Understanding how generative AI works is one thing.
Knowing what to do with it inside an organisation is another.

The shift from recognition to generation, and now toward agentic systems, has not just expanded what AI can do but fundamentally changed the management challenge.

The same properties that make modern AI powerful are also what make it difficult to govern (Urbach, Feulner & Dilger, 2026):

• An LLM that hallucinates confidently is not just a technical failure but a management failure
• A diffusion model that embeds bias invisibly is not just a modelling problem but a governance problem
• An agentic system that takes unintended actions is not just a deployment error but a strategy problem

Organisations today face three major challenges (Urbach, Feulner & Dilger, 2026):

• Identifying the right use cases: not every process that can be automated should be; choosing well requires connecting AI capability to actual strategic value
• Building and integrating solutions: data quality, make-or-buy decisions, and workflow redesign are as important as model quality
• Governing AI responsibly: ethics, accountability, regulatory compliance (including the EU AI Act), and ongoing monitoring cannot be afterthoughts

AI projects fail more often than they succeed. Not because the technology doesn't work, but because organisations launch them without strategic direction (Urbach et al., 2026).

AI doesn't merely improve efficiency. It changes the conditions under which organisations compete:

• Market shifts: from human-crafted to AI-driven products and services; from generalised targeting to individual customisation
• Resource shifts: from manual to data-driven decision-making; from human-dependent to AI-enhanced productivity; to uncertainty as an unavoidable factor to manage

These shifts require a strategic response.

An AI strategy is a set of guidelines for courses of action and decisions that directs AI projects in line with firm-specific goals and constraints toward a distinct strategic direction.

— Urbach, Feulner, Mayer & Meierhöfer (2026)

Why does AI specifically require its own strategy? Urbach et al. (2026) lay out a four-step chain of reasoning:

Figure 1: Chain of argumentation for the need for an AI strategy. Adapted from Urbach, Feulner, Mayer & Meierhöfer (2026, p. 163).

AI introduces strategic challenges across four dimensions:

A coherent AI strategy means making deliberate, consistent choices across all four dimensions.

The configuration across the 4S dimensions depends on the organisation's strategic archetype:

Table 2: Adapted from Urbach et al. (2026, p. 166).

Identifying the right archetype matters because each implies a different set of operational decisions:

• Use case selection — e.g., a Business Enhancer should prioritize process improvement with clear ROI
• Sourcing decisions — e.g., an Operations Stabilizer buys ready-made solutions
• Governance design — e.g., a Technology Navigator needs enterprise-wide AI governance
• Risk tolerance — e.g., an Operations Stabilizer treats model failure as unacceptable

A regulated utility pursuing an Operations Stabilizer approach may be making a more rational strategic choice than a startup chasing cutting-edge technology it cannot sustain.

What matters is internal consistency: the chosen archetype should be coherent with the organisation's competitive context, and all four strategic dimensions ("4S") should point in the same direction.

AI readiness is the preparedness of an organisation to implement changes involving AI applications and technology.

— Alsheibani et al. (2018)

The concept matters because strategy on paper does not equal strategy in practice. An organisation may choose the right archetype and still fail to execute, because the necessary conditions are not in place. AI readiness identifies those conditions.

Before any AI-specific factors, organisations must have a baseline capacity to adopt and sustain new technology at all:

• Financial and technological resources: adequate investment capacity and infrastructure
• Management support: active sponsorship from leadership; without it, initiatives lose priority when they compete with operations
• Organisational culture: tolerance for experimentation, calculated risk, and continuous learning
• Commitment: sustained resolve to work through implementation setbacks

These factors are necessary but not sufficient. AI adds further demands on top of them.

• Innovation adoption: shaped by perceived relative advantage, compatibility, complexity, trialability, and observability (Rogers, 2003); for AI, complexity and observability are particular friction points
• Resources: rare skill combinations (data scientists, ML engineers), qualitatively different infrastructure (high-performance compute, MLOps tooling); organisations that underestimate these requirements stall at proof-of-concept
• Knowledge: AI literacy cannot be limited to a specialist team
• Culture: AI exposes errors in ways conventional software does not — blame cultures will find AI particularly difficult to deploy responsibly
• Data: availability, quality, accessibility, and governance; data is the fuel of AI and the most common bottleneck in practice

Readiness is not a binary state.

An AI strategy tells an organisation what to pursue. Governance answers under what conditions and according to what rules.

Governance mechanisms are structured frameworks, policies, procedures, and controls that guide, monitor, and manage operations to ensure alignment with organisational objectives, ethical standards, and regulatory requirements. AI governance specifically addresses the complexity, opacity, and failure modes that are particular to AI systems and that increase uncertainty and risk in ways that generic IT governance does not fully capture.

— Urbach, Feulner & Dilger (2026)

AI-related risks arise at four levels (Urbach et al., 2026):

1. Technical risks: data and model uncertainty; complex error traceability; cybersecurity vulnerabilities (adversarial inputs, data poisoning, model inversion)
2. Economic risks: cost escalation without proportional value; non-acceptance negating AI's value; reputational damage from biased outputs
3. Regulatory risks: GDPR violations at AI scale; EU AI Act (Art. 9 and Art. 14) non-compliance; absence of agreed industry standards
4. Ethical and social risks: algorithmic bias invisible in aggregate metrics; opacity breeding mistrust; job displacement and erosion of human agency

Effective AI governance is a portfolio of mechanisms at three complementary levels (Urbach, Feulner & Dilger, 2026):

Governance must be built iteratively and integrated into existing structures, not layered on top (Urbach et al., 2026):

1. Establishing an AI strategy with consideration of internal values
2. Setting up an AI roadmap
3. Identification and development of use cases
4. Iterative analysis and comparison with requirements
5. Ensuring safe AI usage
6. Integration of AI governance mechanisms
7. Evaluation of AI governance

Several established frameworks provide concrete reference points:

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive, legally binding AI regulation. It applies to any AI system deployed in the EU, regardless of where the provider is based (from 2027 on).

For managing AI, three things matter most:

• What it regulates — which AI systems face obligations
• What it requires — what those obligations are
• Who is responsible — which actors must comply

The Act's defining design principle is proportionality: obligations scale with potential harm to people and society.

For high-risk systems, the Act mandates (European Commission, 2024):

The Act deliberately distributes obligations across the AI value chain:

• Providers build AI systems and place them on the market. They bear the heaviest obligations: conformity assessments, technical documentation, registration in the EU AI database, post-market monitoring
• Deployers use a provider's AI system in their own products or processes. They cannot outsource compliance to their vendor; directly responsible for human oversight, staff literacy, informing affected individuals, and maintaining operational logs
• Affected individuals have the right to know that an AI system was involved in a decision significantly affecting them

Large foundation models (LLMs, diffusion models, multimodal systems) are regulated under a distinct regime as General Purpose AI (GPAI) systems.

GPAI presents a unique regulatory challenge: these models are not designed for a single application — risk cannot be fully assessed at development time.

• Providers must document and disclose training data, including copyright compliance
• Providers must supply technical documentation of capabilities, limitations, and known risks to downstream deployers
• Providers must comply with EU copyright law and demonstrate adherence to the Copyright Directive's text and data mining provisions

The EU AI Act sets minimum requirements. Meeting them is necessary but does not guarantee that a system is trustworthy or well-governed.

Compliance means the system meets the legal baseline for EU deployment.