Most boards are still asking which model to license. That’s a procurement question. The decisions reshaping enterprise AI right now are happening one layer up — at the architecture layer — and most leadership teams have not named them yet.
The Promise
The architectural shifts compounding under the headlines are real, and together they create more leverage than any single frontier model release. Reasoning capability that competes with domain experts on complex problems. Small language models delivering eighty to ninety-five percent of frontier performance at a fraction of the cost. Local AI that solves privacy, latency, and unit economics simultaneously. Orchestrated agents that move AI from chat into work. Sovereign deployments tuned to regulatory geography.
These are not separate trends. They are a stack of architectural choices that, made deliberately, give the organization more capability per dollar, more compliance posture per workload, and more resilience per deployment. The boards that engage with these decisions early will compound an advantage that late movers will not catch easily.
The Risk
The risk is what we always do when a new technology arrives — treat it as procurement. Twenty-five years in cybersecurity has shown me this pattern, exactly. Leadership delegates understanding to the technical team. Vendors frame the conversation around what they are selling. The board asks which firewall, which antivirus, which model. Five years later the organization realizes the questions that mattered were about identity, segmentation, oversight, and where the perimeter lived.
AI is in that same moment. The August 2 enforcement deadline for the EU AI Act is twelve weeks away. Most enterprises have an AI strategy. Almost none have an AI architecture. That gap has a price, and starting August 2 it has a regulator attached.
The Verdict
The Promise & Risk needle is leaning toward Promise — but only for organizations that treat AI strategy as an architecture problem, with their cybersecurity leadership in the room when the decisions get made. The frameworks are catching up faster than most boards are. NIST AI RMF, ISO 42001, EU AI Act, the IAPP AIGP credential — all ready. The question is whether your organization is ready to use them.
The leadership question is no longer “which model do we use?” It is “what are our five architectural decisions, who is making them, and who is reviewing them?”
If you cannot answer that, the decisions are still being made. You are just not in the room.
For the full analysis → I wrote a longer piece on this for board directors and senior IT leaders. It maps all five architectural decisions — capability, size, location, topology, jurisdiction — and walks through the security and governance thread running through every one.