Key Takeaways
- Technology outpaces policy and risk lives in that gap, but it doesn’t have to become exposure.
- AI momentum starts with clarity: know your stage, manage those risks, and scale from there.
- Risk management isn't a barrier to AI value; it's what makes sustained value achievable.
Whether in business or around the dinner table, most conversations about AI seem to go sideways. Our observation is that this occurs for a simple reason: people aren't talking about the same thing.
Consumers and employees are using tools at different stages of effectiveness, maybe even paying personally for Claude or ChatGPT Pro. Meanwhile, CFOs are looking at five-figure proposals for enterprise Copilot licenses and (naturally) asking about ROI. The CEO feels behind because they just read about a competitor who is "transforming their business with AI." Nobody's wrong exactly, but no one is on the same page either.
That misalignment is where AI growth stalls, and where security risk quietly creeps in.
Understanding Where You Are on the AI Adoption Curve
Before you can assess whether your AI strategy is working, you need to know where your organization actually sits on the adoption curve. Kreischer Miller’s Technology Advisory team developed a staged model to help identify where a business is on the continuum. The labeling matters less than the process of doing an honest self-assessment.
Most mid-market companies land somewhere across five stages: Shadow IT, Aware, Exploring, Operational, or Transforming.
The AI ROI Curve: Why Value Dips Before It Rises
The relationship between maturity and ROI isn't linear. It follows something closer to a J-curve.
In the earliest stage, Shadow IT, AI is already in your organization (whether you've sanctioned it or not). Employees are using personal accounts, free tools, and consumer-grade chat products to get work done. There's no cost on the books, so it looks cheap. It isn't. You have no visibility into what data is leaving the building, no control over how it's being used, and no idea what risks you’re being exposed to.
When companies move to get serious, typically by purchasing an enterprise tool like Microsoft Copilot, something uncomfortable occurs: ROI expectations drop. You've just converted a hidden, unmanaged cost into a visible line item, and the immediate return doesn't match the invoice. This is the dip in the curve, and it's the moment when a lot of otherwise sound AI investments get second-guessed.
This is normal. It’s not a sign that you made the wrong call.
Enterprise AI requires what all enterprise technology requires: deliberate setup, governance, and adoption work before the value compounds. Companies that push through it start climbing toward meaningful returns. Those that pull back stay stuck.
AI Risk Isn’t Purely a Technical Problem
Knowing where you sit on the curve also tells you which risks are relevant right now. A company in the Shadow IT stage has a data exposure problem today, whether leadership knows it or not. Employees sharing client information with a consumer AI tool are operating outside any policy, any contract, and any audit trail.
A company in the Exploring stage needs to understand what their tools are doing with the data they're fed. A company integrating AI into operational decisions, hiring, lending, and financial reporting needs to think seriously about auditability and legal accountability. The law is increasingly clear that using an AI tool doesn't transfer your compliance obligations to the vendor.
Your vendors carry risks too. Most SaaS providers are quietly integrating AI into their workflows, which means your data may be interacting with AI systems you never evaluated. That makes AI due diligence a standard part of any vendor selection or renewal conversation.
Managing AI Risk: Four Strategic Options
When it comes to managing these risks, there are really only four options:
- Avoid the activity where the risk is unacceptable
- Mitigate through policy, training, and human oversight
- Transfer financial exposure through contracts and insurance
- Accept the risk consciously as a business decision.
Most organizations will use all four options at different points. The worst outcome is the fifth option that nobody names: ignoring the risk entirely and calling it a strategy.
Moving Forward with Clarity and Intent
None of this requires a compliance overhaul before you're allowed to move. It requires being intentional. The organizations that get AI right aren't the ones that move slowest. They're the ones that knew where they were before they decided where to go next.
If you're not sure where you are, that's a reasonable place to start.
Closing the Gap Between Technology, Policy, and Risk
Technology moves fast. Policy moves slow. Risk lives in the gap. Navigating this well doesn’t require the most sophisticated tools or the longest policy documents. It does require a map, and for leaders to stay oriented, keep moving, and adjust when the landscape shifts; disciplined, but not rigid.
Not Sure Where Your Organization Falls on the AI Adoption Curve?
AI rarely stalls because leaders move too quickly; it stalls when they move without alignment. Understanding where your organization actually sits on the AI adoption curve is the difference between controlled momentum and unmanaged risk. If you’re unsure where that line is for your organization, that uncertainty is your signal. Kreischer Miller’s Technology Advisory team can help you assess your current state, surface the risks that matter now, and build a clear, practical roadmap for scaling AI with confidence.