What is the key factor for long-term enterprise advantage in AI beyond model access? - The key factor for long-term enterprise advantage in AI is the operational infrastructure that governs context, identity, workflow, risk, and performance, enabling dependable and secure execution of AI within business processes. While model access is becoming more commoditised, organisations that build robust operational systems around AI models will achieve durable competitive advantage.

The enterprise AI moat is moving below the model

The enterprise AI moat is moving below the model

Models and copilots still command most of the attention. But as AI moves from generating answers to executing work, durable advantage is shifting towards the infrastructure that governs context, identity, workflow, risk and performance.

Most enterprise AI investment still starts with what can be seen: a model, a copilot, a conversational interface or an agent completing a task. These capabilities matter because they make the opportunity tangible. They also make compelling demonstrations.

But a demonstration answers only the first question: can the system perform the activity? It does not show whether the organisation can let that system operate repeatedly, securely and economically inside a live business process.

That distinction is becoming decisive. The long-term enterprise AI moat is unlikely to come from model access alone. For most organisations, it will come from the operational infrastructure that turns interchangeable intelligence into dependable execution: governed context, workflow orchestration, agent identity, runtime policy, observability, evaluation and evidence.

The market is focused on the visible layer. Enterprise advantage is moving underneath it.

Model access is becoming easier to rent

Models are not becoming irrelevant. Frontier performance can still influence the quality, economics and feasibility of demanding use cases. A material capability gap may justify preferential access to a particular provider, especially in areas such as complex reasoning, coding, multimodal analysis or specialised scientific work.

The strategic problem is that access is a weak foundation for lasting differentiation when capability is becoming more portable. Stanford HAI found that the cost of querying a system performing at roughly GPT-3.5 level fell more than 280-fold between November 2022 and October 2024. It also reported that the gap between the leading closed-weight and open-weight models on one prominent leaderboard narrowed from 8.04% in January 2024 to 1.70% by February 2025.

This does not prove that every model is interchangeable. It does show why enterprises are increasingly able to treat models as selectable components rather than permanent strategic commitments. Model catalogues, routing services and abstraction layers make it easier to choose different models for different tasks, balance quality against cost and replace a provider when the economics or risk profile changes.

The consequence is subtle but important. If competitors can buy access to broadly similar model capability, the advantage moves to what each organisation builds around it: the data it can use, the decisions it can support, the actions it can take and the controls that determine how safely it can operate.

Adoption is outrunning operational maturity

Enterprise adoption is already broad, but production maturity remains uneven. McKinsey's 2025 global survey found that 88% of respondents reported regular AI use in at least one business function. Yet only about one-third said their organisations had begun scaling AI programmes across the enterprise. Twenty-three per cent reported scaling an agentic AI system somewhere in the business, usually within only one or two functions.

This gap explains why the next stage of enterprise AI looks less like a model-selection exercise and more like an infrastructure programme.

A copilot that drafts a response can remain largely contained within a user interaction. An agent that retrieves customer information, interprets policy, updates a case, triggers a refund and notifies another system crosses several operational boundaries. It needs to know which information is current, which source is authoritative, what the user is permitted to request, what the agent is permitted to do, when approval is required and how the organisation will reconstruct the action later.

Each additional permission creates a dependency. Each dependency creates a control requirement. Once AI begins acting across systems, the invisible stack becomes the product.

The operational stack is where intelligence becomes execution

The phrase “visible 10% and operational 90%” is a useful provocation, not a measured ratio. Its value is that it changes the unit of analysis. The enterprise AI stack is not simply an interface sitting on a model. It is a chain of context, decisions, actions and controls.

Four layers become especially important as AI moves into core workflows.

First, context and orchestration determine what the system knows and how work progresses. Retrieval, metadata, semantic definitions and permissions shape the information available to the model. Orchestration then coordinates model calls, deterministic business rules, application programming interfaces, human approvals, retries, exceptions and hand-offs. The model may propose the next action, but the workflow must decide whether that action is valid, reversible and complete.

Second, identity and delegated authority determine who or what is acting. Traditional identity systems distinguish people, applications and services. Agents introduce a more dynamic actor that may operate on its own behalf, on behalf of a user or as part of a business process. Microsoft and Google now provide purpose-built agent identity capabilities, allowing organisations to assign distinct identities and granular permissions rather than relying solely on shared credentials or inherited user access.

Third, runtime governance turns policy into enforceable behaviour. A policy document can state that an agent must not release a payment above a threshold or expose sensitive information. Runtime controls are what check the transaction, restrict the tool call, require approval, filter the response and record the decision. NIST's Generative AI Profile organises risk management around governing, mapping, measuring and managing risks across the AI lifecycle, while the EU AI Act places obligations on deployers of high-risk systems around human oversight, operational monitoring and log retention.

Fourth, observability and evaluation establish whether the system is working as intended. Conventional monitoring can show latency, availability and error rates. AI operations must also capture prompts, retrieved context, model responses, tool calls, policy interventions, cost, groundedness, task completion and escalation. OpenTelemetry's work on generative AI conventions is an early sign that these signals are becoming part of mainstream operational practice rather than a specialist add-on.

These layers are not separate governance overheads. Together, they are the mechanism that allows AI to participate in enterprise work.

The moat is not the tooling. It is the operating logic encoded within it

Calling operational infrastructure a moat creates an obvious challenge. Many of its components will be available from cloud providers, data platforms, workflow vendors, identity providers and specialist software companies. If every organisation can buy an AI gateway, an agent registry or an evaluation platform, why should the infrastructure itself be defensible?

