Managing AI

Introduction to AI (I2AI)

Andy Weeger

Neu-Ulm University of Applied Sciences

June 5, 2026

Introduction

Discussion

What challenges have you observed or heard about when organisations try to use AI in practice?

Introductory Remarks

Understanding how generative AI works is one thing.
Knowing what to do with it inside an organisation is another.

The shift from recognition to generation, and now toward agentic systems, has not just expanded what AI can do but fundamentally changed the management challenge.

The same properties that make modern AI powerful are also what make it difficult to govern (urbach2026managing?):

• An LLM that hallucinates confidently is not just a technical failure — it is a management failure
• A diffusion model that embeds bias invisibly is not just a modelling problem — it is a governance problem
• An agentic system that takes unintended actions is not just a deployment error — it is a strategy problem

The previous lecture covered what generative and agentic AI can do. This lecture asks the harder question: how should organisations respond? The properties that make modern AI different — autonomy, learning, and opacity of reasoning — are precisely what make managing it different from managing conventional software.

Three management challenges

Organisations today face three major challenges (urbach2026managing?):

• Identifying the right use cases: not every process that can be automated should be; choosing well requires connecting AI capability to actual strategic value
• Building and integrating solutions: data quality, make-or-buy decisions, and workflow redesign are as important as model quality
• Governing AI responsibly: ethics, accountability, regulatory compliance (including the EU AI Act), and ongoing monitoring cannot be afterthoughts

None of these challenges can be solved by understanding the technology better.

AI Strategizing

Discussion

Why do you think most AI projects fail — even when the underlying technology works?

Why AI demands a strategic response

AI projects fail more often than they succeed — not because the technology doesn’t work, but because organisations launch them without strategic direction (urbach2026managing?).

The underlying problem is structural. AI doesn’t merely improve efficiency — it changes the conditions under which organisations compete:

• Market shifts: from human-crafted to AI-driven products and services; from generalised targeting to individual customisation
• Resource shifts: from manual to data-driven decision-making; from human-dependent to AI-enhanced productivity; from uncertainty as obstacle to uncertainty as an unavoidable factor to manage

These shifts are not IT-level changes. They require a strategic response. The rise of generative AI and large language models has accelerated both the opportunity and the pressure (feuerriegel2024genai?).

Definition: AI strategy

An AI strategy is a set of guidelines for courses of action and decisions that directs AI projects in line with firm-specific goals and constraints toward a distinct strategic direction. (adapted from (urbach2026managing?))

The chain of argumentation

Why does AI specifically require its own strategy? (urbach2026managing?) lay out a four-step chain of reasoning:

• Facets of contemporary AI: three properties set AI apart from prior technology
  • Autonomy: acts without per-decision human instruction
  • Learning: behaviour changes over time
  • Inscrutability: internal logic is opaque to observers
• AI-induced shifts: these properties cause
  • Market shifts: competitive dynamics change
  • Resource shifts: what constitutes a scarce, valuable capability changes
• Strategic challenges: new tensions across all four dimensions — scope, scale, speed, and source
• Strategic response: a coherent AI strategy addressing all four dimensions simultaneously

Figure 1: Chain of argumentation for the need for an AI strategy. Adapted from (urbach2026managing?). {#fig-chain}

Step	Element	Content
1	Facets of contemporary AI	Autonomy — acts without per-decision human instruction · Learning — behaviour changes over time · Inscrutability — internal logic is opaque to observers
↓	lead to
2	AI-induced market and resource shifts	Market: from narrow to pervasive AI · from human-crafted to AI-driven products · from generalised to individual targeting · Resource: from manual to data-driven decision-making · uncertainty as unavoidable factor · AI-enhanced productivity
↓	result in
3	AI-related strategic challenges	Scope — setting up organisational structures · Scale — sourcing technological resources · Speed — balancing continuity and opportunity recognition · Source — assessing business model impact
↓	require a
4	Strategic response — AI strategy	Taxonomy — framework of dimensions and characteristics for strategy design · Clusters — typical manifestations of how organisations shape a strategic response in practice

Why inscrutability matters strategically

Most technologies fail in predictable, traceable ways. AI can fail silently, confidently, and in ways that are difficult to attribute. This inscrutability makes standard oversight mechanisms insufficient and creates accountability gaps that a strategy, not just an IT process, must address. Berente et al. (2021) argue that autonomy, learning, and inscrutability must be managed together, not in isolation — each interacts with the others.

