“Dear Rich,
I work for a traditional business, partnership-led, conservative by culture, and very slow to change. I have made my peace with that for the most part because the work is interesting and I have reasonable autonomy within marketing.
My current frustration is all thanks to AI. Over the past twelve months I have watched peers in other companies claim they are trialling it all over the place. I know that a lot of the stuff we hear from people on stage is hot air, but I do want to get my team at least playing with the tools that make their lives easier.
My team wants to move. I want to move. But every tool we try to adopt hits a wall with IT. The procurement process alone takes four to five months. We are yet to have a tool actually signed off. Two tools have been rejected outright on data security grounds with no real explanation beyond a blanket policy about third party data processing. There are zero IT tools available in the company.
I have tried going through the proper channels. I have tried building a business case. I have tried getting IT to come to the table early. Nothing moves at any speed.
I do not think IT are bad people. But I do think they are applying yesterday’s risk framework to tomorrow’s tools, and the cost to marketing is real and growing.
Any advice?”
Sarah, London
Rich’s reply
Sarah, I have certainly had my run-ins with IT over the years but, to be fair, they are not wrong to be cautious.
That is not the same as saying their current approach is right, or that the pace of their review process is acceptable, or that a blanket rejection with no explanation is a reasonable response to a well-constructed business case. None of those things are right. But the underlying instinct, that AI tools carry data risks that need to be properly understood before they touch client information, is a legitimate one. Especially in professional services, where client confidentiality is not a compliance checkbox but the foundation of the entire commercial relationship.
How you frame this internally matters enormously. If you go into the next conversation with IT treating them as obstructionists or laggards, they will become more entrenched. If you go in treating their concerns as real and worth solving together, you have a much better chance of finding a path through.
Understand what IT are actually afraid of
Most IT departments blocking AI adoption are not doing so because they dislike progress. They are geeks at heart. They love new toys. But they are probably blocking it because they have been burned before, or because they are accountable for something going wrong in a way that marketing is not. A data breach caused by an unvetted third party tool will land on the CISO, not on you.
Before your next conversation, try to understand specifically what the objection is. “Third party data processing” is a category of concern, not an explanation. Press for the detail. Is it about client data being ingested by the tool? Is it about data residency? Is it about the tool’s terms of service and what the vendor does with inputs? Is it about SOC 2 compliance or ISO 27001 certification? Is it a fear they will be lumbered with the cost? Or is it simply that they are overworked, with every country and every function making new requests and no bandwidth left to give?
Each of these is a different problem with a different solution. If you do not know which one you are actually solving, you cannot solve it.
The IT department that says no to everything is usually the one that has never been asked to help design a yes.
Take someone from IT out for a coffee
Before you send another formal request or build another business case, grab someone from IT and get a coffee somewhere away from the office.
Ask them their views on AI adoption and how ready the company is. Ask how other companies have solved it and what good governance looks like in practice. Let them educate you on the context you do not have. Whether that is genuine concerns about integration challenges, the fact that the CIO is retiring soon, or simply that the team is at capacity with current priorities. Until you know that context, it is hard to work around it.
Share what you have been reading about how the market has matured. Enterprise-grade tools now operate inside existing data boundaries rather than outside them. Several leading AI platforms offer SOC 2 Type II certification, data processing agreements, and explicit contractual commitments about how inputs are handled. Some of the most data-sensitive professional services firms in the world, large accountancy practices and major law firms, are adopting AI at scale. If the risk were truly unmanageable, those businesses would not be moving.
The goal of the coffee is not to win an argument. It is to understand what you are actually dealing with, and to give IT the experience of being consulted rather than pressured.
Use internal tools to warm the function up
If IT are blocking external AI tools on data security grounds, the most pragmatic starting point is a tool they have almost certainly already cleared. Microsoft Copilot operates within your existing Microsoft 365 tenant boundary. Your data does not leave your environment. It does not use your inputs to train external models. Microsoft’s own documentation confirms this, and it has been independently verified by enterprise security analysts. Copilot is an extension of an environment IT already governs, not a new risk surface.
Starting there serves two purposes. It gets your team using AI in a structured, governed way immediately. And it gives IT direct, observable experience of an enterprise-grade AI tool behaving exactly as their security policies require. That experience does more to reduce institutional fear than any amount of documentation or business case writing.
Once IT have seen Copilot work safely inside your environment, the conversation about additional tools changes. You are no longer asking them to trust a category they are unfamiliar with. You are asking them to evaluate specific tools against a framework they have now seen in practice. That is a much smaller ask.
The goal in the short term is not to win the argument about AI. It is to give IT a safe, observable experience of it that makes the next conversation easier. Let's help them 'break the seal'.
