Introduction
Introductory Remarks
Understanding how generative AI works is one thing.
Knowing what to do with it inside an organisation is another.
The shift from recognition to generation, and now toward agentic systems, has not just expanded what AI can do but fundamentally changed the management challenge.
The same properties that make modern AI powerful are also what make it difficult to govern (Urbach, Feulner, & Dilger, 2026):
- An LLM that hallucinates confidently is not just a technical failure — it is a management failure
- A diffusion model that embeds bias invisibly is not just a modelling problem — it is a governance problem
- An agentic system that takes unintended actions is not just a deployment error — it is a strategy problem
The previous lecture covered what generative and agentic AI can do. This lecture asks the harder question: how should organisations respond? The properties that make modern AI different — autonomy, learning, and opacity of reasoning — are precisely what make managing it different from managing conventional software.
Three management challenges
Organisations today face three major challenges (Urbach, Feulner, & Dilger, 2026):
- Identifying the right use cases: not every process that can be automated should be; choosing well requires connecting AI capability to actual strategic value
- Building and integrating solutions: data quality, make-or-buy decisions, and workflow redesign are as important as model quality
- Governing AI responsibly: ethics, accountability, regulatory compliance (including the EU AI Act), and ongoing monitoring cannot be afterthoughts
AI Strategizing
Why AI demands a strategic response
AI projects fail more often than they succeed — not because the technology doesn’t work, but because organisations launch them without strategic direction (Urbach, Feulner, Mayer, & Meierhöfer, 2026).
The underlying problem is structural. AI doesn’t merely improve efficiency — it changes the conditions under which organisations compete:
- Market shifts: from human-crafted to AI-driven products and services; from generalised targeting to individual customisation
- Resource shifts: from manual to data-driven decision-making; from human-dependent to AI-enhanced productivity; from uncertainty as obstacle to uncertainty as an unavoidable factor to manage
These shifts are not IT-level changes. They require a strategic response. The rise of generative AI and large language models has accelerated both the opportunity and the pressure.
An AI strategy is a set of guidelines for courses of action and decisions that directs AI projects in line with firm-specific goals and constraints toward a distinct strategic direction. (adapted from Urbach, Feulner, Mayer, & Meierhöfer (2026))
The chain of argumentation
Why does AI specifically require its own strategy? Urbach, Feulner, Mayer, & Meierhöfer (2026) lay out a four-step chain of reasoning:
Figure 1: Chain of argumentation for the need for an AI strategy. Adapted from Urbach, Feulner, Mayer, & Meierhöfer (2026, p. 163).
Facets of contemporary AI: three properties set AI apart from prior technology
- Autonomy: acts without per-decision human instruction
- Learning: behaviour changes over time
- Inscrutability: internal logic is opaque to observers
AI-induced shifts: these properties cause
- Market shifts: competitive dynamics change
- Resource shifts: what constitutes a scarce, valuable capability changes (the “4S”)
Strategic challenges: new tensions across all four dimensions
- Scope: how AI is organized and governed (e.g., strategic ownership, governance level)
- Scale: how AI capabilities are acquired (e.g., knowledge acquisition, technology sourcing)
- Speed: how AI use cases are identified and grown (e.g., use case identification, use case expansion)
- Source: how AI affects the business model (e.g., technology aspiration, value creation)
Strategic response: a coherent AI strategy addressing all four dimensions simultaneously
Most technologies fail in predictable, traceable ways. AI can fail silently, confidently, and in ways that are difficult to attribute. This inscrutability makes standard oversight mechanisms insufficient and creates accountability gaps that a strategy, not just an IT process, must address. Berente et al. (2021) argue that autonomy, learning, and inscrutability must be managed together, not in isolation — each interacts with the others.