The 4S taxonomy

A coherent AI strategy means making deliberate, consistent choices across all four dimensions (scope, scale, speed, and source).

The 4S maps the design space of those choices. It does not prescribe which configuration is right — that depends on the organisation’s competitive position, resource base, industry context, and risk appetite.

Table 1: Taxonomy of AI strategy (15 dimensions across 4 layers). Adapted from (urbach2026managing?). {#fig-taxonomy}

Layer	Dimension	Characteristics
Scope	Strategic ownership	Central staff unit · Separate department · Integrated team · Cross-functional unit
	Organisational anchoring	Corporate · Divisional · Functional · Proprietary
	Lifecycle management	Centralised · Decentralised · Federal
	Governance level	Enterprise-wide · Portfolio-based · Application-specific
	Control mechanisms	Guiding · Restricting · No additional
	Data governance framework	Isolated · Hybrid · Integrated
Scale	Knowledge acquisition	Training · Hiring · Contracting
	Technology sourcing	Make · Hybrid · Buy
Speed	Use case identification	Systematical · Experimental
	Use case expansion	One-to-many · Many-to-one
Source	Technology aspiration	Established · Cutting-edge · Bleeding-edge
	Business model impact	Complementing · Extending · Renewing
	Risk tolerance	High risk · Limited risk · Minimal risk
	Value creation	Frontstage · Backstage · Front- and backstage
	Value recipient effect	Replacing · Reinforcing · Revealing

Strategic archetypes

Identifying the right archetype matters because each implies a different set of operational decisions:

• Use case selection: a Business Enhancer should prioritise process improvement use cases with clear ROI; a Technology Navigator should invest in proprietary capability-building even without immediate payoff
• Sourcing decisions: an Operations Stabilizer buys ready-made solutions; an Innovation Explorer experiments with open-source and in-house development
• Governance design: a Technology Navigator needs enterprise-wide AI governance; a Business Enhancer may manage AI at the portfolio or project level
• Risk tolerance: an Operations Stabilizer treats model failure as unacceptable; a Technology Navigator accepts more experimental risk in exchange for learning

Table 2: Clusters of AI strategy — four strategic archetypes. Adapted from (urbach2026managing?). {#fig-clusters}

Archetype	Strategic orientation	Examples
Technology Navigator	Pushes AI boundaries through R&D; undertakes risky but rewarding projects to achieve technological breakthroughs at the forefront of AI	JPMorgan, Microsoft, Infineon, SAP
Innovation Explorer	Delves into promising emerging territories; invests substantially in AI to unlock new value streams alongside existing products and services	American Express, Bayer, E.ON, Volkswagen
Business Enhancer	Focuses on improving operational performance with AI; explores initial use cases but is cautious about widespread application	MTU Aero Engines, P&G, Linde, Chevron
Operations Stabilizer	Resorts to AI in only a few isolated use cases; prefers stability and reliability over breakthrough innovations due to potential risks	Henkel, Nike, McDonald’s, Coca-Cola

Misalignment between archetype and actual decisions is a primary driver of AI project failure. An organisation that behaves like an Innovation Explorer in its use-case selection but like an Operations Stabilizer in its resourcing will run ambitious experiments with inadequate infrastructure. The archetype identification makes these misalignments visible before they become expensive.

