{"version":"1.0","type":"agent_native_article","locale":"en","slug":"enterprise-ai-deployed-years-executives-dont-know-what-they-have-mqx32i1w","title":"Enterprise AI Has Been Deployed for Years and Barely One in Five Executives Knows What They Have","primary_category":"ai","author":{"name":"Simón Arce","slug":"simon-arce"},"published_at":"2026-06-28T00:02:56.968Z","total_votes":86,"comment_count":0,"has_map":true,"urls":{"human":"https://sustainabl.net/en/articulo/enterprise-ai-deployed-years-executives-dont-know-what-they-have-mqx32i1w","agent":"https://sustainabl.net/agent-native/en/articulo/enterprise-ai-deployed-years-executives-dont-know-what-they-have-mqx32i1w"},"summary":{"one_line":"80% of large organizations have deployed generative AI without assessing security risks, revealing a systemic governance gap driven by misaligned executive incentives rather than technical limitations.","core_question":"Why do most large organizations deploy enterprise AI without adequate governance, and what structural changes are required to close that gap?","main_thesis":"The enterprise AI maturity crisis is not a technology problem but an incentive design problem: organizations reward deployment speed over governance quality, creating a structural gap where AI systems operate without oversight, security assessment, or accountability frameworks."},"content_markdown":"## Enterprise AI Has Been Deployed for Years, and Barely One in Five Executives Knows What They Have\n\nMore than half of the world's largest organizations already have generative artificial intelligence operating somewhere within their business. That is a documented fact. What is not documented with the same ease is what lies beneath that statistic: systems processing sensitive data without anyone having defined who supervises them, autonomous agents making decisions within workflows that no security team has audited, and layers of governance that arrived late or never arrived at all.\n\nA study published by OpenText Cybersecurity in collaboration with the Ponemon Institute yields a figure that deserves sustained attention: **only one in five executives can claim that their AI systems are fully deployed with security risks assessed**. This is not an uncomfortable majority. It is eighty percent of organizations that have moved forward with adoption without resolving the most basic questions about control, access, and accountability.\n\nThis is the maturity problem that no one wants to discuss honestly in the boardroom, because naming it means admitting that the pressure to adopt moved faster than the capacity to govern.\n\n## Adoption Without Architecture Is Just Another Form of Improvisation\n\nThe predominant narrative around enterprise artificial intelligence continues to operate as though the central problem were access to technology. As if it were enough to implement the right model, connect it to the correct systems, and wait for results to arrive. That narrative offers a certain comfort to the C-Level: it allows progress to be measured in the number of pilots, in tools deployed, in departments that \"already use AI.\"\n\nWhat that narrative conceals is far more costly. According to data from the same study, **a majority of organizations report that AI has made compliance with their privacy and security requirements more complex, not simpler**. And yet, a significantly smaller proportion has established the policies and controls necessary to manage those risks. The gap is not technical. It is a matter of priorities.\n\nSanjay Srivastava, who from Genpact has built one of the most precise frameworks for thinking about enterprise AI maturity, formulates it without ambiguity: the path toward maturity in artificial intelligence runs directly through data. Not through models. Not through the innovation budget. Through data architecture, through governance embedded in operations, through clarity about who is responsible for what and under what conditions. When an organization skips that step, it does not adopt AI with maturity: it deploys capability without control.\n\nThe problem is not exclusively technical because AI systems do not operate in a vacuum. They operate within organizations where teams closest to the business rarely speak with security teams before something fails. They operate in environments where autonomous agents can interact with financial, legal, or customer data without any updated inventory of what has access to what. And they operate under executive pressure that frequently rewards speed of deployment over the soundness of the architecture.\n\nAnalyst Jason Snyder calls it \"coordination theatre\": that organizational scene where there are AI committees, adoption dashboards, and quarterly presentations showing traction, while the actual workflows remain unredefined, the data unintegrated, and the governance undefined. The result is an adoption measured in activity metrics, not in operational or financial impact. And when the audit arrives, or the incident occurs, the organization discovers that it adopted without building.\n\n## Security That Arrives Late Can No Longer Arrive on Time\n\nThere is a specific dynamic that characterizes organizations with low AI maturity: security and governance are treated as layers added after deployment, not as design conditions. It is a pattern that security teams know well, but one that the C-Level tends to underestimate until it carries a direct cost.\n\nData from the Forbes Research AI Survey 2025 quantifies the magnitude of the problem with a precision that should concern any board of directors: **62% of business leaders acknowledge that AI complicates the maintenance of their cybersecurity defenses**, and 63% state that AI-powered threats could render their current defenses obsolete within a matter of months. One year earlier, that second percentage stood at 29%.\n\nThat is not a gradual trend. It is an abrupt acceleration in the perception of risk, which coincides with the acceleration of AI deployment in operations. Organizations are introducing more AI into their systems at precisely the moment when their exposure to AI-enabled threats is growing faster than their capacity to respond.