This is today’s edition of The Download, our weekday newsletter that provides a daily dose of what’s going on in the world of technology. Cybersecurity’s global alarm system is breaking down Every day, billions of people trust digital systems to run everything from communication to commerce to critical infrastructure. But the global early warning system that alerts security teams to dangerous software flaws is showing critical gaps in coverage—and most users have no idea their digital lives are likely becoming more vulnerable. Over the past eighteen months, two pillars of global cybersecurity have been shaken by funding issues: the US-backed National Vulnerability Database (NVD)—relied on globally for its free analysis of security threats—and the Common Vulnerabilities and Exposures (CVE) program, the numbering system for tracking software flaws.  Although the situation for both has stabilized, organizations and governments are confronting a critical weakness in our digital infrastructure: Essential global cybersecurity services depend on a complex web of US agency interests and government funding that can be cut or redirected at any time. Read the full story. 
—Matthew King
The first babies have been born following “simplified” IVF in a mobile lab This week I’m sending congratulations to two sets of new parents in South Africa. Babies Milayah and Rossouw arrived a few weeks ago. All babies are special, but these two set a new precedent. They’re the first to be born following “simplified” IVF performed in a mobile lab. This new mobile lab is essentially a trailer crammed with everything an embryologist needs to perform IVF on a shoestring. It was designed to deliver reproductive treatments to people who live in rural parts of low-income countries, where IVF can be prohibitively expensive or even nonexistent. And best of all: it seems to work! Read our story about why it’s such an exciting development.  —Jessica Hamzelou  This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, sign up here. The must-reads I’ve combed the internet to find you today’s most fun/important/scary/fascinating stories about technology. 1 Trump is seeking huge cuts to basic scientific researchIf he gets his way, federal science funding will be slashed by a third for the next fiscal year. (NYT $)+ The foundations of America’s prosperity are being dismantled. (MIT Technology Review)+ Senators are getting ready to push back against proposed NASA cuts. (Bloomberg $)

2 Conspiracy theorists are starting to turn on TrumpHe whipped them all up over the supposed existence of Epstein’s client list, and now they’re mad nothing’s being released. (The Atlantic $)3 AI actually slows experienced software developers downThey end up wasting lots of time checking and correcting AI models’ output. (Reuters $)4 The Pentagon is becoming the largest shareholder in a rare earth minerals companyIt shows just how much competition is hotting up to secure a steady supply of these materials. (Quartz $)+ The race to produce rare earth elements. (MIT Technology Review) 5 Solar power is starting to truly transform the world’s energy system Globally, roughly a third more power was generated from the sun this spring than last. (New Yorker $)6 Cops’ favorite AI tool auto-deletes evidence of AI being used A pretty breathtaking attempt to avoid any sort of audit, transparency or accountability. (Ars Technica)+ How a new type of AI is helping police skirt facial recognition bans. (MIT Technology Review)7 Why Chinese EV brands are being forced to go globalCompetition at home is becoming so intense that many have no choice but to seek profits elsewhere. (Rest of World)+ China’s EV giants are betting big on humanoid robots. (MIT Technology Review)8 Which Big Tech execs are closest to the White House? Check out this scorecard showing how they’re all doing trying to stay in Trump’s good graces. (WSJ $)9 Elon Musk says Grok is coming to Tesla vehiclesYes, that’s the same Grok that keeps being racist. Shareholders must be delighted. (Insider $)+ X is basically becoming a strip mine for AI training data. (Axios)10 Trump Mobile is charging people’s credit cards without explanationBut I’m sure it’s all perfectly explicable and above board, right? Right?! (404 Media) Quote of the day “It has been nonstop pandemonium.” —Augustus Doricko, who founded a cloud seeding startup two years ago, tells the Washington Post he’s received a deluge of fury online from conspiracy theorists who blame him for the catastrophic Texas floods. One more thing
STEPHANIE ARNETT/MIT TECHNOLOGY REVIEW | LUMMI What’s next for AI in 2025 For the last couple of years we’ve had a go at predicting what’s coming next in AI. A fool’s game given how fast this industry moves. But we gave it a go anyway back in January. As we sail pass this year’s halfway mark, it’s a good time to ask: how well did we do? Check out our predictions, and see for yourself!
—James O’Donnell, Will Douglas Heaven & Melissa Heikkilä This piece is part of MIT Technology Review’s What’s Next series, looking across industries, trends, and technologies to give you a first look at the future. You can read the rest of them here.

