The modern CIO’s mission is straightforward: drive AI adoption across the entire organization as quickly as possible.
CIO.com’s State of the CIO survey confirms that CEOs now consider leveraging AI their most important expectation for IT leadership. From exploring new AI solutions to vetting products, CIOs have become the pivotal players in shaping their companies’ AI strategies.
And executives are demanding tangible results. Nearly two-thirds of top-level leaders say they face greater pressure to demonstrate returns on AI spending than they did a year ago, according to Kyndryl’s 2025 Readiness Report.
This mounting pressure comes from multiple directions — boards of directors, CEOs, individual business units, and even competitors — explains Jonathan Tushman, who serves as chief AI officer and CTO at Hi Marley, a conversational AI platform serving the property and casualty insurance sector.
Meeting these demands requires navigating difficult discussions and moving through legal, compliance, and other reviews “at a reasonable pace,” notes Tushman, who took on the CAIO role alongside his existing duties over 18 months ago but has sensed a marked increase in urgency over the past six months. Whether at industry events, board meetings, or virtually any corner of the business landscape, talk quickly shifts to AI — and then just as quickly to the anxiety of falling behind.
That anxiety extends to the workforce too. “There’s the engineering team, and then there’s everyone else — marketing, sales, finance. These aren’t people who grew up with AI, but they’re extremely eager to start experimenting with these tools at a basic level,” he observes.
As CIOs grapple with pressure to scale AI and show concrete value, the real challenge lies in staying on top of risk factors without creating needless roadblocks.
“CIOs can’t afford to be risk-averse here,” says Karthik Chakkarapani, SVP, CIO, and head of enterprise AI at Zuora. “Security and governance are essential, but we don’t want to be viewed as the department that slows everything down. Think of it as building a highway — you need guardrails, but try to minimize the speed bumps.”
Beyond that, he stresses, “this isn’t about simply automating what we already do. It’s about fundamentally rethinking how work gets accomplished.”
AI represents a paradigm shift in risk management
Most IT leaders still feel far from confident when it comes to balancing the new risk landscape AI creates. Only 31% of those surveyed say they feel fully prepared for external business risks, according to Kyndryl’s findings.
Tushman points to two aspects that genuinely set AI-related risks apart. First, AI is inherently non-deterministic, unlike most traditional technology. “You can’t definitively prove that an AI system will or won’t do something, so the old approach of ‘apply controls and verify’ falls apart,” he explains. “We need an entirely different governance framework for something whose behavior you can’t fully predict.”
The second differentiator is the magnetic pull AI has on end users. “With most technologies, IT had the luxury of taking its time before rolling something out,” he says. “With AI, if you don’t get powerful tools into people’s hands quickly, they’ll find workarounds — and uncontrolled shadow usage creates far more risk than managed access ever would. The timeline shrinks just as the control model becomes more complex.”
Tony Vizza, founder and managing partner at Novera, shares the view that the rush to move quickly can produce the very outcomes organizations dread.
“This could look like employees feeding sensitive data into public AI tools without proper oversight, or people copying AI-generated content verbatim and sending inaccurate deliverables to clients,” Vizza cautions.
Organizations should resist the temptation to adopt AI purely out of FOMO without first defining precisely where and how it will be deployed. Every risk-related decision should stem from those foundational questions, he advises. “What specific problems are you trying to address — is it improving customer service or gaining deeper insights from your data? What’s the actual goal?”
Vizza suggests anchoring AI decisions in a structured risk assessment that weighs expected outcomes, the scale of investment, and how critical the initiative is to the organization’s broader objectives. “You establish your risk tolerance, create a risk register, and determine the appropriate treatment for each identified risk,” he explains. “For instance, if you plan to use a publicly available AI model, you might mitigate that risk by keeping sensitive data out of it, purchasing the appropriate license so you’re protected if you do, or consulting with regulators before moving forward.”
Companies must also treat AI services as a third-party risk and avoid placing all accountability on the vendors themselves, Vizza adds. “You can’t simply hand off responsibility,” he emphasizes.
Thorough due diligence is essential — understanding the terms in the AI provider’s contract, clarifying who bears liability in the event of a data breach, and knowing how your organization can seek recourse if things go wrong.
“Some organizations have woven these considerations into their risk management processes. Others are surprisingly casual — or completely unaware they should even be asking these questions — and that’s what ends up tripping them down the road,” he warns.
Why organizational design matters
At Hi Marley, Tushman and his team have put deliberate structural measures in place to cultivate “healthy internal tensions” designed to bring AI risk considerations to the surface. This includes a clear separation between the “AI adopters” embedded in product and technical teams and the “AI oversight” teams situated within compliance and legal. Compliance manages audits, security concerns, and ongoing monitoring, while legal owns the documentation that defines operational boundaries. “The critical factor is that these functions remain independent from the teams driving AI adoption,” he says.
“Organizations need to invest meaningfully in these compliance roles. Recruit sharp, thoughtful people. These positions can’t simply be obstructionist, but they shouldn’t rubber-stamp everything either. The real value lies in sound judgment,” he adds.
Tushman sees his own role as an AI innovation steward — championing adoption while being openly challenged on risk, compliance, and legal grounds. “We have a senior leadership team built around ‘constructive conflict,’” he describes. “I sit as the CAIO, and right beside me are our head of legal and our head of compliance. So when disagreements arise within that group, we work through the trade-offs and arrive at a collective decision.”
Tushman believes this structure produces a productive dynamic: innovation-focused leaders push the envelope while compliance and risk leaders provide the counterbalance. But when consensus can’t be reached, the matter escalates to the CEO. “I do recommend that a deadlock gets elevated to another senior leader for a final call,” he says.
