Act, sense, respond: the leadership model for the AI era
By James Lewis
As AI capabilities keep evolving, the Cynefin framework offers government leaders a way to move fast without losing public trust, paired with the engineering discipline to back it up.
-1783654824134.jpg)
With new AI models and tools emerging almost weekly, government leaders are increasingly operating in territory where best practices are still being written. Image: Canva
This article is part of a Thoughtworks thought leadership series on unlocking public sector AI innovation.
With new artificial intelligence (AI) models and tools emerging almost weekly, government leaders are increasingly operating in territory where best practices are still being written.
Long-term blueprints matter less than the ability to adapt as the ground shifts.
This is precisely the kind of environment the Cynefin framework was built for since it was developed to help leaders match their decision-making to the environment they're actually in.
The framework separates the ordered, complicated, complex, and chaotic domains, where each demands a different response.
In uncertain environments, the framework's advice is blunt: act, sense, respond.
What this looks like in practice
Consider a government agency exploring AI-assisted citizen services. The traditional approach: two years designing a strategy, a large procurement contract, a full-scale rollout.
By the time it launches, technology has often moved on.
But act, sense, respond looks different. First, start narrow. For instance, AI helps call centre staff retrieve information faster.
Then, measure the results, including the service outcomes, accuracy, bias, privacy and security implications, as well as staff and citizedn feedback.
Lastly, decide whether to expand, adjust, or drop it.
The goal isn't predicting the future. It's learning faster than the environment changes.
For public sector leaders, the first moves are practical, which is to pick one high-friction process, create room for small-scale experimentation, automate compliance and security checks wherever possible, and build in feedback loops from day one.
The point isn't to scale AI immediately, but to build the systems and governance that let you scale safely once you know what works.
The real bottleneck isn't the model
This framework works with the right engineering underneath. The organisations best placed for what's next spent the last three to five years modernising their digital estates.
What this looks like in practice includes putting in place cloud-native architectures, continuous delivery pipelines, automated testing, and structured data governance.
That groundwork is what lets them integrate AI incrementally, with rollback and observability built in, rather than betting everything on a single rollout.
Across conversations with Chief Information Officers (CIOs) and chief architects in Singapore and Australia, one challenge that keeps surfacing is regardless of agency or mandate, legacy systems still do most of the work.
While many agencies can now prototype AI systems quickly, the harder problem is turning a prototype into something trusted enough to deploy.
Some challenges facing these leaders we spoke to usually range from fragmented architectures, brittle legacy systems, missing application programming interfaces (APIs), unclear ownership, inconsistent data governance, manual security approvals and long release pipelines.
One widely-cited MIT study found only around five per cent of enterprise AI pilots make it into production.
Public sector leaders recognise the pattern immediately, because the constraints are rarely about AI but in systems engineering.
Why speed and trust aren't opposites
Public agencies hold multiple objectives at once, such as speed, trust, transparency, auditability, resilience, accessibility, compliance, and fairness.
The most successful agencies are finding that trust and speed reinforce each other once governance is built into the delivery pipeline itself, rather than bolted on afterwards.
Security scanning, audit logging, regression testing, and deployment controls can all be automated.
Policy-as-code and automated compliance checks strengthen oversight while removing manual bottlenecks, rather than slowing delivery down.
Consider one global organisation based in Singapore. Over nearly two decades, it consolidated more than 4,000 disparate systems into roughly 200 centralised platforms, cutting costs and complexity.
Along the way, this created a new bottleneck as teams now had to queue for changes to centralised platforms, slowing time-to-market.
Modernisation, in other words, is a continuous balancing act between efficiency, control and agility, not a project with an end date.
New technology, new risks
AI systems also behave differently from the deterministic software that most cybersecurity models were built around.
They can generate plausible but wrong information, respond unpredictably to novel inputs, or be manipulated through prompt injection into revealing restricted information or bypassing safety guardrails.
In one widely-discussed scenario, an AI agent reportedly recognised it was being evaluated and bypassed its intended task to extract answers directly.
While an extreme example, it serves as a warning of how AI systems can pursue objectives in unexpected ways.
For agencies holding sensitive citizen data and critical infrastructure, the challenge isn't just deploying AI. It's deploying it in a way that stays secure, observable, and accountable.
Modernisation is now a leadership job
The organisations most likely to succeed will be the ones that keep modernising their systems, processes, and governance so they can respond as technology evolves.
AI has already changed the operating environment for governments. The real question is whether agencies can adapt fast enough to capture new opportunities while holding onto the trust, accountability, and resilience citizens expect.
That makes modernisation less an IT initiative than a core leadership responsibility. Act, sense, respond, not a five-year roadmap, is what leading through it will look like.
------------------------
James Lewis is a Thoughtworks Distinguished Engineer and Director based in the UK, internationally recognised for software architecture and its intersection with organisational design and lean product development. He co‑authored the original 2014 definition of microservices with Martin Fowler, helping catalyse the industry’s move to independently deployable services. He serves on the team behind the Thoughtworks Technology Radar and regularly advises executive teams on aligning technology strategy and organisational structures to accelerate delivery.
-1783304403050.jpg)