Every day, billions of people trust digital systems to run everything from communication to commerce to critical infrastructure. But the global early warning system that alerts security teams to dangerous software flaws is showing critical gaps in coverage—and most users have no idea their digital lives are likely becoming more vulnerable. Over the past eighteen months, two pillars of global cybersecurity have flirted with apparent collapse. In February 2024, the US-backed National Vulnerability Database (NVD)—relied on globally for its free analysis of security threats—abruptly stopped publishing new entries, citing a cryptic “change in interagency support.” Then, in April of this year, the Common Vulnerabilities and Exposures (CVE) program, the fundamental numbering system for tracking software flaws, seemed at similar risk: A leaked letter warned of an imminent contract expiration. Cybersecurity practitioners have since flooded Discord channels and LinkedIn feeds with emergency posts and memes of “NVD” and “CVE” engraved on tombstones. Unpatched vulnerabilities are the second most common way cyberattackers break in, and they have led to fatal hospital outages and critical infrastructure failures. In a social media post, Jen Easterly, a US cybersecurity expert, said: “Losing [CVE] would be like tearing out the card catalog from every library at once—leaving defenders to sort through chaos while attackers take full advantage.” If CVEs identify each vulnerability like a book in a card catalog, NVD entries provide the detailed review with context around severity, scope, and exploitability.  In the end, the Cybersecurity and Infrastructure Security Agency (CISA) extended funding for CVE another year, attributing the incident to a “contract administration issue.” But the NVD’s story has proved more complicated. Its parent organization, the National Institute of Standards and Technology (NIST), reportedly saw its budget cut roughly 12% in 2024, right around the time that CISA pulled its $3.7 million in annual funding for the NVD. Shortly after, as the backlog grew, CISA launched its own “Vulnrichment” program to help address the analysis gap, while promoting a more distributed approach that allows multiple authorized partners to publish enriched data. 
“CISA continuously assesses how to most effectively allocate limited resources to help organizations reduce the risk of newly disclosed vulnerabilities,” says Sandy Radesky, the agency’s associate director for vulnerability management. Rather than just filling the gap, she emphasizes that Vulnrichment was established to provide unique additional information, like recommended actions for specific stakeholders, and to “reduce dependency of the federal government’s role to be the sole provider of vulnerability enrichment.” Meanwhile, NIST has scrambled to hire contractors to help clear the backlog. Despite a return to pre-crisis processing levels, a boom in vulnerabilities newly disclosed to the NVD has outpaced these efforts. Currently, over 25,000 vulnerabilities await processing – nearly 10 times the previous high in 2017, according to data from software company Anchore. Before that, the NVD largely kept pace with CVE publications, maintaining a minimal backlog.
“Things have been disruptive, and we’ve been going through times of change across the board,” Matthew Scholl, then chief of the computer security division in NIST’s Information Technology Laboratory, said at an industry event in April. “Leadership has assured me and everyone that NVD is and will continue to be a mission priority for NIST, both in resourcing and capabilities.” Scholl left NIST in May after 20 years at the agency, and NIST declined to comment on the backlog.  The situation has now prompted multiple government actions, with the Department of Commerce launching an audit of the NVD in May and House Democrats calling for a broader probe of both programs in June. But the damage to trust is already transforming geopolitics and supply chains as security teams prepare for a new era of cyber risk. “It’s left a bad taste, and people are realizing they can’t rely on this,” says Rose Gupta, who builds and runs enterprise vulnerability management programs. “Even if they get everything together tomorrow with a bigger budget, I don’t know that this won’t happen again. So I have to make sure I have other controls in place.” As these public resources falter, organizations and governments are confronting a critical weakness in our digital infrastructure: Essential global cybersecurity services depend on a complex web of US agency interests and government funding that can be cut or redirected at any time. Security haves and have-nots What began as a trickle of software vulnerabilities in the early Internet era has become an unstoppable avalanche, and the free databases that have tracked them for decades have struggled to keep up. In early July, the CVE database crossed over 300,000 catalogued vulnerabilities. Numbers jump unpredictably each year, sometimes by 10% or much more. Even before its latest crisis, the NVD was notorious for delayed publication of new vulnerability analyses, often trailing private security software and vendor advisories by weeks or months. Gupta has watched organizations increasingly adopt commercial vulnerability management (VM) software that includes its own threat intelligence services. “We’ve definitely become over-reliant on our VM tools,” she notes, describing security teams’ growing dependence on vendors like Qualys, Rapid7, and Tenable to supplement or replace unreliable public databases. These platforms combine their own research with various data sources to create proprietary risk scores that help teams prioritize fixes. But not all organizations can afford to fill the NVD’s gap with premium security tools. “Smaller companies and startups, already at a disadvantage, are going to be more at risk,” she explains.  Komal Rawat, a security engineer in New Delhi whose mid-stage cloud startup has a limited budget, describes the impact in stark terms: “If NVD goes, there will be a crisis in the market. Other databases are not that popular, and to the extent they are adopted, they are not free. If you don’t have recent data, you’re exposed to attackers who do.” The growing backlog means new devices could be more likely to have vulnerability blind spots—whether that’s a Ring doorbell at home or an office building’s “smart” access control system. The biggest risk may be “one-off” security flaws that fly under the radar. “There are thousands of vulnerabilities that will not affect the majority of enterprises,” says Gupta. “Those are the ones that we’re not getting analysis on, which would leave us at risk.” NIST acknowledges it has limited visibility into which organizations are most affected by the backlog. “We don’t track which industries use which products and therefore cannot measure impact to specific industries,” a spokesperson says. Instead, the team prioritizes vulnerabilities on the basis of CISA’s known exploits list and those included in vendor advisories like Microsoft Patch Tuesday.