No archetype is inherently superior

A regulated utility pursuing an Operations Stabilizer approach may be making a more rational strategic choice than a startup chasing cutting-edge technology it cannot sustain. What matters is internal consistency: the chosen archetype should be coherent with the organisation’s competitive context, and all four strategic dimensions (“4S”) should point in the same direction. The goal of AI strategizing is not to maximise technological ambition but to match strategic posture to organisational reality.

Misalignment between archetype and actual decisions is a primary driver of AI project failure.

AI Readiness

Definition and motivation

AI readiness is the preparedness of an organisation to implement changes involving AI applications and technology. (alsheibani2018aireadiness?)

The concept matters because strategy on paper does not equal strategy in practice. An organisation may choose the right archetype and still fail to execute, because the necessary conditions are not in place. AI readiness identifies those conditions.

Why a dedicated term is needed

“Digital readiness” or “technology readiness” captures part of the picture but misses what is distinctive about AI. AI requires not just infrastructure and skills, but a cultural tolerance for probabilistic outputs, opaque reasoning, and systems that change their own behaviour over time. Readiness for AI is therefore both broader and more specific than generic technology readiness — which is why it warrants its own construct.

Organisational readiness for change

Before any AI-specific factors, organisations must have a baseline capacity to adopt and sustain new technology at all:

• Financial and technological resources: adequate investment capacity and infrastructure
• Management support: active sponsorship from leadership; without it, initiatives lose priority when they compete with operations
• Organisational culture: tolerance for experimentation, calculated risk, and continuous learning
• Commitment: sustained resolve to work through implementation setbacks

These factors are necessary but not sufficient. AI adds further demands on top of them.

AI-specific readiness factors

• Innovation adoption: shaped by perceived relative advantage, compatibility, complexity, trialability, and observability (also see rogers2003diffusion?); for AI, complexity and observability are particular friction points — AI systems are harder to pilot meaningfully than conventional software, and their value is often indirect and delayed
• Resources: rare skill combinations (data scientists, ML engineers, domain experts, AI-literate managers); qualitatively different infrastructure (high-performance compute, scalable data pipelines, MLOps tooling); organisations that underestimate these requirements tend to reach proof-of-concept and then stall
• Knowledge: AI literacy cannot be limited to a specialist team; Article 4 of the EU AI Act mandates adequate literacy for all staff involved in operating or using AI systems, calibrated to role and context
• Culture: psychological safety to challenge AI outputs; cross-functional collaboration as a prerequisite; AI exposes errors in ways conventional software does not — blame cultures will find AI particularly difficult to deploy responsibly
• Data: availability, quality, accessibility, and governance — data is the fuel of AI and the most common bottleneck in practice

An organisation with strong strategic intent but poor data readiness cannot realise AI’s potential regardless of technical investment. Data readiness assessment is therefore a prerequisite to AI strategy execution (urbach2026managing?).

Readiness is not a binary state — it is a profile of strengths and gaps that determines whether strategy can be executed.

Governance of AI

Discussion

When you hear “AI governance,” what comes to mind — an ethical issue, a legal issue, or an operational issue?

Why governance cannot be an afterthought

An AI strategy tells an organisation what to pursue. Governance answers under what conditions and according to what rules.

Without governance, even a well-designed strategy degrades in practice:

• Responsibilities are unclear
• Risks accumulate silently
• Accountability evaporates the moment something goes wrong

The case for governance is not primarily ethical — it is operational. AI systems learn from data, behave probabilistically, fail in subtle and delayed ways, and are often opaque even to their builders. Standard IT controls are necessary but not sufficient.

Definition: AI governance

Governance mechanisms are structured frameworks, policies, procedures, and controls that guide, monitor, and manage operations to ensure alignment with organisational objectives, ethical standards, and regulatory requirements. AI governance specifically addresses the complexity, opacity, and failure modes that are particular to AI systems and that increase uncertainty and risk in ways that generic IT governance does not fully capture (urbach2026managing?).

