Brian Fending

Your Technology Decisions Reflect Your Priorities (And Your Values)

  • innovation
  • management
  • organizational development
  • technology strategy
  • consulting
  • risk
  • ai

Over the past year I’ve been experimenting with agentic patterns, reading the research papers, and writing my analyses here. A few weeks ago, I pumped the brakes and read a lot of others’ analysis work while shipping some projects.

What this piece is NOT about: The entirely vapid writing I’ve endured - most of it in LinkedIn articles (shocker!) - that positions proprietary “this is my product’s wedge” thought pieces. I have a lot to say about that and I quietly say it to myself, probably just like you, but I might swear more.

What it IS about: Choices. Choosing technologies, primarily, but more importantly choosing how to combine them to form a solution and then how to support that solution. For the past several years, I was a CIO who made some non-trivial decisions about integrations, development priorities, security and risk postures, and trying to future-proof on a budget. Those choices, like the ones that we all make, reflected my taste, my philosophy, and most of all my values.

The first few weeks with a new organization tell you almost everything. It’s helpful if there’s a “cemetery map” or at least somebody who knows where the bodies are buried, but you can get a sense of the choices - and values! - of those who came before pretty clearly. Not from briefing decks or stakeholder interviews, but from the primary source artifacts themselves: the org chart iterations, the architecture diagram (the ultimate cemetery map!), the ticketing system, the security posture, and the last audit findings. Sometimes you learn more from what’s missing than from what’s there.

The uncomfortable truth that underpins most of these situations is that the evidence for why you’re there is usually visible within days. The org didn’t hire you in your FTE or fractional capacity because everything was fine. And the same signals that explain why they need outside help also sometimes predict where the resistance will be.

And so I want to zoom out from the AI governance and enablement work I’m steeped in and look at the broader CIO landscape. Because the decisions organizations make about product development, IT staffing, security, and audit readiness form a coherent value system, whether those values were chosen deliberately or inherited by accident. And AI governance and enablement, when you finally get to it, are just the newest and most honest expression of everything that came before. More on that later.

How You Build Tells Me What You Believe

The application architecture spectrum runs from all-SaaS (no custom integrations, UX defined entirely by the vendor) through hybrid models with integrations and organizational UX decisions, all the way to custom applications with headless everything and total control.

None of these are inherently wrong. The average enterprise now manages roughly 291 SaaS applications according to CloudNuro’s 2026 analysis [1], up from 110 in 2020. Large enterprises with 10,000-plus employees average 473. (!) That number alone tells a story of organizations thinking about technology as a procurement problem, not an engineering problem or, frankly, a deeper business problem.

When I see a pure SaaS shop, I know a few things immediately. The organization values speed of deployment over customization. They’ve accepted vendor roadmaps as their product strategy. Integration planning is either nonexistent or held together with Zapier and copious prayer. The CIO is probably more of an IT director managing vendor relationships and license renewals.

The hybrid model is where most mid-market organizations land, and it’s where the interesting tensions live. You’ve got SaaS for commodity functions, maybe some custom work for competitive differentiation, and an integration layer that someone built a while ago and nobody fully understands anymore. The question isn’t whether you’ll end up here, it’s whether you’ll be here on purpose or by accident.

The pure-custom end of the spectrum is rare outside of large enterprises, specific verticals, and boutique companies. Custom applications with headless architectures and API-first design represent a deliberate choice to own the full stack and accept the staffing, maintenance, and technical debt implications. Custom software development is still very much alive, increasingly so thanks to agentic development practices, driven by organizations that need proprietary business logic or competitive differentiation that SaaS can’t provide. I’ve been in - and created - those environments a few times, often reading into the wants of the existing leadership team. (Yes, I have regrets.)

The story is one of control and differentiation. If your architecture is all-SaaS, you’re telling me technology isn’t your competitive advantage and you know it. If it’s custom everything, you’re telling me technology is the product, or at least the thing that makes your product possible or your company relevant. Both can be right. The failure mode is the organization that acts like one while structured as the other, and that is common.

How You Staff Tells Me What You Can Do

The staffing model follows a parallel spectrum: all in-house, hybrid with outsourced functions, pure MSP, or fractional executives. Each configuration reveals what the organization believes about technology capability as a core competency.

The managed services market is growing fast, fueled partly by a talent problem that isn’t going away. A 2025 ManpowerGroup study found that 74% of employers are struggling to find the skilled talent they need [2]. For mid-market organizations, that struggle is even more acute, because specialized talent, and increasingly just experienced talent, gravitates toward the higher-paying employers, which tend to be larger or at least better-funded enterprises.

Something else I keep seeing firsthand in my practices is that companies who solve their IT staffing problem - whether through outsourcing, fractional leadership, or successful hiring - consistently outperform the ones that don’t. Staffing problems correlate with reactivity, which means higher costs, more downtime, and less strategic capacity. I have felt that deeply.