The biggest vulnerability Brian Martin has watched this system evolve—and deteriorate—from the inside. A former CVE board member and an original project leader behind the Open Source Vulnerability Database, he has built a combative reputation over the decades as a leading historian and practitioner. Martin says his current project, VulnDB (part of Flashpoint Security), outperforms the official databases he once helped oversee. “Our team processes more vulnerabilities, at a much faster turnaround, and we do it for a fraction of the cost,” he says, referring to the tens of millions in government contracts that support the current system.  When we spoke in May, Martin said his database contains more than 112,000 vulnerabilities with no CVE identifiers—security flaws that exist in the wild but remain invisible to organizations that rely solely on public channels. “If you gave me the money to triple my team, that non-CVE number would be in the 500,000 range,” he said. In the US, official vulnerability management duties are split between a web of contractors, agencies, and nonprofit centers like the Mitre Corporation. Critics like Martin say that creates potential for redundancy, confusion, and inefficiency, with layers of middle management and relatively few actual vulnerability experts. Others defend the value of this fragmentation. “These programs build on or complement each other to create a more comprehensive, supportive, and diverse community,” CISA said in a statement. “That increases the resilience and usefulness of the entire ecosystem.” As American leadership wavers, other nations are stepping up. China now operates multiple vulnerability databases, some surprisingly robust but tainted by the possibility that they are subject to state control. In May, the European Union accelerated the launch of its own database, as well as a decentralized “Global CVE” architecture. Following social media and cloud services, vulnerability intelligence has become another front in the contest for technological independence.  That leaves security professionals to navigate multiple, potentially conflicting sources of data. “It’s going to be a mess, but I would rather have too much information than none at all,” says Gupta, describing how her team monitors multiple databases despite the added complexity.  Resetting software liability As defenders adapt to the fragmenting landscape, the tech industry faces another reckoning: Why don’t software vendors carry more responsibility for protecting their customers from security issues? Major vendors routinely disclose—but don’t necessarily patch—thousands of new vulnerabilities each year. A single exposure could crash critical systems or increase the risks of fraud and data misuse.  For decades, the industry has hidden behind legal shields. “Shrink-wrap licenses” once forced consumers to broadly waive their right to hold software vendors liable for defects. Today’s end-user license agreements (EULAs), often delivered in pop-up browser windows, have evolved into incomprehensibly long documents. Last November, a lab project called “EULAS of Despair” used the length of War and Peace (587,287 words) to measure these sprawling contracts. The worst offender? Twitter, at 15.83 novels’ worth of fine print. “This is a legal fiction that we’ve created around this whole ecosystem, and it’s just not sustainable,” says Andrea Matwyshyn, a US special advisor and technology law professor at Penn State University, where she directs the Policy Innovation Lab of Tomorrow. “Some people point to the fact that software can contain a mix of products and services, creating more complex facts. But just like in engineering or financial litigation, even the most messy scenarios can be resolved with the assistance of experts.”
This liability shield is finally beginning to crack. In July 2024, a faulty security update in CrowdStrike’s popular endpoint detection software crashed millions of Windows computers worldwide and caused outages at everything from airlines to hospitals to 911 systems. The incident led to billions in estimated damages, and the city of Portland, Oregon, even declared a “state of emergency.” Now, affected companies like Delta Airlines have hired high-priced attorneys to pursue major damages—a signal opening of the floodgates to litigation. Despite the soaring number of vulnerabilities, many fall into long-established categories, such as SQL injections that interfere with database queries and buffer memory overflows that enable code to be executed remotely. Matwyshyn advocates for a mandatory “software bill of materials,” or S-BOM—an ingredients list that would let organizations understand what components and potential vulnerabilities exist throughout their software supply chains. One recent report found 30% of data breaches stemmed from the vulnerabilities of third-party software vendors or cloud service providers.
She adds: “When you can’t tell the difference between the companies that are cutting corners and a company that has really invested in doing right by their customers, that results in a market where everyone loses.” CISA leadership shares this sentiment, with a spokesperson emphasizing its “secure-by-design principles,” such as “making essential security features available without additional cost, eliminating classes of vulnerabilities, and building products in a way that reduces the cybersecurity burden on customers.” Avoiding a digital ‘dark age’ It will likely come as no surprise that practitioners are looking to AI to help fill the gap, while at the same time preparing for a coming swarm of cyberattacks by AI agents. Security researchers have used an OpenAI model to discover new “zero-day” vulnerabilities. And both the NVD and CVE teams are developing “AI-powered tools” to help streamline data collection, identification, and processing. NIST says that “up to 65% of our analysis time has been spent generating CPEs”—product information codes that pinpoint affected software. If AI can solve even part of this tedious process, it could dramatically speed up the analysis pipeline. But Martin cautions against optimism around AI, noting that the technology remains unproven and often riddled with inaccuracies—which, in security, can be fatal. “Rather than AI or ML [machine learning], there are ways to strategically automate bits of the processing of that vulnerability data while ensuring 99.5% accuracy,” he says.  AI also fails to address more fundamental challenges in governance. The CVE Foundation, launched in April 2025 by breakaway board members, proposes a globally funded nonprofit model similar to that of the internet’s addressing system, which transitioned from US government control to international governance. Other security leaders are pushing to revitalize open-source alternatives like Google’s OSV Project or the NVD++ (maintained by VulnCheck), which are accessible to the public but currently have limited resources. As these various reform efforts gain momentum, the world is waking up to the fact that vulnerability intelligence—like disease surveillance or aviation safety—requires sustained cooperation and public investment. Without it, a patchwork of paid databases will be all that remains, threatening to leave all but the richest organizations and nations permanently exposed. Matthew King is a technology and environmental journalist based in New York. He previously worked for cybersecurity firm Tenable.

