Legacy Infrastructure Is Slowing Enterprise Agentic AI Adoption

Kris Lovejoy draws a hard line between the agentic AI demo and the enterprise system. The demo can be built quickly. The production environment has to be secure, compliant, resilient, reliable, scalable, and aware of the context embedded in decades of infrastructure decisions.

That distinction explains why Lovejoy sees agentic AI everywhere in pilots and almost nowhere at meaningful scale. Enterprises are past pure experimentation, in her view, but not yet in what she calls “the age of industrialization.” They are finding agentic systems costly, somewhat insecure, unreliable, and difficult to scale. In Europe, she adds, sovereignty concerns create another constraint.

Lovejoy is the global strategy leader at Kyndryl, the IT infrastructure company spun out of IBM about four years ago. She describes Kyndryl’s work in three broad areas: IT modernization, including moving legacy workloads and data-center infrastructure toward cloud environments; security and resiliency; and data and AI, including generative and agentic systems. In enterprise agentic AI, she says, the company’s role is not only to help build the “train” — the agentic workflow — but also to modernize the tracks on which that train has to run.

Her analogy is a bullet train capable of 150 miles per hour sitting on track that can only support 30 to 60 miles per hour. The limiting factor is not the theoretical speed of the train. It is the infrastructure beneath it. She applies that directly to enterprises trying to deploy agents into legacy estates made up of multiple clouds, old systems, SaaS products, and undocumented integrations.

Kyndryl’s emphasis, she says, is preparing the IT infrastructure and data layers: monitoring, registration, policy enforcement, orchestration, and the operational controls required to use agentic AI at scale. Without that foundation, an enterprise can get impressive pilots but not reliable horizontal automation across the business.

Lovejoy distinguishes between vertical use cases and horizontal ones. Vertical agentic applications — “know your customer,” healthcare invoicing, or a sales cash-to-order process — can succeed because they are contained. Horizontal workflows, where AI-driven processes integrate across business functions, remain mostly aspirational in her experience. She says she has not yet seen broad horizontal enterprise agentic AI operating at scale.

That is the core tension: boards are pressuring executives to deploy AI, while economic uncertainty makes those same organizations reluctant to spend capital. Lovejoy says many customers are effectively asking how to fund AI when they do not have money to spend. Her proposed answer begins not with the most visible business function, but with IT service management.

For Lovejoy, IT service management is the practical entry point for enterprise agentic AI because it is structured, process-heavy, and already organized around established operating procedures. Kyndryl has an AIOps platform developed after the IBM spinout to manage customer systems with a high level of automation. Over time, she says, Kyndryl has begun to “agentify” that operating model.

IT service management, in her framing, means the processes required to manage IT infrastructure: problem and incident management, configuration management, patch management, provisioning, security health checks, compliance, audit, and related administrative work. These are formal operating disciplines with known procedures and defined ownership in many enterprises.

Lovejoy says Kyndryl has a maturity model that allows customers to integrate agentic AI into IT service management gradually. The economic claim is direct but bounded: automating these processes can radically reduce IT service management costs, in some cases by as much as 90%. Those funds, she says, can then be used to pay for the modernization work that broader agentic deployment requires.

Lovejoy calls that a “modernization dividend.” It is a bottom-up route to horizontal AI adoption: start in IT operations, use the savings to improve the infrastructure and data foundation, and only then move toward broader cross-functional workflows.

The reason IT service management is unusually suitable, in Lovejoy’s account, is that the work can be mapped to runbooks and mature process models. Lovejoy points to ITIL — the IT Infrastructure Library — as the “best practices,” implementation blueprint, and maturity model for managing IT. She describes it as the administrator’s bible: if an administrator wants to patch a system, ITIL specifies what good management and automation maturity look like.

There are 34 ITIL processes, Lovejoy says, and she estimates that roughly 20 can be “agentified.” Kyndryl breaks those processes into discrete components mapped to ITIL, then builds agents against those components. The goal is not simply to let a model improvise. It is to combine known process logic, actual operating data from AIOps, and policy controls into agentic workflows.

