The new CIO mandate is clear: facilitate AI adoption across the enterprise at speed. According to CIO.com’s State of the CIO survey, CEOs’ top priority for their IT executives is to capitalize on AI. From researching to evaluating AI products, CIOs are now the central figures in their organizations’ AI strategies.
And company leaders are looking for real outcomes. Almost two-thirds of senior leaders report there is more pressure to prove ROI on their AI investments than a year ago, according to Kyndryl’s 2025 Readiness Report. Numerous sources — from the board, to the CEO, to business units and competitors — are behind this pressure, says Jonathan Tushman, chief AI officer and CTO at Hi Marley, a customer conversational platform for the property and casualty insurance industry.
Succeeding in the task ahead of them requires complex conversations, and getting through legal, compliance, and other checks “at a reasonable clip,” adds Tushman, who added CAIO to his remit more than 18 months ago but has felt added urgency in the past six months. In professional gatherings, board conversations, and almost everywhere across the business world, the conversation turns to AI — and then quickly the fear of falling behind.
That includes employees as well. “It’s the engineering team and there’s everybody else — marketing, sales, finance. It’s people who are not AI-native, but they’re very eager to use these tools at an early level,” he says.
As CIOs find themselves facing pressure to scale and demonstrate real value, the challenge is keeping up with risk considerations — without creating unnecessary friction.
“CIOs cannot be risk averse on this,” says Karthik Chakkarapani, SVP, CIO, and head of enterprise AI at Zuora. “We need to do security and governance, but we don’t want to be seen as slowing down the process. You have to build the highway with enough guardrails and fewer speed breakers.”
Moreover, he adds, “this is not about automating existing work. This is reimagining how work gets done.”
Most IT leaders are a long way from feeling comfortable with the new AI risk management balancing act. Just 31% of respondents feel completely ready across external business risks, Kyndryl’s survey reports. Tushman believes two things are genuinely different about the risks AI introduces. The first is that AI is indeterminate, whereas most technology is deterministic. “You can’t prove an AI system will or won’t do X, so the traditional ‘put controls around it and verify’ model breaks down,” he says. “We need a different way to govern something whose behavior you fundamentally can’t pin down.”
The second is the gravitational pull on end-users. “With most tech, IT could take its time evaluating before rollout,” he says. “With AI, if you don’t put powerful tools in front of people fast, they’ll route around you — and shadow use creates more risk than controlled access ever would. The timeline compresses at the same time the control model gets harder.”
Tony Vizza, founder and managing partner of Novera, agrees that the instinct to move fast can lead to the exact failures everyone fears. “This might be staff putting sensitive information into public tools without a proper governance structure, or people copying and pasting straight out of AI and sending incorrect deliverables to customers,” says Vizza.
Organizations should avoid jumping into AI because of the fear of missing out without first clarifying where and how it will be used. All risk decisions should flow from these questions, he says. “What problems are you trying to solve — is it better customer service or deeper insight into your data? What are you actually trying to do?”
Vizza recommends guiding AI decisions with a risk assessment that considers expected outcomes, size of investment, and its importance to the organization’s objectives. “You define your risk appetite, build a risk register, and define what risk treatment should be for each risk,” he says. “For example, if you’re going to use a public AI model, you might treat that risk by not putting sensitive data in or buying the right license so that if you do, you’re covered, or getting guidance from the regulator before you proceed.”
Organizations must also consider AI services as a third-party risk, and not leave all accountability with AI providers, Vizza says. “You can’t outsource the responsibility,” he adds. Due diligence is required to understand what is in the AI provider’s contract, who is responsible if they have a data breach, and how your organization can pursue them if something goes wrong. “Some organizations build that into their risk management process. Others are quite flippant or don’t even know they should be asking those questions — and that’s what gets them stuck down the track,” he says.
At Hi Marley, Tushman and team have made structural decisions to foster “healthy internal tensions” that are intended to surface and address AI risk considerations. This includes separation between the “AI adopters” in the product and technical teams and the “AI oversight” teams in compliance and legal. Compliance owns the audits, security concerns, and ongoing oversight, while legal owns the documentation that describes the boundaries. “The key is that it’s independent from the teams pushing AI forward,” he says.
“Companies need to invest seriously in these compliance functions. Hire smart, nuanced people. These roles can’t just be ‘no’ machines, but they can’t rubber-stamp everything either. The value is in the judgment,” he says.