This week I’m sending congratulations to two sets of parents in South Africa. Babies Milayah and Rossouw arrived a few weeks ago. All babies are special, but these two set a new precedent. They’re the first to be born following “simplified” IVF performed in a mobile lab. This new mobile lab is essentially a trailer crammed with everything an embryologist needs to perform IVF on a shoestring. It was designed to deliver reproductive treatments to people who live in rural parts of low-income countries, where IVF can be prohibitively expensive or even nonexistent. And it seems to work! While IVF is increasingly commonplace in wealthy countries—around 12% of all births in Spain result from such procedures—it remains expensive and isn’t always covered by insurance or national health providers. And it’s even less accessible in low-income countries—especially for people who live in rural areas. People often assume that countries with high birth rates don’t need access to fertility treatments, says Gerhard Boshoff, an embryologist at the University of Pretoria in South Africa. Sub-Saharan African countries like Niger, Angola, and Benin all have birth rates above 40 per 1,000 people, which is over four times the rates in Italy and Japan, for example.
But that doesn’t mean people in Sub-Saharan Africa don’t need IVF. Globally, around one in six adults experience infertility at some point in their lives, according to the World Health Organization. Research by the organization suggests that infertility rates are similar in high-income and low-income countries. As the WHO’s director general Tedros Adhanom Ghebreyesus puts it: “Infertility does not discriminate.” For many people in rural areas of low-income countries, IVF clinics simply don’t exist. South Africa is considered a “reproductive hub” of the African continent, but even in that country there are fewer than 30 clinics for a population of over 60 million. A recent study found there were no such clinics in Angola or Malawi.  
Willem Ombelet, a retired gynecologist, first noticed these disparities back in the 1980s, while he was working at an IVF lab in Pretoria. “I witnessed that infertility was [more prevalent] in the black population than the white population—but they couldn’t access IVF because of apartheid,” he says. The experience spurred him to find ways to make IVF accessible for everyone. In the 1990s, he launched The Walking Egg—a science and art project with that goal. In 2008, Ombelet met Jonathan Van Blerkom, a reproductive biologist and embryologist who had already been experimenting with a simplified version of IVF. Typically, embryos are cultured in an incubator that provides a sterile mix of gases. Van Blerkom’s approach was to preload tubes with the required gases and seal them with a rubber stopper. “We don’t need a fancy lab,” says Ombelet. COURTESY OF GERHARD BOSHOFF Eggs and sperm can be injected into the tubes through the stoppers, and the resulting embryos can be grown inside. All you really need is a good microscope and a way to keep the tube warm, says Ombelet. Once the embryos are around five days old, they can be transferred to a person’s uterus or frozen. “The cost is one tenth or one twentieth of a normal lab,” says Ombelet. Ombelet, Van Blerkom, and their colleagues found that this approach appeared to work as well as regular IVF. The team ran their first pilot trial at a clinic in Belgium in 2012. The first babies conceived with the simplified IVF process were born later that year. More recently, Boshoff wondered if the team could take the show on the road. Making IVF simpler and cheaper is one thing, but getting it to people who don’t have access to IVF care is another. What if the team could pack the simplified IVF lab into a trailer and drive it around rural South Africa? “We just needed to figure out how to have everything in a very confined space,” says Boshoff. As part of the Walking Egg project, he and his colleagues found a way to organize the lab equipment and squeeze in air filters. He then designed a “fold-out system” that allowed the team to create a second room when the trailer was parked. This provides some privacy for people who are having embryos transferred, he says. People who want to use the mobile IVF lab will first have to undergo treatment at a local medical facility, where they will take drugs that stimulate their ovaries to release eggs, and then have those eggs collected. The rest of the process can be done in the mobile lab, says Boshoff, who presented his work at the European Society of Human Reproduction and Embryology’s annual meeting in Paris earlier this month. The first trial started last year. The team partnered with one of the few existing fertility clinics in rural South Africa, which put them in touch with 10 willing volunteers. Five of the 10 women got pregnant following their simplified IVF in the mobile lab. One miscarried, but four pregnancies continued. On June 18, baby Milayah arrived. Two days later, another mother welcomed baby Rossouw. The other babies could come any day now. “We’ve proven that a very cheap and easy [IVF] method can be used even in a mobile unit and have comparable results to regular IVF,” says Ombelet, who says his team is planning similar trials in Egypt and Indonesia. “The next step is to roll it out all over the world.” This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here.

