Building AI maturity on trusted foundations

Artificial Intelligence (AI) is no longer emerging. It is already embedded in how work is executed, often introduced through familiar AI platform experiences rather than deliberate transformation programs. As a result, many organisations are already using AI without having consciously decided how it should scale or be governed.

Across those progressing beyond early AI adoption on AI platforms, a consistent set of structural requirements emerges. While organisations move at different speeds, these requirements tend to appear in a recognisable sequence as AI shifts from experimentation to execution.

Establish trust before scale
Convert AI productivity into organisational capability
Use low code development and automation platforms as the governance backbone for innovation.
Identify what data can be used for reasoning with information governance platforms.
Enterprise AI control and accountability layer

These stages are not a prescriptive maturity model, nor are they dependent on specific product releases. They reflect the organisational, governance, and operating constraints that consistently surface as AI moves from assistive use into execution at scale.

1. Establish trust before scale

AI outcomes are only as strong as the data foundations beneath them. In practice, this makes data security, identity, and access control the starting point for AI maturity.

Executives must be confident about what data AI systems can access, how permissions apply in AI-assisted scenarios, and whether existing access models remain appropriate. This stage often exposes long-standing issues that were previously tolerated, including overly broad permissions, inconsistent content ownership, and legacy governance approaches that become risky once intelligence is layered across the organisation.

A defining characteristic of this approach is that AI operates within existing identity, security, and compliance boundaries, rather than bypassing them. Where trust exists, AI adoption accelerates. Where it does not, progress often slows or stalls.

Trust also extends beyond access into how information is classified, protected, and re-used; considerations that become unavoidable once AI begins reasoning across enterprise content.

Many organisations underestimate this stage. Security and data readiness are sometimes treated as hurdles to clear rather than capabilities to strengthen. In practice, organisations that invest properly here move faster later, because confidence replaces caution.

Trust is not a constraint on AI maturity. It is the enabler.

2. Convert AI productivity into organisational capability

For many organisations, copilots and native AI in software and tooling is where value first becomes visible. It reduces effort across drafting, summarisation, analysis, and information discovery, so people can spend more time on judgement and decision-making and less on mechanics.

Maturity, however, does not come from access alone. It comes from turning individual productivity gains into repeatable organisational outcomes. These include clearer ways of working, role-based patterns, and shared confidence in when AI is appropriate.

In the early stage, adoption is often uneven. Some teams see immediate benefit, while others struggle with inconsistent outputs, unclear expectations, or scepticism about reliability. The organisations that progress make the shift from general training to platform-specific habits that improve quality and trust:

Role-specific use cases and prompt patterns (not generic tips)
Shared norms for where AI is used, and where human judgement must lead

As capability grows, the emphasis shifts beyond assistance toward execution. AI-enabled coworking and workflow capabilities mark the beginning of this transition. They make visible a shift that many organisations were already approaching from AI assisting individual tasks to AI coordinating and executing multi-step work across teams.

Rather than only helping users produce content, these AI-enabled workflow tools can plan and carry out multi-step tasks, from drafting and coordinating to routing and updating work across the tools people already use. They should still operate within enterprise identity, security and compliance controls, while keeping people in the loop.

This is typically a turning point. Productivity gains become more material, but so do dependencies on process quality, data consistency and clear guardrails. When AI can execute work, the organisation needs to be explicit about what can be executed, by whom, with what approvals, and with what audit trail.

This marks a critical maturity shift, from AI assisting work to AI executing work. At that point, governance moves from “guidance” to “operating model”, and that is where low-code automation platforms and AI agent management tools become invaluable.

3. Use low code development and automation platforms as the governance backbone for Innovation

As automation and AI adoption scale, so does delivery demand. Teams want to build automations, apps and AI-enabled solutions quickly. Low-code application development platforms are often the route to doing so at pace.

Low-code app development, workflow automation and AI development tools enable delivery close to the business, using shared identity, data and policy foundations. This is a key advantage, as innovation can happen without stepping outside the boundary conditions established in Stage 1.