Tushman’s role is the AI innovation steward, spearheading AI adoption that includes being challenged on risk, compliance, and legal considerations. “We have a senior leadership team and we have ‘conflict by design’ within that group,” he says. “I play the CAIO role and next to me, I have our head of legal and our head of compliance. So in that leadership team, if we have ‘conflict,’ we’re able to understand the trade-offs and make a decision as a group.”
Tushman believes this creates healthy tension: Innovation-minded leaders push boundaries while compliance and risk leaders counterbalance them. But if a decision can’t be reached, it goes to the CEO. “I do recommend a split decision goes to another officer in the organization,” he says.
Decisions about organizational structure could prove to be as consequential as the AI adoption decisions themselves, Tushman says. “The companies that get the organizational design right early will have a real advantage,” he explains.
One of the features of the AI wave is the thirst for access — from the board to employees — to use the tools, build applications, and start putting them to work. “Right now, everyone’s dying to try it,” says Tushman. Hi Marley is in the “activation” phase — meeting the appetite for the tools with safety wrappers. “My main goal here is to have people learn the tools, start using them, and gain some competency with them,” he says. “We will get to the measurement phase, but I think spending too much time on measuring right now is not worth the effort.”
Tushman, like many, is watching how quickly models improve. “AI has huge implications for how you organize, how you hire, and what buy-versus-build decisions you make,” he says.
Zuora, which specializes in software for subscription and recurring revenue businesses, is three years into its AI journey. Chakkarapani is adamant that speed for speed’s sake is not the goal. “We don’t want to take an existing process and just make it faster. You’re just making a process more chaotic. Can we make it fast, smarter, and reorganize it?”
Vizza believes a good percentage of CIOs will need external help to navigate the push for rapid AI adoption. “Or they’ll need to upskill themselves, because AI operates very differently to traditional IT,” he says. His advice is threefold. First, “make your decisions on the right basis — either learn how AI really works or bring in someone who can advise you properly,” he says. Second, bring it back to the business purpose. “There are opportunities with AI, but the core question is, ‘What are we trying to achieve by bringing this in?’” And third, work out how you’re going to manage the risk. “Risk isn’t necessarily a bad thing — Formula 1 cars are risky, but they have very good braking systems so they can go faster,” he says. “It’s the same with AI: You put the right risk management in place so the business can move quickly without suffering adverse consequences.”
In its almost three-year AI journey, Zuora started with experimentation before moving 12 enterprise-wide pilots into production, Chakkarapani says, adding that there are three pillars to assess potential AI projects against: effort, value, and confidence. “Effort includes the security risk,” he says. “Is it low, medium, or high?”
Chakkarapani’s team started with simple executions, although the first experiments didn’t go as hoped — providing valuable lessons for the following ones. “We learned AI is only good when you have the right data — the right content, context, and governance,” he says. They moved on to IT service management and that’s when the practical learnings really started, gaining feedback from internal teams and users, answering the security and governance questions, and iterating as they went.
Early applications include marketing, sales, product, and technology, achieving 10x to 25x throughput improvements. Success is measured in business outcomes such as growth, cost saving, customer engagement. Through this process, the team has been doing the “behind the scenes” work to speed AI adoption across the company. “We realized that to go at speed and scale, we need to have the right trust, security, and governance underlying it,” he says.
An enterprise-wide platform connects Zuora’s approved AI services, including ChatGPT and domain-specific tools, to its structured and unstructured data. On top of this is the context layer and services so that people can build their own applications. It uses each employee’s existing login and organizational profile, and it respects the same role-based security.
“We slowly developed the framework that became our blueprint with the 10 to 12 things that need to be considered when creating an AI-driven application. When someone is interested, they’re taken to the self-directed process with these do’s and don’ts that is automatically downloaded as a markdown file to that person’s computer,” he says.
The ultimate aim is delivering up to 100x business value through an enterprise-wide governed platform — covering IT, HR, finance, legal, procurement, sales, and product. IT plays the role of orchestrator, providing the platform to access the tools and agents and collaborating with the business team to reorganize that workflow.
