Skip to the main content.

Our client portal provides all the tools you need to create, view or update your support requests. 


For urgent IT support during business hours, or if you suspect anything suspicious call  01314528444 for the fastest response.


If one of our team has asked you to start a remote control session on your computer, use the remote control menu option above.

25 min read

AI webinar series: AI business readiness June 2026

Catch up on our first AI webinar

In the second of our AI webinar series, we look in-depth at the things your business needs to do before starting to use AI including governance, data readiness, and how to appraise AI tools.

The topics we cover are:

  • Business Review to identify bottlenecks
  • Governance documents
  • Insuarance
  • Data Readiness
  • Appraising AI tools

Transcript:


Alastair Struthers   We've got an agenda today. The agenda is going to cover a couple of topics. This is only 1/2 hour lunch and learn so it's not too long, but there's some very, very big weighty topics in here that we need to cover.

They broadly break down as your business review, we'll talk about the governance of AI, getting data ready for AI, and then a quick look at how you should review AI platforms, and then we'll have a little Q&A at the end. If you've got any questions, pop them in the QA. Stacey will deal with them as we go through. If there's any that need answered as we go through, I'll try and deal with them.

Otherwise, we'll deal with any questions at the end. Without further ado, let's bring up the next slide.

AI is not a magic bullet. There are a lot of people that think you just go and turn AI on and it will solve all of the world's problems and it's going to be great. But that sadly is just not the case. You might pull the trigger on AI, expect miracles, but end up with a nightmare because there's a lot to it. There's a whole lot to it, as you will see as we go through this webinar.It's not a simple thing to turn on, or rather, it shouldn't be a simple thing to turn on.

You could just go and enable an AI tomorrow, but you'd probably regret it without having done a whole lot of legwork, set the groundwork for it. And that's what we're here to talk about today.

Let's start at the beginning. Let's start with reviewing your business and identifying the pain, because actually, when you're thinking about AI, the first thing to think about is nothing to do with AI at all. I know we're all very keen to get to the shiny new toy, the tool, but actually, if you just rush into it and just turn on AI, you're not going to get the most out of it. You will probably find that actually ends up hindering you and you'll need to spend a lot of time undoing what you tried to do in the first place.

What you want to do is look for the automation opportunities first. And what that really means in business speak is look for your bottlenecks. Conduct a review of your business and identify where your bottlenecks are. Now, I've put just a selection on here on this slide, but it doesn't necessarily mean that these are the same for every business. They will vary from business to business, from industry to industry.

But I guess the regular things that tend to come up are repeated data entry, you know, people doing things like that, and data analysis where you've got someone spending days or weeks going through huge amounts of data. That's the kind of thing that can be automated really, really effectively. Same with, if you're sending out standard replies, if a customer emails you or messages you on some messaging platform and it's pretty much the same response that goes out every time. That's a great candidate for automation/AI. The automation is probably the more important bit here. The AI is just the decision engine in the back where something might need to be thought about or created slightly differently each time.Really, the automation is the thing you're looking for here.

You also can look at things like internal approval processes. If they get slowed down because they're waiting for a decision from someone, but actually that decision isn't particularly complicated. It's just needing someone to check, is this done? Is this done? Is this done? Yes, rubber stamp, and away it goes. That is a key opportunity for AI. It's a perfect use case for it. You can read the list there yourself. I'm not going to read out every single one because that's a waste of your time. But you can see on here some of the opportunities you can automate.

And when you bring AI into that automation workflow, that's really where you get the big wins. That's where you get the time savings and you get that value back, but it does start with looking at the business, mapping it out in detail, and identifying these opportunities.

Our next slide is about setting the scene for governance.Governance, for many smaller companies at least, is a box that they don't necessarily want to take. Some are having to do it if they're a regulated industry, then you will have to obviously think about governance, but many other businesses don't really think about it.

But the Information Commissioner's Office is very, very clear about something.Where businesses are using AI, the business is accountable for the decisions made by or influenced by AI. This is a statement that they made a couple of years ago. It is still very, very relevant. And what that means is if AI goes and does something, you, the individual who's in charge of that company, is the one who's responsible for that action, which means you need to have that governance in place to protect yourself and your business should something ever go wrong.

You need to be able to trace it back and say, we have thought about this, we've put these controls in place, we've covered ourselves liability wise, we've got our insurance, we've done everything we need to do. This has still happened, but we have done everything we can do and we've been accountable. And that's really why we're talking about laying this foundation for AI before you anywhere near it.So.Where are we?

