You are currently viewing Your Workforce Is Three Times Ahead of Your AI Strategy. That Is The Real Story.

A few weeks ago, I was sitting with a senior leader at a regulated firm who said something I keep thinking about: "Our people are already using AI. We just have not figured out how to let them."

That sentence stuck with me, and honestly, it captures the moment we are in better than most reports do.

Then this week, NTT DATA’s research came out via Insurance Business and put numbers on it. Only 22% of insurers have scaled AI to production. But 66% of the insurance workforce has already adopted AI tools. Sit with that for a moment, because the gap is roughly three to one. The workforce is three times further along than the organization itself.

The report frames this as a "structural inflection point" where risk is outpacing resilience. I would frame it slightly differently. The bottleneck is not the tech, and it is not the people. It is everything in between.

The Workforce Is Not Waiting For Permission Anymore

For years, the story leaders told themselves about AI adoption was a story about resistance. People would not use it. People were scared of it. People needed convincing.

That story has run its course, or at least, it is not true in the way it used to be.

What we are seeing now is the opposite. People are already using AI, often quietly, sometimes through personal accounts, sometimes through tools the company technically does not sanction. They are pasting things into ChatGPT, drafting client emails with Claude, summarizing meeting notes with whatever browser extension they installed last Tuesday. And they are doing it because the work demands it, and because the tools are good enough that not using them feels like falling behind.

So when NTT DATA reports 66% workforce adoption against 22% production-scale deployment, what that really means is: your people have moved on, and the organization is still catching up.

That is a very different problem than the one most leaders are still solving for.

Trust And Governance Are The Actual Bottleneck

The NTT DATA report is pretty clear that the constraint is not technological. It is trust, governance, and operating models that were not designed for AI in the first place. Which, ok, that makes sense. You cannot bolt AI governance onto a process map that was built in 2015 and expect it to hold.

There is a parallel piece in Insurance Business about Canadian businesses adopting AI without the governance to manage it that puts a finer point on it. A Gallagher expert quoted in the piece said companies need to address how employees will adopt the tools, set clear expectations for acceptable use, and deal with concerns about redundancies head-on. Underwriters, she noted, are already asking these questions. They want to know how clients govern their AI use, whether employees are trained, and whether there is actual leadership behind it. Her phrase that stuck with me: "Elevating it more than it’s an IT problem."

That is exactly where the shift lives. When you treat AI as an IT rollout, you end up with a 22% production rate and a 66% shadow adoption rate, and a growing gap in the middle where nobody quite knows what is sanctioned, what is risky, and what is just normal work now.

The governance vacuum is not just a compliance issue, although it absolutely is one. It is a trust issue. People are using tools they do not fully understand, inside organizations that have not told them what is okay, and they are doing it because they have to deliver the work. That is not sustainable, and it is not safe.

What "Operating Models Not Designed For AI" Actually Looks Like

This phrase, "operating models not designed for AI," gets used a lot, and I think it sometimes obscures what is actually happening on the ground. So let me try to be concrete.

An operating model is the combination of roles, workflows, decision rights, escalation paths, and review cycles that tell people how work gets done. In most regulated firms, those models were built around human judgment at specific checkpoints. An underwriter reviews a file. A claims adjuster signs off. A compliance officer approves a customer communication.

When AI enters that picture, those checkpoints get scrambled. Who reviews the AI’s output, and who is accountable if the model is wrong? What does "human in the loop" actually mean when the human has thirty seconds to glance at a summary, and where does the audit trail live when that review is done? These are not technology questions, but rather governance and design questions, and most organizations have not answered them yet.

Which is why you get the gap. The workforce adopts because the tools help them do their job. The organization cannot scale because the operating model has no place to put the tool, no one who owns it end-to-end, no review process that makes regulators comfortable. So the pilot runs forever. The production deployment keeps slipping. And shadow usage keeps growing.

Where Leaders Can Actually Start

I want to be careful here, because I do not think there is a five-step playbook that solves this. But there are a few moves I have seen actually move the needle in regulated environments, and they are worth naming.

1. Map The Shadow Usage Before You Govern It

You cannot govern what you do not see. Before you publish another acceptable use policy, run a real listening exercise (and actually listening to the answers and taking action). Where are people already using AI? What for? What problems is it solving for them? You will learn more about your operating model in two weeks of honest conversations than in six months of policy drafting. And your people will tell you, if you ask the right way and make it safe to answer.

2. Decide What "Human In The Loop" Means For Each Workflow

This phrase gets used as if it means one thing, and it does not. For a customer-facing email, it might mean a quick read. For a coverage decision, it might mean full review and documented rationale. For an internal summary, it might mean nothing at all. Each workflow needs its own answer, and that answer needs to be written down somewhere a regulator could find it. Vagueness here is what is keeping pilots from going to production.

3. Move Governance Out Of IT And Into A Cross-Functional Owner

The Gallagher quote about "elevating it more than it’s an IT problem" is the right instinct. AI governance touches risk, compliance, HR, learning, operations, and the business lines. If it lives only in IT, it will not scale, because IT cannot make decisions about how an underwriter should use a tool or how a claims handler should document an AI-assisted decision. Pick a cross-functional owner with actual authority, and give them a real mandate.

4. Invest In The Workforce That Is Already Adopting

Here is the part most organizations skip. The 66% who have already adopted AI are your most valuable signal. They have figured out what works. They know where the tools break. They have opinions about what would make them better. Treat them as designers of the next phase, not as compliance risks to be managed. Build peer learning spaces. Surface what is working. Let the people closest to the work tell you what scaling actually requires.

The Real Inflection Point

The NTT DATA framing is right that this is a structural moment. But I do not think the inflection point is about risk outpacing resilience, exactly. It is about workforce reality outpacing organizational design.

Your people are not waiting. They have made their decision about AI, and the decision is yes. The question now is whether the organization can build the trust, governance, and operating models fast enough to meet them where they already are, and whether leadership treats that gap as an opportunity to listen and redesign, or as a problem to suppress.

Given what I have seen so far, the firms that close this gap will not be the ones with the biggest tech budgets, but the ones that took their workforce seriously as the leading indicator they already are.