From shared devices to AI copilots, decisions about access, behavior and day-to-day workflow are shaping technology outcomes well before formal buying begins.
Enterprise buying does not usually start with a vendor conversation anymore. It starts earlier, in quieter places, with decisions that do not feel like buying at all.
Someone decides a shared device model is necessary to keep work moving. A team accepts a new access pattern because it saves time. Employees are expected to make judgment calls in the moment -- clicking, scanning, responding -- long before any tool is selected or contract reviewed. By the time procurement gets involved, the most important choices have already been made.
What looks like technology adoption from the outside is often something else entirely on the inside. It is a decision about access. About expectations. About how work should flow. Those decisions are framed as operational or behavioral, not commercial, even though they quietly shape what technology an organization will eventually need to support them.
The result is not chaos or a loss of control. Control just starts somewhere else.
Early decisions in regulated environments
In a clinical healthcare setting, shared-use mobile devices are treated as essential infrastructure, not optional tools. IT decision-makers and clinical leaders often put their stamp of approval on their use, reflecting how governance gaps are limiting the potential of mobile devices in healthcare.
This does not register as a buying and procurement decision because the shared device model makes use of existing IT hardware and systems. It feels like extending what already exists rather than initiating a new buying cycle.
In a highly regulated clinical environment, the decision is framed as enabling care. Clinicians need to log in and out to access the information they need to do their jobs, wherever they happen to be in the hospital. Efficiency and care delivery, not vendor selection, are the stated motivations.
At this stage, the decision is already made. Before tools or vendors enter the picture, a system of permissions and expectations must be worked out -- who has permission to use which device, where and when.
When governance shows up late
Unfortunately, authentication roadblocks often hinder the shared device model once the decision has been put in place. More than half of healthcare staff experience accessibility issues once shared-use models expose weaknesses in device management, security posture and operational planning.
The friction is exacerbated by a lack of robust mobile device management (MDM) policies, insufficient hardware, inadequate data security and manual or inconsistent processes.
The tension is first felt by IT, which scrambles to get clinicians access to the right devices, then by clinicians, who are delayed in providing care. And, most importantly, it's felt by patients who are waiting to receive that care.
This is not just about mobile devices. It applies to any IT device in the hospital -- PCs, smartphones and tablets -- used by clinicians to do their jobs.
Part of the problem is the lack of clear centralized ownership. The decision to implement shared devices comes from IT and clinical leaders, but responsibility for making it work becomes diffuse and often ineffective.
Problems that should have been solved before implementation surface afterward:
Do we have enough devices spread across the hospital?
Do we have a device management system capable of supporting the policy?
Is adequate data protection in place to meet governance and HIPAA requirements?
These breakdowns are framed as implementation flaws that come as a surprise. They shouldn't be.
Risk forces decisions earlier than tools
Organizations need to react to AI-supported phishing attacks in near real time, reflecting how AI is making phishing attacks more dangerous.
Attackers are using AI to make phishing messages more timely, more in the moment and more effective, bringing voice and impersonation into the picture. Speed matters more than certainty.
Countering phishing starts with the employee, even in the age of generative AI. Awareness training remains the first line of defense, even though humans are still considered the weakest link.
This looks like a behavior and access problem, not procurement, because many traditional countermeasures are human-centered: training, not clicking links, not sharing data, enforcing password best practices.
The primary area of control appears to be awareness and security training, setting behavioral expectations and judgment at the moment of interaction. Authentication and access restrictions come later and are more technological by contrast.
The framing assumes users will always make mistakes, controls will lag attackers, and speed matters more than certainty.
When the edge becomes the decision point
Users are often unaware of smishing as a threat, even as mobile devices already have access to corporate networks, underscoring how security teams are incorporating smishing into awareness training.
Smishing bypasses traditional cybersecurity controls because messages do not pass through corporate email systems.
Organizations cannot simply buy something to counter smishing. MDM might help at the margins, but procuring technology is not the answer.
They are ubiquitous and used everywhere, not just in corporate environments. They obscure destination URLs and bypass traditional indicators of attack, forcing users to make trust decisions at the moment of interaction.
There are multiple layers of protection: security software, multifactor authentication, education and awareness. Countermeasures are equally about tools and users. Decisions happen at the moment of scan.
These early decisions are not limited to security or compliance-driven environments. The same pattern is now showing up inside everyday productivity tools, where new capabilities appear as enhancements to existing platforms rather than as purchases. As AI features are embedded directly into workflows, decisions about how work gets done expand quietly -- often without triggering a formal buying or governance conversation.
Workflow-level decision sprawl
A CIO integrated Salesforce's agentic AI Slackbot to gather information using natural language and create onboarding documentation quickly, illustrating how Slackbots are evolving into AI copilots inside everyday work.
It is not really a procurement issue because it complements an existing product, Slack, making it more competitive with Microsoft Teams. There is no new SKU, no contract change and no formal buying motion.
Slackbot is free to Slack business and enterprise subscribers. It extends Salesforce's reach beyond its traditional CRM customers and positions Slack as an AI-enabled workflow surface.
Use might flow upstream from users to managers, IT and the CIO. But responsibility flows downstream, from the CIO to IT, managers and, ultimately, individual users.
When procurement becomes the receiver
Across very different parts of the enterprise, the pattern is the same. Decisions expand earlier than procurement, spread wider than any single team and take shape inside workflows before they ever look like purchases.
Shared devices are normalized before governance is ready. Security expectations are placed on employees before tools can intervene. AI capabilities appear inside existing platforms as enhancements, not buying events. Use can flow upward, but responsibility still flows downward, layered in after the fact.
Procurement is not being bypassed; it is being repositioned. Increasingly, it is asked to formalize, scale and govern decisions that are already in motion rather than originate them.
The challenge for organizations is not to pull buying back into a single gate. It is to recognize that buying now begins with access, behavior and workflow choices -- and to involve governance and procurement early enough to shape those choices before they harden into obligations.
James Alan Miller is a veteran technology editor and writer who leads Informa TechTarget's Enterprise Software group. He oversees coverage of ERP & Supply Chain, HR Software, Customer Experience, Communications & Collaboration and End-User Computing topics.