Let's start with the governance checklist. We've already talked about this in the agenda. For our governance checklist, we need to make policies and procedures (very, very dull) but everyone needs them. We'll look at a bit more detail on what those need to cover in a minute, but you need your policies and your procedures. You then need, underpinning that, an AI risk assessment and a DPIA.Those will probably be familiar to you from just the rest of your business. I assume most businesses have got risk assessments and you've got your data protection impact assessments there. It's just a question of making sure that they're updated and relevant for the world of AI. You're then looking at your staff contracts, your customer contracts, and your insurance cover. And we'll look at each of these in a bit more detail as we go.

Starting with AI policies and procedures, it's a really rock'n'roll thing. It's incredibly exciting. I know you're all just giddy with excitement to talk about policies and procedures. I know it's dull, but it's fundamentally really, really important. To create your AI policy, on our IT foundation's portal for our supported customers, we actually have a draft IT policy there that they can download.You can just fill in all the blanks, tweak it to suit your own business, and then you have got out of the can.

But if you're creating one from scratch, there are a few things you really want to make sure you've got covered in there. And the first and foremost is a really obvious, but quite often overlooked part of it, and that's stating what your company's position is, regardless of whether it's embracing AI or whether it's denying AI. There's some very good reasons for companies not using AI. Some of them are very environmentally conscious and we can't hide the fact that AI is, at this exact moment in time, quite damaging to the environment. It uses an awful lot of energy. AI data centres around the world are causing problems: environmentally, climatically, they cost a lot of money, they cost a lot of resources, they use a lot of water. There are issues with them. And so some companies are very deliberately saying, you know what, as much as we think we would benefit from AI, we're not going to do it. And that's fine. Others are embracing it because they want to be leading the competition, they want to be drivers of their industry, they want to be at the forefront and getting the biggest returns that they possibly can.

And your AI policy should state where you are on that spectrum. You know, where do you lie? What is your company's position on AI? And then you need to say, what are we going to say to the public about this? You want a public transparency statement. We are going to tell people where it is being used, where it is not being used, how it is being used, et cetera.

Further down, you then need to start thinking about the accountability and responsibility part here. Now, effectively, this is who is leading on your AI, who reviews your AI, who approves your AI, and who is monitoring your AI, so that you have that framework there, you know exactly who is responsible for what elementof your AI rollout. And when something goes wrong or somebody has a question, there's a clear route to one single person who has that responsibility and that accountability for it.

Once you've gone through the process of identifying who that person is and what your company's position is, the next thing you want to do is actually document any already approved AI tools. Are you already using Copilot? Have you been through this, but you've not got the policy for it? If that's the case, then you need to go and document your AI tool whitelist as well as your denied list. You may say yes, you're allowed to use Copilot. No, you're not allowed to use anything that's based in China or Russia or any of these other specific ones. And you need that to be very, very clearly in black and white.

My recommendation would actually put that in a separate appendix so you can add it to it and remove from it at any given moment and just refer to it in your main policy. At IT Foundations, we've got one that's a separate spreadsheet. It's got two different tabs in it. One is looking at what's approved. One's looking at what's denied.It talks about what the tool is, why the tool is approved or denied, when it was last reviewed, and who has the responsibility for it. It's not complicated stuff, but this is the kind of documentation you need.

Should anything ever go wrong in the future, you can refer to it and say, here is our due diligence, here is our governance, Mr. Insurance Company / Mr. Regulator, whoever might be knocking on your door asking for information.

You then want to talk about the approval process itself in that policy. How does a tool get approved? What are your criteria for approving it? You know, we'll talk about at the end of this webinar about how you should go about reviewing tools, but you want to have that process documented in here so that everybody knows what that should look like. You also in there want to have the procedure slightly further down for how new tools get requested to be reviewed. If your staff are going, “hey, there's this really cool new tool over here that we really want to use”, you need to tell them how they go about formally requesting that tool be looked at, appraised, reviewed, and approved long before they go anywhere near using it.

And that's really why Shadow AI has appeared in the first place, because people just disappear off and go and try new tools, and actually nobody at the top of the company is aware of the fact that this is happening. Make that clear. Let the staff know exactlywhat it is that they need to do to get a tool approved.

Next one down is talking about, allowed and prohibited uses for the users themselves. It's a fine saying that a tool is approved for use, but your policy should say what it is approved for use to do. Are staff allowed to create customer-facing documents and just send them out? Are they only allowed to generate a first draft, for example? Are they allowed to create images? Are they allowed to have an AI make a decision in a workflow, or does that need approval, or is that just an outright no? You need to have a really deep think about what you want AI to be allowed to do and be very clear to your staff about it.And then the last one is commit to training your staff in AI.