Kyndryl’s agent-building process starts with the customer’s defined operating procedures and its own runbooks. Lovejoy says the ontology is already defined in many cases. Kyndryl also has AIOps data showing how the process actually runs in practice: the environment, the problems that recur, and the operational patterns around execution. Its framework ingests the process and the operational insights, “crunches” the workflow, and produces agents to automate parts of the process.

The level of autonomy varies by customer. Lovejoy repeatedly separates two control models: a human “in the loop,” where human checkpoints sit inside the workflow, and a human “over the loop,” where humans supervise agents from above. That difference matters because regulated, critical, or brittle environments require more direct intervention. Some customers will accept more autonomy; others want explicit human checkpoints before consequential actions.

Kris Lovejoy says Kyndryl tends toward open-source models where possible, but the model choice depends on the customer. Some customers want Kyndryl to use their own models, often for intellectual property reasons. Her emphasis is not on a single “brain” for agents, but on the framework around them.

The named system is the Kyndryl Agentic AI Framework, which Lovejoy says had been released about six months earlier. She describes it as having a policy ingestion and agent-creation component, plus an orchestration engine for managing agentic workflows inside a single enterprise. In her description, Kyndryl’s architecture begins with process knowledge, policy requirements, and operational data, then wraps the resulting agents in controls for how they are run.

Under that sits Kyndryl Bridge, which Lovejoy frames as a multi-tenant capability. The goal, she says, is reusability: an agent that works for one customer may be reusable for others, provided it can be discovered, registered, governed, monitored, and constrained appropriately. Bridge, in her description, is the mechanism for discovering agents, registering them, defining the policy that needs to be monitored, monitoring them, and enforcing policy across agents running through multiple orchestration frameworks.

Lovejoy’s description treats the agent less as a one-off automation script than as something that needs operational management. The agent must be found. It must be registered. The relevant policy must be defined. Its workflow must be monitored. Enforcement has to work across the places where agents actually operate.

This is also why she is skeptical of “fire-and-forget” agents. Even when the agent’s job is to monitor security, she says, it needs human supervision. Agents learn and change behavior based on what they observe. A policy written only for what the agent is today may not constrain what it becomes. Lovejoy says Kyndryl tests agents in digital twin environments, including work with Microsoft’s digital twin technology, to see how an agent behaves under different circumstances and how it might evolve.

The objective, as she describes it, is to set policy not only for the agent’s current state but for its expected evolution, then constrain it from evolving beyond acceptable boundaries. Separately, she says Kyndryl uses “guardian agents” for testing, policy evolution, policy implementation, monitoring, and enforcement.

That introduces a recursive pattern: agents are used to monitor agents. But Lovejoy does not present that as a substitute for human judgment. She says humans are still needed because the underlying systems are too context-dependent and because the signal can be ambiguous. Good software and bad software can look similar. Bad coding practices are common enough that an agent trained on “good” examples can learn questionable patterns. An agent using CVEs and other vulnerability signals still may not understand whether a particular configuration is intentional, compensating for a legacy dependency, or dangerous.

The most concrete risk Lovejoy describes is an agent doing something technically reasonable that is operationally destructive.

Her example is a vulnerability-checking agent that finds an unpatched communication protocol and patches it. On its face, the agent did the right thing. But the protocol may have been configured that way because it is tied to a 15-year-old legacy system in the background. Once patched, that system no longer works, and a critical service goes down.

That is why Lovejoy says the problem is not simply vulnerability detection. It is context, configuration, and the complexity of the underlying infrastructure. Enterprises often run a hodgepodge of multiple clouds, legacy systems, and SaaS products. The hard part is understanding not only where systems are, but why they are configured as they are.

The location of that knowledge varies. In mature organizations, it may be in ticketing systems, problem and incident management histories, configuration management databases, or systems such as ServiceNow. In smaller or less mature organizations, it may not be well captured at all. It may be in people’s heads, or absent after turnover.

This is where Lovejoy gives a qualified defense of compliance. Compliance is costly and painful, she says, but it forces hygiene. Auditors ask for records around critical infrastructure systems because when something breaks, an organization needs to know what happened and how to unwind it. That recordkeeping becomes essential when agents begin taking or recommending actions.

