AI Ate the Keyboard. Now It Has to Eat the Queue.
Software stopped being the limiting factor. Process didn't. In biopharma and any patient-facing industry, the queue is the patient.
Jack Hanlon, who leads GenAI Media at Meta, posted this on LinkedIn:
"The first time you see an engineer build something in 45 minutes that would have taken a week a year ago, but then see it not ship for another 6 weeks, you will be radicalized."
He's describing Meta, a consumer tech company. The review stack he lists is the load every build carries before it ships: Strategy, Product, Design, Engineering, Privacy, Legal, Accessibility, Comms. It's also not close to what biopharma and patient-facing R&D organizations ask of an AI build.
In biopharma and adjacent patient-facing industries, add data privacy impact assessment, security review, AI governance review, IT architecture review, change-management approval, procurement, legal redline, regulatory sign-off. If patient data is anywhere in the lifecycle, add clinical safety review. Each gate is serial. Each gate is three weeks minimum. Six in sequence is half a year before anything ships. You've done paperwork.
The numbers back this up across every regulated sector, not just pharma. Enterprise SaaS procurement runs a median 170 days; complex solutions hit eleven-and-a-half months. SOC 2 Type II audits take six to twelve months end-to-end. Federal contractors face 12-18 month FedRAMP authorization cycles before a system can sit on a government network. Banks run AI governance committees on top of model-risk committees on top of vendor-risk committees, each stack inherited from a different decade of incident response. MIT NANDA's "GenAI Divide" report found 95% of enterprise AI pilots deliver zero P&L impact, across thirty to forty billion dollars of spend. That's not a build problem. The build works. The build sits in a queue.
This accelerated review pathway can exist. It can work. It will take herculean levels of structural redesign and a lot of organizational political capital to land. And the pattern isn't a pharma problem. It's the shape of every regulated industry trying to ship AI in 2026. Pharma's version is the sharpest because patients are downstream of the delay, but the argument is universal.
Every gate exists for a reason. Most got written after a real incident. Someone's data got exposed. A launch communication went sideways. A model made a biased call in production. The answer isn't to kill them. The answer is that every one of them was designed for a world where building the software was the slow, expensive, irreversible part. Whether you wrote the code yourself or bought it from a vendor who wrote it, software was the thing the calendar bent around. That world is gone. AI didn't just speed up typing. It turned the whole build, your own code and the vendor's both, into the fast part. The review cycle was calibrated for the old critical path. The critical path moved. The calendar didn't.
Hanlon's three confrontations are right. Process architecture is the speed limit. Too many orgs treat every process as sacred. AI should be eating process, not just coding. The patient-facing version is sharpest, because the delay shows up downstream as patient time.
This Has Happened Before
DevOps didn't land in 2015 as a philosophy. It landed when development got fast enough that deployment became the jam. "Development teams could complete features in days, but getting those features deployed took weeks." That's the DevOps.com retrospective on the pre-CI/CD era. Swap "deployed" for "procurement-approved" and you have a 2026 AI program, sentence for sentence.
Then security became the jam. DevSecOps. Then infrastructure and developer experience became the jam. Platform Engineering. Internal Developer Platforms. Each compression moved the bottleneck one layer further from the keyboard. Each shift spawned a category, a toolchain, a set of jobs, a conference circuit.
Bottleneck migration is a law. Compress one layer and the adjacent layer becomes the bottleneck by definition. Whatever used to be the tall pole is now almost all of the remaining pole.
AI compressed the build layer, writing software and buying it both. Everything adjacent to the build is now the bottleneck. The reviewers, the committees, the approvals, the procurement track, the vendor security questionnaire, the model evals nobody scoped time for. All of it. DevOps took twelve years to run the full cycle. Nobody has twelve years.
Shadow AI Is the Tell
Gartner's 2025 numbers are the signal. 98% of organizations report unsanctioned AI use. 69% report evidence of prohibited public GenAI use inside their walls. 49% expect a shadow AI incident within twelve months.
The default read calls shadow AI a governance failure. A discipline problem. Employees not following the rules. That read is backwards. Shadow AI is the system telling you the official process layer already failed an internal cost-benefit test. Employees measured the queue, measured their quarterly objectives, and decided the queue costs more than the risk of getting caught.
That's the market voting. When 98% of your workforce is routing around your approval process, you don't have a discipline problem. You have an economics problem. The process priced itself out.
A fair counter to all of this: maybe the 95% pilot failure isn't a process problem. Maybe it's a pilot-selection problem. Most enterprise AI pilots fail because they were the wrong pilot to run, picked for board optics or executive curiosity rather than real workflow pain. Speeding up bad pilots faster doesn't help anyone.
That argument is partially right. The data is harder than that. The same MIT report that flagged the 95% number also found the highest ROI was in back-office automation, exactly the work that sits behind procurement, vendor security, and compliance queues. The pilots that fail include some bad picks. They also include good picks that died in queue. You can have a pilot-selection problem and a process problem at the same time, and most enterprises do.
Process Protects Patients. Except When It Doesn't.
Biopharma's review gauntlet was written in blood. Good Clinical Practice, Good Laboratory Practice, Good Manufacturing Practice. Patients got hurt. Rules got written. Every review, every sign-off, every three-week queue descends from that inheritance.
The reflex response to "AI is slow to ship" is "good, that's how we keep patients safe." It sounds unanswerable. It isn't.
Process was built to protect patients. When process is the thing blocking patient-helping AI from shipping, it stops protecting patients. It protects itself.
Not shipping AI is not a neutral, safe choice. It has a cost. The cost lands on patients too.