Chakkarapani believes the more secure the environment, the more it paves the way for experimentation, adoption, and, in time, business results. At Zuora, Chakkarapani has evolved this process through three levels of organizational AI maturity to date. Level 1: IT provides a platform and services. Employees have controlled access to data based on their role and security privileges. They can create their own agent for themselves. If something doesn’t pass the minimal security and compliance requirements, it cannot move ahead. Level 2: An employee-built agent goes through an IT governance check for duplication or overlap, model improvements, security scans, and manual reviews. If approved, it’s shared with the wider enterprise. “We’re doing well on that, but it’s still a lot of manual work because there are no tools in the market that can automate this,” he says. Level 3: At this stage of maturity, an organization has established a secure foundation across its applications so AI can scale safely. At Zuora, over six to eight months the team tightened endpoint and application security, enforced mobile device management, introduced AI usage monitoring (including what staff upload into prompts), and disabled Google authentication to block personal or bulk email accounts from accessing unapproved apps.
Earlier this year, the team embarked on working toward Level 4 maturity, where anyone can create a functioning application with minimal human involvement. Realistically, they expect to be 80% to 85% zero-touch because the final mile will still require human involvement. “My goal is to provide a zero-touch service for anybody in the organization to create applications. If we do, they can go from a concept to an idea, prototype, design, and production — and they do it in less than two weeks,” he says.
According to the Logicalis Global CIO Report 2026, which surveyed over 1,000 CIOs globally, 94% of CIOs say organisational appetite for AI is growing, yet half say adoption is too fast. CIOs report early proof-of-concept success, but two-thirds don’t believe they can scale AI beyond initial deployments. 62% report compromising on governance due to limited knowledge. 76% of CIOs say unchecked AI remains a serious concern. Just 39% of CIOs are confident their organisation actively manages AI’s environmental impact. Most organisations (94%) report an increased appetite for AI over the past year, yet the structure to support that ambition is lagging. More than half believe AI adoption is already moving too fast, and an overwhelming 89% describe their organisation’s current approach as “learning as we go.”
Driving that appetite is early evidence that AI delivers. Over a third of organisations have accelerated their AI initiatives based on proof-of-concept results, and the technology is delivering impact in areas such as strengthening predictive analytics and data-driven forecasting and enhancing the customer experience. However, two-thirds of CIOs don’t believe they can scale AI beyond initial deployments. The most frequently cited constraint is not funding, but skills. A lack of internal technical capability is holding back AI ambitions in almost nine out of ten organisations. However, structural frameworks are also a significant challenge. While most CIOs use AI governance controls to some extent, 62% report compromising on governance due to limited knowledge and just 44% say they fully grasp the risks of AI adoption. What’s more, 76% of CIOs say unchecked AI remains a serious concern for them.
According to CIO.com’s 2026 State of the CIO survey, less than a fifth (19%) of respondents say AI initiatives have met or exceeded business goals, and 18% admit fewer than a third of AI use cases are meeting defined expectations. Lack of clarity around business strategy and metrics is proving to be a major barrier to advancing CIOs’ AI agendas. Almost a third (32%) of this year’s State of the CIO respondents called out ill-defined ROI metrics as a hurdle to scaling AI, along with murky corporate AI strategy (31%) and a lack of in-house expertise, cited by 40% of this year’s respondents.
“No one is measuring ROI on an ongoing basis because we are facing counterpressures from every vice president and line-of-business domain looking to implement AI for their own optimization,” notes Andrea Ballinger, CIO at Rensselaer Polytechnic Institute (RPI). “We are saying yes to everyone without stepping back and focusing on the business cases that show real value.”
The dynamic is starting to shift as organizations prioritize targeted use cases and lay the groundwork for scalability and ROI. Cross-functional steering committees and specialized task forces are emerging as critical building blocks to identify, prioritize, and align use cases to enterprise goals. Eighty-three percent of IT leaders surveyed confirmed their organizations either have such structures in place or are planning to implement them within the year. IT is the dominant player on these committees with other functional areas well represented, including corporate leadership and security and risk teams, and to a lesser degree, business-oriented domains such as finance, legal, and HR.
Formal processes for approving AI projects are far less evolved. Slightly more than half (53%) of 2026 State of the CIO respondents have established some type of official approval process, with 28% planning to activate something within the next 12 months. KPIs, another critical milestone for AI success, are also not well defined in most enterprises. Less than half (47%) of respondents have established formal metrics, with another 34% planning to do so within the year. For those measuring AI success, operational efficiency and process improvement rank as the top metric, cited by 40% of respondents, followed by employee productivity (34%) and cost reduction (30%). AI’s impact on revenue or growth is less of a factor today, cited by only 27% of respondents.
