Anthony Oren | 30 Years in Tech | Founder and CEO at NEROConsulting.com and NightCrawlerAI.
A client called me recently with a simple request. They wanted to roll out an AI coding assistant and a desktop automation agent to their 30-person team the following week.
When I asked what their data-classification policy looked like, there was a long pause. They didn’t have one.
When I asked who would own AI-related incidents, another pause.
When I asked what the rollback plan was if the tools produced something harmful, the answer was, “We figured we’d see how it goes.”
This is not an unusual conversation. I have a similar one nearly every week. And it quickly becomes a slippery slope for my IT consulting business because the first thing I think about is my client’s use (or misuse of AI), and the second thing is the liability my company would encounter if things go sideways.
From what I’ve seen, the pace of enterprise AI adoption has outrun the governance that should sit beneath it. Managers and leaders are being told that falling behind AI is an existential risk. They are not being told, with equal clarity, that adopting AI without a framework is also an existential risk, just a slower one.
The Three Stages Of AI Maturity
Most organizations I work with fall into one of three stages of AI maturity, and the gap between them is wider than people realize:
1. AI-Aware: The company knows AI exists. Employees are probably using it already, often without telling anyone. There is no policy, no inventory, no oversight. The board is starting to ask questions the executive team cannot yet answer. This stage is more common than any manager wants to admit.
2. AI-Managed: The company has published an acceptable use policy. It has approved a short list of tools. It logs usage and trains employees. Risk has been acknowledged, but not yet engineered out.
3. AI-Governed: The company treats AI the way mature organizations treat financial controls. There is a named owner (typically a CFO, COO or CTO equivalent). There is a data-classification standard that determines what may and may not be fed into a model. There is an incident response process for AI-specific events. Vendors are evaluated for model provenance, training data and retention. Outputs are auditable.
The trap is that most companies believe they are at the second stage when they are actually at the first stage.
Three Questions To Identify Your AI Maturity
If you want to know honestly where your organization sits, ask these three questions:
1. If you asked every department head to list every AI tool their team uses, including free browser-based ones, could they answer in 24 hours? If not, you do not have an inventory. You have a guess.
2. If a customer asked you tomorrow whether any of their data has been processed by a generative AI model, could you answer with confidence? If not, you have a disclosure problem waiting to happen.
3. If an employee used an AI tool to make a decision that caused real harm—a flawed contract clause, a hallucinated medical reference, a biased hiring screen— who owns the response? If the answer is “legal will figure it out,” you do not have governance. You have luck.
I have watched organizations try to jump from stage 1 to stage 3 in a quarter, but it does not work. Governance without management collapses under its own weight. In my experience, policies get written, ignored and quietly abandoned.
The companies that succeed do something different. They move deliberately through the stages, treating AI governance as a capability to build that’s continuous rather than a document to produce and “set it and forget it.” They start by getting honest about what is already happening, then they add structure, then they add controls.
Conclusion
The issue for many companies is that they are trying to solve a technology problem rather than an organizational-maturity problem dressed up as a technology problem.
To reach the organizational maturity required for successful AI adoption requires answering, with evidence, what their employees are doing with AI today, what data is flowing through which models and who is accountable when something goes wrong.
If you cannot answer those questions, the right next step is not to slow down your AI adoption, but to invest first in the framework that lets you accelerate it safely. From what I’ve seen, achieving AI value through speed only works if you have the governance that earns the right to move fast.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