Want smarter insights in your inbox? Sign up for our weekly newsletters to get only what matters to enterprise AI, data, and security leaders. Subscribe Now VentureBeat’s exclusive interview with Sam Evans, CISO of Clearwater Analytics, reveals why enterprise browsers are quickly becoming the frontline defense against shadow AI in its many forms.    Evans faced a critical challenge in October 2023. Standing before Clearwater Analytics’ board, he had to confront concerns that employees might inadvertently expose data that could potentially compromise the firm’s $8.8 trillion assets under management.   “The worst possible thing would be one of our employees taking customer data and putting it into an AI engine that we don’t manage,” Evans told VentureBeat. “The employee not knowing any different or trying to solve a problem for a customer…that data helps train the model.” Here is our conversation with Evans, edited for length and clarity VentureBeat: How do you see AI shaping cybersecurity today? Evans: The attacks have become significantly more sophisticated. If you consider it from the perspective of a bad actor, the phishing emails and attempts we receive have become much more complex. However, AI also possesses response capabilities. I like to explain it to our board, as the ultimate cat-and-mouse game. As bad actors start to use AI to advance phishing, or perhaps expedite the time it takes for exploits to emerge after vulnerabilities are announced, there’s the opposite side of security practitioners using AI to help advance how we respond. VentureBeat: How is AI helping your defensive capabilities? Evans: We’ve begun integrating AI into our security playbooks. By doing so, our security analysts now spend less time searching and hunting. The AI is involved in the security operations center (SOC) product, conducting its initial triage analysis and saying, “Based on previous things that