First Student, a leading provider of school bus transportation services, has stood up a well-defined innovation framework and AI-specific council — two moves CIO Sean McCormack credits to the firm’s early success scaling AI initiatives aligned to key business goals. The AI council, with representation across business leaders and the C-suite, meets regularly to review AI use cases and identify those with most potential for payback. “We have more discipline around business cases than most companies,” says McCormack. “Everything is metrics-driven and dependent on proving value. By the time we put something into production, it’s been through a series of proof of concepts, there’s been a deep dive on financials, and we are able to move quickly and demonstrate value.”
Three years into its AI journey, TIAA has a rich stable of generative AI and agentic AI use cases spanning fraud detection and prevention along with call center companions and a litany of other tools. The majority (85%) of the lifetime income-focused firm’s workforce uses TIAA GAIT, its internal AI platform. Yet even with all the right structures in place — investment in training, robust governance frameworks, steering committees, an AI center of excellence (CoE), and an enterprise mandate for strategic use of AI as part of everyone’s performance goals — ROI remains a challenge. “What’s on paper sometimes doesn’t turn into real ROI given the reality of operational costs,” notes Sastry Durvasula, TIAA’s chief operating, information & digital officer. “Something may prove to be a successful pilot, but you need to understand the full cost of operations — for example, the efficiencies of running tokens or how you’re handling traffic or RAG.”
Thomas Prommer, a longtime CTO, CIO, and CAIO, makes three recommendations to facilitate the quest for AI ROI. First, establish joint accountability at the project level with a named technical and business sponsor for each project, both of whom co-own outcomes. His firm had success replacing a centralized AI CoE with embedded AI squads that live inside individual business units. The CoE model created a clearinghouse that nobody owned, whereas embedded teams force accountability at the point of business impact, he explains. Prommer’s third recommendation is to implement stage-gated funding tied to outcome milestones, not deliverable milestones. “We don’t fund ‘build a model,’ we fund ‘reduce returns by 8% on this category’ with checkpoints at 90, 180, and 270 days,” he explains. “Projects that miss two checkpoints gets killed. We kill roughly a third of what we start and that’s healthy.”
Developing a keen understanding of business workflows and engineering the experience layer for the people tasked with executing AI-enriched workflows is essential to creating value and effective adoption at scale. “If someone on the data science team builds a great model that provides insights on improving manufacturing efficiency, but it’s so far removed from what the shop floor supervisor does in day-to-day life, it will never be used at scale,” says Sriram Krishnasamy, the former chief digital information and transformation officer at FedEx.
Who better than the CIO to usher in the organizational structures and business practices that help identify the right AI use cases and establish metrics for success. IT leaders’ in-depth knowledge of AI and the broader technology stack is a plus. But the reason top executives are leaning on CIOs as critical orchestrators of AI is their proven ability to work effectively across business functions and serve as change management champions. Almost half (46%) of this year’s respondents view the CIO as a business leader who proactively identifies business needs and opportunities and follows up with technology and provider recommendations that align with stated business goals. The vast majority (83%) view CIOs as a changemaker.
Much like last year, the top CEO priority for IT leaders is to research and implement AI products and projects, cited by 27% of respondents. IT leaders are meeting the mandate by working far more closely with lines of business on AI applications, according to 79% of respondents. “AI requires so much executive engagement — in our case, it made the most sense for me to lead the charge,” says First Student’s McCormack, also a member of CIO.com’s Hall of Fame.
This year’s IT leader respondents expect to accelerate and expand involvement with AI/machine learning (76%) and agentic AI (70%), as well as cybersecurity (63%). Responding organizations anticipate a boost in investments across the full complement of AI technologies, including generative AI (67%), machine learning (66%), and agentic AI (65%) over the coming year.
First Student is currently running AI in production at scale across multiple use cases, including for predictive maintenance, fleet and driver safety, contract development, automated hiring, agentic software development, and agentic voice bots that assist internal users with help desk and HR issues. As the company builds out its portfolio of AI-enabled use cases, McCormack says it’s critical to ground everything in a flexible architecture. “It’s such a changing landscape; it’s difficult to pick a solution,” he explains. “We’re building our own architecture so we can quickly switch models” and not be dependent on one system, he says.
While AI commands an all-hands-on-deck approach, it’s not the only CEO directive for CIOs this year. Cyber and data security remain top-of-mind in the C-suite, with a quarter of State of the CIO respondents noting it as a top CEO priority for 2026, up from 20% last year. CEOs are also looking for CIOs to strengthen IT and business collaboration, cited by 23% of 2026 respondents. To achieve those directives, CIOs are expanding technology initiatives in areas such as business process and IT automation (56%), security and risk management (55%), and data and business analytics (54%).