The risk landscape

Before deciding what governance is needed, an organisation must understand what it is governing against. AI-related risks arise at four levels (urbach2026managing?):

1. Technical risks: data and model uncertainty; complex error traceability; cybersecurity vulnerabilities (adversarial inputs, data poisoning, model inversion)
2. Economic risks: cost escalation without proportional value; non-acceptance negating AI’s value; operational disruption and reputational damage from biased outputs
3. Regulatory risks: GDPR violations at AI scale; EU AI Act (Art. 9 and Art. 14) non-compliance; absence of agreed industry standards
4. Ethical and social risks: algorithmic bias invisible in aggregate metrics; opacity breeding mistrust; job displacement and erosion of human agency

Risk interaction

These four categories are not independent. A technical failure (biased model) creates economic risk (damaged reputation), triggers regulatory scrutiny (GDPR, EU AI Act), and constitutes an ethical harm (discriminatory decisions). Governance must address all four simultaneously.

Three types of governance mechanisms

Effective AI governance is not a single policy or a compliance checklist. It is a portfolio of mechanisms at three complementary levels (urbach2026managing?).

Structural mechanisms

Define the formal organisational architecture within which AI decisions are made and accountability is assigned.

• Roles and responsibilities: operational (project leads, product owners) and strategic (executive sponsors, Chief AI Officer — CAIO)
• Cross-functional governance bodies: AI steering committees integrating legal, compliance, technical, and business perspectives
• Centres of Excellence: centralise expertise, set standards, reduce fragmentation across business units

The core challenge structural governance addresses is AI’s inherently interdisciplinary nature. Data scientists, engineers, legal staff, compliance officers, domain experts, and business strategists all have essential and often conflicting perspectives. Without a clear structure, these perspectives do not converge — they create friction.

Procedural and relational mechanisms

Procedural mechanisms

Define how AI is developed, validated, deployed, and monitored.

• Documentation standards: traceability of model development, testing, and known limitations
• Quality assurance: coding guidelines, testing protocols, and validation procedures across the AI lifecycle
• Compliance monitoring: continuous checks against legal and internal standards
• Escalation procedures: defined pathways for flagging unexpected model behaviour or performance degradation

Relational mechanisms

Address the collaborative dynamics across the people and teams involved in AI.

• Interdisciplinary team design: technical, legal, domain, and ethical expertise in working teams — not sequential handoffs
• Training and onboarding: AI fundamentals, governance structures, and ethical implications for all team members
• Transparency practices: explainability tools and accessible reporting for non-technical stakeholders
• Dialogue and feedback loops: regular alignment, workshops, channels for surfacing concerns early

Procedural governance is particularly important because AI’s behaviour is not fully specified in advance — it emerges from training. Without structured processes, there is no reliable way to know whether the system deployed last month still behaves as expected today.

Relational mechanisms are often the least formalised and the most neglected — yet their absence is frequently what causes well-designed structural and procedural frameworks to fail in practice. A governance body that never actually convenes cross-functional dialogue produces documents, not accountability.

A governance body that never convenes cross-functional dialogue produces documents, not accountability.

Transforming toward AI governance

Governance does not appear fully formed. It must be built iteratively, and it must be integrated into existing governance structures — not layered on top as a separate system (urbach2026managing?).

Several established frameworks provide concrete reference points:

• ISO/IEC 42001:2023 — first certifiable AI management system standard
• NIST AI RMF 1.0 — voluntary, outcome-oriented; four functions: Map, Measure, Manage, Govern
• OECD Recommendation on AI (2019, updated 2023/2024) — intergovernmental reference framework
• EU AI Act — the most comprehensive and legally binding

The EU AI Act

What it is and why it matters

The EU AI Act (Regulation 2024/1689) is the world’s first comprehensive, legally binding AI regulation. It applies to any AI system deployed in the EU — regardless of where the provider is based (from 2027 on).

