Most leaders are still treating AI as a technology question. Which tool, which license, which integration. It's the wrong question, and the gap it leaves open is wider than it looks.
The technology is the easy part now. Your team can adopt a capable AI tool this afternoon, for free, without asking anyone. Many of them already have. In a 2025 survey of 1,000 U.S. workers, 78% said they use AI tools their employer didn't provide. The capability is solved. It's in the building.
What isn't solved is the part that was always hard: the structure around the tool. Who's allowed to use it for what. What data can go into it. Who's accountable when it's wrong. None of that ships with the software. It only exists if someone decides it.
And mostly, no one has.
A policy is not the same as a decision
Almost every organization makes the same move. AI shows up, usage spreads, someone gets nervous, and a policy gets written. Now there's a document. The box is checked. Everyone feels covered.
Look one layer down and the document is usually hollow. In the same year that three-quarters of organizations reported having an AI usage policy, far fewer had anyone who actually owned the thing: a named role, a way to monitor what was happening, a plan for when it went wrong. The policy existed. The structure behind it didn't.
That's the tell. A policy is a paragraph. A decision is harder: it names a person, draws a line someone can act on, and survives contact with a Tuesday afternoon when an account manager wants to paste a client's contract into a chatbot to summarize it.
Ask a simple question inside most companies: what, specifically, is a person here allowed to put into an AI tool? You get silence, or five different answers, or a confident answer that contradicts what the policy says. The same survey that found 78% using unsanctioned tools found that half of employees get conflicting guidance on how they're supposed to use AI at all.
When the rule is unclear, people don't stop. They guess. And they guess in the direction of getting their work done.
Why this is worse than having no policy at all
You'd expect the danger to sit with the companies that did nothing. Often it sits with the ones that did just enough to feel safe.
A company that knows it has no AI policy is at least awake to the risk. A company with a policy nobody owns, nobody checks, and nobody can answer questions about has something more dangerous: confidence it hasn't earned. It will move faster, share more, and assume someone upstream is handling it, right up until something lands in a place it can't be pulled back from.
That's not a hypothetical cost anymore. In IBM's 2025 Cost of a Data Breach report, unsanctioned ("shadow") AI use was a factor in roughly one in five breaches, and organizations with high levels of shadow AI paid about $670,000 more per breach than those with little or none. Most of the breached organizations either had no AI governance policy or were still "working on one." The gap between the paragraph and the decision is where the money leaks out.
False confidence is its own risk class. It's the gap you can't see, growing inside the part of the org that believes it's already handled.
The decision you've never actually made out loud
Strip away the tooling talk and the discomfort underneath is almost always the same. It's not which AI tool should we use. It's a set of questions your organization has never sat down and answered on purpose:
What are we comfortable with our people putting into these tools, and what are we not?
Who here owns that answer, and who do people ask when they're unsure?
When AI produces something wrong and it goes out the door, who's accountable?
These aren't technology questions. No vendor demo answers them. They're decisions about how your organization works, and like every real decision, they only count once someone makes them on purpose, out loud, in a way the rest of the company can actually follow.
That's the work. It was always the work. The technology just made it urgent.
Start by seeing where you actually stand
You can't decide your way out of a gap you can't see yet. Before any policy, get an honest read on where AI already lives in your organization, what data is exposed, and which of these decisions are genuinely unmade versus only assumed.
That's what the AI Readiness Assessment does. It gives you a fast, structured look at where you stand across the five things that decide whether your AI use is a working system or a pile of guesses. No tooling pitch. Just a clear picture of which decisions you've actually made, and which ones the building is currently making for you.
You don't have a technology problem. You have decisions waiting to be made. Start by finding out which ones.
Keep reading
Part of a series on AI governance, the structure underneath the tools.
- What's Safe to Paste Into ChatGPT? The data-classification question in its most literal form.
- The 4 Stages of AI Governance Maturity. The framework, and which stage you're actually in.