\n\nThe solution put forward by this analysis is not to reduce the speed of adoption, but to change the sequence of decisions. **Security and governance cannot function as post-deployment audits; they must be embedded in the complete lifecycle of the system**, from model design through to its integration with business applications, encompassing training, deployment, and continuous monitoring.\n\nThis implies, in concrete terms, several things that organizations with low maturity frequently postpone. First, a real inventory of which AI systems are operating in the environment and what they can access. Without that visibility, no governance is possible. Second, an extension of identity and access management to include non-human agents: each AI agent must have a defined role, delimited permissions, and traceability of its actions. Third, a model of continuous monitoring that identifies anomalous behavior in real time and that has response protocols defined before the incident occurs, not after.\n\nNone of those steps is technologically sophisticated. What they require is something more difficult: the willingness to slow down deployment just enough to build the architecture that will sustain it. And that willingness is scarce when executive incentives are aligned with the speed of adoption rather than with the quality of governance.\n\n## What the Eighty Percent Reveals About How We Decide to Adopt\n\nThe figure of twenty percent of organizations with genuine AI maturity is not merely an indicator of technology management. It is a symptom of something deeper in how large organizations make decisions under market pressure.\n\nWhen eighty percent adopts without having assessed its security risks, it is not because they lack information about the need to do so. Technology, security, and compliance teams typically know what is required. The problem sits one level higher: in the conversation that never happened between the impulse to adopt and the conditions needed to sustain that adoption responsibly.\n\nIn many organizations there exists an implicit conversation that no one has explicitly: the one that should take place between the CEO who wants to show AI traction to the board, the CISO who knows that the security architecture is not ready, the CFO who has to approve an additional investment in governance that was not in the initial budget, and the legal team that has still not defined the limits of sensitive data use by autonomous agents.\n\nThat conversation does not happen in time because it carries an internal political cost. Slowing down or conditioning the deployment of AI at a moment when the market is pushing in the opposite direction requires that someone at the C-Level be willing to hold that position in front of the board, in front of shareholders, in front of the commercial team demanding results. And in the absence of an incident that forces that conversation, institutional inertia always tilts toward moving forward.\n\nThe AI maturity problem in enterprise settings, therefore, is not resolved solely with better governance tools or more security budget. Those are necessary instruments. But the prerequisite is that someone in leadership is willing to name what the system avoids naming: that the speed of deployment has outpaced the capacity for control, that this has real consequences, and that correcting it carries a short-term cost.\n\nThe organizations that manage to cross that threshold do not do so because they discovered a more elegant methodology. They do so because someone had that conversation before an incident forced it.\n\n## Maturity Is Not a State — It Is a Decision That Is Repeated\n\nThe Ponemon Institute's research establishes that achieving AI maturity means having systems fully deployed **with security risks assessed**. That conjunction is what defines the threshold. Not deployment alone. Not assessment alone. Both things simultaneously.\n\nWhat makes that threshold difficult for most organizations is not the technical complexity of the problem, but the structure of incentives surrounding the decision. Current incentives reward deployment. The success metrics reported to boards of directors are adoption metrics: how many departments use AI, how much time the tools save, how many processes have been automated. Governance metrics — inventory of access rights, risk assessment for each deployed system — rarely carry the same weight in that conversation.\n\nChanging this is not an abstract problem of organizational culture. It is a problem of concrete incentive design. As long as leaders are evaluated on speed of adoption rather than quality of the control architecture, the eighty percent will continue to be eighty percent, and incidents will continue to be the primary mechanism of learning.\n\nThe organizations that are crossing that threshold are doing something specific: they are incorporating governance and security criteria into the very definition of what it means for an AI system to be \"ready to operate.\" Not as an additional step at the end of the process, but as a closure condition for each phase of deployment. They are extending identity management to include non-human agents with the same rigor applied to managing employee access. They are monitoring the behavior of their AI systems in real time and have defined protocols for responding to anomalies before they escalate.\n\nNone of that is revolutionary. What is unusual is the willingness to do it before an incident demands it.