The fractional model is the fastest-growing segment of this landscape. LinkedIn profiles mentioning fractional roles went from roughly 2,000 in 2022 to 110,000 in early 2024 according to Great Entrepreneurs research [3]. Demand for fractional CMOs, CFOs, and CTOs grew 68% year-over-year, and this isn’t a temporary staffing trend. Organizations are learning that they can access executive-level technology leadership without the fully-loaded cost of a permanent hire. It’s a big part of why I revived MADE, Inc. for fractional and project work, and spun out Ordovera Advisory for the AI engagements - that’s just where the market’s going.

An organization that’s staffed in-house has decided technology is core to what they do. An organization that’s pure MSP has decided it isn’t. The hybrid model, again, is where most organizations land and where most of my experience has been. And the fractional model exists in part because organizations have or develop technology problems that require executive judgment but can’t justify (or can’t attract) full-time leadership.

When the staffing model doesn’t match the architecture model, you’ve found a gap. An organization running custom applications with pure outsourced IT has a control problem. An organization with all-SaaS and a massive internal IT team has an efficiency problem. That mismatch is a great diagnostic.

Where Security Reports Tells Me How Seriously You Take It

According to the IANS Research and Artico Search 2026 State of the CISO Benchmark Report [4], 64% of CISOs still report into IT, typically to the CIO or CTO. Only 11% report directly to the CEO, and the rest fall under the CFO, chief risk officer, general counsel, or another business role. Reporting into IT is the wrong structure, and the reasons are structural rather than personal; I’ll get to them in a moment.

These reporting lines matter more than most organizations want to admit.

The share of executive-level CISO roles at large enterprises has risen from 33% in 2023 to 47% in 2025. In large publicly listed companies, that increase is even more pronounced: from 34% to 55% over the same period. Organizations are increasingly treating the CISO as a strategic leader embedded in enterprise governance and business decision-making, and that shift shows up in both title and reporting structure.


The converse holds too. Director- or VP-level CISOs are far more likely to sit inside IT regardless of company size. And as the IANS report found [4], CISOs with executive-level titles are significantly more likely to report to a business leader (CEO, COO, CFO, CRO, or general counsel) than to the CIO: 44% of executive-level CISOs at large organizations report outside IT, compared to a much smaller fraction of director-level CISOs.

The conflict of interest argument isn’t theoretical. When the CISO reports to the CIO, the CIO ultimately has veto power over security decisions. The CIO is rewarded for efficiency and savings; the CISO is responsible for identifying risks that often require new spending. Those incentives don’t naturally align, and they introduce tension that needs to be surfaced and used, not quietly quashed. The practical test, whatever the reporting line, is twofold: does the CISO have a direct escalation path to the CEO, board, or audit committee that the CIO cannot filter, and when a risk is accepted rather than fixed, is that acceptance recorded and signed by the business owner who would wear the consequences? Where neither exists, a CISO under the CIO can be overruled without anyone outside IT ever knowing a decision was made.

For the organizations I work with (mostly nonprofits and mid-market companies), the reality is often starker in that there’s no CISO at all. Security is a function of the CIO office with no dedicated staffing, or it’s been bundled into an MSP contract with no clear accountability for risk posture and often no specificity about what the MSP is actually doing. Sometimes security “responsibility” is assigned to someone whose actual job is maintaining the network, and security happens in whatever time is left over. This is... not great. But it is a common reality.

That configuration tells you everything about the organization’s relationship with risk. Security staffed as an afterthought or not at all produces security that’s an afterthought or nonexistent. This shouldn’t surprise anyone, but it consistently does.

How You Handle Audit Tells Me If You’re Managing Risk or Performing It

The audit dimension might be the most revealing of all, because it’s the one where organizations have the hardest time hiding.

Hyperproof’s 2025 IT Risk and Compliance Benchmark Report [5] documented a major shift: organizations testing all controls (not just the most critical ones) jumped 26% year-over-year. And 59% of respondents now report testing all controls, representing what Hyperproof called a significant move toward proactive compliance management. The industry is shifting, slowly, from reactive audit-driven assessments to strategic and holistic control testing.

But “the industry is shifting” doesn’t mean your organization has shifted. Audit functions are under increasing pressure to modernize how they work, improve consistency, and keep pace with emerging risks. And most organizations still aren’t there.

Here’s what I usually see in the first two weeks of a fractional engagement:

  • Proactive organizations have continuous documentation, automated evidence collection, and compliance baked into daily operations. Audit preparation is a non-event because the evidence already exists.

  • Reactive organizations treat audit like a fire drill. A few weeks before the auditor arrives, someone (usually an operations person with other responsibilities) starts scrambling to pull together evidence from multiple departments that aren’t coordinated, aren’t aligned, and aren’t sure what’s actually being asked for.

  • The in-between is probably the most common: organizations that have some documentation, some automated collection, but significant gaps that only become visible when someone asks for specifics. They’re not scrambling from zero, but they’re not really “ready” either.

