Five Steps of AI Adoption and Why Most Teams Are Stuck on Step One
Table of contents
The Framework
Boris Cherny published a framework this week that maps how engineering teams adopt AI agents. Not a marketing slide. Not a maturity model designed to sell consulting hours. A practical five-step ladder from "we barely have access" to "a thousand agents run and I steer by intent."
The framework is useful because it names the bottleneck at each step. Not "what should we do next" but "what is actually preventing us from moving."
Here is the full ladder, condensed.
Step 0: Gated
Agents: 0
Only older or lighter models are approved. Latency compounds through AI gateways and custom auth layers. No MCP governance. Internal access to AI tools is gated or process-heavy. There is no IT infrastructure or approval path for hosting AI-created code or artifacts. Outputs only exist locally on individual machines.
The bottleneck: Legacy security and approval processes. The organization focuses on cost-per-token containment instead of outcomes. True technical voices are absent from decision-making.
What helps: SSO/SCIM with role-based access. Org-level budget caps. Deploying inside existing approvals and IAM. A data governance package that security teams can actually sign off on.
Most companies that think they have adopted AI are here. They approved ChatGPT Enterprise, put it behind three approval layers, restricted it to GPT-4o-mini, and called it a strategy.
Step 1: Assisted
Agents: ~1 (you plus an agent, a pair)
One engineer, one agent, mostly supervised. A fast pair programmer. You run one session at a time and review almost every change before it merges.
The unlock: A change that used to fill an afternoon becomes something you finish between meetings.
The bottleneck: Your attention. Due to low trust in the model's output and lack of self-verification, you feel you must read everything. Work is synchronous. You sit and watch while the agent works instead of moving to the next task.
This is where I see the majority of engineering teams in July 2026. They are using Claude Code or Copilot, they are getting real productivity gains, but they are babysitting every output. The agent is a junior developer who is never allowed to commit without a code review.
The trap at Step 1 is that it feels productive. You are shipping faster. But you are still the bottleneck.
Step 2: Parallel
Agents: ~10 (you as orchestrator)
One engineer orchestrates 5 to 10 agents at once, each on its own worktree or git checkout. Claude checks its own work (tests, build, lint, security scan) before you see it. Auto mode is always on. Automated code review and security review are on by default.
The unlock: A backlog that used to take the team weeks becomes one engineer's afternoon of orchestration.
The bottleneck: Reviewing output. You are hand-writing less code and instead checking six streams of it. Prompting and steering the model as you juggle sessions.
This step requires a critical mindset shift. You stop being a writer of code and become a reviewer of code. The skill changes from "can I implement this" to "can I verify this is correct across ten parallel streams."
The tools that enable this step matter: worktree isolation (so agents do not collide), auto mode configuration, agent view for monitoring multiple sessions, and automated code review that catches issues before you even look.
Step 3: Supervised Autonomy
Agents: ~100 (manager of managers)
Claude writes all or nearly all of the code. The question shifts from "did you read the code" to "what context was the model missing and how do we solve it for next time."
The unlock: The agent proactively does work you would have had to kick off manually. Maintenance and cleanup that used to wait for someone to find the time now runs continuously in the background.
The bottleneck: Trust in the loop and your team's decision throughput. The agent tree is too deep to babysit. The trap is scaling agent count before the loop has earned widespread trust.
This is the step that separates companies running AI experiments from companies running AI operations. At 100 agents, you cannot review everything. You need the verification loop (tests, build, lint, security scan, automated code review) to be so reliable that exceptions are rare and meaningful.
Token economics also become real at this scale. Monitoring via OpenTelemetry or analytics dashboards is no longer optional. The culture needs to encourage experimentation while controlling costs once internal use cases find product-market fit.
Step 4: AI-Native
Agents: ~1,000+ (VP steering by intent)
The loop is fully closed. Most agents are kicked off by other agents, not humans. Hundreds to thousands of agents run. You steer by intent and monitor by exception.