Not a complicated one, but that should be in your policy. AI is still greatly misunderstood and many people don't really have knowledge about it. It's such a new tool that there's a lot of people out there who claim to be experts and actually I suspect half of them probably aren't experts. Half of them are probably just pretending to be experts and are winging it.The other half actually do know what they're talking about. And trying to find the ones who know, from the ones who don't, trying to weed them out is a challenge. What you need to do is find a good resource, a trusted resource that teaches your staff how to use AI, how to prompt, how to build an agent, how to do anything, frankly, with AI. You can't expect them just to know these things without training.

There you go, that's the governance piece. It's not the sexy, I know, but it's still very, very important. Let's dive a little bit more into the AI risk assessment.

I imagine we're probably all quite familiar with risk assessments. These are things we've been doing for years, and are fundamental to most businesses these days. We can't get away from them. An AI risk assessment is not really any different. I've put up here five different things to think about, five different categories, I guess, for your AI risk assessment. But it boils down to identifying where AI is planned to be used. Then you assess the risk, what could actually happen with business data, legal, reputational risk, and all these things, document them, rate the likelihood and impact as you would in any risk assessment.

Define your controls. They might be: we've identified this, we're going to have a human in the loop, people are going to review these things before they go out. Or we've drafted something with AI, a human is going to review it, and then it will get sent out, just as an example.You might want to restrict access. Only people with certain roles have got access to AI in the business, not everybody needs AI. You might be just restricting access to limit the risk. You might be talking about data protection controls. There’s things like data labelling that we'll talk about later on. That's one’s a really good way to control that data.And just monitoring. It could just be a simple case of you are going to check and see what AI has been doing. Someone once a month looking at the marketing content that is put out, something along those lines. And then finally making sure that somebody has ownership of it and reviewing the stuff regularly. It’s not rocket science. We are all quite aware of how to do a risk assessment.

And then the next one is, of course, your data protection impact assessment.Just a super exciting phrase that, I can just tell every year, so pumped to talk about data protection impact assessments.Again, just something we need to do. Very, very similar to your risk assessment, you need to identify where your data is being used, identify the purpose and the data flow, and your lawful basis for it if it's going through AI, figure out whether it has any privacy risks to the individuals at all, particularly paying attention to where data is processed by an AI, where data is stored by an AI, whether an AI is being used to train models.

All of this we’ll come on to later in the Webinar, but these are the kinds of things you need to pay really close attention to so you can competently complete data protection impact assessments. Similarly, to find your safeguards, you minimize the amount of data sent through them, et cetera, et cetera, and assign that one or make sure that somebody is responsible for it and record it.

There you go. Moving on to the slightly more obvious things, but things maybe people aren't even thinking about.

I'm going to qualify this slide and my next slide by pointing out that big blue banner across the middle saying, seek expert advice.I'm going to give you a little bit of a steer here on what you need to be thinking about, but I'm not going to tell you what you need to say in your contracts or what your own contracts should say. Go find a lawyer and an HR company to give you proper qualified advice for this stuff, okay?

Staff contracts first. Staff contracts, they may be absolutely fine. You might not need to do anything with your staff contracts at all to be AI ready, depending on how they're drafted. But what you kind of want to make sure you're looking for is, has your current staff contract put a requirement in there for them to assign and adhere to an AI policy? I imagine they probably have it as a blanket policy thing saying that they will adhere to all of your company policies, but it's worth just checking that. Are they obliged to sign up to your AI policy? Is there a clause in there about the consequences of breaching your AI policy or indeed your wider suite of policies?

The one that you may not have covered at the moment is clarity around IP ownership. IP is covered in a lot of staff contracts, depending on what your business is doing. You may or may not be generating content that is private to your organisation. But if people start using AI, that's where they're going to blur the line between what is private information and what's public information because you're potentially using a public engine to generate private IP and you want to make sure you are very, very clear on who owns that.Now, in your staff contract, you want to be saying if you generate something with an AI tool, that is still classed as you generating it for the business and it's a business asset so your employees have no claim to that at all.

And then the last one is, has your contract got a clause saying that you can use your staff's personal information with AI? This kind of becomes more relevant if you're thinking of using AI for part of your HR process. You might use it to record and transcribe one-to-ones, give coaching notes back to somebody, it might be looking at analysing holiday patterns. It could be… there's a whole bunch of things you might be using AI for, and if your staff contract doesn't say specifically that you are going to put their data in to an AI, and they give you permission to do so, you might find yourself in hot water, potentially. As I say, we’re not HR not experts, but these are the kinds of things we're thinking about here, and you probably need to be thinking about too.