Because the durable value does not sit only in the generic product. It sits in the enterprise-specific operating logic configured through it.

A competitor can buy the same orchestration engine. It cannot quickly reproduce the way an organisation has mapped its processes, resolved its data definitions, designed its permission boundaries, encoded its risk appetite and accumulated evidence about which controls work. It cannot instantly recreate domain-specific evaluation datasets, exception patterns, approval thresholds or the relationships between customer context and operational action.

These assets compound. Every governed workflow can create reusable integration patterns. Every incident can improve an evaluation set. Every approved policy can become a machine-enforceable control. Every trace can add to an evidence history that helps the organisation change models without losing operational confidence.

That is a stronger source of switching cost than a prompt library or a preferred model endpoint. It is also closer to the way enterprise advantage has accumulated in previous technology cycles: not through access to servers, containers or APIs in isolation, but through the operating systems, controls and processes built around them.

The market is already signalling this shift. Microsoft describes Agent 365 as a control plane for observing, governing and securing agents. Databricks positions Unity AI Gateway as a central control plane for model and Model Context Protocol traffic. ServiceNow's AI Control Tower is designed to discover, observe, govern, secure and measure AI across enterprise systems. Google's Gemini Enterprise Agent Platform combines agent identity, a registry, a gateway, runtime services and security controls. These are vendor claims rather than neutral proof of category ownership, but taken together they show where major platforms expect enterprise demand to move.

Control should accelerate innovation, not compete with it

The strategic tension is often presented as a choice between innovation and control. That is the wrong design problem.

Weak control slows innovation because every production decision becomes a bespoke negotiation. Teams do not know which data they may use, which actions are allowed, which risks require escalation or what evidence is needed for approval. Governance arrives late, security reviews repeat the same questions and successful pilots wait for an operating model that was never designed.

Excessive control creates a different failure. If every low-risk action requires committee approval, the organisation turns governance into latency. People bypass the process, agent development moves into unmanaged environments and control becomes more theoretical as compliance with it falls.

The better objective is programmable control: standard patterns that allow teams to move quickly inside defined boundaries. Low-risk assistance can run with sampling and quality monitoring. Recommendations that influence consequential decisions can require traceability and human validation. Actions involving payments, privileged access, regulated decisions or external commitments can use explicit thresholds, separation of duties and approval gates.

This approach also reflects the security reality of agentic systems. The UK National Cyber Security Centre argues that large language model systems are inherently susceptible to confusion between trusted instructions and untrusted content. Where a model can call tools or APIs, deterministic safeguards must constrain what it can do rather than relying only on the model to identify malicious instructions.

Control, properly designed, is not the brake on enterprise AI. It is what makes repeatable speed possible.

Leaders need an operational AI agenda

The immediate leadership task is not to buy every emerging layer or build a monolithic control plane. It is to identify which operational capabilities must be common across the enterprise and which should remain specific to a business domain.

A practical agenda begins with five decisions.

  • Map AI actions, not only AI tools. An inventory should record which systems generate content, make recommendations or execute actions. The level of autonomy, data sensitivity, reversibility and potential impact should determine the control model.
  • Give every consequential agent an identity and an owner. Leaders should be able to answer who sponsors the agent, which workflow it belongs to, what it may access, which actions it may take and how its authority can be revoked. Shared credentials and ambiguous ownership will not scale.
  • Instrument the whole workflow. Monitoring only the model response misses the sources, tool calls, policy checks, approvals and downstream effects that determine the business outcome. Observability should connect technical behaviour to task completion, cost, quality and risk.
  • Separate commodity infrastructure from proprietary operating logic. Organisations will usually be better served by buying baseline model access, gateways, telemetry and identity services. They should retain control of domain semantics, evaluation criteria, approval rules, risk thresholds and the orchestration of strategically important workflows.
  • Fund the capability as a shared product. A central AI platform team can provide common patterns for identity, evaluation, observability, security and deployment. Business teams should own use-case outcomes, process design and domain accountability. Risk, legal and internal audit should shape evidence requirements early rather than assess the system only after it has been built.

This is not an argument for constructing the full operational stack before deploying any AI. Investment should follow risk and value. A drafting assistant does not need the same control architecture as an agent authorised to alter a customer account. The principle is proportionality: build enough infrastructure for the decisions and actions the system is permitted to take.

The strategic advantage will belong to the best-run AI systems

There is a credible counterargument to the thesis. Major platforms may absorb most operational capabilities, making governance, observability and agent identity standard features rather than separate sources of advantage. Frontier models may also retain meaningful performance gaps in the most valuable use cases.

Both outcomes are plausible. Neither removes the enterprise-specific work.

Bundled tooling can reduce implementation effort, but it cannot decide an organisation's authority model, define its trusted context, redesign its workflows or determine which outcomes justify autonomy. Better models can expand what is technically possible, but they do not establish who is accountable when the system acts.

The next enterprise AI divide will therefore be less about who can access intelligence and more about who can operate it well. Leaders should judge their AI readiness by the quality of the surrounding system: whether context is governed, actions are bounded, behaviour is observable, controls are enforceable and value can be traced through the workflow.

The model may remain the most visible part of enterprise AI. It is unlikely to remain the most defensible.

AEO/GEO: The enterprise AI moat is moving below the model