Two boards I sat in front of last quarter asked the same question: “What’s blocking our GenAI rollout?” In both cases the answer wasn’t the model, the data or the use-case. It was that the platform underneath couldn’t answer questions a regulator was about to start asking.
Specifically: workload identity coverage was inconsistent. Observability defaults didn’t span LLM calls. Policy-as-code existed for Kubernetes admissions but not for AI feature flags. Audit-evidence pipelines had no slot for “why did the model say what it said.”
Every one of those gaps is a platform-engineering capability gap. None of them is an AI capability gap. The bottleneck is the substrate, not the model.
What “AI-ready platform” actually means.
Five capabilities that a platform team needs in place before the first GenAI feature lands in production:
- Workload identity for AI calls. The LLM gateway, vector DB, RAG retriever and any agent runtime authenticate via short-lived, identity-bound tokens. Static API keys to model providers are the new static-credential problem.
- OpenTelemetry GenAI semconv by default. Every model call emits a trace using the stabilising OTel GenAI conventions: prompt, retrieved context, model version, latency, cost, token counts. No bespoke trace formats per team.
- Per-call cost attribution. Cost-per-request known at emit time, attributed to a product feature. The FinOps Foundation AI Working Group is standardising the chart-of-accounts.
- Policy-as-code applied to AI deploys. Eval-regression gates, model-version pinning, prompt-version pinning, guardrail coverage — enforced at deploy time, not at incident time.
- Audit-evidence pipeline. Per-decision trace, signed at decision time, retention-policy enforced, replayable on regulator query.
Note what’s not on this list: anything specific to GenAI as a capability. This is platform engineering work, full stop. It happens to be the prerequisite for safe GenAI deployment.
The compound.
An org with these five capabilities in its paved path ships its tenth GenAI feature in days, not months. An org without them ships its first in months and never reaches the tenth.
The substrate is the moat. Once it’s in place, every new AI use-case inherits identity, observability, policy and audit by default. The platform team doesn’t become “the AI team.” The platform — with these properties — is the AI team’s force multiplier.
This is the same dynamic that played out with mobile (2010), cloud (2014), microservices (2018) and Kubernetes (2020). The orgs that built the substrate first compounded for a decade; the ones that retrofitted spent the same decade catching up.
Why most banks haven’t noticed.
Three reasons.
First, GenAI got owned by the wrong function. Most enterprises put a Chief AI Officer or AI Centre of Excellence in charge. These functions are excellent at model selection, eval methodology and use-case sourcing. They’re structurally weak at workload identity, observability defaults and policy-as-code — because those are platform-engineering disciplines they don’t own.
Second, the platform-engineering function (where it exists) has been heads-down on the substrate for non-AI workloads — just finishing the Kubernetes migration, just standing up the IDP, just rolling out Backstage. Adding AI patterns to the paved path is the next thing, not the current thing.
Third, the regulatory pressure on GenAI in regulated industries is sharp but new. EU AI Act high-risk obligations enforceable from 2 Aug 2026. APRA CPS 230 from 1 Jul 2025. Boards haven’t pattern-matched this onto platform-engineering budget conversations yet.
What the platform team should ship next.
If your platform engineering function asks “what should we ship next quarter to enable safe AI?”, the answer is not “a model gateway.” It’s:
- OTel GenAI conventions as inherited default on every new service template. Wire to existing observability stack.
- Workload-identity migration for AI-touching workloads first. Use this as the wedge for broader migration.
- A “model-routing” abstraction layer in the platform — not because of cost optimisation (yet), but because version pinning, eval gating and fallback need a single place to live.
- An audit-evidence service that any service can call to emit a signed per-decision evidence pack. Retention policy encoded.
- An eval-regression gate in the deploy pipeline. Block merges that fail any critical eval threshold.
Each of these is a 4–8 week piece of work for a mature platform team. Sequenced over two quarters, they unblock every future AI feature.
How to fund it.
The boring answer: it’s a platform-engineering investment that also unblocks AI. Don’t fund it as “AI work.” The AI Centre of Excellence cannot defend it inside their budget — it doesn’t look like AI work to a finance committee. The platform engineering team can defend it; it does look like platform work.
The pitch to the board: “The platform investment in [X, Y, Z] unblocks our AI roadmap, reduces our DORA-reportable operational risk, and is a prerequisite for our ISO/IEC 42001 ambition. Same capability set, three concurrent strategic outcomes.” That is the actual truth. It is also the easiest finance committee conversation you’ll have this year.
Where Australia stands.
Australian Tier-1 banks are roughly split. Two have made the platform-substrate-first bet and are months ahead on safe AI delivery. Two are funding their AI rollouts in parallel with their platform programme — and will hit a wall at the first regulator-grade audit. Government departments are in a similar split, with DTA pushing toward shared platforms in a way that helps but doesn’t solve.
The split will become visible in 2027 when the AU Voluntary AI Safety Standard becomes mandatory (signposted) and the EU AI Act starts cross-border enforcement. The orgs without substrate will be visible in the news, not in the leaderboards.
The reframe worth keeping.
AI is not a workload. It’s a property of the platform.
Once you internalise that, the budget conversations get easier, the architectural conversations get clearer, and the work sequences itself. Run the Platform Engineering Readiness diagnostic next to the GenAI Readiness diagnostic. If they don’t score within one level of each other, you have a substrate gap.
Most orgs do.