I had lunch a few weeks ago with an executive at a financial services firm, the kind of client every security advisor quietly hopes for: growing, regulated, complex enough to need real security help and profitable enough to pay for it. They'd kept a third-party technical and security advisor on retainer for years, someone who knew their environment cold and knew where the bodies were buried because he helped bury them.
Somewhere between the entrée and the coffee, the conversation turned to AI. The board had been pushing, competitors were moving, and they'd decided AI was going to be part of how they compete. To their credit, they wanted to do it right, securely and with a plan, so they took the question to the person they pay to answer exactly this kind of question.
"What should our AI implementation look like?"
The answer they got was "We'll have to get back to you on that." The client was asking the most consequential strategic question a business leader can ask right now, the one they'd been saving for the person they trusted most, and what they heard back was silence wearing a suit.
That advisor has no idea what the sentence cost him.
Moments after sharing that encounter, the executive told me the firm is already moving on, not on the AI project but on the entire relationship. The security retainer, the technical work, all of it. Their reasoning was blunt: if you can't help us secure the AI side, we can't trust you to keep up with the rest.
How many of your key relationships are teeing up this same conversation?
78% of Employees Are Already Using AI Their Employer Never Approved
Maybe you think your clients aren't there yet, too small, too traditional, too busy. Nobody's asked you the AI question, so the clock hasn't started.
When we talk with companies, leadership tells us flat out that nobody on the team is really using AI. When we ask how they know, the answer is always the same: they've never asked. A 2025 WalkMe survey found 78% of employees admit to using AI tools their employer never approved. Bookkeepers, paralegals, account managers, and executives pasting who-knows-what into free tools governed by who-knows-whose terms of service. Great.
Your clients' employees aren't waiting for permission. They've already started, without anyone in charge.
This is the first of a three-part series. By the end, you'll have a clear picture of what an AI enablement plan looks like, including the three steps and the trap hiding inside each one, along with a maturity ladder you can run as a conversation instead of a sales pitch.
The Three-Step AI Enablement Plan
An AI enablement plan has three steps: govern before you enable, deploy with discipline, and scale with oversight. Underneath all three sit the CIS AI controls, which turn your plan from "trust me" into "here's the standard."
Step One: Govern Before You Enable
This is the step businesses routinely skip. Before a single tool gets provisioned, you need to discover the use cases already in play, establish the rules, define the roles, and draw the data perimeters, because you can't secure what you haven't defined. In practice that means an acceptable use policy written specifically for AI and clear enough for everyone to understand, policy-driven data classification that names what information the business can't afford to leak, decision rights about who approves new use cases and reviews outputs, and a working definition of what "AI" even means inside this business, because not everything with the label carries the same risk.
How you roll it out matters as much as what's in it. Many companies make the same mistake parents make about dangerous subjects: they lead with fear, and the room shuts down. Nobody volunteers what they've been doing once they think they're about to get punished for it. Open with an announcement instead of a warning: "We're moving forward as an organization to empower you to grow this company with the assistance of AI." People who think AI is coming for their job will hide how they use it. People who think it's there to make them better will tell you the truth, and the truth is what governance runs on.
Done right, governance leaves you with a named AI risk owner, one name that’s accountable for risk and who picks up the phone when an AI output causes a problem. If an organization can't name that person, governance hasn't happened yet. The trap is treating governance as a deliverable instead of a posture. A policy PDF emailed once and opened never isn't governance, and assuming the existing infosec policy already covers AI is the second version of that mistake. Go read it, because it almost certainly says nothing about training-data exposure, output review, or what happens when software takes an action instead of making a suggestion.
Step Two: Deploy With Discipline
This is where you move off consumer-grade and shadow AI onto business-class platforms with real controls. Brand matters less than use case, and whoever leads the AI market today won't be leading it in six months, so steer away from wiring so tightly to one vendor that switching later becomes its own risk. Identity management needs to mirror the role-based controls you use everywhere else. Data loss prevention needs to sit between the tool and anything sensitive. Session logging needs to ensure every interaction leaves a record. And SIEM integration matters because logs nobody reads aren't oversight. Then retire the shadow by blocking consumer-grade access for sanctioned work while making sure the approved tools cover the jobs people were doing in the dark.
The trap is buying the enterprise license and assuming the word "enterprise" did the work. The enterprise tier removes the worst defaults, but retention windows, model access, tenant restrictions, and audit log scope are still intentional choices somebody has to make. The client can buy the license without you. Knowing which toggles matter is where you earn the engagement.
Step Three: Scale With Oversight
This is where AI stops being a writing assistant and becomes a participant in workflows, with agents taking actions and Model Context Protocol connections giving models hands. The work here is defining which workflows are candidates for agentic AI and which aren't, standardizing how MCP servers get vetted and logged, building an oversight loop with usage metrics and output sampling, and writing an AI incident playbook before you need one. Agents belong where inputs and outputs are clearly defined, where an error is recoverable before it causes real damage, and where a human review gate can sit between the decision and the action. They don't belong anywhere with irrevocable financial, legal, or safety consequences, or anywhere nobody's written down what an AI incident would even look like.
