For nearly fifteen years, I ran two agencies simultaneously in South Africa.
Same co-founder. Same industry. Same market timing.
One survived a crisis that should have killed it. The other collapsed despite commercial success.
The difference wasn't talent, clients, or market position. The difference was governance—and whether we'd built it before we needed it.
The Crisis Nobody Saw Coming
2014. A major multinational client froze all supplier payments during an internal investigation. We were cleared of any wrongdoing, but we were caught in the blast radius.
Millions of rands frozen. Millions in supplier commitments already made. The payment freeze lasted over a year.
XEIOH survived. My pharmaceutical agency. Separate legal entity. Diversified client base. Documented processes that let the team operate independently. Financial governance that kept the books clean enough to weather scrutiny.
Zonke collapsed. My go-to-market agency. Client concentration had been invisible during growth—it became fatal under pressure. There was no documentation to demonstrate our position. No pre-made decisions about exposure limits. No governance that could protect us from a crisis we didn't cause.
I'm still paying that debt today.
The lesson isn't that XEIOH was smarter or that Zonke deserved to fail.
The lesson is simpler: governance only reveals its value after something breaks.
Two Approaches to Running an Agency
XEIOH was process-driven from day one. My co-founder came from clinical research. When we won Roche, their vendor audit forced us to formalise everything—HR policies, data handling, version control, quality management systems. A TÜV-accredited auditor inspected our operations.
We had to answer: "What if one of us got hit by a bus tomorrow?"
That felt like bureaucracy. During growth, those documented processes seemed like overhead. Extra time. Extra cost. Extra friction.
Zonke was different. Fast, opportunistic, relationship-driven. My co-founder there resisted structure. Processes lived in people's heads. Approvals happened verbally. The business grew rapidly because the market rewarded speed.
Both approaches worked—until they didn't.
During normal operations, Zonke's informality was an advantage. We moved faster. We closed deals quicker. We adapted to opportunities without waiting for process approvals.
But when the crisis hit, that speed became fragility.
XEIOH had systems that could operate under pressure. Documented workflows that didn't require my constant involvement. Financial boundaries that had been decided in advance, not during panic.
Zonke had relationships and institutional knowledge locked in people's heads. When pressure mounted, there was nothing written down to fall back on. No documented decisions.
The business collapsed because informal governance doesn't scale under conditions you don't control.
What This Has to Do With Shadow AI
UK agencies are facing a similar invisible risk right now. Not client concentration—AI concentration.
Microsoft UK research from October 2025 found that 71% of UK employees use unapproved AI tools at work. Fifty-one percent do so weekly.
Twenty people on your team? Fourteen are using tools you haven't approved. Right now.
And according to Veritas Technologies, seven to eight of them are actively pasting confidential data into those tools—customer information, strategic documents, competitive intelligence—without employer knowledge.
They're not being reckless. They're being productive. AI tools solve immediate problems. They speed up grunt work. They improve output quality.
Just like Zonke's informal governance worked perfectly well during growth.
But here's what the 71% statistic means in practice:
Every time an employee pastes UK client data into a consumer AI tool, three GDPR breaches occur simultaneously. International data transfer without approved mechanisms. Purpose limitation violations when data trains commercial models. Unauthorised sub-processor usage without client consent.
The ICO can fine up to £17.5 million or 4% of global turnover—whichever is higher. IBM's 2025 Cost of Data Breach Report attributes 20% of all data breaches to shadow AI, adding an average £670,000 in remediation costs.
That doesn't include the commercial cost of losing enterprise clients who discover your governance gaps during vendor due diligence.
The Question You're Already Answering
Your team has already decided AI tools are valuable. They're using them to work faster and produce better outputs.
What your team hasn't decided—because they can't without leadership direction—is how to use AI within boundaries that protect the agency from cascade risk.
That's the same choice I faced with XEIOH and Zonke. Build governance before you need it, or discover its absence when something breaks.
Pharmaceutical clients forced XEIOH to build governance early. That felt like friction. It turned out to be survival insurance.
Zonke never felt that pressure until it was too late. By the time the crisis hit, we couldn't retrofit governance fast enough.
Shadow AI is the same pattern. During normal operations, ungoverned AI usage feels like innovation. Your team is moving faster. Clients are happy. The risks feel abstract.
But the moment a client asks about your AI governance during vendor due diligence—or the ICO investigates a data breach—you need documented answers to three questions:
1. What AI tools are running in our operations?
2. What data are we feeding into those systems?
3. Who authorised that usage and on what basis?
Most agencies can't answer the first question. They know about enterprise tools. They don't know about the personal ChatGPT accounts, the browser extensions, the mobile apps.
Without governance, you're building on Zonke's foundation. Fast, informal, relationship-driven—until something breaks.
Start This Week
The agencies that survive the next five years won't be the ones that avoid AI. They'll be the ones that govern it deliberately.
Here's what you can do this week:
Monday morning standup: Ask your team one question: "What AI tools are you using for work?" Don't punish honesty. You need visibility before you can build governance.
That's how governance starts. Not with compliance frameworks or vendor audits.
With one honest conversation about what's already running.
The crisis doesn't announce itself. It's already forming in the gap between what you think is running and what's actually running.
Next Steps
This is an excerpt from Chapter 1 of my forthcoming book, "Shadow AI Governance: The UK Agency Playbook"—a practical guide for agency owners who need to govern AI usage before it becomes a crisis.