Can You Trust AI in a Regulated Business? Meet RAG.

How Retrieval-Augmented Generation helps organisations protect sensitive information while harnessing AI’s full potential. When you ask ChatGPT or another AI tool a question, it answers based on what it knows from its training data — typically a massive blend of public information from the internet and available literature up to a certain point in time. While this is powerful, it misses something vital: your own institutional knowledge. Your company’s proprietary policies, control frameworks, audit reports and lessons learned — they aren’t part of the public training set (and you don’t want them to be). But imagine if you could blend the vast “hive mind” of general AI with the unique knowledge sitting inside your own documents - all the while keeping it private, local and secure. That’s exactly what RAG — Retrieval-Augmented Generation — allows you to do. ...

April 19, 2025 · 4 min · Graeme

Can AI really get to know you? (New Substack Post)

As AI systems increasingly claim to “know” their users, the risks around trust, manipulation, and decision-making are growing just as fast. In this post, I explore whether AI truly understands individuals—or whether we are mistaking prediction for insight. For anyone working in governance, risk, or cybersecurity, the distinction isn’t just academic; it’s a critical emerging threat. Link to Substack post Can AI really get to know you? How well could an AI ever really know you? This week, I’ve been experimenting with using AI as a kind of coach — a patient, curious thought partner — and exploring what it seems to understand about me ...

April 18, 2025 · 1 min · Graeme

UK Government Release their AI Playbook - Key Principles for Responsible AI Use Across the UK's Public Sector

What the playbook covers The UK Government published their Artificial Intelligence (AI) Playbook on 10 February 2025, setting out 10 Principles for using AI in government organisations. The playbook updates previous UK government publications, providing an expanded guide designed to help public sector organisations harness AI technologies safely, effectively, and responsibly. It is a must-read for risk managers, cyber-security professionals, and compliance experts working with or within the UK public sector. The playbook provides guidance and principles to navigate the unique challenges and opportunities presented by AI. ...

February 12, 2025 · 2 min · Graeme

Outdated Risk Management Frameworks Face Growing Criticism - Tech News

Forrester Research challenges the Three Lines of Defence (3LOD) model twenty years on. The research firm writes that the three lines of defence is outdated: built for SoX, 3LOD hasn’t been reconsidered in two decades, and it’s time for a change. The three lines of defense (3LOD) concept was initially developed as a corporate governance framework to implement segregation of duties requirements under the 2002 Sarbanes-Oxley Act. […] But as anyone who has tried to implement it as a foundation for enterprise risk management will tell you, the 3LOD is not a model for managing risk. Instead, it defines, with ample rigidity, the roles required to comply with segregation of duties requirements. This division is conceptually simple but does not match the operating model at most organizations. Forrester ...

December 8, 2024 · 1 min · Graeme

NIST Cybersecurity Framework 2.0 was released this year - NIST

The US Government’s National Institute for Standards and Technology, known commonly as NIST, released its updated Cybersecurity framework in February. This was the first new version in 10 years, following the 1.0 version in 2014 that was primarily aimed at protecting US critical infrastructure. The new 2.0 version is international and aimed for broad consumption: drafted in collaboration with experts across 100 countries, it should also be easier to use. Version 2.0 also introduces a new category: Govern, recognising that the world has changed since 2014, with Cyber now an enterprise risk being discussed in the boardroom. ...

December 8, 2024 · 1 min · Graeme

The EU’s Digital Resilience Act - known as DORA - comes into effect next month - ESMA

Security Boulevard notes that firms have less than two months to comply with DORA. With the EU’s Digital Operational Resilience Act (DORA) coming into effect next month, financial services firms in the EU are updating processes, policies and provisions to comply with the new regulation. Meanwhile, PwC highlights in International Banker (PwC) the challenge of updating ICT contracts under DORA’s requirements. As part of TPRM, DORA stipulates that all ICT contracts must contain specific baseline contract terms. There are also more onerous additional requirements for contracts supporting critical or important functions (CIFs). ...

December 8, 2024 · 1 min · Graeme

Corporate governance

Corporate governance addresses the fundamental problem of how to ensure that those who manage a company act in the best interests of its owners, known as the agency problem. It is the system of rules, practices, and processes designed to align the interests of management with those of shareholders and other stakeholders, promoting accountability, transparency, and responsible decision-making. Effective corporate governance is essential for building trust, attracting investment, and fostering long-term sustainable growth. ...

1 min

What is Board Governance?

Board governance is the system by which a board of directors controls an organisation, defining how it operates, makes decisions, and oversees key business outcomes such as strategy, risk, and performance. Effective boards ensure accountability through transparent reporting and ethical conduct, setting the tone at the top and fostering a culture of responsible leadership. Responsibilities of a Board Member Board members play a critical role in: Decision-Making: Setting strategic direction, approving major initiatives, and balancing short-term needs with long-term sustainability while considering stakeholder interests. ...

2 min