For managing AI, three things matter most:

• What it regulates — which AI systems face obligations
• What it requires — what those obligations are
• Who is responsible — which actors must comply

The risk-based logic

The Act’s defining design principle is proportionality: obligations scale with potential harm to people and society.

• Minimal or no risk — no additional obligations; e.g., recommendation engines, spam filters, video game AI; the vast majority of currently deployed AI
• Limited risk — transparency and disclosure only; chatbots must disclose they are AI; AI-generated content must be identifiable; deepfakes must be labelled
• High risk — strict obligations before and during deployment; covers critical infrastructure, healthcare, education, employment, access to essential services, law enforcement, migration, administration of justice
• Unacceptable risk — banned outright; social scoring, predictive policing by profiling, untargeted biometric scraping, emotion recognition in workplaces and schools, subliminal manipulation, exploitation of vulnerabilities

What high-risk deployment actually requires

For high-risk systems, the Act mandates:

• Continuous risk management (Art. 9): throughout the entire AI lifecycle — not a one-time pre-deployment check
• Human oversight (Art. 14): humans must be able to monitor, understand, interpret, and override outputs
• Data quality and governance (Art. 10): quality standards and demographic representation in training, validation, and test data
• Technical documentation (Art. 11): comprehensive, maintained throughout the lifecycle
• Transparency toward users (Art. 13): deployers must inform individuals when subject to a high-risk AI decision
• Audit logging: records enabling post-hoc review and accountability
• Conformity assessment: formal compliance assessment before deployment; third-party audit for certain categories
• AI literacy (Art. 4): a legal obligation for all staff involved in operating or using AI systems — not a recommendation, and not limited to technical teams

Who is responsible

The Act deliberately distributes obligations across the AI value chain:

• Providers build AI systems and place them on the market — they bear the heaviest obligations: conformity assessments, technical documentation, registration in the EU AI database, post-market monitoring
• Deployers use a provider’s AI system in their own products or processes — they cannot outsource compliance to their vendor; directly responsible for human oversight, staff literacy, informing affected individuals, and maintaining operational logs
• Affected individuals have the right to know that an AI system was involved in a decision significantly affecting them

The practical implication

Many organisations are deployers of high-risk AI without having classified themselves as such. A performance management system that uses ML to rank employees is high-risk. An automated loan pre-screening tool is high-risk. Before asking what the Act requires, managers must first ask honestly: where do our AI systems sit in the risk classification? The answer will often be less comfortable than assumed (urbach2026managing?).

Many organisations are deployers of high-risk AI without having classified themselves as such.

Generative AI and GPAI

Large foundation models (LLMs, diffusion models, multimodal systems) are regulated under a distinct regime as General Purpose AI (GPAI) systems.

GPAI presents a unique regulatory challenge: these models are not designed for a single application — risk cannot be fully assessed at development time.

• Providers must document and disclose training data, including copyright compliance
• Providers must supply technical documentation of capabilities, limitations, and known risks to downstream deployers
• Providers must comply with EU copyright law and demonstrate adherence to the Copyright Directive’s text and data mining provisions

For deployers: the risk classification depends on the use case, not the underlying model. The same LLM powering a general chatbot (limited-risk) becomes high-risk when integrated into automated recruitment screening.

Compliance as a floor

The EU AI Act sets minimum requirements. Meeting them is necessary — but does not guarantee that a system is trustworthy or well-governed.

Compliance means the system meets the legal baseline for EU deployment.

The governance mechanisms — risk management, human oversight, structural accountability, relational transparency — are what transform compliance from a checklist into a genuine capability (urbach2026managing?).

Literature

Berente, N., Gu, B., Recker, J., & Santhanam, R. (2021). Managing artificial intelligence. MIS Quarterly, 45(3), 1433–1450. https://doi.org/10.25300/MISQ/2021/16274