In companies, the summer often slows down the decision-making process, but in the tech sector, such a pause increasingly comes at a tangible cost. AI, cybersecurity, the cloud, data and regulations now form a single landscape of risks and costs that management should sort out before autumn brings the pressure of budgets, projects and results.
September is often treated as a second start to the year. Teams return, projects get underway, and meetings about ‘what we do next’ appear in calendars. The problem is that, in the tech sector, September is increasingly rarely a time for calm reflection. More often, it becomes a test of decisions that were either made or postponed in July and August.
It’s not about approving major transformations during the summer holidays. It’s about something more fundamental: identifying owners, defining the scope, assessing the costs and identifying the risks. The most expensive thing today is not just new technologies, but ambiguity: who is responsible for AI, who oversees cloud costs, who manages the data, who responds to incidents and who ensures regulatory compliance.
The first decision concerns AI. In many organisations, artificial intelligence has already moved beyond the demonstration stage, but has not yet become fully integrated into day-to-day processes. This is a significant difference. A company may have several pilot projects, generative tools in the hands of its staff and high expectations of automation, yet still lack an answer to the question of where AI is actually supposed to improve results, streamline processes or take the strain off the team.
This is less and less a problem with the technology itself, and increasingly a problem with the organisation. Market analyses indicate that AI adoption often stalls due to fragmented ownership, mismatched processes and a lack of scaling principles, not just the limitations of the models themselves. That is why the board should not ask, in general terms, whether the company is ‘implementing AI’. A better question is: which two or three processes are to move from AI experimentation to the company’s day-to-day operations, and who is accountable for their outcomes? Without such a decision, the autumn may bring more tests, but not necessarily more measurable change.
The second decision involves both the CIO and the CFO: who actually controls the costs of the cloud and AI? For years, the cloud has been described in terms of flexibility, speed and scalability. These remain its key benefits, but today they are increasingly accompanied by a second set of terms: complexity, waste and unpredictability. According to analyses based on data from Flexery and Finout, 73 per cent of organisations report an increase in the operational complexity of cloud environments, and 31 per cent of cloud expenditure is wasted.
AI adds another layer to this. Costs no longer arise solely in traditional infrastructure, but also in models, queries, agents, data, integrations, licences and security. This is not a technical detail on an invoice. It is a question of how the company is managed. Are cloud and AI costs visible by product, department and business outcome, or do they still appear as a single, aggregated item on the IT side? If even a minimal level of cost discipline is not established by September, autumn AI projects may increase infrastructure usage faster than the company’s ability to assess the return on investment.
The third decision concerns cybersecurity, but understood not as a catalogue of tools, but as operational resilience. The summer holidays mean time off, cover staff, travel, remote working and more dispersed teams. This need not cause panic, but it does mean checking whether the company really knows what to do in the first few hours following an incident.
The scale of the risk is growing. According to information provided by Polish government representatives and quoted by the AP, in 2025 Poland recorded 270,000 cyberattacks – 2.5 times more than the previous year. From the board’s perspective, the key question is therefore not whether the organisation has yet another security solution, but whether it has an up-to-date response plan, tested backups, access controls and a clear division of responsibilities. September is a good time for new projects, but a bad time to discover that, in a crisis, nobody knows who is making the decisions.
The fourth decision is less spectacular, but may be the most important: which data is actually ready for use? AI projects rarely stall due to a lack of enthusiasm. More often, they stall due to data quality, availability, scattered sources, unclear permissions and a lack of ownership. This is why the discussion about data should return to board level, rather than remaining solely within the IT department.
Data is not an add-on to an AI strategy. It is a prerequisite for ensuring that AI does not remain merely a showcase, but becomes a repeatable process. In the case of AI agents, researchers point out that one of the fundamental tasks of compliance and control is a comprehensive inventory of the system’s activities, data flows, integrated tools and the people affected by the system. This may sound technical, but the decision is very much a business one: which datasets are critical to the most important processes, and who is responsible for their quality, availability and access rights? If a company fails to establish this over the summer, its autumn automation projects may begin not with scaling up, but with getting the basics in order.
The fifth decision concerns regulation. The AI Act, NIS2, cyber resilience, data protection and accountability for AI systems are no longer separate compliance issues. They are having an increasingly significant impact on technology procurement, supplier contracts, system architecture and the way decisions are documented. The AI Act came into force on 1 August 2024, but its provisions are being implemented in phases, and organisations must gradually prepare for new obligations relating to AI systems. Meanwhile, NIS2 has extended European cybersecurity requirements to more sectors and reinforced the importance of oversight, risk management and incident reporting.
However, it is not worth reducing this to a mere legal obligation. For the board, the most important question is: does the company know where it actually uses AI, which systems may pose regulatory risks, and who is responsible for documentation, suppliers and compliance? Companies that put this issue on the back burner may not face an immediate problem in the form of a fine. Chaos is more likely: more difficult procurement, longer negotiations, unclear accountability and delayed projects.
How should priorities be set? Not by which issue is making the most noise. AI may be the most high-profile topic, but within a specific company, backup procedures, controlling cloud costs or organising customer data may be more urgent. A good decision-making filter is simple: which decision reduces the greatest operational risk, which improves cost control most quickly, which unlocks other projects, and which must be taken now due to regulations, budget constraints or staff availability.
This is precisely why a summer technology brief should not be a list of trends. It should be a discussion of the implications. The board does not need to finalise the entire digital strategy over the summer holidays, but it should distinguish between projects that can wait and those where a delay would increase costs, risks or loss of momentum.
September is rarely a completely fresh start in the tech sector. More often than not, it reveals the effects of decisions that were made or postponed over the summer. Companies that use July and August to sort out their priorities will not have to work any harder than others in the autumn. They will simply start with less chaos.

