Perhaps you recognize yourself in one of these questions:
- “Everyone is talking about AI, but where do I start?”
- “We launched a chatbot, but the business doesn’t see any added value.”
- “How do I make sure our data remains secure when people use ChatGPT?”
- “My employees are already using AI tools … but which ones, and with what data?”
- “We have three AI projects running, but no one knows how they are connected.”
- “The CISO says no. The business wants fast. The IT department has no capacity. And the CEO wants results.”
- “How do I protect my organization from the risks posed by AI?”
- “We’re looking at Copilot, but is that a tool, a platform or a strategy?”
Do any or all of these questions sound familiar to you? Then be sure to read on.
The AI stack in six layers
AI works in layers. And each layer builds on the previous one. Many organizations invest in one AI application and forget that underneath are four or five more foundations that help determine whether it works. The result: building on sand.
Layer 1: The models
The major language models themselves: GPT-4o, Claude, Gemini, LLaMA. Closed or open source, powerful AND source of bias, hallucinations and intellectual property questions. The wrong model for the wrong use case and it goes wrong before you even start.
Layer 2: The API layer.
The silent gateway between your organization and the model. Every prompt in an external tool sends data out: providers log, models learn, leaks of API keys give full access. The layer most organizations overlook.
Layer 3: Developer tooling.
The tools developers use to build with AI: GitHub Copilot, Claude Code, Azure AI Foundry, Copilot Studio. Linked to remote servers in the background, including secrets and business logic. Without clear policies, this remains a blind spot.
Layer 4: Agent frameworks and orchestration.
The layer where AI acts rather than answers: MCP, LangChain, AutoGen, multi-agent systems that send emails, create files, start processes. At this layer, prompt injection becomes a real attack surface.
Layer 5: The business applications.
The layer the business sees: chatbots, email agents, document processing, process automation. With a solid foundation, this delivers value. With faltering layers underneath, it becomes another silo or a time bomb.
Layer 6: Governance, security and compliance.
The framework that keeps everything above it manageable: EU AI Act, GDPR, ISO 42001, acceptable use policies, audit trails, human oversight. Without this layer, everything above it remains unmanaged.
“One weak layer pulls through to everything above it.”
You can have the most beautiful Copilot implementation. Without data governance, policies around shadow AI or monitoring, you are building a beautiful house on a shaky foundation.
What makes Xylos’ approach different?
AI is changing something fundamental in how IT projects run. What used to work as separate domains – modern workplace, cloud, security, data, managed services – are being laced into one by AI. An AI agent in the cloud touches on security. A Copilot implementation to data governance and modern workplace. A process automation project to the application layer as well as infrastructure. The boundaries between those disciplines are blurring, and many parties get stuck there.
At Xylos, we have been building expertise in all these domains for years. Each with its own people, its own maturity, its own architecture choices. AI today brings our people closer together: the security expert talks to the data architect, the workplace specialist works with the developer who builds agents. That’s how we work.
At the same time, we see too many organizations looking only at the top layer. The business applications, the chatbot, the Copilot or Claude license. Those who only address that top layer forget the questions that should be there first: is the data in order, are the processes ripe for automation, who manages the risks?
Where do you start as an organization?
Start with a plan. Then choose the tool.
That’s why we bring an AI Program Manager into the picture: someone who will come alongside your organization at short notice, map out the initiatives, name the blind spots and propose a program that is right at all levels. Technically based, organizationally supported, from management to employee. What remains is a clear starting point, a realistic path and a partner who understands the full stack.
All the expertise is under one roof: modern workplace, cloud, security, data, managed services. Locally anchored, with people who understand your context, and a vision that extends beyond the chatbot or optimized email.
“AI deserves a program approach.”
Is your organization ready to address the full AI stack? I’d love to talk about it.
About the author
Peter Verrykt is Business Unit Lead Data & AI at Xylos and guides organizations in turning data into concrete business value. He helps companies look beyond technical implementations and deploy data and AI as a foundation for better decisions, greater agility and sustainable growth.
