$644 Billion on GenAI, Near-Zero on Governance — The Enterprise Spending Paradox

Gartner projects $644 billion in GenAI spending for 2025. McKinsey says only 1% of companies are mature in deployment. The governance gap is a spending problem.

NVIDIA GTC 2025 wrapped last Friday after four days in San Jose that felt more like a technology nation-state summit than a developer conference. Twenty-five thousand attendees in person, 300,000 virtual. Jensen Huang unveiled the Blackwell Ultra GPU roadmap, Vera Rubin architecture for 2026, and a path to Feynman architecture by 2028. Personal AI computers, humanoid robot foundations, self-driving partnerships with GM and a 100,000-vehicle robotaxi fleet with Uber by 2027.

The message was unmistakable: the compute infrastructure behind AI is scaling at a pace that makes the current moment look quaint.

And on the same day that GTC's infrastructure announcements were making headlines, Gartner released a projection that puts the scale in dollar terms: $644 billion in generative AI spending globally in 2025, a 76.4% increase from 2024.

There's just one problem with this number. Almost none of it is going to governance.

The Spending Stack

Let's break down where the $644 billion is actually flowing.

The largest category is compute infrastructure — the GPUs, data centers, cloud capacity, and networking that power AI training and inference. This is where NVIDIA's GTC announcements live. Every DGX Spark, every Blackwell Ultra, every gigafactory investment is a line item in this bucket. NVIDIA alone generated over $130 billion in data center revenue in fiscal 2025.

The second category is model development and access — the costs of training proprietary models, licensing API access, and fine-tuning for specific use cases. This is where OpenAI, Anthropic, Google, and dozens of other model providers generate revenue.

The third category is application development — the tools, platforms, and services that help organizations build AI-powered products. This includes the AI coding tools (Cursor, Copilot, Claude Code), the orchestration frameworks (LangChain, LlamaIndex), and the application platforms.

The fourth category — governance, compliance, and risk management — is notable primarily for its absence from the headlines. No one at GTC announced a governance gigafactory. No one projected $644 billion in AI governance spending.

The McKinsey Reality Check

The spending asymmetry becomes even more striking when placed alongside McKinsey's latest State of AI report, published the same month.

McKinsey found that 92% of companies plan to increase AI investments over the next three years. That's nearly universal adoption intent. But only 1% of organizations consider themselves "mature" in AI deployment.

Let that ratio sink in: 92% spending more, 1% mature.

McKinsey also found that workflow redesign — not model capability — has the biggest EBIT impact. The companies generating the most value from AI aren't the ones with the most powerful models. They're the ones that have redesigned their processes around AI capabilities. And redesigning processes requires governance — understanding what the AI does, verifying it works correctly, and ensuring it operates within acceptable boundaries.

The 91-point gap between spending intent and deployment maturity isn't a capability gap. It's a governance gap. Companies are buying AI. They're not building the infrastructure to deploy it reliably.

Why Governance Spending Lags

There are structural reasons why governance spending doesn't keep pace with capability spending.

Capability spending has clear, immediate ROI narratives. "We bought GPUs and trained a model that can do X." "We deployed Copilot and our developers are 30% more productive." These are tangible, measurable, and easy to present to a board. Governance spending has less visceral narratives: "We built an audit trail that will help us demonstrate compliance if we're investigated." "We implemented verification checks that prevent failures we haven't had yet."

Prevention is always harder to fund than production. This is the fire insurance problem — nobody wants to pay for insurance until after the fire. In AI, the "fires" — compliance violations, harmful outputs, security breaches, liability incidents — are still relatively rare at the individual company level. The aggregate industry trend is alarming, but individual companies often haven't experienced enough pain to prioritize governance spending.

The governance market is fragmented and immature. The AI model market has clear leaders (OpenAI, Anthropic, Google). The compute market has a near-monopoly (NVIDIA). The governance market has dozens of startups, unclear category definitions, and no dominant player. When enterprises don't know what to buy, they defer the purchase.

The ISO 42001 Signal

One encouraging development this month: Microsoft 365 Copilot achieved ISO 42001 certification, with EY providing evaluation assistance.

ISO 42001 is the international standard for AI management systems. Its adoption is still early, but Microsoft's certification of its most widely deployed AI product sends a market signal: enterprise AI governance is becoming a certifiable capability, not just a policy aspiration.

The certification also signals something about market expectations. Microsoft doesn't pursue certifications for fun. It pursues them because enterprise customers are beginning to require — or will soon require — standardized evidence of AI governance practices. ISO 42001 is one of the first scalable mechanisms for providing that evidence.

For organizations evaluating their own governance maturity, ISO 42001 provides a useful framework regardless of whether you pursue formal certification. The standard covers AI risk management, documentation, monitoring, and continuous improvement — the same capabilities that the EU AI Act will require as enforcement deadlines approach.

The Kubeflow Connection

On the infrastructure side, the release of Kubeflow 1.10 this month adds an interesting data point. Kubeflow's latest version includes critical LLM operations features: hyperparameter optimization for fine-tuning, distributed training via Trainer 2.0, enhanced model registry integrations, and security improvements including rootless containers.

These are operational infrastructure capabilities — the kind of tooling that sits between raw compute and application deployment. They make AI operations more reliable, more reproducible, and more auditable. And they represent the kind of investment that governance requires: not new models, but new infrastructure for managing models responsibly.

The fact that Kubeflow is open-source and community-driven matters. It suggests that the operational infrastructure layer of AI is developing organically even when governance-specific funding is scarce. Engineering teams are building governance-adjacent capabilities because they need them for operational reliability, even if they don't label them as "governance."

Closing the Gap

The $644 billion spending figure will continue to grow. Gartner's projections are, if anything, conservative given the trajectory of enterprise AI adoption. The governance spending gap will also continue — until it doesn't.

There are two scenarios for how the gap closes.

In the reactive scenario, a series of high-profile AI failures — compliance violations, security breaches, liability verdicts — creates urgency for governance spending. Companies scramble to build governance infrastructure under pressure, paying premium prices for rushed implementations. Regulatory enforcement accelerates the timeline. This is the expensive, painful path.

In the proactive scenario, forward-thinking organizations recognize the gap early and invest incrementally. They build audit trails alongside deployments, verification systems alongside applications, and compliance infrastructure alongside capability. When the reactive moment arrives — and it will — they're prepared rather than scrambling.

For every dollar your organization spends on AI capability in 2025, ask what fraction is going to governance. If the answer is close to zero, you're betting that the gap between spending and maturity won't become a problem during your tenure. Given that McKinsey puts the maturity rate at 1% while spending intent is at 92%, that's a bet with long odds.

The $644 billion is being spent. The question is whether your governance infrastructure will be ready when someone asks what you got for it.