Building a solid data and governance foundation is the most important agenda item at RPI, primarily in preparation for more extensive AI deployment and adoption. Ballinger, 70 days into her tenure as RPI CIO, concedes the educational institution is not aiming to be on the first adopter wave of AI innovation. Rather, its strategy is to adapt, grow, and transform organizational structures and its data ecosystem in pursuit of maximizing AI’s promised advantages. Ballinger is currently shopping an RFP that encompasses a data fabric layer, secure containerization, and a data factory approach. “We are designing the ecosystem with strategy and KPIs in mind,” she says. “The entire process is predicated on deciding what business cases are valuable before they hit the data ecosystem. We’re not looking to put something into the ecosystem and hope it gets a return.”
With the pace of change growing more intense and the stakes surrounding AI innovation soaring higher, the CIO role continues to be more business-oriented and less straight technology focused. Eighty-four percent of this year’s IT leader respondent pegged the CIO position as more digital and innovation focused while 82% confirmed that CIOs are more likely to actively lead digital transformation efforts compared to their business counterparts. With the average CIO now juggling 1.6 positions, including chief security officer, CISO, CAIO, and other business-related posts, the job continues to become more expansive, highly strategic, and more fulfilling, especially for leaders willing to close the door on the traditional “keeping the lights on” CIO model and embrace new challenges.
“The CIO of 2026 is a hybrid — half operating architect, half risk officer,” Prommer says. “The technology choices are getting easier, but the business and ethical choices are getting harder. CIOs who only know the tech stack will be reporting to CIOs who know both.”
A new IBM Institute for Business Value survey of 2,000 technology executives found that two-thirds of CIOs and CTOs are being held accountable for AI systems they do not fully control. “For CIOs and CTOs, the challenge now is scaling AI systems that operate continuously and autonomously, often within governance models and architectures designed for a far slower, more predictable environment,” said Matt Lyteson, CIO, IBM. Governance is also falling behind, with 77% of organizations surveyed reporting AI adoption is already outpacing current governance capabilities. Analysis shows that in organizations relying on manual governance, incident risk increases as AI adoption scales, whereas those that embed control directly into their AI systems experience 25% fewer incidents.
According to OneTrust’s 2025 AI-Ready Governance Report, which surveyed 1,250 IT decision-makers, nearly all — 98% — of enterprises plan to increase governance budgets in the next financial year, with the average business anticipating a 24% jump. More money is going into governance as 86% of IT leaders with “advanced AI adoption” say they’ve identified gaps in visibility, collaboration and policy enforcement. Teams spent 37% more time managing AI-related risks year over year, highlighting the growing complexity of AI oversight.
According to the Info-Tech Research Group AI Trends 2026 report, CIOs and IT leaders must balance AI’s potential with competing risks and responsibilities. Select business-driven use cases for agentic AI and include human oversight when developing agentic AI applications. Develop an adaptive AI governance framework to provide safeguards and self-regulate regardless of the legislative environment.
Recent coverage in CIO Dive on June 3, 2026, highlighted what CIOs should watch for in Trump’s AI oversight executive order signed June 2, 2026, titled “Promoting Advanced Artificial Intelligence Innovation and Security.” The order establishes a voluntary framework for government review of advanced “covered frontier” AI models for cybersecurity and national security assessments. Clear standards will be key to making the process worthwhile for AI providers and the companies that contract with them, tech experts say. Holland & Knight noted on June 16, 2026, that the EO expands cybersecurity and federal oversight elements.
These developments add another layer for CIOs already wrestling with internal structures. The separation of adopter and oversight teams at places like Hi Marley offers one model. Zuora’s maturity ladder shows how governance can enable rather than throttle progress. Surveys from Logicalis, CIO.com’s State of the CIO, Kyndryl, IBM, and OneTrust paint a consistent picture: ambition runs high, scaling remains hard, and accountability is shifting onto leaders who may not control every model in production.
The organizations pulling ahead appear to be those treating governance as an enabler of velocity, not a brake. They invest in independent compliance functions with real judgment. They embed accountability at the business-unit level rather than central clearinghouses. They stage-gate funding to outcomes. They build platforms that let employees experiment inside defined boundaries. And they accept that some experiments will fail — and kill them early.
For CIOs, the test is no longer whether to pursue AI. It is whether the structures around it will hold when the first real incidents or regulatory questions arrive. The highway is under construction. The guardrails are still being set.
WebProNews is an iEntry Publication