Request a dedicated IT business partner
This is one of the most effective structural moves available to you, and it tends to get overlooked because it does not feel like a tactical fix.
Request that IT assign a dedicated business partner aligned to marketing. Not a helpdesk contact. A named person whose remit includes understanding what marketing is trying to do, helping to navigate procurement and security processes, and acting as an internal advocate within IT for the tools you need.
IT get visibility into everything marketing is exploring before it becomes a formal request, which reduces the feeling of being ambushed. Marketing gets someone who understands the policies and philosophies IT operates within, which means fewer wasted applications. And over time, you build genuine rapport with someone inside the function who can argue for you in rooms you are not in.
The business partner becomes your insider. That is not manipulation. It is how large organisations are supposed to work, and most IT functions respond positively to being asked for partnership rather than permission.
Propose a sandboxed pilot rather than full adoption
If the procurement and security review process is the bottleneck, propose something smaller. A sandboxed pilot, run on non-sensitive internal data only, with no client information involved, is a much easier thing for IT to approve than a full enterprise rollout.
Define the scope tightly. One tool. One use case. Three months. Agree upfront what data the tool will and will not touch. Offer to have IT involved in the setup so they can see exactly how it works rather than reviewing it from a distance.
A pilot does two things. It gets you moving. And it gives IT direct, controlled experience of the tool, which tends to reduce fear far more effectively than any amount of documentation.
The cost of doing nothing is not zero
There is one more argument worth having ready, not to use aggressively, but to deploy if the conversation stalls on risk. IT’s caution is framed around the risk of adopting AI tools. But there is an equally real risk on the other side that rarely gets named.
The Larridin State of Enterprise AI 2025 report found that 67 percent of organisations admit they do not have full visibility into which AI tools their employees are already using. When businesses block sanctioned adoption, people do not stop using AI. They use personal accounts, free tools, and consumer-grade applications that carry none of the enterprise data protections IT are trying to enforce. The risk IT is trying to prevent does not go away when they say no. It goes underground.
A controlled, IT-approved pilot with proper data governance is categorically safer than the alternative. That reframe, from ‘AI adoption is risky’ to ‘uncontrolled shadow AI is the real risk’, tends to land well with security-minded leaders because it speaks their language. You are not asking IT to lower their guard. You are asking them to channel it more effectively.
Build the coalition before the escalation
A business case presented by marketing to IT is a marketing document. A business case co-authored by marketing, finance, and a senior business leader or two carries significantly more weight.
Spend two weeks quietly building internal support. Find people who are already frustrated by the pace of change and get them to say so in the room. Find out whether your CFO has a view on the competitive cost of inaction. A finance voice saying “we are losing ground and that has a number attached to it” changes the dynamic in a way that marketing saying “our content is slower than competitors” simply does not.
This is not politics for its own sake. It is making sure that the conversation IT is having reflects the full weight of the business need, not just the enthusiasm of one department.
If none of this moves things, escalate deliberately
Some IT functions in traditional businesses are structurally risk-averse in a way that no amount of coalition building will fully overcome. If you have genuinely tried the collaborative approach, brought the market evidence, proposed a sandboxed pilot, and built cross-functional support, and the answer is still no with no credible path to yes, then escalation to the CEO is not a failure of diplomacy. It is the appropriate next step.
But escalate with a solution, not a complaint. Do not go to the CEO and say IT are blocking us. Go with a fully formed proposal: here is the tool, here is the use case, here is how comparable firms have handled the security question, here is the pilot structure, here is what it costs, here is what we stand to gain, and here is what we are currently losing by waiting. Link the solution to a positive gain and inaction to a negative effect, on pipeline, on win rates, on team productivity.
At that point you are not asking the CEO to override IT. You are asking them to make a business decision with full information. That is a very different ask, and a much easier one for a senior leader to act on.
Going to the CEO empty-handed is a complaint. Going with a fully costed, de-risked proposal is a recommendation. Know the difference before you walk in.
The short answer
Take someone from IT for a coffee and find out what you are actually dealing with. Start with tools already inside your approved environment, Copilot being the obvious first step, to give IT a safe, observable experience of enterprise-grade AI. Request a dedicated IT business partner who can become your internal advocate. Propose a sandboxed pilot that keeps the risk surface small. Use the shadow AI argument to reframe inaction as the greater risk. Build a cross-functional coalition so your business case carries more than marketing’s voice.
And if the collaborative route has been genuinely exhausted, escalate to the CEO with a fully formed proposal rather than a grievance. You are not asking for permission to do something reckless. You are asking for support to do something your competitors are already doing.
The relationship with IT is worth preserving. But not at the cost of your team standing still while the market moves.
And if your CEO still says no, well, come send me a note!
Onwards,
Rich
Got a question for Rich? Email it to editor@b2bmarketing.com
