Preparing for AI: A Ten-Part Operating Playbook

If AI is an operating-model transition rather than a tool rollout, then preparation stops being abstract. It becomes a set of concrete steps an organization can start now. The ten that follow are sequenced roughly, but they reinforce each other, and most organizations will run several in parallel.

The through-line is the lesson from every prior transition in this series: value comes from the system built around the tool. These steps build that system, from the unit of analysis all the way through to measurement.

The first step is conceptual, and it determines the rest. A software-license rollout asks who gets access, what it costs, and whether people are trained. An operating-model transition asks how work will change, which decisions are affected, what controls are required, how roles evolve, and how performance is measured.

This changes ownership. Treated as a tool rollout, AI defaults to IT. IT is essential, but AI adoption also involves legal risk, data governance, security, training, customer experience, operational design, procurement, and strategy. It is an enterprise question because it changes how work is performed, supervised, measured, and improved.

Map tasks, not job titles. For each function, inventory the repetitive, language-heavy, analytical, customer-facing, compliance-sensitive, and judgment-heavy tasks. Then classify each one as suitable for automation, augmentation, acceleration, monitoring, or prohibition.

This avoids the two crude errors. Everyone should use AI everywhere is too blunt and ignores risk. AI is too risky so no one should use it is equally blunt and ignores value. A task map asks better questions: what is high-volume and low-risk, what is high-value but bottlenecked, what involves sensitive data, what requires expert review, and where AI is already being used informally.

You cannot govern what you cannot see, and shadow adoption is inevitable when employees can reach public tools without procurement. The answer is visibility, not just prohibition. If people believe disclosure gets them punished, the real risk landscape stays hidden. If they believe approved pathways exist, use cases come into the open.

A useful inventory captures the use case, user group, model or vendor, data involved, business process, risk level, human-review point, output type, integration status, and accountable owner. Keep it lightweight enough to encourage participation: a twenty-page form for every experiment pushes usage back underground. Tier the documentation by risk instead.

The best early use cases are rarely the flashiest. They are high-frequency, language-heavy, low-to-moderate-risk workflows with clear review mechanisms: drafting customer responses, summarizing meetings, first drafts of proposals, test generation, contract review for standard clauses, ticket classification, sales-call briefs, document extraction, and structured research support.

The evidence favors this targeting. In a study published in the Quarterly Journal of Economics, access to generative AI assistance raised customer-support productivity by 15 percent on average, measured by issues resolved per hour, with the largest gains going to less experienced workers. In a controlled experiment, developers with GitHub Copilot completed a coding task 55.8 percent faster than the control group. AI is often most valuable where it captures and distributes expert patterns, but prioritization must still weigh legal exposure, data sensitivity, and reviewability.

The strongest AI workflows are not human versus machine; they are structured collaboration. Humans define the objective, supply context, evaluate outputs, apply judgment, and remain accountable. AI retrieves, drafts, summarizes, classifies, compares, transforms, and suggests. The division varies by function, but the principle holds.

Require human review for regulated, financial, legal, safety-critical, customer-impacting, and brand-sensitive outputs, and make the standard explicit: what must be checked, by whom, against what source, with what documentation. Human in the loop is meaningless if the human is overloaded, undertrained, or rewarded for fast approval. Design review as a real checkpoint, with sampling, escalation rules, checklists, source links, and audit trails.

Literacy is broader than prompting. It means understanding what AI is good at, where it fails, why hallucinations happen, how sensitive data leaks, why outputs need verification, how bias enters, and when human judgment is required, plus knowing the organization's approved tools, prohibited uses, review requirements, and incident-reporting process.

It should be role-specific. A customer-service agent, a board member, and a machine-learning engineer need different depth, but everyone needs a shared baseline: what is allowed, what data cannot be used, how to verify, when to escalate, and who owns the final decision. The regulatory direction reinforces this; under the EU AI Act, prohibited-practice rules and AI-literacy obligations began applying on February 2, 2025, with governance and general-purpose-model obligations following on August 2, 2025.

Governance should be light enough to support experimentation and strong enough to prevent uncontrolled deployment in sensitive workflows. Its purpose is not to slow everything down; it is to create the conditions under which adoption can accelerate safely. The NIST AI Risk Management Framework offers a clean structure, organizing the work into four functions, govern, map, measure, and manage, performed continuously across the system lifecycle. ISO/IEC 42001:2023 adds a management-system approach emphasizing responsible use, traceability, transparency, reliability, and risk management.

In practice that means an empowered steering committee, approved-use policies, data-handling rules, vendor review, risk tiers, incident reporting, audit trails, model-evaluation procedures, and clear ownership. Risk tiering matters most: a low-risk brainstorming use needs only basic guidelines, while a customer-facing recommendation engine needs testing, bias evaluation, monitoring, security review, and legal approval. Proportional governance lets you move fast where risk is low and carefully where it is high.

AI is only as useful as the context it can reach and the quality of what it is allowed to use. Many organizations discover their AI problem is actually a knowledge-management problem: scattered policies, incomplete records, outdated documentation, unclear permissions, inconsistent terminology, and institutional knowledge trapped in inboxes and the memories of long-tenured staff.

So preparation includes cleaning knowledge bases, labeling authoritative sources, improving access, managing permissions, and building retrieval that lets AI work from trusted enterprise context. This is the most underappreciated part of readiness. A powerful model connected to bad information produces bad output with confidence. Knowledge governance, source authority, ownership, taxonomy, and review cycles sound mundane and are central to enterprise value.

AI reintroduces familiar risks in unfamiliar forms. Confidential data leaks through prompts. Employees paste customer information into public tools. Generated code carries vulnerabilities. Vendor models process data under terms nobody reviewed. Generated content raises copyright and attribution questions. Define approved tools, prohibited data types, retention rules, logging requirements, and escalation channels, so people do not have to guess.

Security review must go beyond vendor reputation to data retention, training terms, access controls, encryption, auditability, integration architecture, prompt logging, and incident response. Understand whether a vendor trains on your prompts, whether data can be deleted, and where it is processed. Intellectual-property risk deserves explicit rules for marketing, product, software, and client deliverables, including when AI use must be disclosed or avoided. Procurement, legal, and security should work together, not in sequence, because AI risk crosses all three.

Work changes before titles do. Many employees will not be replaced by AI, but they may be replaced by employees who use AI within a redesigned process. Expect new or expanded roles: AI workflow owner, model-risk lead, prompt and workflow designer, knowledge-base curator, AI auditor, human-in-the-loop reviewer. Align incentives to outcomes rather than visible effort or raw speed, and protect the apprenticeship tasks through which juniors build judgment by having them critique and verify AI output rather than simply submit it.

Finally, measure outcomes, not activity. Usage is the easiest metric and one of the least meaningful; thousands of prompts can produce little value. Define the baseline before the pilot, state a hypothesis, then measure cycle time, error rates, quality, customer satisfaction, rework, and risk reduction together. AI can raise throughput while lowering accuracy, so time saved is never enough on its own. Choose a workflow, baseline it, introduce AI, measure quality and time, add controls, compare, then decide whether to scale. Manage it like an operating-improvement program, not a novelty demonstration.