The trap deserves a real story. In September 2025, researchers discovered a malicious MCP server hiding inside an npm package called postmark-mcp. Version 1.0.16 added exactly one line of code that quietly BCC'd a copy of every email flowing through the server to an attacker-controlled address, and roughly 300 organizations had wired it into real workflows before anyone noticed. Letting users self-install servers from public registries with nobody vetting them is how you get there. A compromised server doesn't just infect a machine, it sits inside the workflows your client trusts most. If a decision maker’s eyes glaze during the governance talk, tell them this story.
The Industry Standard Behind the Plan: CIS AI Controls
In April 2026, the Center for Internet Security released three companion guides extending the CIS Critical Security Controls into AI environments: one for large language models, one for AI agents, and one for MCP. You don't have to invent your own control framework for AI. The LLM guide carries steps one and two, where data exposure is the central risk, and the agents and MCP guides carry step three, where autonomy and supply chain take over. When you get asked whether this is your methodology or an industry standard, you get to say both, and that answer separates you from every competitor who walks in with confidence and nothing behind it.
How to Figure Out The Starting Point
The plan tells you what the work is. The maturity ladder tells you where a business should start. Every organization has access to the same models and the same tools, so the distance between them has never been the tools themselves. It's how they're organized around the tools, who owns the decisions, what the data perimeter looks like, and whether anyone's watching. When someone asks which AI they should buy, the honest answer starts with a different question: how are you organized around the AI your people already use?
Five levels, L0 through L4, and most orgs are near the bottom. L0 is employees using free consumer AI on their own initiative with no business-class tooling and governance that amounts to a paragraph nobody can find. L0 doesn't mean no AI, it means unsupervised AI. L1 is when somebody bought the business-class platform, wired up single sign-on, ran training once, and wrote a policy people mostly follow, but use is still individual and the signature risk is misplaced confidence: outputs trusted because they look polished, a tenant assumed safe because the invoice said enterprise. Assess ten clients this quarter and expect eight of them on these two rungs.
L2 is AI woven into defined business processes, with dependence as the new risk. L3 is capability provisioned centrally, agents running behind review gates, an MCP inventory someone consistently maintains, and an incident plan with an AI chapter that's been tabletop-tested. L4 is the organization measuring and improving its own AI system on a cadence, which in the small and midmarket world is mostly a direction of travel.
You read every rung through four lenses: what employees are really doing, what's actually deployed, the governance reality rather than the aspiration, and the risk profile. Score each lens from zero to three. The client's dominant level is the highest rung where they score a two or better across most lenses, and the lower scores become the remedial homework. The missing documents do the talking without anyone having to argue about it.
What This Looks Like Across the Table
An L0 starts at step one, full stop. An L1 or L2 works step two, almost always with a remedial audit of step one, because the policy usually exists while the data classification is held together with good intentions. L3 and up live in step three, with the earlier steps running as continuous improvement. Here's how that sounds: "You're an L1. Deploying with discipline is your primary work. Before we go there, we need to audit your governance layer, specifically your data classification. And the agent work everyone's excited about? That waits until step two is stable."
That sentence names where they are without judgment, gives them a clear next move, and tells them what they're not ready for yet. Clients don't leave advisors who talk like that. They build budgets around them.
When the question of cost comes up, hand over a menu instead of a number. Platform and licensing is a trade they're already making, because the choice between free consumer AI and licensed AI has never really been about cost, it's about risk, and they're paying either way. Oversight and tooling covers AI monitoring, SIEM integration, and the quiet reality that ingestion grows when you start watching something new. The biggest section is people and process: training, policy time, data classification cleanup, an incident playbook with a tabletop run, legal review of vendor contracts, a call to the insurance broker, and the quarterly reassessment that keeps the score honest. Maybe a third of that menu is software. The rest is time, attention, and organizational will, which is exactly why companies can't buy their way through this with a license.
Before the Next Conversation
Run the maturity ladder on your own shop before you run it on a client's. Four lenses, zero to three. If you've never pointed the assessment at yourself, you don't know what the temperature of the seat feels like, and the score stings a little. That sting is what your clients will feel, and now you'll know how to sit with them in it.
Somewhere in the next few months, one of your clients is going to ask the question that financial services firm asked. When it happens, you'll have something better than "we'll have to get back to you on that," a plan with three steps and a standard behind it, a ladder that tells you where they're starting from, and the sentence that keeps relationships: here's where you are, here's your next move, here's what we're not doing yet. The advisor in my story never got to use any of this. You do.
That's the map. July 22nd is where we go past it. We’re hosting a free, half-day seminar called Beyond Intelligence, built around the full blueprint for securing an AI implementation end to end, the kind of depth that's hard to fit into a blog and easy to put to work the Monday after. If any of this landed, it's worth the hours.
See you for part two.