Choices around organizational structure could prove just as impactful as the AI adoption decisions themselves, Tushman notes. “The companies that nail their organizational design early will hold a genuine competitive advantage,” he explains.
The hunger for AI is reshaping the risk equation
One defining characteristic of the current AI wave is the widespread appetite for access — from board members to frontline employees — to experiment with the tools, build applications, and start putting them to practical use. “Right now, everyone is eager to get their hands on it,” says Tushman.
Hi Marley is currently in what Tushman calls the “activation” phase — channeling that enthusiasm by pairing the tools with appropriate safety guardrails. “My primary objective here is to get people learning the tools, actively using them, and building some
“We’re still building our expertise with these tools,” he remarks. “Eventually we’ll reach the evaluation stage, but I believe dedicating excessive time to metrics at this point isn’t particularly productive.”
Tushman, along with many others, is observing the rapid pace of model advancement. “AI has enormous consequences for how organizations structure themselves, how they recruit talent, and whether they choose to build solutions internally or acquire them externally,” he explains.
Zuora, a company focused on subscription management and recurring revenue software, has been pursuing its AI strategy for three years now. Chakkarapani is firm in his conviction that accelerating for the sake of speed alone misses the point.
“Simply taking an existing workflow and running it faster isn’t the answer — you’d just be amplifying the disorder. The real question is: can we make it faster, more intelligent, and fundamentally restructured?”
Vizza is confident that a significant portion of CIOs will require outside expertise to manage the pressure for swift AI integration. “Alternatively they’ll need to invest in their own development, because AI functions in a fundamentally different way than conventional IT,” he notes.
His counsel comes in three parts. First, “ensure your decisions rest on solid ground — either develop a genuine understanding of how AI works or engage someone who can provide sound guidance,” he says. Second, tie everything back to business objectives. “AI presents real opportunities, but the essential question remains: what outcome are we hoping to accomplish by adopting it?” And third, figure out your approach to risk management. “Risk isn’t inherently negative — Formula 1 cars carry risk, yet they’re equipped with exceptional braking systems that allow them to go faster,” he explains. “It’s the same principle with AI: you implement appropriate risk controls so the organization can move swiftly without facing harmful fallout.”
Over the course of its nearly three-year AI initiative, Zuora began with exploratory work before transitioning 12 company-wide pilot projects into full production, Chakkarapani states. He adds that potential AI initiatives are evaluated against three key criteria: effort, value, and confidence. “Effort encompasses the security dimension,” he clarifies. “Is it low, medium, or high?”
Chakkarapani’s group began with straightforward implementations, though the initial trials didn’t deliver the expected results — offering important insights for subsequent efforts. “We discovered that AI performs well only when you have the right data — the right content, the right context, and proper governance in place,” he reflects.
They progressed to IT service management, and that’s when the hands-on learning truly accelerated — gathering input from internal teams and end users, addressing security and compliance concerns, and refining their approach along the way.
Early deployments spanned marketing, sales, product development, and engineering, delivering throughput gains of 10 to 25 times. Success is gauged through business impact metrics such as revenue growth, cost reduction, and customer engagement.
Throughout this journey, the team has been laying the groundwork to accelerate AI adoption across the entire enterprise. “We came out to realize that to move at both speed and scale, we needed the right foundation of trust, security, and governance underneath everything,” he says.
A company-wide platform connects Zuora’s vetted AI services — including ChatGPT and specialized domain tools — to both its structured and unstructured data. Built on top of this infrastructure is a contextual layer and set of services that enables employees to construct their own applications. It leverages each worker’s existing credentials and organizational profile while maintaining identical role-based access controls.
“We gradually constructed a framework that became our playbook, identifying the 10 to 12 critical factors that must be addressed when building an AI-powered application. When someone expresses interest, they’re guided through a self-service process with best practices and pitfalls, which automatically generates a markdown file downloaded to their machine,” he explains.
The overarching objective is to deliver as much as 100-fold business value through a governed enterprise-wide platform — spanning IT, human resources, finance, legal, procurement, sales, and product. IT serves as the orchestrator, supplying the platform for accessing tools and agents while partnering with business units to redesign those workflows.
The AI maturity model
Chakkarapani holds that a more secure environment naturally encourages broader experimentation, wider adoption, and, ultimately, tangible business outcomes. At Zuora, Chakkarapani has advanced this progression through three tiers of organizational AI maturity so far:
Tier 1: IT delivers a platform and supporting services. Staff members receive governed access to data aligned with their role and security clearance. They can build their own personal agent. Anything that fails to meet baseline security and compliance thresholds is halted from proceeding.
Tier 2: An employee-created agent undergoes an IT governance review that covers checks for redundancy or overlap, model enhancements, security assessments, and manual evaluations. Once approved, it becomes available to the broader organization. “We’re making progress here, but it still involves considerable manual effort because there aren’t adequate tools available to automate this process,” he notes.
Tier 3: At this maturity stage, an organization has established a security baseline across all its applications so that AI can expand safely. Over a period of six to eight months, Zuora’s team hardened endpoint and application security, enforced mobile device management, introduced AI usage tracking (including monitoring what employees paste into prompts), and disabled Google authentication to prevent personal or bulk email accounts from accessing unauthorized applications.
Earlier this year, the team began advancing toward Tier 4 maturity, where any individual can produce a working application with minimal human intervention. In practice, they anticipate reaching 80% to 85% automation, since the final stretch will still demand human judgment.
“My ambition is to offer a fully automated service that lets anyone in the company build applications. If we succeed, they can move from concept to idea, prototype, design, and production — all within less than two weeks,” he says.



