Governance Sold Separately
Enterprise AI ships with controls built in. Everyone else rents the capability and builds the rest, or goes without.
The AI market consolidated around the enterprise in the past year. Anthropic launched legal-specific agents built with Harvey, LexisNexis, Thomson Reuters, and KPMG. The major model developers all now sell enterprise platforms with dedicated deployment teams, and the professional services giants resell them wrapped in implementation engagements. The capability that two years ago lived in a chat window now arrives at large companies as managed infrastructure.
This is usually told as a story about who gets the best models. The more consequential story is about who gets the controls, because the same consolidation that delivers capability to everyone delivers governance to only one tier of buyer.
What the enterprise buyer actually gets
Strip the branding off an enterprise AI deployment and a large share of what the price buys is governance. Admin consoles that decide who can use what. Audit logs recording what was asked and produced. Single sign-on tied to the identity system, so access ends when employment does. Data residency commitments, training-data exclusions, and contractual terms negotiated by a procurement team with leverage. Usage analytics that show the company its own AI footprint without anyone running a survey. Sometimes indemnities, sometimes evaluation rights, always a named account team to call when the model misbehaves.
None of that is intelligence. All of it is control, and the enterprise buyer inherits it as a product feature, pre-built, before a single employee runs a prompt.
What everyone else gets
The mid-market company runs largely the same underlying models through consumer and prosumer subscriptions, AI features switched on inside tools bought for other purposes, and free tiers that employees signed up for themselves. The capability gap between this stack and the enterprise stack is smaller than the pricing suggests, and on some days it is zero.
The control gap is total. The click-through terms disclaim everything and were never negotiated. There is no admin console because there is no deployment, just accounts. The audit log does not exist. The usage analytics do not exist. The company’s AI footprint is whatever it happens to be, visible to no one, governed by terms nobody read.
Capability got democratized. Control did not, and the difference between those two curves is where the mid-market now sits.
Accountability never scaled down
The uncomfortable half of this market structure is that the parties asking governance questions do not grade on company size or software tier.
The EU AI Act places obligations on the company deploying a system regardless of headcount. The insurer’s application asks how AI is used and controlled, and the questionnaire sent to a 150-person company looks a lot like the one sent to a 5,000-person company. The enterprise customer running vendor diligence asks every supplier the same questions, because their risk team wrote one form. The plaintiff’s lawyer reconstructing how a decision was made does not adjust the discovery requests for the defendant’s revenue.
A mid-market company therefore faces enterprise-grade questions while holding consumer-grade tooling, and the gap between the question and the available answer is its problem alone. The vendor whose terms disclaimed everything is not in the room.
Built rather than inherited
The enterprise buyer inherits governance from procurement. The mid-market company has one other path: construct it.
Constructed governance is the set of decisions, ownership assignments, and records that enterprise tooling automates, rebuilt at a scale a smaller company can actually run. Which tools are in use and which are sanctioned, decided rather than discovered after the fact. What data each tool may touch, decided rather than assumed. Who answers for AI-assisted output, named rather than implied. What gets reviewed and how the review is recorded, written down rather than remembered.
None of this requires the enterprise tier or the enterprise price. It requires deliberateness, and it requires an owner, because constructed governance differs from inherited governance in exactly one way that matters: nobody ships it to you. It exists only if someone inside the company builds it, and at most mid-market companies that someone has not been named.
The credential nobody prices
There is a commercial upside hiding in this, and it is underused.
When an enterprise customer sends its AI diligence questionnaire to ten mid-market vendors, most of the answers that come back are improvised. The vendor that returns specific answers, this tool, this data boundary, this owner, this review record, reads as a different class of company, and reads that way precisely because the customer knows what those answers cost to produce. Clean governance answers from a company without an enterprise budget signal management quality the way audited financials once did for companies too small to be public.
The same dynamic runs through acquisitions and insurance. Diligence is a comparison exercise, and the comparison set is full of shrugs.
What this adds up to
The market structure is now legible. Capability is rented by everyone. Control is sold to the few. The remainder either build the control layer themselves or operate without one, and the regulators, insurers, customers, and courts asking the questions do not care which tier anyone bought.
For the company under 1,000 people, the governance that enterprises receive as a line item has to be made, and made governance has one requirement that purchased governance hides: a person who owns it. When the questionnaire arrives, which answer does your company give?