Lovejoy calls her relationship with regulation “fraught” — a love-hate relationship. The pain is real, but so is the value of the hygiene it imposes. In agentic systems, that hygiene becomes part of the context an organization needs before it can safely automate.

The same context problem appears in modernization. In an SAP modernization, for example, Lovejoy says the hard part may not be lifting and shifting the application itself. Many organizations want to move first to the cloud and then to RISE. The painful work is often the networking, provisioning, and surrounding systems integrated into SAP that have to be reoriented for a cloud environment. Each application estate has its own “foibles,” and firms with migration experience know where to look.

COBOL introduces a different class of problem. Lovejoy says there are about 800 billion lines of COBOL code supporting critical infrastructure services, with about 400 billion lines written 20, 30, or sometimes 40 years ago. Mainframes are secure in important ways, she says, but they are built for backward compatibility. The old code runs as old code.

Her concern is that old COBOL and Java environments may contain “crypto relics” — cryptography baked into the code. In some cases, she says, those cryptographic elements do not manifest until runtime in memory, making them hard to find through ordinary review. Modernization then becomes an archaeological dig: find the cryptographic relics, decide whether the application must be refactored, and determine the options.

AI helps with this front-end discovery and refactoring work. Lovejoy calls code refactoring one of the bright spots for AI in modernization. It does not make modernization painless. It makes it “less ugly.” The work remains difficult, but AI can speed up the process of understanding what has to be done.

Kris Lovejoy treats agentic AI as both a security tool and a source of new operational risk. On defense, she says AI is needed because attackers also have AI. Phishing has improved sharply, and language barriers that once provided some protection in countries such as Japan and Korea no longer do. Agentic AI can help in security operations by identifying, triaging, and supporting resolution of incidents.

But when discussing the risk introduced by agentic AI, Lovejoy resists framing it mainly as sophisticated adversarial behavior. Her view of cybersecurity is broader and more mundane: many incidents classified as cybersecurity problems begin with somebody doing something “really dumb.” A system is misconfigured. A network is badly set up. An upgrade is missed or performed incorrectly. A deletion occurs. A mundane error creates the condition that is later exploited.

The implication for agentic AI, in Lovejoy’s risk framing, is that enterprises should focus on the failures most likely to occur and most likely to create major impact. She lists the “meat and potatoes” concerns: Was the agent registered? Was it provisioned correctly? Was the workflow right? Did the agent make a change that broke something else?

That is a notably operational security model. It treats agentic AI as a powerful automation layer operating inside brittle systems. If the agent has the wrong authority, the wrong workflow, or insufficient context, it can reproduce familiar enterprise failures faster and at larger scale.

This is also why vulnerability discovery by AI gives Lovejoy mixed feelings. She refers to an article about Claude doing an exceptionally good job identifying software vulnerabilities. That is useful, she says, because QA and checking tools are improving. But it can also create false comfort. Finding a vulnerability is not the same as knowing whether and how to patch it in a complex production environment.

Good and bad software can be difficult to distinguish. Agents trained to identify vulnerabilities may rely on CVEs and other standard signals, but those signals do not fully encode the operational context of legacy dependencies, compensating controls, or business-critical exceptions. Human minders remain necessary to review outputs and prevent agents from internalizing bad practices from supposedly good codebases.

The promise of agentic-first startups is speed: companies built from the start around AI agents, potentially operating faster and cheaper than legacy competitors. Craig Smith frames the question through the broader idea of a single founder with an agentic workforce building a billion-dollar company.

Lovejoy’s response is sharply divided between demo quality and enterprise deployability. She says agentic startup demos can be astonishing — “you built it in like 10 minutes?” — but the hard questions arrive immediately afterward. Where is the infrastructure running? Is it SOC 1, SOC 2, or SOC 3 compliant? How will it connect into SAP, CRM, email, and finance systems?

Her view is that agentic-native startups can disrupt once they solve reliable, secure, compliant, scalable operation. Until then, the larger vendors will continue to win much of the enterprise market, especially where core systems and data are involved. Salesforce and similar vendors, in her example, already sit inside customer software ecosystems and can add agentic capabilities there.

