AI, without fear: An open note to IT

If your inbox looks anything like mine, AI has gone from “my group wants to explore this interesting pilot” to “red alert, board-level priority.” Nearly 70% of Fortune 500 companies use Microsoft Copilot. Of those that partner with Integreon, many are still primarily using the browser-based version. What that tells me is the interest is real, but the comfort level isn’t there yet.

Here’s the reality, my IT friends — generative AI is a strategic imperative and one we as guardians of the data and infrastructure need to be front and center. The impediment is certainly not a lack of vision; rather, it is risk-based. How IT and our partners in InfoSec choose to support, or conversely restrict, AI now will have a direct impact on the company’s ability to compete at a variety of levels and within various corporate disciplines.

Let’s take a collective deep breath and explore ways in which IT can be that strategic enabler, while still maintaining integrity and security. You with me?

See AI’s value in the larger strategic context

Corporate data (including legal, HR and marketing documents) has been growing at an exponential rate. Historically, these documents required heavy manual work — drafting, reviewing, summarizing, classifying and archiving. Human capacity scales linearly, while unstructured data grows exponentially. The result? Vast amounts of untapped corporate knowledge and an increased reliance on outsourcing, which only widens the cyber and third-party risk surface.

AI changes this dynamic. It offers automation at scale for drafting, summarizing and classifying unstructured data — creating a generational opportunity to rearchitect enterprise data governance. We now have the potential to evolve from fragmented, federated data silos into next-generation semi-centralized architectures (data lakes, data rivers) that serve both structured and unstructured needs.

For IT, this is an invitation to extend capabilities into areas traditionally underserved — legal, procurement, HR, marketing — while also reducing attack surfaces and improving data quality.

See risk in the business context

Risk management should never be reduced to simply saying “no” to AI. Instead, IT has an opportunity — and a responsibility — to partner with business leaders in evaluating risk in proportion to the value AI delivers.

Generative AI and AI agents, in many ways, mirror human performance characteristics. And just as businesses have long relied on human-driven processes for critical workflows, they have also developed robust detective, corrective and compensating controls to manage risks inherent in human operations. The difference now is scale and automation — but the principles of governance remain familiar.

This means organizations don’t need to reinvent the wheel. Many established procedures, policies and guidelines can be modernized and extended to cover AI-driven workflows. By adapting existing governance frameworks, businesses can integrate AI more confidently without stalling innovation.

Equally important, when IT takes the time to understand the risk appetite of the business, it often helps streamline end-to-end processes rather than complicate them. And when IT brings in its toolkit — such as privileged access management, single sign-on, identity governance, endpoint protection and other enterprise-grade controls — the result is not just safe adoption, but a stronger overall security posture for the organization.

In short: AI risk isn’t a reason to say no. It’s an invitation for IT and business to align more closely — modernizing existing controls, adapting governance and ensuring innovation happens securely and responsibly.

Build and unify AI security and risk management infrastructure

Just as we would not build security architecture one employee at a time, we should not approach AI piecemeal. IT needs to establish a holistic AI security and risk infrastructure, ready for a world where AI agents become a core part of enterprise workflows.

A baseline architecture should include at least these seven layers:

1. Security operations center (SOC): 24/7 threat monitoring, detection and response, including penetration testing and dark web monitoring, to provide real-time visibility and actionable insights.
2. Security policy & awareness: Regular, engaging training and simulations to reduce human risk and build a culture of vigilance.
3. Endpoint managed detection and response (MDR): Next-gen antivirus, continuous monitoring and active remediation of endpoint threats.
4. Identity protection & privileged access management (PAM): Continuous monitoring of user behavior, MFA enforcement and protection against credential misuse. Enforcing least privilege, securing privileged accounts and providing auditable, monitored remote sessions.
5. Vulnerability management: Ongoing asset discovery, scanning, penetration testing and prioritized remediation.
6. Advanced email threat protection: AI-powered detection of phishing, ransomware and targeted attacks across inbound, outbound and internal traffic.
7. Audit & compliance: Alignment with globally recognized standards (ISO 27001, ISO 27701, SOC 2 Type II) to maintain transparency, governance and client trust.

By combining these layers, IT can build resilience into the enterprise by design — ensuring AI adoption strengthens rather than weakens security posture.

A strategic imperative

AI isn’t just another wave of technology — it’s a shift in how we work, secure and create value. As IT leaders, we get to choose whether we slow things down or step up to help our businesses move forward with confidence.

If we embrace the enabler role, we don’t just keep the lights on — we shape the future. By balancing risk with strategy, modernizing our controls and building a strong foundation, we can make AI both safe and transformative.

At the end of the day, the future of AI in the enterprise will be written by the technologists. We have the opportunity at hand to be the ones holding the pen.

This article is published as part of the Foundry Expert Contributor Network.
Want to join?