Strategic archetypes
A coherent AI strategy means making deliberate, consistent choices across all four dimensions (i.e., scope, scale, speed, and source). The 4S maps the design space of those choices. It does not prescribe which configuration is right. That depends on the organization’s competitive position, resource base, industry context, and risk appetites: Identifying the right archetype matters because each implies a different set of operational decisions:
- Use case selection: a Business Enhancer should prioritise process improvement use cases with clear ROI; a Technology Navigator should invest in proprietary capability-building even without immediate payoff
- Sourcing decisions: an Operations Stabilizer buys ready-made solutions; an Innovation Explorer experiments with open-source and in-house development
- Governance design: a Technology Navigator needs enterprise-wide AI governance; a Business Enhancer may manage AI at the portfolio or project level
- Risk tolerance: an Operations Stabilizer treats model failure as unacceptable; a Technology Navigator accepts more experimental risk in exchange for learning
| Archetype | Strategic orientation | Examples |
|---|---|---|
| Technology Navigator | Pushes AI boundaries through R&D; undertakes risky but rewarding projects to achieve technological breakthroughs at the forefront of AI | JPMorgan, Microsoft, Infineon, SAP |
| Innovation Explorer | Delves into promising emerging territories; invests substantially in AI to unlock new value streams alongside existing products and services | American Express, Bayer, E.ON, Volkswagen |
| Business Enhancer | Focuses on improving operational performance with AI; explores initial use cases but is cautious about widespread application | MTU Aero Engines, P&G, Linde, Chevron |
| Operations Stabilizer | Resorts to AI in only a few isolated use cases; prefers stability and reliability over breakthrough innovations due to potential risks | Henkel, Nike, McDonald’s, Coca-Cola |
Misalignment between archetype and actual decisions is a primary driver of AI project failure. An organisation that behaves like an Innovation Explorer in its use-case selection but like an Operations Stabilizer in its resourcing will run ambitious experiments with inadequate infrastructure. The archetype identification makes these misalignments visible before they become expensive.
A regulated utility pursuing an Operations Stabilizer approach may be making a more rational strategic choice than a startup chasing cutting-edge technology it cannot sustain. What matters is internal consistency: the chosen archetype should be coherent with the organisation’s competitive context, and all four strategic dimensions (“4S”) should point in the same direction. The goal of AI strategizing is not to maximise technological ambition but to match strategic posture to organisational reality.
AI Readiness
Definition and motivation
AI readiness is the preparedness of an organisation to implement changes involving AI applications and technology. (Alsheibani et al., 2018)
The concept matters because strategy on paper does not equal strategy in practice. An organisation may choose the right archetype and still fail to execute, because the necessary conditions are not in place. AI readiness identifies those conditions.
“Digital readiness” or “technology readiness” captures part of the picture but misses what is distinctive about AI. AI requires not just infrastructure and skills, but a cultural tolerance for probabilistic outputs, opaque reasoning, and systems that change their own behaviour over time. Readiness for AI is therefore both broader and more specific than generic technology readiness — which is why it warrants its own construct.
Organisational readiness for change
Before any AI-specific factors, organisations must have a baseline capacity to adopt and sustain new technology at all:
- Financial and technological resources: adequate investment capacity and infrastructure
- Management support: active sponsorship from leadership; without it, initiatives lose priority when they compete with operations
- Organisational culture: tolerance for experimentation, calculated risk, and continuous learning
- Commitment: sustained resolve to work through implementation setbacks
These factors are necessary but not sufficient. AI adds further demands on top of them.
AI-specific readiness factors
- Innovation adoption: shaped by perceived relative advantage, compatibility, complexity, trialability, and observability (also see Rogers, 2003); for AI, complexity and observability are particular friction points — AI systems are harder to pilot meaningfully than conventional software, and their value is often indirect and delayed
- Resources: rare skill combinations (data scientists, ML engineers, domain experts, AI-literate managers); qualitatively different infrastructure (high-performance compute, scalable data pipelines, MLOps tooling); organisations that underestimate these requirements tend to reach proof-of-concept and then stall
- Knowledge: AI literacy cannot be limited to a specialist team; Article 4 of the EU AI Act mandates adequate literacy for all staff involved in operating or using AI systems, calibrated to role and context
- Culture: psychological safety to challenge AI outputs; cross-functional collaboration as a prerequisite; AI exposes errors in ways conventional software does not — blame cultures will find AI particularly difficult to deploy responsibly
- Data: availability, quality, accessibility, and governance — data is the fuel of AI and the most common bottleneck in practice
An organisation with strong strategic intent but poor data readiness cannot realise AI’s potential regardless of technical investment. Data readiness assessment is therefore a prerequisite to AI strategy execution (Urbach, Feulner, Mayer, & Meierhöfer, 2026).