Want smarter insights in your inbox? Sign up for our weekly newsletters to get only what matters to enterprise AI, data, and security leaders. Subscribe Now AWS seeks to extend its market position with updates to SageMaker, its machine learning and AI model training and inference platform, adding new observability capabilities, connected coding environments and GPU cluster performance management.  However, AWS continues to face competition from Google and Microsoft, which also offer many features that help accelerate AI training and inference.   SageMaker, which transformed into a unified hub for integrating data sources and accessing machine learning tools in 2024, will add features that provide insight into why model performance slows and offer AWS customers more control over the amount of compute allocated for model development. Other new features include connecting local integrated development environments (IDEs) to SageMaker, so locally written AI projects can be deployed on the platform.  SageMaker General Manager Ankur Mehrotra told VentureBeat that many of these new updates originated from customers themselves.  “One challenge that we’ve seen our customers face while developing Gen AI models is that when something goes wrong or when something is not working as per the expectation, it’s really hard to find what’s going on in that layer of the stack,” Mehrotra said. SageMaker HyperPod observability enables engineers to examine the various layers of the stack, such as the compute layer or networking layer. If anything goes wrong or models become slower, SageMaker can alert them and publish metrics on a dashboard. Mehrotra pointed to a real issue his own team faced while training new models, where training code began stressing GPUs, causing temperature fluctuations. He said that without the latest tools, developers would have taken weeks to identify the source of the issue and then fix it.  Connected IDEs SageMaker already offered

While agentic AI definitely marks a turning point in human-computer interaction, moving from tool use to collaboration, the next step is integrating these agents and actually deriving value. At VentureBeat’s Transform 2025, Matthew Kropp, managing director and senior partner at BCG, offered a game plan for workflow evolution, employee adoption, and organizational change.

