The Commonplace

Improved AI can reduce firm deployment when weak governance forces broader authority exposure, creating a 'deployment paradox' where capability gains fail to translate into productive use; stronger governance that cuts breach losses restores deployment, while externalities make social under-use more pervasive.

The Security Cost of Intelligence: AI Capability, Cyber Risk, and Deployment Paradox
Sukwoong Choi · April 24, 2026
Source: arXiv · Type: theoretical · Evidence: n/a · Relevance: 7/10
A theoretical model shows that when more-capable AI requires broader authority exposure under weak governance, firms may optimally deploy less capability—the 'deployment paradox'—and governance investment that reduces breach losses can shrink this effect while externalities widen socially constrained deployment.

Firms are deploying more capable AI systems, but organizational controls often have not kept pace. These systems can generate greater productivity gains, but high-value uses require broader authority exposure -- data access, workflow integration, and delegated authority -- when governance controls have not yet decoupled capability from authority exposure. We develop an analytical model in which a firm jointly chooses AI deployment and cybersecurity investment under this governance-capability gap. The central result shows a deployment paradox: in high-loss environments, better AI can lead a firm to deploy less when capability is deployed through broader authority exposure under weak governance. Optimal deployment also falls below the no-risk benchmark, and this shortfall widens with breach-loss magnitude and with the authority exposure attached to more capable systems. Governance investment that reduces breach-loss magnitude shrinks the paradox region itself, while breach externalities expand the range of environments in which deployment is socially constrained. Governance maturity is therefore not merely a constraint on AI adoption. It is a condition that shapes whether capability improvements translate into productive deployment.

Summary

Main Finding

When organizational governance lags AI capability (a “governance–capability gap”) and more capable systems are deployed with greater authority exposure, improving AI capability can paradoxically reduce a firm’s optimal deployment. The paper’s analytical model shows that under high conditional breach-loss environments, capability-linked authority exposure increases the security burden faster than productivity gains, so firms (even after optimally increasing security spending) choose to deploy less. Strengthening governance (reducing conditional loss) or decoupling capability from authority exposure restores the usual positive relationship between capability and deployment.

Key Points

  • Deployment paradox: Better AI (higher capability θ) can lead to lower optimal deployment α when (i) capability is bundled with greater authority exposure a(θ) and (ii) conditional breach losses λ are large enough that the marginal security cost exceeds the marginal productivity benefit.
  • Endogenous risk: Unlike canonical models (e.g., Gordon & Loeb), the firm’s technology choice α jointly determines both attack surface (breach probability) and conditional loss (via authority exposure), creating feedbacks that generate the paradox.
  • Security discount: Optimal deployment is strictly below the no-risk (productivity-only) benchmark; the shortfall grows with breach-loss magnitude λ and with the degree to which exposure rises with capability (a′(θ)).
  • Governance as enabler: Investments that reduce λ (better containment, data segmentation, least-privilege design) shrink or eliminate the paradox region; decoupling capability from operational exposure (making a′(θ) ≈ 0) removes the sign reversal.
  • Externalities widen the problem: If breaches impose external social losses, the socially optimal deployment is constrained in a larger set of environments than the private optimum, making governance and regulation more salient.
  • Boundary conditions: When the loss environment is mild or governance maturity catches up, higher capability monotonically increases deployment as in standard models.

Data & Methods

  • Approach: A parsimonious analytical model with two firm decision variables: deployment intensity α ≥ 0 and security investment d ≥ 0. The firm maximizes expected profit accounting for productivity, convex deployment costs, security spending, and expected breach losses.
  • Key variables and functions:
    • θ > 0: AI capability (increases productive value per unit deployed).
    • µ > 0: Organizational readiness/complements (raises productivity without increasing exposure).
    • a(θ): authority-exposure index (monotone nondecreasing; baseline a(θ)=θ) — captures the governance–capability gap (capability–damage bundling).
    • λ > 0: conditional breach-loss magnitude (reflects inherited containment architecture; treated as exogenous within the decision period).
    • Breach probability: modeled as α/(α + d) (attack surface increases with α; mitigated by d).
    • Conditional loss: L(α, θ) = λ α a(θ) (baseline linear in α and a(θ)).
    • Profit objective (baseline): π(α,d) = (θ + µ)α − α^2/2 − [α/(α + d)]·[λ α a(θ)] − d.
  • Solution strategy: Solve for interior first-order conditions in α and d; derive comparative statics in θ, λ, µ, and a(·). Identify regions of parameter space where ∂α/∂θ < 0 (deployment paradox) versus ∂α/∂θ > 0.
  • Robustness / extensions: Paper analyzes elasticity variations (a(θ)=θ^γ), alternative specifications, and shows how results depend on slopes/elasticities. Appendices discuss interpretations of λ as inherited and the limits of within-period adjustment.
  • Empirical grounding: Motivating statistics and examples from industry surveys and incidents (e.g., IBM Security 2024–2025 breach cost figures, Cloud Security Alliance 2026 survey on AI privileges, Anthropic 2025 incident) are cited to justify the governance–capability gap and the economic magnitudes motivating the model; the paper is primarily theoretical rather than empirical.
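
The baseline objective above can be solved numerically to see the sign reversal. The following is an added example, not code from the paper or this page: function names, the capability grid, µ = 5 and the two λ values are constructed for illustration, and the inner rule for d is derived here from the first-order condition of the stated objective.

```python
import math

def profit(alpha, d, theta, mu, lam, gamma=1.0):
    """Baseline objective from the summary, with a(theta) = theta**gamma."""
    if alpha <= 0.0:
        return -d                      # nothing deployed: only security spend is lost
    breach_prob = alpha / (alpha + d)  # attack surface grows with alpha, shrinks with d
    loss = lam * alpha * theta ** gamma
    return (theta + mu) * alpha - alpha ** 2 / 2 - breach_prob * loss - d

def best_security(alpha, theta, lam, gamma=1.0):
    """Security spend maximizing profit for a fixed alpha.
    d(pi)/dd = 0 gives (alpha + d)^2 = lam * a(theta) * alpha^2; d is floored at 0."""
    return max(0.0, alpha * (math.sqrt(lam * theta ** gamma) - 1.0))

def optimal_deployment(theta, mu, lam, gamma=1.0, iters=200):
    """Ternary search over alpha with d re-optimized at each step. Returns (alpha*, d*)."""
    def value(alpha):
        d = best_security(alpha, theta, lam, gamma)
        return profit(alpha, d, theta, mu, lam, gamma)
    # The no-risk optimum is theta + mu and breach risk only lowers it,
    # so theta + mu + 1 is a safe upper bound for the search.
    lo, hi = 0.0, theta + mu + 1.0
    for _ in range(iters):
        m1, m2 = lo + (hi - lo) / 3, hi - (hi - lo) / 3
        if value(m1) < value(m2):
            lo = m1
        else:
            hi = m2
    alpha = (lo + hi) / 2
    return alpha, best_security(alpha, theta, lam, gamma)

def paradox_thetas(thetas, mu, lam, gamma=1.0):
    """Capability levels at which optimal deployment is lower than at the previous level."""
    alphas = [optimal_deployment(t, mu, lam, gamma)[0] for t in thetas]
    return [t for prev, cur, t in zip(alphas, alphas[1:], thetas[1:]) if cur < prev - 1e-6]

if __name__ == "__main__":
    thetas = [1, 2, 3, 4, 5, 6]           # constructed capability grid
    for lam in (4.0, 0.5):                # high-loss vs. well-contained environment
        print(f"lambda={lam}: deployment falls at theta={paradox_thetas(thetas, 5.0, lam)}")
        for t in thetas:
            a, d = optimal_deployment(t, 5.0, lam)
            print(f"  theta={t} alpha*={a:.3f} d*={d:.3f} shortfall={t + 5.0 - a:.3f}")
```

With these constructed values, deployment falls as θ rises while θ is below λ = 4 and recovers afterwards, whereas at λ = 0.5 it rises throughout; the shortfall against the no-risk level θ + µ widens with θ in the high-loss case.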

Implications for AI Economics

  • For managers: Governance maturity (access control, least-privilege policies, containment, data segmentation) is not just a compliance cost but a critical determinant of whether capability improvements translate into productive deployment. Firms facing high conditional loss should prioritize structural governance (reducing λ and decoupling a(θ) from θ) before deeply embedding higher-capability systems.
  • For investors and strategists: Observed slower or reduced deployment of frontier AI by firms in high-loss sectors (healthcare, finance) may reflect rational responses to capability–damage bundling, not simple technology lag. Valuation and adoption forecasts should incorporate governance maturity and conditional-loss exposure.
  • For policy and regulators: Because breach externalities expand the socially constrained region, policy interventions (standards for access controls, incentives/subsidies for containment investment, liability rules) can increase socially optimal deployment of capable AI. Regulators should focus on governance standards that decouple capability from authority exposure.
  • For empirical researchers: Testable predictions include (a) negative or non-monotone correlation between capability increases and deployment intensity in high-loss industries or firms with weak governance; (b) larger deployment shortfalls where authority exposure rises more steeply with capability; (c) governance investments that reduce conditional loss should increase deployment and shrink the paradox region. Useful data sources: breach cost databases (e.g., IBM reports), industry surveys on AI privileges (CSA, vendor incident disclosures), firm-level measures of deployment intensity and access-control maturity.
  • For theory: The paper highlights the importance of endogenizing the loss environment when studying technology adoption under risk. Future models can extend to dynamic governance investment, strategic adversaries, multi-period learning about λ, heterogeneous firms, and market/insurance mechanisms to internalize externalities.

Limitations worth noting: single-period framing with λ treated as slow-moving/exogenous; specific functional forms (e.g., α/(α+d) breach probability, linear loss in a(θ)) for analytical tractability; adversary behavior and strategic attacker responses are not modeled explicitly. These present clear directions for empirical calibration and dynamic extensions.

Assessment

  • Paper Type: theoretical
  • Evidence Strength: n/a. The paper is purely theoretical and provides mechanism-based results rather than empirical estimates or causal identification from data; it offers logical implications conditional on model assumptions but no empirical validation.
  • Methods Rigor: high. The model clearly formalizes the joint choice of AI deployment and cybersecurity investment, derives comparative statics that yield the 'deployment paradox', and studies policy-relevant counterfactuals (governance investment and externalities); rigor is limited only by standard simplifying assumptions and absence of calibration/robustness to alternate specifications.
  • Sample: No empirical sample; an analytical firm-level model with parameters for AI capability (linked to authority exposure), breach-loss magnitude, governance (cybersecurity) investment, and breach externalities; equilibrium deployment and investment choices are characterized across parameter space.
  • Themes: governance, org_design
  • Identification: No empirical identification; causal claims are derived from an analytical game-theoretic/optimization model using comparative statics on parameters (breach-loss magnitude, authority exposure, governance investment, externalities).
  • Generalizability:
    • Abstract theoretical setting: results depend on specific model structure and functional-form assumptions, not on empirical calibration.
    • Single-firm/static framework: ignores multi-firm competition, dynamic learning, and organizational heterogeneity.
    • Simplified representation of governance: models governance as investment reducing breach-loss magnitude, which may miss real-world institutional complexity and cost structures.
    • Adversary behavior and market responses are not explicitly modeled (e.g., adaptive attackers, regulatory reactions).
    • Assumes authority exposure is the primary channel linking capability to risk; other channels (data practices, model opacity) may alter conclusions.

Claims (8)

Claim | Direction | Confidence | Outcome | Details
Firms are deploying more capable AI systems, but organizational controls often have not kept pace. [Adoption Rate] | mixed | high | deployment of capable AI systems / governance maturity | 0.02
High-value uses require broader authority exposure — data access, workflow integration, and delegated authority — when governance controls have not yet decoupled capability from authority exposure. [Automation Exposure] | mixed | high | authority exposure associated with AI deployment | 0.02
We develop an analytical model in which a firm jointly chooses AI deployment and cybersecurity investment under this governance-capability gap. [Other] | null_result | high | model of joint choice (AI deployment and cybersecurity investment) | 0.12
Central result (the 'deployment paradox'): in high-loss environments, better AI can lead a firm to deploy less when capability is deployed through broader authority exposure under weak governance. [Adoption Rate] | negative | high | level of AI deployment | 0.12
Optimal deployment falls below the no-risk benchmark, and this shortfall widens with breach-loss magnitude and with the authority exposure attached to more capable systems. [Adoption Rate] | negative | high | gap between optimal deployment and no-risk benchmark (deployment shortfall) | 0.12
Governance investment that reduces breach-loss magnitude shrinks the paradox region itself. [Governance And Regulation] | positive | high | size of the 'paradox region' (parameter range where better AI reduces deployment) | 0.12
Breach externalities expand the range of environments in which deployment is socially constrained. [Governance And Regulation] | negative | high | range of environments where social constraints bind on deployment | 0.12
Governance maturity is therefore not merely a constraint on AI adoption; it is a condition that shapes whether capability improvements translate into productive deployment. [Governance And Regulation] | positive | high | translation of AI capability improvements into productive deployment | 0.12