But speed introduces a predictable risk. Without common patterns and guardrails, organisations see duplicated solutions, inconsistent standards, unclear ownership and rising support overhead. When multiple teams are building AI agents and automations, fragmentation becomes a governance problem, not just a delivery nuisance.

Organisations that mature successfully establish a Centre of Excellence (CoE). The CoE is not a control function. It is an enablement capability that makes safe innovation repeatable through shared patterns, environment strategy, data and connector policies, lifecycle management and clear accountability.

This is often a decisive stage. Without leadership intent, innovation either stalls or splinters. With it, low-code and automation platforms become the governed backbone that allows AI-enabled delivery to scale across the enterprise rather than proliferate as isolated efforts.

Low-code and automation platforms govern how solutions are built and operated. They do not, on their own, resolve questions of information sensitivity, retention or reuse once AI begins reasoning over enterprise content at scale.

4. Identify what data can be used for reasoning

Once AI begins executing work rather than supporting individual tasks, the risk profile changes. The concern is no longer just what systems AI can access, but what information it can reason over, infer from and re-express.

AI assistants and emerging agentic capabilities can operate across emails, documents, chats, meetings and data repositories. In doing so, they surface patterns, connections and insights that were previously buried across silos. This is where many organisations encounter their next maturity constraint.

Information that was technically accessible but poorly classified, inconsistently labelled or governed only by convention suddenly becomes visible, summarised and reusable. Longstanding information management issues that were tolerated in a pre-AI world become material risks when AI can synthesise and redistribute content at speed.

This is where data governance and compliance tools become foundational to AI maturity.

These tools provide the information governance capabilities required to operate AI confidently at scale, including data discovery, sensitivity classification, retention, insider risk and compliance controls that extend into AI assistant and agentic experiences. They help ensure that AI systems respect not just access permissions, but also data context, sensitivity and organisational intent.

Organisations that mature successfully treat data governance and compliance not as a compliance afterthought, but as an enabling layer that allows AI to operate safely. They invest in classification strategies that reflect business realities, align retention and protection policies to how information is used, and ensure that leadership can answer practical questions such as:

What information can AI surface, reuse or infer?
How do we prevent sensitive context from being recombined unintentionally?
Can we trace, explain and defend AI-derived outputs?

Without this discipline, AI adoption either slows under risk concerns or accelerates into fragile territory. With it, AI can reason over enterprise information with confidence rather than caution.

At this stage, AI maturity is no longer defined by experimentation or capability. It is defined by whether the organisation can scale intelligence across its information estate without increasing risk exposure.

5. Enterprise AI control and accountability layer

With information governed through data governance and compliance tools, and low-code application development governed through a Centre of Excellence, the final challenge becomes oversight of autonomous agents.

As organisations approach more advanced operational use of AI, it must be treated with the same discipline as any other enterprise platform capability, with clear ownership, operational monitoring, risk management and continuous improvement.

The absence of these disciplines is one of the clearest signs that AI maturity has plateaued. When AI tools and agents proliferate without consistent oversight, organisations lose visibility into what is running, what it can access and what it is changing.

As AI agents become more autonomous, leadership concerns shift from “can we?” to “can we control it?”. CISOs and risk teams ask practical questions: Where are agents deployed? What data can they access? What actions can they take? What approvals are required? If something goes wrong, who is accountable?

This is where AI agent management and governance tools become important. They act as a governance, control and accountability layer for agentic AI, providing visibility of deployed agents, policy enforcement, security controls and the operational oversight required to run agents safely at scale. Their value is not novelty, it is confidence.

The need for this level of control and accountability predates any specific product. Security, risk and operations leaders have been asking these questions as soon as agents began executing work, regardless of tooling.

At this level, AI is no longer experimental. It is infrastructure, and it must be controlled and operated accordingly.

Final thought

Most organisations will not struggle with AI because of technology. They will struggle because execution outpaces trust, or because agents and automations scale faster than the controls that should surround them.

AI maturity emerges through intent. Not through early adoption of tools, but through deliberate progression from trust, to execution, to controlled operation.

The organisations that succeed will not be those that adopt AI first. They will be the ones that build a defensible enterprise capability, where AI can execute work at scale, with governance and accountability.