The 2025 IT Mandate: Align Cyber Resilience, Cost Discipline, and AI

By Erik Linask, Group Editorial Director  |  August 29, 2025

For the past two years, companies have done a lot of experimenting with AI.  Some of it has been highly successful, while some, well, not so much.  This year, though, while AI is still a top priority at most organizations – rightfully so – it may not be the absolute highest priority.

Today, IT leaders are still being asked to scale AI, but they must simultaneously harden their posture against a relentless ransomware economy and keep a tight rein on spending.  The latest CTERA State of Data and Cloud Strategy Survey underscores the tension between these competing priorities.  Cybersecurity is the top priority for 80% of leaders, cost optimization follows at 61%, and AI sits close behind at 57%.

While, at first glance, that may seem contradictory, it’s a rational sequencing that recognizes a desire for AI’s upside, but acknowledges that its value can only be unlocked when the underlying data is resilient and the operating model is secure and compliant.

The ransomware reality check is very real, considering every organization surveyed reported an attack within the past two years.  Outcomes, however, were varied:  17% experienced permanent or partial data loss, 10% paid a ransom and, perhaps most telling, 14% don’t know how the incident was ultimately resolved.  That last figure is a bit chilling, indicating lingering gaps in incident command, forensics, and post-event capabilities. 

In a world of tighter disclosure timelines and customer scrutiny, leaders can no longer rely on “best effort” narratives.  Rather, they need audit-ready evidence of backup immutability, clean-room recovery, and time-to-restore that is measured, tested, and continuously improved.

Against that backdrop, AI continues its march forward, but in controlled steps.  Seventy percent of respondents report partial deployments of AI assistants, with another 27% running pilots.  That pattern aligns with board-level enthusiasm tempered by frontline caution. 

Leaders are being pushed – often by investors – to deploy AI for better customer experience (64%), predictive intelligence (64%), and improved query accuracy (53%).  Yet, only 10% are prioritizing skills development.  It’s a revealing mismatch that highlights ambition at the edge but underinvestment at the core.  In other words, when teams lack the depth to manage data, prompts, access controls, and failure modes, AI scales more slowly and risks can rise faster than benefits.

The obstacles to AI are as much organizational as technical.  Two-thirds of respondents cite compliance and regulatory concerns as their top AI hurdle, followed by security risks such as data exposure or misuse (57%), data silos that limit model access to context (45%), and cost to implement and maintain (44%).  What’s noticeably missing is the idea that no single tool is the magic fix. 

What’s required is operating-model change (e.g., policy-as-code for data access, explicit governance gates in the AI delivery lifecycle, and systematic logging of prompts, responses, and model decisions), so teams can trace outcomes and prove controls.  AI needs to be treated like any other high-risk capability:  Threat-model it, monitor it, and audit it.

Cloud strategy adds another layer of nuance.  A majority (61%) of IT and security leaders prioritize cloud technologies over private data centers, but the enthusiasm is uneven across the org chart.  Twenty-six percent of C-level executives “strongly prioritize” cloud, compared to just 11% of VPs and 9% of directors.  That gap may explain many stalled or piecemeal migrations because what may be a strategic imperative at the top is seen as a complex, risk-laden execution task by the teams who own uptime, data residency, and partner performance.

So, what does this all mean? 

First, leaders should start by reframing cybersecurity from a “necessary cost” to the enabling constraint for AI.  Ransomware resilience isn’t just about thwarting an attack; it’s about proving you can restore quickly, cleanly, and completely.  Immutable snapshots, isolated recovery environments, and rehearsed recovery SLAs should be the precondition for increased AI in sensitive workflows.  When the board asks, “How fast can we scale AI?” the answer should start with, “Here’s how fast we can recover – and here’s the evidence.”

Next, make data readiness a first-class product.  AI systems don’t fail for lack of algorithms – those are plentiful.  They fail for lack of governed, high-quality context.  Invest in classification, lifecycle policies, and lineage that make it safe and efficient to connect models to the right data at the right time.  Replace ad hoc permissions with attribute-based access controls and least-privilege defaults.  Build retrieval pipelines with PII minimization and redaction upstream, so you’re not filtering sensitive content as an afterthought.  When your data and access policies are codified, audited, and enforced automatically, AI delivery accelerates without sacrificing compliance.

Third, embed governance within release processes.  Create an AI risk register that inventories models, providers, datasets, prompts, and intended use cases; define go/no-go criteria tied to regulation and company policy; and require evidence (e.g., logs, test results, adversarial prompts, fairness or performance checks) at each step.  Build your environment such that AI events and anomalies flow through your SIEM/SOAR alongside traditional telemetry.  This will enable companies to scale safely and provide supporting evidence, when required, for regulators, customers, and stakeholders. 

Finally, close the human gap.  The survey’s finding that only 10% are focused on skills should set off warning flares.  Practical enablement – prompt engineering for operators, secure coding for teams building AI-powered apps, data stewardship for domain owners – is key.  It reduces silent failures, curbs shadow AI, and shortens the time between development and production.  Pair that with cost-to-value visibility (FinOps for AI), so informed decisions can be made about where AI models make sense and where alternatives (e.g., traditional automation) make sense.

Again, the overarching message from this year’s survey is that sequencing matters.  Organizations aren’t choosing between cybersecurity, cost, and AI, but are aligning them logically and for better business value.  Harden ransomware recovery, and you de-risk AI. Govern data access and lineage, and you speed model performance while satisfying compliance.  Clarify cloud operating models and you unblock migrations that unlock both scale and savings.  The winners will be those companies that view AI not as a tangential experiment, but as a capability that feeds off of resilient infrastructure, disciplined governance, and an equipped workforce.




Edited by Erik Linask