“The companies that are at the top of this curve — what we call future built, the ones that are most mature — are seeing substantial results: 1.5 times more revenue growth, 1.8 times higher shareholder value,” Kropp said. “There’s value here, but we’re early.”

[embedded content]

Deploy, reshape, invent

To take advantage and create value with AI and with agents, a company needs to determine where to focus, using a deploy, reshape, invent framework. AI is already being deployed in every enterprise, and will have agents within the next few years. But if you give an employee a chatbot, you haven’t changed the way the work is done. You have to rethink the work, and reshape functions, departments, and workflows by identifying where human work can be automated.

“We’re advising companies right now to focus on your three or four big rocks. If you have a big customer support organization, you should apply AI in customer support. It has a huge impact. If you have a big engineering organization, you should employ tools like Windsurf to reshape the way that you do engineering, software development.”

Invention is still in the very early stage, but enterprises should be thinking about how to use AI’s ability to be creative, reason, and plan. Look at services and products, and how you interact with customers: can you reinvent that using those capabilities?”

For instance, makeup company L’Oreal launched a virtual beauty advisor to scale that exclusive service beyond their retail locations, reinventing the way they think about interacting with their customers at scale.

Thinking beyond basic use cases

It’s also critical to think about how AI changes your business. There’s been a lot of focus in the last couple of years on cost reduction by replacing workers, but that isn’t big-picture thinking. AI amplifies the employees you currently have, dramatically increasing their productivity.

“This is what we’re seeing in software development,” he said. “I don’t think we’ll see companies laying off their software developers. We’re going to see a massive explosion in the amount of capability and features that software companies are building.”

In a study BCG conducted with Harvard, Wharton, and MIT, they asked 750 knowledge workers to write a business and marketing plan, with and without generative AI. The participants using GPT4 executed 25% faster, completed 15% more tasks, and the quality of their output was 40% better. And when given an LLM, the bottom performers in the baseline did just as well as the top performers.

“It brought everyone’s performance up, which is very powerful, because in most organizations the new joiners are less effective than more experienced people,” he said. “It has the ability to increase time to proficiency.”

AI can also surpass human scale, even open up new applications that were not previously possible. For example, in the medical space, outcomes for patients are significantly improved with preoperative and postoperative follow-up from a nurse, but implementing this has been cost-prohibitive — until the advent of AI nurses that can take on that task for a large patient population.

Overcoming the biggest hurdle: Adoption

While these tools are fantastic, people aren’t using them. BCG tracked the adoption of GitHub Copilot and productivity metrics for an organization with about 10,000 software engineers. The top 5% engineers doubled in productivity in four months, while 60% showed zero improvement, because they just didn’t adopt the tool at all.

Why won’t humans adopt? There are three reasons. First is capability ignorance. The second, habit inertia. The third is identity threat, and that is the hardest to overcome. Developers are asking, “If this AI can write code for me then who am I? What’s my value?”

“This is going to be the real work of the next three to five years,” Kropp said. “It’s getting people to use the agents.”

Strategies overcoming reluctance

There are a few valuable ways to overcome these challenges. Naturally, getting the right tool is the first step, and integrating it with the way people work by training them explicitly. It’s also critical to measure and celebrate adoption for those employees actively using the tools so that everyone else starts to see they need to get on this bandwagon.

Another important step is ramping up scarcity — that means taking away resources so employees need to do more with less. At the same time, it’s essential to redesign work processes hand-in-hand with those employees who are on the front lines. Don’t just identify laborious processes where manual work can be automated — identify the parts where humans bring value.

“We minimize the toil and we maximize the joy,” Kropp said. “We’re left with a much more efficient process, a much more efficient company, a much more productive workforce, and jobs that people like to be in.”