-
It Gets Cleaner On The Way Up

A project team gets to a go-live meeting. Sign-off is on the agenda. The supplier has already been told the enterprise controls aren’t sufficient. But there’s a payment milestone attached to that go-live, and the meeting isn’t really about whether it’s safe to proceed. It’s about whether it can be made to look safe enough…
-
August 2026 Is Not the Deadline

The EU AI Act entered into force on 1st August 2024. Prohibited practices and the AI literacy duty applied from 2nd February 2025. The first rules for general-purpose AI models began applying from 2nd August 2025, with transitional arrangements for models already on the market. Most of the Act becomes applicable on 2nd August 2026,…
-
Things Made Too Dangerous to Release

Every significant capability governance failure of the last fifty years follows the same shape. Someone drew a boundary around an approved use case. The capability moved outside it. Nobody had asked what happens when it does. That pattern predates AI by decades. It shows up in molecular biology, network infrastructure, industrial control systems, and weapons…
-
AI-Generated Evidence Is Only Caught By Accident

A Derbyshire Police case, and the reconstruction test most organisations have never run A Derbyshire Police officer is under criminal investigation for allegedly using AI to create evidential material in a number of cases. The Crown Prosecution Service is now working with the force to review which cases may be affected. No arrests. The officer…
-
Three AI Certifications, Three Governance Problems

Last year I spent a week talking to C-suite members individually as part of a wider governance assessment. The company was already using AI in several places. Some of it sanctioned. Some of it not. A couple of tools had been quietly adopted by teams who never thought to ask permission because they did not…
-
Complaints Handling Becomes a Real Governance Control

When the Freedom of Information Act came into force, I was brought in to build and manage an internal audit team for a large government agency. The FOI compliance picture wasn’t the reason I was there. It emerged during the audit. Requests that had been missed entirely. Others within days of breaching the statutory deadline.…
-
Classifying AI Risk Before You Deploy It

I was doing a review for a client in the entertainment sector recently. Not a cyber incident. A broader governance piece. During the review we found tools already embedded in their outreach operation. Approved software. Budget already signed off. Users already dependent on it. One of them was segmenting audiences. Deciding, in effect, who got…
-
Your Risk Appetite Doesn’t Matter When You Inherit Theirs

I got a call from a client after their MSP went dark. Not a courtesy call. A crisis call. The service had been breached. Everything dependent on it had stopped. They were buying laptops, actual laptops, from a shop, just to keep people working. The breach lasted over a month. When I arrived, the first…
-
The Risk Register Nobody Looks At

Someone asked a simple question in a quarterly risk review last month. “What’s actually different in the business since last quarter?” The register was updated. RAG statuses were current. Actions had owners. Nobody could answer. That’s a large manufacturing client. Well-governed on paper. But the register had been maintained religiously while the business ran in…
-
What GDPR Actually Ask For

Most GDPR programmes spend too much time producing artefacts and not enough time proving judgement. Somewhere along the way, privacy compliance became a document factory. Another policy. Another register. Another DPIA filed in a folder nobody opens. But that is not what the law asks for. UK GDPR asks for something more practical and more…