Every week of review on a regulatory drafting agent is a week a safety narrative gets written the slow way. Novo Nordisk's NovoScribe rollout cut clinical study report drafting from fifteen weeks with over fifty medical writers to ten minutes with three. The work moved. The submission queue didn't. Every week of governance queue on a tool like that is real human time that wasn't spent on the submission, real submission time that wasn't spent reaching patients.
Every month a vendor security review stalls on a literature retrieval agent is a month oncology scientists read abstracts by hand. The responder-subgroup signal sits in a PDF nobody opened.
Every quarter a leadership group debates a two-speed governance design is a quarter trial protocols get mapped by hand, deviations get triaged out of a Teams channel, the first patient at the first site doses later than they would have.
Meanwhile, the deployments ship. Cleveland Clinic, NHS England, the VA, and 75% of US hospitals are running AI in clinical workflows today. The teams that wired governance early are in production. The teams still debating are watching.
Most governance agendas debate the wrong question. Not "is this AI safe enough to ship," but "is the delay we're about to impose smaller than the harm we're trying to prevent." Both sides of that ledger have a body count. Only one gets counted.
AI Eats Its Own Governance Layer
The governance layer isn't a coding problem, and that's the part most "AI accelerator" pitches miss. It's legal redline, procurement of the services the agents will consume, vendor security, the privacy review, the model evals, the benchmark sign-off. None of that is typing. All of it is the build now, and all of it queues.
Organizations have answered by standing up governance as elaborate as the thing it governs. Sanofi has publicly documented a multi-stage setup: a Responsible AI Working Committee, an Interim Responsible AI Governance body, an AI agent named Plai sitting in on every drug-progression decision. Other large pharmas, banks, and federal contractors run variations of the same shape; the public documentation lags Sanofi's. Ethan Mollick names why it decides everything. "The moderating factor is no longer individual ability or even AI capability. It is organizational structure, policy, and the way leaders choose to approach AI." The constraint isn't the model. It's the layer wrapped around the model.
Which is exactly the layer AI can eat. Hanlon's third point is the one most readers stop quoting before the punchline:
"Have the AI traverse your codebase and collect your evidence for the privacy review and have another AI grade the privacy review. They go back and forth until (a) they need human intervention because they are stuck or (b) they need humans to look at the final results and sign off on the right path forward."
That's the whole answer, and it generalizes past the codebase. Every gate in the gauntlet has the same shape: forty hours of evidence assembly, then a fifteen-minute judgment call. The privacy review is fourteen pages of data flow that already lives in the repo, the retention policies, the IAM config. The vendor questionnaire is two hundred SOC 2 controls a lead engineer maps by hand against an attestation report nobody re-read. The procurement intake is free-text someone retypes against master agreement terms a sourcing lead has memorized. The model eval is a benchmark suite someone runs once and pastes into a slide. The regulatory submission is fifteen weeks of medical writers stitching prior submissions into a new narrative. The judgment is fifteen minutes. The forty hours is the queue.
The human doesn't leave the privacy review. The human finally opens a pre-assembled package instead of staring at a blank template with half the source material missing. The reviewer still reviews. The reviewer is finally reviewing the only part of the work that ever needed a reviewer.
AI has eaten the keyboard. It hasn't eaten the queue.
That's the argument in one sentence. The keyboard compressed two years ago. The queue hasn't. Until it does, every "AI accelerator" announcement is a faster typewriter feeding the same backlog.
The Reviewer Is the Project
There's a catch built into all of this. The people whose work the AI must eat are the same people who must approve the AI eating their work. Legal reviews the legal agent. Procurement approves the procurement agent. InfoSec signs off on the InfoSec agent.
The reviewer is the subject of the review. The incentives don't line up. Pretending they do is how an org burns eighteen months and ships nothing.
The first week of agent output will be embarrassingly wrong, and that isn't the agent's fault. The process has never been written down in a way a machine can act on. The DPIA "template" is really a set of in-head judgments held by a senior person who onboarded in 2014 and knows which questions matter. Turning that into prompts, policies, and machine-readable rubrics is the institutional work, and there's no shortcut around it. That IS the project. The catch is that the people best positioned to codify their judgment are the ones whose standing rests on it staying in their heads. The org design that works makes the codified version the asset and leaves the committee to ratify it. Most enterprises don't run that design yet.
The ones that do compress the queue start in the same place, and it's never a model. They map the gauntlet, then fund an agent for a single gate, picked where the work is repetitive and the inputs already live somewhere a machine can read. Privacy review first, its answers mostly sitting in the repo and the IAM config. Vendor security next, the same shape with messier inputs. Regulatory drafting last, after the pattern has proven itself on something lower-stakes than an FDA filing. It holds at one gate, run for two months and watched for what it gets wrong. It breaks at three at once.
Underneath all of it sits the substrate. A governance layer that can't hand an agent a rubric to run or a template to fill isn't policy. It's tradition. The version living in senior reviewers' heads is neither auditable nor transferable, and it's the version adding weeks to every queue. Codifying it is the platform bet of 2026, ahead of the next model, because it's what lets every future build ship without the six-month tax.
AI compressed the build layer. That was the easy part. Everyone got the faster typewriter. The next decade of enterprise AI won't be won on better models. It turns on whether the layer built to protect patients from bad software, back when bad software was the threat, can be made to compress itself before the delay starts landing on the other side of the ledger.
That layer will not shrink on its own. It has to be handed its own rubric and told to grade the work it used to guard by hand. No team that owns a queue volunteers to automate it. Someone with the authority to override that instinct has to decide the delay costs more than the control.
In a patient-facing industry, the queue is not paperwork. The queue is the patient. Every week it stays uncompressed is a week charged to someone who never got a seat in the room.