\n\nThere is a significant difference between organizations that learn from their own failures and those that learn from the failures of others. The eighty percent that has still not assessed its security risks is still choosing which of those two categories it wants to belong to.","article_map":{"title":"Enterprise AI Has Been Deployed for Years and Barely One in Five Executives Knows What They Have","entities":[{"name":"OpenText Cybersecurity","type":"company","role_in_article":"Source of primary research quantifying the AI governance gap in enterprise organizations"},{"name":"Ponemon Institute","type":"institution","role_in_article":"Co-publisher of the study establishing that only 20% of organizations have fully assessed AI security risks"},{"name":"Genpact","type":"company","role_in_article":"Organization where Sanjay Srivastava built a framework for enterprise AI maturity centered on data architecture"},{"name":"Sanjay Srivastava","type":"person","role_in_article":"AI maturity framework author cited to argue that governance must be embedded in data architecture, not bolted on"},{"name":"Jason Snyder","type":"person","role_in_article":"Analyst who coined 'coordination theatre' to describe organizations with AI activity metrics but no operational governance"},{"name":"Forbes Research AI Survey 2025","type":"institution","role_in_article":"Source of cybersecurity risk perception data showing accelerating executive concern about AI-enabled threats"},{"name":"Generative AI","type":"technology","role_in_article":"The deployed technology at the center of the governance gap — operating in over half of large organizations"},{"name":"Autonomous AI agents","type":"technology","role_in_article":"Specific AI deployment type highlighted as particularly ungoverned — accessing financial, legal, and customer data without audited permissions"}],"tradeoffs":["Deployment speed vs. governance quality: faster adoption generates board-visible traction but accumulates unassessed security risk","Short-term political cost of slowing deployment vs. long-term cost of an incident that forces reactive governance","Budget allocation between AI capability investment and governance infrastructure that was not in the original budget","Measuring AI success by activity metrics (departments using AI, processes automated) vs. governance metrics (access inventories, risk assessments per system)","Learning from own failures (reactive) vs. learning from others' failures (proactive) — with significant cost differential between the two"],"key_claims":[{"claim":"Only 20% of executives report their AI systems are fully deployed with security risks assessed (OpenText Cybersecurity / Ponemon Institute).","confidence":"high","support_type":"reported_fact"},{"claim":"A majority of organizations report AI has made compliance with privacy and security requirements more complex, not simpler.","confidence":"high","support_type":"reported_fact"},{"claim":"63% of business leaders say AI-powered threats could render their current defenses obsolete within months, up from 29% one year prior (Forbes Research AI Survey 2025).","confidence":"high","support_type":"reported_fact"},{"claim":"The governance gap is primarily an incentive design problem, not a technical one.","confidence":"medium","support_type":"inference"},{"claim":"Executive incentives aligned with deployment speed structurally prevent governance from arriving before incidents.","confidence":"medium","support_type":"inference"},{"claim":"Organizations that achieve AI maturity do so because someone had the governance conversation before an incident forced it.","confidence":"interpretive","support_type":"editorial_judgment"},{"claim":"Autonomous AI agents operating within enterprise workflows frequently lack defined roles, delimited permissions, or action traceability.","confidence":"medium","support_type":"inference"},{"claim":"Sanjay Srivastava's framework positions data architecture and embedded governance — not models or innovation budgets — as the path to AI maturity.","confidence":"high","support_type":"reported_fact"}],"main_thesis":"The enterprise AI maturity crisis is not a technology problem but an incentive design problem: organizations reward deployment speed over governance quality, creating a structural gap where AI systems operate without oversight, security assessment, or accountability frameworks.","core_question":"Why do most large organizations deploy enterprise AI without adequate governance, and what structural changes are required to close that gap?","core_tensions":["Market pressure to demonstrate AI adoption vs. organizational capacity to govern what is deployed","CEO incentive to show AI traction to the board vs. CISO knowledge that security architecture is not ready","Speed of AI-enabled threat evolution vs. speed of enterprise security response capacity","Governance as a cost center with no immediate ROI vs. deployment as a visible metric with immediate board recognition","Institutional inertia toward moving forward vs. the internal political cost of conditioning or slowing deployment"],"open_questions":["What governance metrics should boards of directors require alongside adoption metrics to create balanced executive incentives?","How should identity and access management frameworks be extended to cover autonomous AI agents at enterprise scale?","At what point does the accumulation of unassessed AI deployments create systemic rather than organizational risk?","Can AI maturity be achieved incrementally within existing organizational structures, or does it require a structural redesign of how deployment decisions are made?","What is the actual financial cost differential between proactive governance investment and reactive incident-driven remediation?","How do SMEs without dedicated security or compliance teams approach AI governance given the same deployment pressures?"],"training_value":{"recommended_for":["CISOs and security architects designing AI governance frameworks","CEOs and board members who need to understand the gap between AI adoption metrics and actual organizational control","CFOs evaluating governance investment as risk mitigation rather than cost center","Chief AI Officers and transformation leads responsible for enterprise AI deployment lifecycle","Risk and compliance teams extending existing frameworks to cover AI systems and autonomous agents","Consultants and analysts assessing enterprise AI maturity for strategic advisory