Enterprise AI Has Been Deployed for Years, and Barely One in Five Executives Knows What They Have
More than half of the world's largest organizations already have generative artificial intelligence operating somewhere within their business. That is a documented fact. What is not documented with the same ease is what lies beneath that statistic: systems processing sensitive data without anyone having defined who supervises them, autonomous agents making decisions within workflows that no security team has audited, and layers of governance that arrived late or never arrived at all.
A study published by OpenText Cybersecurity in collaboration with the Ponemon Institute yields a figure that deserves sustained attention: only one in five executives can claim that their AI systems are fully deployed with security risks assessed. This is not an uncomfortable majority. It is eighty percent of organizations that have moved forward with adoption without resolving the most basic questions about control, access, and accountability.
This is the maturity problem that no one wants to discuss honestly in the boardroom, because naming it means admitting that the pressure to adopt moved faster than the capacity to govern.
Adoption Without Architecture Is Just Another Form of Improvisation
The predominant narrative around enterprise artificial intelligence continues to operate as though the central problem were access to technology. As if it were enough to implement the right model, connect it to the correct systems, and wait for results to arrive. That narrative offers a certain comfort to the C-Level: it allows progress to be measured in the number of pilots, in tools deployed, in departments that "already use AI."
What that narrative conceals is far more costly. According to data from the same study, a majority of organizations report that AI has made compliance with their privacy and security requirements more complex, not simpler. And yet, a significantly smaller proportion has established the policies and controls necessary to manage those risks. The gap is not technical. It is a matter of priorities.
Sanjay Srivastava of Genpact, who has built one of the most precise frameworks for thinking about enterprise AI maturity, puts it without ambiguity: the path toward maturity in artificial intelligence runs directly through data. Not through models. Not through the innovation budget. Through data architecture, through governance embedded in operations, through clarity about who is responsible for what and under what conditions. When an organization skips that step, it does not adopt AI with maturity: it deploys capability without control.
The problem is not exclusively technical because AI systems do not operate in a vacuum. They operate within organizations where teams closest to the business rarely speak with security teams before something fails. They operate in environments where autonomous agents can interact with financial, legal, or customer data without any updated inventory of what has access to what. And they operate under executive pressure that frequently rewards speed of deployment over the soundness of the architecture.
Analyst Jason Snyder calls it "coordination theatre": the organizational scene in which there are AI committees, adoption dashboards, and quarterly presentations showing traction, while the actual workflows have not been redefined, the data has not been integrated, and the governance has not been defined. The result is adoption measured in activity metrics, not in operational or financial impact. And when the audit arrives, or the incident occurs, the organization discovers that it adopted without building.
Security That Arrives Late Can No Longer Arrive on Time
There is a specific dynamic that characterizes organizations with low AI maturity: security and governance are treated as layers added after deployment, not as design conditions. It is a pattern that security teams know well, but one that the C-Level tends to underestimate until it carries a direct cost.
Data from the Forbes Research AI Survey 2025 quantifies the magnitude of the problem with a precision that should concern any board of directors: 62% of business leaders acknowledge that AI complicates the maintenance of their cybersecurity defenses, and 63% state that AI-powered threats could render their current defenses obsolete within a matter of months. One year earlier, that second percentage stood at 29%.
That is not a gradual trend. It is an abrupt acceleration in the perception of risk, which coincides with the acceleration of AI deployment in operations. Organizations are introducing more AI into their systems at precisely the moment when their exposure to AI-enabled threats is growing faster than their capacity to respond.
The solution put forward by this analysis is not to reduce the speed of adoption, but to change the sequence of decisions. Security and governance cannot function as post-deployment audits; they must be embedded in the complete lifecycle of the system, from model design through to its integration with business applications, encompassing training, deployment, and continuous monitoring.
This implies, in concrete terms, several things that organizations with low maturity frequently postpone. First, a real inventory of which AI systems are operating in the environment and what they can access. Without that visibility, no governance is possible. Second, an extension of identity and access management to include non-human agents: each AI agent must have a defined role, delimited permissions, and traceability of its actions. Third, a model of continuous monitoring that identifies anomalous behavior in real time and that has response protocols defined before the incident occurs, not after.
None of those steps is technologically sophisticated. What they require is something more difficult: the willingness to slow down deployment just enough to build the architecture that will sustain it. And that willingness is scarce when executive incentives are aligned with the speed of adoption rather than with the quality of governance.
What the Eighty Percent Reveals About How We Decide to Adopt
The figure of twenty percent of organizations with genuine AI maturity is not merely an indicator of technology management. It is a symptom of something deeper in how large organizations make decisions under market pressure.
When eighty percent adopt without having assessed their security risks, it is not because they lack information about the need to do so. Technology, security, and compliance teams typically know what is required. The problem sits one level higher: in the conversation that never happened between the impulse to adopt and the conditions needed to sustain that adoption responsibly.
In many organizations there is a conversation that remains implicit because no one holds it explicitly: the one that should take place between the CEO who wants to show AI traction to the board, the CISO who knows that the security architecture is not ready, the CFO who has to approve an additional investment in governance that was not in the initial budget, and the legal team that has still not defined the limits of sensitive data use by autonomous agents.
That conversation does not happen in time because it carries an internal political cost. Slowing down or conditioning the deployment of AI at a moment when the market is pushing in the opposite direction requires that someone at the C-Level be willing to hold that position in front of the board, in front of shareholders, in front of the commercial team demanding results. And in the absence of an incident that forces that conversation, institutional inertia always tilts toward moving forward.
The AI maturity problem in enterprise settings, therefore, is not resolved solely with better governance tools or more security budget. Those are necessary instruments. But the prerequisite is that someone in leadership is willing to name what the system avoids naming: that the speed of deployment has outpaced the capacity for control, that this has real consequences, and that correcting it carries a short-term cost.
The organizations that manage to cross that threshold do not do so because they discovered a more elegant methodology. They do so because someone had that conversation before an incident forced it.
Maturity Is Not a State — It Is a Decision That Is Repeated
The Ponemon Institute's research establishes that achieving AI maturity means having systems fully deployed with security risks assessed. That conjunction is what defines the threshold. Not deployment alone. Not assessment alone. Both things simultaneously.
What makes that threshold difficult for most organizations is not the technical complexity of the problem, but the structure of incentives surrounding the decision. Current incentives reward deployment. The success metrics reported to boards of directors are adoption metrics: how many departments use AI, how much time the tools save, how many processes have been automated. Governance metrics — inventory of access rights, risk assessment for each deployed system — rarely carry the same weight in that conversation.
Changing this is not an abstract problem of organizational culture. It is a problem of concrete incentive design. As long as leaders are evaluated on speed of adoption rather than quality of the control architecture, the eighty percent will continue to be eighty percent, and incidents will continue to be the primary mechanism of learning.
The organizations that are crossing that threshold are doing something specific: they are incorporating governance and security criteria into the very definition of what it means for an AI system to be "ready to operate." Not as an additional step at the end of the process, but as a closure condition for each phase of deployment. They are extending identity management to include non-human agents with the same rigor applied to managing employee access. They are monitoring the behavior of their AI systems in real time and have defined protocols for responding to anomalies before they escalate.
None of that is revolutionary. What is unusual is the willingness to do it before an incident demands it.
There is a significant difference between organizations that learn from their own failures and those that learn from the failures of others. The eighty percent that has still not assessed its security risks is still choosing which of those two categories it wants to belong to.