Governance of AI
Why governance cannot be an afterthought
An AI strategy tells an organisation what to pursue. Governance answers under what conditions and according to what rules.
Without governance, even a well-designed strategy degrades in practice:
- Responsibilities are unclear
- Risks accumulate silently
- Accountability evaporates the moment something goes wrong
The case for governance is not primarily ethical — it is operational. AI systems learn from data, behave probabilistically, fail in subtle and delayed ways, and are often opaque even to their builders. Standard IT controls are necessary but not sufficient.
Governance mechanisms are structured frameworks, policies, procedures, and controls that guide, monitor, and manage operations to ensure alignment with organisational objectives, ethical standards, and regulatory requirements. AI governance specifically addresses the complexity, opacity, and failure modes that are particular to AI systems and that increase uncertainty and risk in ways that generic IT governance does not fully capture (Urbach, Feulner, & Dilger, 2026).
The risk landscape
Before deciding what governance is needed, an organisation must understand what it is governing against. AI-related risks arise at four levels (Urbach, Feulner, Feulner, et al., 2026):
- Technical risks: data and model uncertainty; complex error traceability; cybersecurity vulnerabilities (adversarial inputs, data poisoning, model inversion)
- Economic risks: cost escalation without proportional value; non-acceptance negating AI’s value; operational disruption and reputational damage from biased outputs
- Regulatory risks: GDPR violations at AI scale; EU AI Act (Art. 9 and Art. 14) non-compliance; absence of agreed industry standards
- Ethical and social risks: algorithmic bias invisible in aggregate metrics; opacity breeding mistrust; job displacement and erosion of human agency
These four categories are not independent. A technical failure (biased model) creates economic risk (damaged reputation), triggers regulatory scrutiny (GDPR, EU AI Act), and constitutes an ethical harm (discriminatory decisions). Governance must address all four simultaneously.
Three types of governance mechanisms
Effective AI governance is not a single policy or a compliance checklist. It is a portfolio of mechanisms at three complementary levels (Urbach, Feulner, & Dilger, 2026).
Structural mechanisms
Define the formal organisational architecture within which AI decisions are made and accountability is assigned.
- Roles and responsibilities: operational (project leads, product owners) and strategic (executive sponsors, Chief AI Officer — CAIO)
- Cross-functional governance bodies: AI steering committees integrating legal, compliance, technical, and business perspectives
- Centres of Excellence: centralise expertise, set standards, reduce fragmentation across business units
The core challenge structural governance addresses is AI’s inherently interdisciplinary nature. Data scientists, engineers, legal staff, compliance officers, domain experts, and business strategists all have essential and often conflicting perspectives. Without a clear structure, these perspectives do not converge — they create friction.
Procedural and relational mechanisms
Procedural mechanisms
Define how AI is developed, validated, deployed, and monitored.
- Documentation standards: traceability of model development, testing, and known limitations
- Quality assurance: coding guidelines, testing protocols, and validation procedures across the AI lifecycle
- Compliance monitoring: continuous checks against legal and internal standards
- Escalation procedures: defined pathways for flagging unexpected model behaviour or performance degradation
Relational mechanisms
Address the collaborative dynamics across the people and teams involved in AI.
- Interdisciplinary team design: technical, legal, domain, and ethical expertise in working teams — not sequential handoffs
- Training and onboarding: AI fundamentals, governance structures, and ethical implications for all team members
- Transparency practices: explainability tools and accessible reporting for non-technical stakeholders
- Dialogue and feedback loops: regular alignment, workshops, channels for surfacing concerns early
Procedural governance is particularly important because AI’s behaviour is not fully specified in advance — it emerges from training. Without structured processes, there is no reliable way to know whether the system deployed last month still behaves as expected today.
Relational mechanisms are often the least formalised and the most neglected — yet their absence is frequently what causes well-designed structural and procedural frameworks to fail in practice. A governance body that never actually convenes cross-functional dialogue produces documents, not accountability.
