Two manufacturers, both with around 300 people, both in the same sector.
One has AI running everywhere: a vision system on the line, generative tools on every engineer’s desktop, Copilot embedded across the business, a scheduling pilot that started predicting routes in January.
The other has almost none, because every time AI comes up, the answer is “not until we figure out how to manage it.”
They look like opposites. But they’re both getting AI wrong, and exposing their organization to risk.
The fast mover got there by saying yes to every possible use case for AI.
None of that went through a governance decision, because there wasn’t one to go through. Ask this manufacturer what AI it runs and what data each system touches, and you’ll get a shrug and a partial list.
That’s exposure waiting for a trigger. A customer due diligence questionnaire asks about AI controls and there’s no real answer. An insurer adds AI-specific questions at renewal. A model in the HR screening tool turns out to have been making decisions nobody signed off on.
AI is changing risk, so organizations need to change too. The speed felt like an advantage right up until someone asked who’s accountable.
The cautious manufacturer made the opposite call and ended up in the same place. It knows it lacks governance, so it treats governance as a gate.
Nothing gets adopted until the policy, the controls, and the sign-offs are all in place, and since none of that exists yet, nothing moves.
The intent is sound, but the result is a standstill.
While the board waits for a framework that no one has been tasked to build, competitors are running AI in production and learning what works. Every quarter of paralysis is a quarter of ground given away, and the gap compounds.
Both types share the same trap. They think the decision in front of them is about AI. Whether to adopt it. How fast. Which tools.
The actual decision is whether (and how) they govern what they adopt, and neither one is making it.
The fast mover and the frozen one need the identical first step. Not a thicker policy. Not a tooling decision. A risk management framework that tells them what AI is in use, sorts it by risk, and sets priorities accordingly.
You can’t govern what you can’t see, which is why the work starts with an inventory.
Every AI system, tool, and embedded capability gets identified, then assessed across the data it touches, the models behind it, and the vendors involved. Once that picture exists, use cases get classified and controls get matched to the risk each one actually carries.
One deliverable, both problems addressed.
For manufacturers, AI sitting inside production machinery may fall under rules that are still being redrawn, with the compliance pathway for embedded systems expected to shift over the next couple of years.
If you haven’t inventoried your system, you can’t map those rules to it.
Governance done right doesn’t slow you down
The laggard fears that governance slows everything down. The adopter never asked the question.
Both have it backwards.
Ungoverned AI is what slows you down, in the cleanup after a customer asks a question you can’t answer, or an incident you didn’t see coming. Governed AI lets you move with confidence, because you know what’s running, what it’s worth, and what it could cost.
77% of manufacturers use AI, but most have no governance on it.
This is where an AI risk assessment and use case inventory is essential: it gives you visibility on where AI risk lives today.
From there, AI strategy, policy and governance design defines how AI should be used before more risk accumulates.
Whether you’re moving too fast or not moving at all, the foundation is the same. The key is making sure you put it in place without bringing your business to a halt.
Most manufacturers we talk to recognize themselves in one of these two types. Either way, the way out is the same: see what you’re running, decide what matters, and govern it.
Risk is constant. Ready is a choice.
Want to know which type you are, and what it would take to fix it? Talk to us.
Get the latest cyber and AI insights to help your organization stay compliant, resilient and ready for ever-evolving threats and challenges.
Because while risk is constant, ready is a choice.
The DoD's own rulemaking estimates that getting through a Level 2 certification assessment costs a mid-sized...
Read more
Two manufacturers, both with around 300 people, both in the same sector. One has AI running everywhere:...
Read more
You have an incident response plan. It's signed, filed, and probably named in your last insurance renewal. But...
Read moreLet’s help Plan, Build and Run your cyber and AI programs to keep your business capable, compliant, and resilient. Because while risk is constant, ready is a choice.