The staffing dimension makes this worse. When audit readiness depends on existing operations staff and finance pulling it together on top of their regular jobs, you’re guaranteed a reactive posture. When organizations add dedicated resources (even temporarily), they at least have a shot at building the documentation and processes that make subsequent audits less painful.

So: do you manage risk, or do you perform risk management when someone is looking? The answer shows up in how you prepare for audit, and that preparation (or lack thereof) tells me exactly how the organization thinks about accountability. VALUES, remember?

AI Governance and Enablement: The Newest Confession

Everything I’ve described above establishes the terrain that AI governance and AI enablement have to navigate. And this is where the pattern recognition pays off.

An organization that’s all-SaaS, MSP-managed, with security as a CIO side responsibility and reactive audit posture? We can guess what their AI governance looks like before anyone says a word. It looks like... nothing. Or it looks like a policy document that someone downloaded and customized in an afternoon, sitting in a folder nobody visits.

An organization with a hybrid architecture, dedicated security leadership, and proactive audit practices? They’re probably already thinking about AI governance because they have the institutional muscle memory for it. They’ve done risk assessment before, understand frameworks, and know how to operationalize policy.

But here’s the thing I’ve been writing about for months now: governance alone doesn’t work. Governance without enablement produces policies nobody follows. Enablement without governance just accumulates risk. These are separate functions requiring different skills, different measures, and different organizational structures, even if one person initially wears both hats.

The EY survey I’ve cited before [6] found that while 72% of C-suite leaders have AI integrated across their organizations in some form, only a third have responsible controls in place. That gap maps directly to the patterns I’m describing. Organizations that can’t manage proactive security or audit readiness don’t suddenly develop that capability when AI shows up.

AI is actually the most honest signal in the entire stack because it’s new enough that organizations haven’t had time to build rationalizations around their choices. The legacy application architecture has a decade of justifications layered on top. The staffing model evolved incrementally and nobody remembers the original decision. But the AI decisions? Those are happening right now, in real time, the people making them are probably still around, and the choices are a raw reflection of organizational values.

Reading the System, Not the Slides

When you read these signals together, patterns emerge quickly. Here’s roughly what each posture looks like across the five dimensions I’ve described.

This isn’t a scorecard. Most organizations I work with land in different columns depending on the row. A “Deliberate” architecture with “Reactive” security is a specific kind of problem. “Emerging” across the board with one “Deliberate” outlier tells me someone in the org is fighting to mature a function without institutional support. More diagnostic mismatches.

And neither is this a maturity model. I’m not saying custom applications with a CISO reporting to the CEO and proactive audit is “level 5” and everything else is lesser. A 40-person nonprofit running all-SaaS with an MSP probably doesn’t need a dedicated CISO. A community bank with 200 employees probably shouldn’t be building custom applications.

The right configuration depends on what the organization does, what risks it actually faces, and what it’s trying to become. The failure mode is never picking the “wrong” spot on any of these spectrums. The failure mode is not knowing you picked a spot at all, or, worse, believing you’re in one position while actually operating from another.

One needs to read these signals as a single system: architecture, staffing, security, audit, and now AI governance and enablement. When they align, the organization probably understands itself pretty well, even if the alignment is “we’re small, resource-constrained, and accepting certain risks deliberately.” When they don’t align, that misalignment is the problem, and it usually reveals itself before the first stakeholder interview is finished.

The org chart, the architecture, the staffing model, the security model, and the audit posture are confessions that reveal what an org’s leadership actually believes about risk, capability, and competitive advantage, regardless of what the strategic plan says. Boards and regulators are slow to forgive.

Credits: Anthropic Claude for editorial support. Cover image by Gemini Nano Banana Pro.

References:

[1] CloudNuro. (2026). “50+ Essential SaaS Statistics and Industry Trends for 2026.” https://www.cloudnuro.ai/blog/saas-statistics

[2] Prialto. (2025). “2025 Outsourcing Statistics and Trends,” citing ManpowerGroup 2025 Talent Shortage Survey. https://www.prialto.com/blog/outsourcing-statistics-trends

[3] Fractionus. (2025). “The Rise of the Portfolio Career: Why 2025 Is the Year of Fractional Work,” citing Great Entrepreneurs and industry research. https://fractionus.com/blog/rise-of-portfolio-careers-2025

[4] Hunt Scanlon Media. (2026). “2026 Report Finds Executive-Level CISO Titles More Prevalent than Ever,” citing IANS Research and Artico Search State of the CISO Benchmark Report. https://huntscanlon.com/2026-report-finds-executive-level-ciso-titles-more-prevalent-than-ever/

[5] Hyperproof. (2025). “2025 IT Risk and Compliance Benchmark Report.” https://hyperproof.io/2025-it-compliance-benchmark-report/

[6] EY. (2025). “EY survey: AI adoption outpaces governance as risk awareness among the C-suite remains low.” https://www.ey.com/en_ro/newsroom/2025/08/ey-survey-ai-adoption-outpaces-governance-as-risk-awareness