Transforming toward AI governance
Governance does not appear fully formed. It must be built iteratively, and it must be integrated into existing governance structures — not layered on top as a separate system (Urbach, Feulner, Feulner, et al., 2026):
- Establishing an AI strategy with consideration of internal values
- Setting up an AI roadmap
- Identification and development of use cases
- Iterative analysis and comparison with requirements
- Ensuring safe AI usage
- Integration of AI governance mechanisms
- Evaluation of AI governance
Several established frameworks provide concrete reference points:
- ISO/IEC 42001:2023 — first certifiable AI management system standard
- NIST AI RMF 1.0 — voluntary, outcome-oriented; four functions: Map, Measure, Manage, Govern
- OECD Recommendation on AI (2019, updated 2023/2024) — intergovernmental reference framework
- EU AI Act — the most comprehensive and legally binding
The EU AI Act
What it is and why it matters
The EU AI Act (Regulation 2024/1689) is the world’s first comprehensive, legally binding AI regulation. It applies to any AI system deployed in the EU — regardless of where the provider is based (from 2027 on).
For managing AI, three things matter most:
- What it regulates — which AI systems face obligations
- What it requires — what those obligations are
- Who is responsible — which actors must comply
The risk-based logic
The Act’s defining design principle is proportionality: obligations scale with potential harm to people and society (European Commission, 2024).
- Minimal or no risk — no additional obligations; e.g., recommendation engines, spam filters, video game AI; the vast majority of currently deployed AI
- Limited risk — transparency and disclosure only; chatbots must disclose they are AI; AI-generated content must be identifiable; deepfakes must be labelled
- High risk — strict obligations before and during deployment; covers critical infrastructure, healthcare, education, employment, access to essential services, law enforcement, migration, administration of justice
- Unacceptable risk — banned outright; social scoring, predictive policing by profiling, untargeted biometric scraping, emotion recognition in workplaces and schools, subliminal manipulation, exploitation of vulnerabilities
For high-risk systems, the Act mandates (European Commission, 2024):
- Continuous risk management (Art. 9): throughout the entire AI lifecycle — not a one-time pre-deployment check
- Human oversight (Art. 14): humans must be able to monitor, understand, interpret, and override outputs
- Data quality and governance (Art. 10): quality standards and demographic representation in training, validation, and test data
- Technical documentation (Art. 11): comprehensive, maintained throughout the lifecycle
- Transparency toward users (Art. 13): deployers must inform individuals when subject to a high-risk AI decision
- Audit logging: records enabling post-hoc review and accountability
- Conformity assessment: formal compliance assessment before deployment; third-party audit for certain categories
- AI literacy (Art. 4): a legal obligation for all staff involved in operating or using AI systems — not a recommendation, and not limited to technical teams
Who is responsible
The Act deliberately distributes obligations across the AI value chain:
- Providers build AI systems and place them on the market — they bear the heaviest obligations: conformity assessments, technical documentation, registration in the EU AI database, post-market monitoring
- Deployers use a provider’s AI system in their own products or processes — they cannot outsource compliance to their vendor; directly responsible for human oversight, staff literacy, informing affected individuals, and maintaining operational logs
- Affected individuals have the right to know that an AI system was involved in a decision significantly affecting them
Many organisations are deployers of high-risk AI without having classified themselves as such. A performance management system that uses ML to rank employees is high-risk. An automated loan pre-screening tool is high-risk. Before asking what the Act requires, managers must first ask honestly: where do our AI systems sit in the risk classification? The answer will often be less comfortable than assumed (Urbach, Feulner, & Mayer, 2026).
Generative AI and GPAI
Large foundation models (LLMs, diffusion models, multimodal systems) are regulated under a distinct regime as General Purpose AI (GPAI) systems.
GPAI presents a unique regulatory challenge: these models are not designed for a single application — risk cannot be fully assessed at development time.
- Providers must document and disclose training data, including copyright compliance
- Providers must supply technical documentation of capabilities, limitations, and known risks to downstream deployers
- Providers must comply with EU copyright law and demonstrate adherence to the Copyright Directive’s text and data mining provisions
For deployers: the risk classification depends on the use case, not the underlying model. The same LLM powering a general chatbot (limited-risk) becomes high-risk when integrated into automated recruitment screening.
Compliance as a floor
The EU AI Act sets minimum requirements. Meeting them is necessary — but does not guarantee that a system is trustworthy or well-governed.
Compliance means the system meets the legal baseline for EU deployment.
The governance mechanisms — risk management, human oversight, structural accountability, relational transparency — are what transform compliance from a checklist into a genuine capability (Urbach, Feulner, & Mayer, 2026).