The Practical CTO

Two Different Visions of Enterprise AI When Microsoft shipped Copilot and SAP shipped Joule, they were not building the same product for the same problem. They were starting from fundamentally different philosophies about where AI belongs in enterprise workflows — and understanding that philosophical gap is the key to making the right choice for your organization. Microsoft's approach to Copilot is breadth-first. They built an AI layer that sits across the entire Microsoft 365 surface — Word, Excel, Outlook, Teams, PowerPoint, SharePoint, Dynamics — and gives users a consistent conversational interface for everything they do in that ecosystem. The bet is that the productivity gains from having AI assistance everywhere, across all of these tools, compounds into something larger than any single deep capability. Copilot's power comes from its scope. SAP's approach to Joule is depth-first. They built an AI layer that goes as deep as possible into SAP's own product su...

In early 2024, a mid-sized logistics company I consulted for deployed what they called an "AI agent" to handle IT helpdesk tickets. Within three weeks, it had autonomously escalated 847 tickets to executive-level review — because its escalation logic treated any mention of a director's name as a severity-1 incident. It wasn't hallucinating in the factual sense. The reasoning was just catastrophically wrong, and nobody had thought carefully about what "autonomous decision-making" actually meant in that context. That story captures the current state of enterprise AI agents in 2026 better than any benchmark does. The technology is genuinely powerful. The organizational capacity to deploy it safely and effectively is still catching up. This guide is about the gap between those two things — and how serious engineering and design work is closing it. Photo by Tara Winstead on Pexels What an AI Agent Actually Is (Clear Definitions First) The term ...

In 2026, Zero Trust is everywhere. Every major security vendor claims to offer it. Every enterprise RFP asks for it. CISOs reference it in board presentations. It appears in government mandates, insurance questionnaires, and compliance frameworks. Zero Trust has, in the span of about five years, gone from a niche architectural philosophy to a ubiquitous marketing term — and that ubiquity has created a serious problem. The problem is that "Zero Trust" now means almost nothing, because it means too many different things. A vendor selling multi-factor authentication calls it Zero Trust. A company that replaced its VPN with a cloud proxy calls its network Zero Trust. An organization that added certificate-based authentication to its API gateway calls that Zero Trust. Each of these is a step in the right direction, but none of them is Zero Trust in the original sense — and more importantly, none of them alone provides the security posture that the term implies. I have wor...