purposes"],"when_this_article_is_useful":["When advising an organization on AI governance framework design","When diagnosing why an AI deployment has not delivered expected operational or financial impact","When preparing a board-level conversation about AI risk that goes beyond adoption metrics","When designing executive incentive structures that balance deployment speed with governance quality","When assessing whether an organization's AI security posture matches its deployment footprint","When evaluating the maturity of an enterprise AI program for investment, acquisition, or partnership purposes"],"what_a_business_agent_can_learn":["How to distinguish between AI adoption metrics and AI maturity indicators when assessing organizational readiness","The specific governance steps required before an AI system should be considered 'ready to operate': inventory, identity extension to non-human agents, continuous monitoring, pre-defined response protocols","How incentive misalignment at the C-Level creates structural governance gaps that technology tools alone cannot resolve","The pattern of 'coordination theatre' as a diagnostic signal for low AI maturity organizations","Why security and governance must be embedded as design conditions rather than post-deployment audits","How to frame the internal political cost of slowing deployment as a risk management decision rather than a competitive disadvantage"]},"argument_outline":[{"label":"1. The documented gap","point":"Only 1 in 5 executives can confirm their AI systems are fully deployed with security risks assessed, per OpenText Cybersecurity and Ponemon Institute research.","why_it_matters":"This means 80% of large organizations are running AI in production environments without basic control, access, or accountability definitions in place."},{"label":"2. Adoption without architecture","point":"The dominant enterprise AI narrative measures progress in pilots and tools deployed, not in governance quality or operational impact — what analyst Jason Snyder calls 'coordination theatre'.","why_it_matters":"Activity metrics mask structural risk: workflows unredefined, data unintegrated, governance undefined. The gap is not technical; it is a matter of organizational priorities."},{"label":"3. Security as afterthought","point":"62% of business leaders say AI complicates cybersecurity defense maintenance; 63% say AI-powered threats could render current defenses obsolete within months — up from 29% one year prior.","why_it_matters":"Organizations are accelerating AI deployment precisely when their exposure to AI-enabled threats is growing faster than their response capacity."},{"label":"4. The conversation that never happens","point":"The real governance failure occurs at the C-Level intersection: the CEO wants to show AI traction, the CISO knows the architecture is not ready, the CFO has not budgeted governance, and legal has not defined data use limits for autonomous agents.","why_it_matters":"This conversation carries internal political cost, so institutional inertia defaults to moving forward — until an incident forces the issue."},{"label":"5. Incentive redesign as the prerequisite","point":"As long as leaders are evaluated on adoption speed rather than control architecture quality, the 80% will remain 80%. Governance must become a closure condition for each deployment phase, not a post-deployment audit.","why_it_matters":"Maturity is not a state achieved once; it is a decision repeated at each deployment cycle. Organizations that cross the threshold do so by changing what 'ready to operate' means."}],"one_line_summary":"80% of large organizations have deployed generative AI without assessing security risks, revealing a systemic governance gap driven by misaligned executive incentives rather than technical limitations.","related_articles":[{"reason":"Directly complementary: argues that 93% of AI budget goes to technology while the 7% allocated to people and process determines outcomes — mirrors this article's thesis that the governance gap is not technical but organizational and incentive-driven","article_id":14321},{"reason":"Covers AI supply chain security risks that organizations are not buying into — directly relevant to the security-as-afterthought pattern and the gap between known risks and organizational action described here","article_id":14281},{"reason":"Examines how automating without redesigning preserves dysfunction at scale — structurally parallel to deploying AI without governance architecture, which this article identifies as the core enterprise maturity failure","article_id":14259}],"business_patterns":["Security and governance treated as post-deployment layers rather than design conditions — a pattern repeated across low-maturity organizations","Coordination theatre: AI committees, dashboards, and quarterly presentations coexist with undefined workflows, unintegrated data, and absent governance","Executive pressure rewarding deployment speed creates institutional inertia that defaults to moving forward in the absence of a forcing incident","The gap between technology/security teams knowing what is required and C-Level acting on it is a recurring organizational failure mode","Organizations that achieve maturity embed governance as a phase-closure condition, not an additional step at the end of the process"],"business_decisions":["Whether to slow AI deployment to build governance architecture before scaling","Whether to include security and governance criteria as closure conditions for each AI deployment phase rather than post-deployment audits","Whether to extend identity and access management frameworks to cover non-human AI agents","Whether to build a real-time inventory of all AI systems operating in the environment and their access rights","Whether to establish continuous monitoring with pre-defined anomaly response protocols","Whether to restructure executive incentives to reward governance quality alongside deployment speed","Whether to have the C-Level governance conversation proactively or wait for an incident to force it"]}}