Most AI transformations don’t stall because the models are flawed or the tools are immature. They stall because leadership treats adoption as a given. In the boardroom, progress is declared once a platform is purchased or a pilot is announced. On the ground, teams see unclear direction, unaddressed job anxiety, and tools imposed without trust. The result is predictable: slow adoption, shadow processes, and transformation that looks successful on paper but never changes how work actually gets done.
Andy Sharma, CIO and CISO at Redwood Software, has seen this pattern play out across global enterprises and high-growth firms alike. His conclusion is blunt: digital transformation, especially with AI, is not a technology challenge. It’s a leadership test that requires both an explicit mandate from the top and genuine buy-in from the people whose work will change. Only when those two forces are aligned, Sharma argues, does technology become a multiplier rather than a distraction.
"Any transformation requires two main things. Number one is the mandate from the top, because there is no substitute for it. Number two is engaging the people on the ground who are going to be most affected and making sure they buy into it," says Sharma. It's a philosophy that shows up clearly in how Sharma approaches tool decisions.
Get down to business: Instead of letting vendor selection turn into an executive tug-of-war, Sharma removes politics early. "Before we talk about tools, we agree on what the tool has to do for the business," he says. He starts with a short list of five to seven shared tenets, aligned with the CEO and executive peers. Requirements like cloud delivery or multi-currency support are locked in upfront, so debates stay focused on outcomes rather than preferences.
An inside job: Execution follows the same logic. Line managers are brought in early and embedded directly in implementation and testing. "The people who live with the process every day have to help design it," Sharma explains. He avoids outsourced testing entirely. "When consultants leave, employees are stuck with processes they don’t trust and problems that never went away." By keeping testing in-house, those closest to the work become the strongest advocates and trainers, making adoption far more durable.
The framework becomes especially critical with AI, where trust often determines whether adoption moves forward or stalls out. For employees worried about job loss, Sharma pairs AI rollout with explicit upskilling plans, pointing to Level 1 support staff who were retrained into Level 2 analysts and now build the knowledge bases the AI relies on. That responsibility, he emphasizes, can’t sit with the CIO alone. For customers, trust comes through transparency, including sharing model cards that spell out what data is used and how models are trained. For boards and investors, it means setting clear guardrails that show AI can be deployed aggressively without creating outsized risk. Together, those layers form a governance model designed for AI adoption, not just oversight.
All about strategy: On governance, Sharma treats compliance less as a box to check and more as a strategic lever. "I don’t see frameworks as just being related to compliance. I see them as a way to gain a competitive advantage," he says, pointing to how certifications like ISO 27001 can open doors in European and Asian markets, while SOC 2 carries more weight in the U.S.
That market-driven logic extends to AI, where he likens today’s AI governance moment to the early days of GDPR, when standards lagged adoption before eventually hardening into global expectations. The goal, he says, is not to chase every framework, but to choose the ones that align regulation, customer trust, and growth.
Sharma’s security perspective brings the argument to a close. As third-party integrations and open-source dependencies multiply, small breakdowns now cascade across entire ecosystems. In that environment, speed without discipline becomes a liability, and leadership-driven transformation shifts from a best practice to a necessity.
"From a security lens, what we’re seeing now is unprecedented," Sharma concludes. "When one integration can expose hundreds of companies, or when open-source compromises jump from a few dozen to hundreds of packages, it becomes clear that tools alone won’t save you. The only real defense is leadership that sets direction, removes friction, and builds trust before the technology ever shows up. If you don’t do that work first, AI and automation don’t reduce risk. They multiply it."