Outside of my work at Redgate, I spend an hour or two each week as an AI Advisor to organizations in government, healthcare, and retail. I’ve been doing this for about a year and a half now, sitting down with businesses to help them work through the reality of bringing AI into their organizations. That work covers a lot of ground:
- Building policy and governance frameworks before the chaos arrives
- Introducing AI in a controlled way that doesn’t immediately overwhelm teams or create security nightmares
- Helping departments build the business case for AI investments
- Training employees at every level, from executives to everyday users
- Figuring out how to slow down or stop Shadow AI before it becomes a serious liability
- Working out what skills to actually hire for, and what red flags to watch for in candidates
What strikes me most after eighteen months of this is how consistent the story is, regardless of industry, size, or technical maturity. Almost every organization goes through the same stages, in roughly the same order:
- Hard no. Policy comes down from on high. No AI, full stop.
- Controlled experiment. A small group of power users or engineers gets limited access to explore what’s possible.
- The flood gates open. Suddenly everyone is using AI, and it’s not hard to see why because at this point AI is embedded in almost every product people are already using daily.
- IT gets overwhelmed. The demand and the risk pile up fast. If policy and governance work hasn’t been done ahead of this moment, teams are scrambling hard to catch up.
- Policy turns out not to be enough. People bypass the guardrails, sometimes unintentionally, sometimes not, but they do so constantly. Shadow AI is everywhere, and it’s often invisible until something goes wrong.
- Training gets added. AI awareness rolls into annual compliance programs. Security risks and policy violations keep happening anyway.
- Formal controls go in. Tooling to deter Shadow AI gets deployed, new processes get layered on, and then new risks surface that require new processes all over again.
I meet regularly with security teams as part of this work and I have a lot of respect for what they are dealing with. AI gets sold as a magic bullet, and the problem is that bullet has a habit of pointing inward. Security teams are doing everything in their power to make sure their organization isn’t the one that gets hit when something goes wrong, and the pressure on them is relentless.
If you feel like your organization is uniquely overwhelmed by all of this, you are not alone. Every organization is going through this. Not just IT, not just development, but everyday users in everyday software. The organizations that come out of it in the best shape are the ones who stopped pretending this was a technology problem and started treating it as an organizational one.
