Omer Grossman, Chief Trust Officer and Head of the CYBR Unit at CyberArk, explains why nearly every enterprise claims to use AI but almost none have transformed the way their organizations actually operate.
"Almost every company today is experimenting with AI. Some are beginning to scale it, but only about one to five percent have actually redesigned how their organizations work around it."
There is a stark gap between how enterprises talk about AI and how they actually use it. CEOs claim transformation, boards ask for it, and marketing teams work overtime to project it. But strip away the messaging and the reality is far more modest: the vast majority of companies are running isolated pilots and calling it adoption.
Omer Grossman is the former Chief Trust Officer and Head of the CYBR Unit at CyberArk. Previously the Head of the Israel Defense Forces' Cyber Defense Operations Center and its Center of Computing and Information Systems, Grossman brings two decades of experience at the intersection of cybersecurity, operations, and organizational design. He outlines a set of structural gaps that explain why most organizations remain stuck in the lowest tier of AI adoption. "Almost every company today is experimenting with AI. Some are beginning to scale it, but only about one to five percent have actually redesigned how their organizations work around it." Grossman maps enterprise AI adoption into three buckets.
The first—experimentation—covers approximately three-quarters of companies, if not more. These are organizations using ChatGPT, Copilot, and a handful of isolated pilots, where AI is perceived and leveraged as a productivity tool. The second tier—scaling—includes approximately 20 percent of companies, where AI is embedded into real workflows like engineering copilots, marketing automation, and support operations. But the org charts still look the same. The third tier—the true human-AI operating model—sits at roughly 1 to 5 percent. These companies have redesigned workflows, deployed AI agents in core operations, and built governance frameworks from the ground up.
Three structural gaps explain why so few companies reach that top tier.
Leadership is the bottleneck: Technology moves faster than management thinking. Most leaders still frame AI in terms of tools and productivity rather than organizational architecture. "The real shift isn't about deploying better AI tools. It's about redesigning the organization itself to operate as a human-AI system," Grossman says.
Governance TBD: Enterprises still lack answers to basic questions: who is accountable for AI decisions, what data can AI access, and how is AI behavior monitored? "Until that is solved, companies move very cautiously," Grossman says. Companies with mature data governance tend to have an easier time pulling that muscle toward AI, but most are nowhere close.
The design gap: Every company today is structured around humans. Org charts assume humans do the work, managers supervise humans, and tools support humans. "AI introduces a new type of worker, the AI agent. Organizations are not designed for that yet," Grossman says.
From those gaps, Grossman outlines what the next-generation enterprise looks like in practice. It is not a simple extension of today’s model, but a structural shift in how work is designed, executed, and governed. The focus moves away from layering AI onto existing roles and toward rebuilding systems where humans and AI operate as a coordinated unit.
System management: "Leaders won't just manage people anymore. They'll manage humans, AI agents, and the orchestration layer that connects them," Grossman says. An engineering manager might oversee 10 engineers, 40 agents, and the automated workflows coordinating development tasks. Leadership shifts toward system design and oversight, not task coordination.
The AI control plane: AI agents accessing customer data, deploying infrastructure, or executing financial workflows effectively become privileged digital identities. Without governance infrastructure for identity, access, behavioral monitoring, and policy enforcement, enterprises create a massive new attack surface.
Middle management moves: AI automates status tracking, reporting, and meeting coordination. Managers shift from asking "what's the status of this project" to asking which agent executed a workflow, where humans intervened, and what the confidence level of the output was. "Management practically becomes oversight of human-AI workflows," Grossman says.
Capability beats hierarchy: Instead of a marketing director managing a team, Grossman envisions a growth engine consisting of AI content agents, campaign optimization AI, analytics AI, and a human brand strategist. "The team becomes a human-AI capability system, not a hierarchy," he says.
For security teams in particular, Grossman sees the shift accelerating in the near term. AI already triages alerts, correlates signals, and drafts investigation reports while humans review complex cases. SOC analysts will increasingly become SOC engineers who supervise agent outputs rather than perform daily routines. The pace of that transition depends on each organization's risk appetite and the trust between the CISO and leadership.
"The most valuable leadership skill of the next decade will be the ability to design organizations around AI capabilities, not just adopt new technology," Grossman concludes. "The AI revolution isn't really about tools. It's about redesigning how organizations function. We're still in the very early innings of that shift, but the time is now."
