Skip to content

Acceptable Risk (Documented)

Because "documented" isn't a mitigation strategy

    • About Me
    • Privacy Policy
    • The Mission
  • It Gets Cleaner On The Way Up

    It Gets Cleaner On The Way Up

    A project team gets to a go-live meeting. Sign-off is on the agenda. The supplier has already been told the enterprise controls aren’t sufficient. But there’s a payment milestone attached to that go-live, and the meeting isn’t really about whether it’s safe to proceed. It’s about whether it can be made to look safe enough…

    July 15, 2026
  • August 2026 Is Not the Deadline

    August 2026 Is Not the Deadline

    The EU AI Act entered into force on 1st August 2024. Prohibited practices and the AI literacy duty applied from 2nd February 2025. The first rules for general-purpose AI models began applying from 2nd August 2025, with transitional arrangements for models already on the market. Most of the Act becomes applicable on 2nd August 2026,…

    July 15, 2026
  • Things Made Too Dangerous to Release

    Things Made Too Dangerous to Release

    Every significant capability governance failure of the last fifty years follows the same shape. Someone drew a boundary around an approved use case. The capability moved outside it. Nobody had asked what happens when it does. That pattern predates AI by decades. It shows up in molecular biology, network infrastructure, industrial control systems, and weapons…

    June 21, 2026
  • AI-Generated Evidence Is Only Caught By Accident

    AI-Generated Evidence Is Only Caught By Accident

    A Derbyshire Police case, and the reconstruction test most organisations have never run A Derbyshire Police officer is under criminal investigation for allegedly using AI to create evidential material in a number of cases. The Crown Prosecution Service is now working with the force to review which cases may be affected. No arrests. The officer…

    June 21, 2026
  • Three AI Certifications, Three Governance Problems

    Three AI Certifications, Three Governance Problems

    Last year I spent a week talking to C-suite members individually as part of a wider governance assessment. The company was already using AI in several places. Some of it sanctioned. Some of it not. A couple of tools had been quietly adopted by teams who never thought to ask permission because they did not…

    May 20, 2026
  • Complaints Handling Becomes a Real Governance Control

    Complaints Handling Becomes a Real Governance Control

    When the Freedom of Information Act came into force, I was brought in to build and manage an internal audit team for a large government agency. The FOI compliance picture wasn’t the reason I was there. It emerged during the audit. Requests that had been missed entirely. Others within days of breaching the statutory deadline.…

    May 20, 2026
  • Classifying AI Risk Before You Deploy It

    Classifying AI Risk Before You Deploy It

    I was doing a review for a client in the entertainment sector recently. Not a cyber incident. A broader governance piece. During the review we found tools already embedded in their outreach operation. Approved software. Budget already signed off. Users already dependent on it. One of them was segmenting audiences. Deciding, in effect, who got…

    April 27, 2026
  • Your Risk Appetite Doesn’t Matter When You Inherit Theirs

    Your Risk Appetite Doesn’t Matter When You Inherit Theirs

    I got a call from a client after their MSP went dark. Not a courtesy call. A crisis call. The service had been breached. Everything dependent on it had stopped. They were buying laptops, actual laptops, from a shop, just to keep people working. The breach lasted over a month. When I arrived, the first…

    April 27, 2026
  • The Risk Register Nobody Looks At

    The Risk Register Nobody Looks At

    Someone asked a simple question in a quarterly risk review last month. “What’s actually different in the business since last quarter?” The register was updated. RAG statuses were current. Actions had owners. Nobody could answer. That’s a large manufacturing client. Well-governed on paper. But the register had been maintained religiously while the business ran in…

    April 16, 2026
  • What GDPR Actually Ask For

    What GDPR Actually Ask For

    Most GDPR programmes spend too much time producing artefacts and not enough time proving judgement. Somewhere along the way, privacy compliance became a document factory. Another policy. Another register. Another DPIA filed in a folder nobody opens. But that is not what the law asks for. UK GDPR asks for something more practical and more…

    April 9, 2026
1 2
Next Page→

Acceptable Risk (Documented)

Because "documented" isn't a mitigation strategy

    © 2026 Paul Maxwell. All rights reserved

    Loading Comments...