now?
I run AI agents in my OpenClaw home lab. I break them so I can see what breaks in yours before it costs you money. One thing keeps proving true: these agents act more like new hires than scripts. You can't flip them on and walk away. Two recent failures connect directly to the ROI problem: credential leakage, and a persistent backdoor that survived a restart.
Credential leakage. I asked an agent to summarize a billing config file. It pulled the API key (basically a password that lets software access other systems) right out of the file and dropped it into its output. No hesitation. In a real company, that key ends up in a Slack message or a log file that someone screenshots. In one reported case, an agent posted a live payment processing key to a public channel. An attacker could charge the company's card within minutes. That cost isn't in anybody's ROI model. It should be.
Persistent backdoor. OpenClaw stores its instructions in files. If an attacker can trick the agent into editing those files, through hidden instructions buried in what looks like normal input, the agent repeats the bad behavior every time it runs. One red team exercise showed an attacker adding a single line that exported the company's credentials daily. It survived restarts. It ran silently until someone wiped the whole workspace and rebuilt from scratch. Invisible, expensive, and completely preventable with the right setup.
The fix I use now: every agent gets its own identity, separate credentials, an isolated workspace, and a plain-language list of exactly what it's allowed to touch, enforced at the system level. I keep these in files called IDENTITY.md and SOUL.md. Think of it like an employee handbook the employee actually reads and follows. Every single time.
65% of companies said they were surprised by how much oversight their agents needed. I wasn't. After the credential leak, I treat every new agent like a contractor on their first day. Limited badge access. Watched closely. Trust gets earned slowly. Every action gets logged.
Where does Zero Trust break down with AI agents?
Zero Trust is a simple idea. No system gets automatic trust. Everything proves itself before it gets access. It works well for humans and for regular software. AI agents break two of its core assumptions: stable identity and predictable access patterns. The trust check has to happen on every single action, not just at login.
Who are you, really? Normal systems check your identity when you log in. Done. An AI agent can start a task as one thing and become something different while it runs. The persistence attack above is exactly this. The agent's instruction file gets rewritten mid-task, so the agent is effectively a different agent wearing the same badge. Checking identity at login isn't enough anymore.
Only touch what you need. Zero Trust says give every user the minimum access required. AI agents don't behave like humans. A human opens the same five apps every day. An agent's access pattern changes based on what you ask it to do. An agent asked to "summarize billing" doesn't need the ability to change anything. An agent told to "clean up old files" needs very specific delete permissions, plus human approval before anything actually gets removed.
What actually works: permissions checked on every action, mandatory human approval before anything gets deleted or changed, complete logging so you can replay exactly what happened, and a named owner whose reputation rides every output. If you can't see what the agent did, you can't govern it. If you can't govern it, the ROI number on your spreadsheet is a guess.
Frequently asked questions
What should a complete AI ROI model include?
A complete model adds four risk variables to the cost-savings side: breach exposure (industry average breach cost times the number of agents touching sensitive data), liability risk (legal exposure for what the agent says or does, like the Air Canada ruling), downtime cost (lost revenue while you investigate or pull the agent), and recovery time (engineer hours to rebuild trust and the system itself). It also adds two upside variables most teams miss: insurance premium reductions and compliance savings.
Why don't traditional ROI models work for AI?
Traditional ROI models assume the system does its job. AI agents don't behave that way. Their output changes based on the prompt. Their access pattern changes based on the task. They can be tricked into changing their own instructions. They run overnight without anyone watching. Traditional ROI models also don't price liability for what the system says, because traditional systems don't say much. AI agents do.
What's the cheapest first move I can make this week?
Get a copy of your current AI ROI model and look at the risk side of the equation. If breach exposure, liability, and recovery time are blank, you've found your opening in less than ten minutes. The rest is conversation.
Why is Security the only team that can fill in the missing variables?
Finance models the upside. Engineering builds the agent. Legal reviews the contract. Security is the only function that knows the cost of a breach, the discount you can negotiate on cyber-liability insurance, and the operational cost of recovering from an agent that went sideways. Without Security in the room, the model is half-built.
Does the Air Canada ruling apply outside Canada?
The specific case, Moffatt v. Air Canada (2024), was decided by a Canadian tribunal. The principle, that companies own what their AI says or does, is showing up in compliance guidance globally. US regulators and EU enforcement bodies have started using similar reasoning. Don't wait for your jurisdiction to rule on it.
The bottom line
Your AI ROI model is missing the risk column. Your Security team can fill it in. When they do, the number changes, sometimes by millions. That changes which projects you fund, how you negotiate insurance, and which agents you're willing to leave running overnight.
If the risk column in your AI business case is empty, the free Agentic Trust Framework assessment at verifiedagents.ai shows you exactly where the gaps are. It takes ten minutes.
What's the largest unpriced risk in your current AI business case, and who at your company is going to fill it in?
Want to see where your organization stands? The free Agentic Trust Framework assessment at verifiedagents.ai takes ten minutes. For a deeper read, check out Agentic AI + Zero Trust: A Guide for Business Leaders and the Agentic Trust Framework.