The unlock: The quarter-long migration becomes a workflow you kick off and check on.
The bottleneck: Identifying and automating work at scale, and enforcing the right guardrails for each type of work.
No one is reliably operating at Step 4 today. But the infrastructure is being built. The Claude Agent SDK for programmatically building and scheduling agents. Claude Tag for active monitoring across Slack channels. The pieces exist. The orchestration layer is what is missing.
Where Most Teams Actually Are
I work with automation in production every day. RPA bots, AI extraction pipelines, agentic workflows. Based on what I see across insurance, financial services, and enterprise IT:
Step 0: roughly 40% of enterprise teams. They have AI access on paper but security, procurement, or leadership has made it so painful to use that adoption is negligible.
Step 1: roughly 45% of enterprise teams. Individual engineers are productive with AI assistants, but the organization has not built the trust or infrastructure for unsupervised agent work.
Step 2: roughly 12% of enterprise teams. These are the teams running multiple agent sessions, using auto mode, and treating AI output as code to be reviewed rather than suggestions to be retyped.
Step 3: roughly 2 to 3% of enterprise teams. Mostly at AI-native companies or in dedicated platform engineering groups at large enterprises.
Step 4: effectively 0% in production. Proof-of-concept only.
The gap between Step 1 and Step 2 is the most important gap in enterprise AI right now. It is the difference between "AI helps me code" and "AI changes how my team operates."
The Transition Points
The framework is most valuable for its transition guidance. How do you get from one step to the next?
0 to 1: Executive alignment and escalation of blockers. Frameworks for launching AI securely. This is a people and process problem, not a technology problem.
1 to 2: Run more than one agent at a time. Build a self-verification loop you trust (tests, build, lint, end-to-end testing with a real dev environment). Enable auto mode to stop blocking on permission prompts. Automate code review.
2 to 3: Give agents a way to pull in context (code, wikis, discussions). Solve the agency and code review speed problem when agents touch code owned by other teams. Break work into loops and routines. Use dynamic workflows to fan out repetitive tasks. Let agents kick off other agents.
3 to 4: Scale automation of domain-specific use cases (code migration, fuzzing, feature-building, feedback remediation).
Notice the pattern. Each transition requires less technology and more organizational trust. The tools exist. The permission structures do not.
The Guardrails Scale With the Risk
One detail that makes this framework practical: the guardrails column. Each step has appropriate controls.
At Step 0, you need SSO and budget caps. Basic access control.
At Step 1, you need per-seat spend caps and centrally managed model settings. Compliance API. Plan mode to review intent before edits.
At Step 2, you need analytics to monitor team usage, automatic code quality enforcement, and manual code review as the final gate. You hold the same quality bar for human and agent-generated code.
At Step 3, you need automatic code review, automatic security review, agent sandboxing, and CLAUDE.md files encoding team standards. You tune the auto mode classifier based on your team's actual usage patterns.
At Step 4, you need cost controls and model selection for automation.
The guardrails do not get looser as you scale. They get more automated. Human review becomes exception-based rather than default.
What This Means for Builders
If you are building automation today, here is my take.
First, be honest about what step you are on. Most teams overestimate by at least one step. If you are reviewing every line of AI output before it ships, you are on Step 1 regardless of how many tools you have deployed.
Second, focus on the transition to Step 2. This is where the multiplier effect kicks in. One engineer orchestrating ten agents is not ten times more productive, but it is three to five times more productive. That is a real competitive advantage.
Third, invest in verification infrastructure. The common thread across every transition is trust. Trust comes from reliable self-verification. Tests, builds, lints, security scans, automated review. If your CI pipeline is not solid, scaling AI agents will amplify the mess rather than fix it.
Fourth, the bottleneck is always human. At every step, the constraint is human attention, human trust, human decision-making speed, or human organizational permission. The agents are ready. The question is whether your organization is.
The framework is worth bookmarking. Not because it predicts the future, but because it gives you an honest mirror for where you are today.