She does not rule out disruption. She expects pockets of disruption where particular use cases are so successful that they change an industry quickly. But she is more optimistic about near-term lift on the consumer side than in B2B enterprise environments. Consumers are less concerned with integrating agents into finance systems, CRM systems, or other controlled enterprise infrastructure. In B2B, she says, if the agentic product does not touch data, the barrier is lower. If it does, adoption becomes harder.

In Lovejoy’s argument, agentic-first startups are not blocked because their technology is unimpressive. They are blocked because the enterprise integration burden is high. The constraint is strongest where a product needs access to enterprise data or core systems. Large customers are not simply buying capability; they are accepting operational, compliance, security, and resilience risk.

There is no stable metric yet for how many agents one human can manage. The premise is that middle management may shift from managing people to managing hybrid teams of humans and agents, and that some specialized workforce may be needed to supervise agentic systems.

Kris Lovejoy says the pattern is emerging logically, but no stable ratio exists. Ownership of agents tends to fall where process ownership already sits. A security management team owns security agents. A problem and incident management team owns incident agents. A provisioning team owns provisioning agents. Those teams understand the process, the tools, the environment, and what good and bad outcomes look like.

The ratio of humans to agents depends on the sophistication of the agent, the criticality of the environment, and the level of auditing and compliance required. In one organization, she says, the ratio might be one human to 100 agents; in another, one to 1,000. Highly regulated critical infrastructure, where uptime is paramount, will keep more humans in the mix.

Beyond IT, organizations face a harder design question: if agents are deployed into sales or other business functions, should technical staff be embedded inside the business, or should the whole workforce be upskilled?

Lovejoy says Kyndryl has built a workforce and operations “reimagining” practice around exactly this problem, but she does not claim a single answer. Everyone, she says, needs a base level of knowledge. Organizations should “lean in”: educate employees, give them access to basic licenses, and either require or strongly encourage use so people understand both what is possible and what can go wrong.

At the same time, specialists are still needed. She compares the model to Salesforce administration. Organizations have Salesforce admins today; they may have Salesforce agentic admins tomorrow. Whether those specialists sit in sales or IT will vary by company, just as Salesforce ownership varies today.

Lovejoy is equally cautious about the labor market. In cybersecurity, she does not see agentic AI eliminating the need for security jobs. Instead, she says it is helping fill a persistent gap by automating some rote line-one work. But that creates a pipeline problem: if entry-level SOC work is automated, how do people develop into level-three experts?

Her answer points toward apprenticeship and hands-on training. She argues that universities and employers may need something closer to a guild model, where education becomes more of a practicum. For security, she says, graduates need hands-on-keyboard experience from day one and should leave school able to perform level-two or level-three work. That likely requires co-investment among universities, businesses, and perhaps the public sector.

Lovejoy also makes a broader prediction about who will do well. People with liberal arts educations, strong analytical habits, and the ability to ask good questions may thrive in this market. She notes that she was an English major and sees value in the way that training taught her to frame problems. As rote skills are automated, the premium shifts toward judgment, inquiry, and the ability to reason through ambiguous systems.

Kris Lovejoy’s explicit prediction is not that enterprises as a whole will be transformed by agentic AI within a few years. It is narrower and more operational: by about 2031, in the IT infrastructure services market, roughly half of traditional line-one and line-two systems administration tasks will be performed by agentic AI, with humans either in the loop or over the loop.

She says it will take about five years to get the “rails and trails” in place. That prediction applies to IT services, not all business functions. Broader business adoption depends on the foundation being built first. After that, pockets of disruption may spread, but not uniformly and not immediately.

That distinction matters because it counters both extremes: the idea that agentic AI is already transforming enterprises at scale, and the idea that it is merely hype. Lovejoy sees accelerating experimentation and improving success in siloed projects. Six months earlier, she says, successful use cases were rare; now she sees more of them. What she does not yet see is a meaningful increase in large-scale implementations. There is more talk about them, but not yet much deployment.

Her metaphor is a growing bubble being pushed down the road. The experimentation is getting bigger and bigger, but the road is still gravel.