There's a familiar concept in information security and risk management called the "Swiss cheese model." The basic idea is that every layer of protection has holes. A firewall may reduce certain risks, but not all of them. Multifactor authentication helps, but it doesn't solve every identity problem. Staff training matters, but people still make mistakes. The goal is not to find one perfect layer; the goal is to stack enough thoughtful layers so the holes don't line up at once.
It's a useful way to think about cybersecurity. It may also be a useful way to think about AI and organizational knowledge.
Most organizations have more knowledge gaps than they realize. Some procedures are documented carefully, while others live almost entirely in someone's head. Some decisions are captured in official records, while others are buried in email threads, meeting notes, or old slide decks. Some systems have clear owners, while others are held together by a few people who know where everything is and how things actually work.
For a long time, organizations have learned to work around these gaps. A new employee may not be able to find the answer in the handbook, but someone knows who to ask. A process may not be fully documented, but the team has done it enough times to muddle through. The official instructions may be out of date, but experienced staff know which parts to ignore.
This isn't ideal, but it is common. Most organizations run on some combination of formal documentation, informal knowledge, personal relationships, institutional memory, and a healthy amount of "ask Susan, she'll know."
AI changes the equation.
When organizations introduce AI tools, they often expect those tools to help surface, summarize, and reuse institutional knowledge. And in many cases, they can. AI can make it easier to search across large volumes of information, draft first versions of documents, synthesize notes, identify patterns, and help staff get unstuck.
But AI can also reveal just how incomplete, scattered, or outdated the underlying knowledge really is.
An experienced employee may know that a procedure changed last year, even though the document was never updated. AI probably will not know that. A program manager may know that two similar-looking policies apply to different teams for historical reasons. AI may not have that context. A senior operations person may know that the "official" workflow is not the one that people actually follow. AI may treat the official workflow as fact.
This is where the risk appears. When AI encounters missing or inconsistent information, it doesn't always know that something important is missing. Depending on the tool and the context, it may generate a plausible answer anyway. The answer will sound polished. It will most likely sound confident. But confidence isn't the same thing as accuracy, and polish isn't the same thing as organizational truth.
That's why knowledge gaps become more consequential in an AI-enabled environment. The same gaps that used to cause delays, confusion, or extra meetings can now produce incorrect summaries, incomplete recommendations, flawed drafts, or misleading answers at a much larger scale.
In other words, AI does not just create new risks. It can amplify the risks that were already there.
This is one reason AI readiness should not begin and end with tool selection. Choosing the right platform matters, of course. So do security, privacy, permissions, and governance. But organizations also need to ask more basic questions about the knowledge their AI tools will rely on.
Is important information documented? Is it current? Is it stored somewhere people can actually find it? Are there multiple conflicting versions of the same process? Do teams know which sources are authoritative? Are there areas where one person's departure would leave a major knowledge gap?
These questions may not feel as exciting as choosing an AI tool, but they're often more important.
AI works best when it is grounded in reliable, well-organized, well-governed knowledge. Strong knowledge management practices help create that foundation by making information easier to find, trust, share, and maintain over time. Without that foundation, organizations may find themselves using powerful tools to move faster through uncertainty.
The Swiss cheese metaphor is useful because it doesn't suggest that every hole must be eliminated. No organization has perfect documentation, perfect governance, or perfect knowledge capture. The goal isn't perfection; it's to understand where the holes are, which ones matter most, and what additional layers are needed so they don't create unnecessary risk.
For some organizations, that may mean improving documentation around critical workflows. For others, it may mean cleaning up SharePoint or Google Drive, clarifying ownership of key information, strengthening permissions, retiring outdated content, or creating a clearer taxonomy. It may also mean giving staff better guidance on when to trust AI-generated output, when to verify it, and where to go for the authoritative answer.
AI can be a powerful force multiplier. But it multiplies what is already present: clarity or confusion, structure or sprawl, good governance or wishful thinking.
Before asking how AI can transform your organization, it may be worth asking a simpler question:
How many holes are in your Swiss cheese?
Because AI will probably find them. The question is whether it finds them before they become operational risk.