The next one is your customer contracts. This is the flip side of it. This is what you're saying to your customers. And you see along the bottom there, I've got my little quick test. Would a customer understand how AI affects them and what happens to their data from your existing contract? If they can, great, you're probably home free.Again, seek expert advice before amending any of your contract.

But the kind of stuff you want to look for is kind of the same thing that you may have been thinking about with your staff contract -is AI being used? I would go back to the information commissioners position. They tell you that you have to tell customerswhere you're using AI. They need to know that their information is being used in an AI model, whether it’s being used to train it, or whether it's just going through it. But you need to be very explicit and open to your customers saying, we are using your data. And it specifically is in this bit of the service delivery, whatever it is you're delivering. You need to be clear in your contract that you're using AI andwhat for. You then want to explain if AI influences any decisions in that process, where is the human review? Assuming that there is., you need to be clear to people that there are controls in place - that needs to be in your contract saying that humans will review this, this, this and this, and to be very transparent with them.

Next one down is a biggie.And this is really probably the biggest, most important thing in any of the contractual stuff. And this is about limiting your risk and your liability.We've updated our terms recently. I suggest you do the same thing, to limit your liability from AI exposure. If an AI does do stuff in your business, if it's creating outputs that people end up relying on, for example, if you are using it to generate IP, whether that's images or whether that's any content, frankly, you need to be very, very clear that you're limiting your liability on that.

With the caveat that if you've got human oversight on it, and it's been human reviewed before it goes out, it's probably less important because the human should pick up any errors or any issues in there. But it's worth having a clause in there to protect yourself, just in case, because frankly, at the moment, nobody really knows. No one knows quite what this is going to look like. We'll come on to insurance companies in a minute, but they aren't sure what things look like. And if the insurers are unsure and the lawyers are unsure, then it's pretty obvious that the rest of us are going to be a bit unsure as to exactly where the liability line is going to lie. Make sure you've got something in that contract talking about limiting your liability.

And then the last one on here is talking about AI data terms. In your contract, you should really document which tools you're using. Tell customers where their data is being stored and processed and locations where it's got sub-processors. This is not really anything new because this all came in with GDPR. But now it's just making sure that any AI tools you use are covered by those declarations, something you might not have thought about until now, but you need to be clear about that and also whether their data has been used to train a model, whether it's your own model or someone else's model. You need to be clear about these things up front.

Okay, let's move on to insurance. I've mentioned this a couple of times. Insurance is ais a funny one. Yes, the insurance companies don't really know quite what's going on themselves. We're just beginning to see commentary and data emerging from the industry. They're doing lots and lots of research and they're beginning to think about what does insurance for cyber risk look like when you start bringing AI into the mix? They are treating AI as part of cyber insurance for the moment, but they are realising that that might not actually be where it's limited to. Although it's a standalone product kind of at the moment, it might end up having either its own separate classification of AI insurance, or it might get split across all the different types of insurance you have.

And the other thing to be aware of is the fact that there's no standard approach yet., all the different insurance companies are looking at AI risk in different ways, in little silos, and so they're not all dealing with it in the same way. It's not like car insurance, for example, or even business liability insurance, where there's generally accepted standards across the whole industry. If you go from one insurer to the next, they're generally treating public liability, for example, the same way. But that's not the case with AI risk yet. It just, it's too immature. It's still being developed.

Where are we at the moment? Well, at this exact moment in time we're starting to see policies with explicit exclusions for AI risk. We're also seeing some specifically endorsed AI risk. But again, this is because of this lack of a standard approach. Some companies are including it, some are excluding it. The main risks that they're looking at are data leakage, so information going into public AI tools and then being regurgitated to someone else. Now we've seen this happen quite a lot. I think the most famous example was Samsung, where their coder put information in to ChatGPT back in the early days. That code started getting surfaced elsewhere because they hadn't realised that it wasn't sandboxed. That's a big risk insurance companies are thinking about.They actually, the last I heard, they were thinking of moving that kind of liability into professional negligence insurance. That's kind of where they're thinking that might end up.

They're looking at governance failures. All of that paperwork we talked about earlier on, all that really exciting stuff, that's what the insurance company is going to be looking at, because that's really the only thing that they can look at the moment.The tools are very opaque. We know that some things like Copilot are a lot more secure than others, but we don't know what this picture is going to look like generally. They are looking at how you as a business are dealing with this in a governance way, because that's all they can, which is why I've got that big flash there. I'm saying the implication is basically that premiums are going to be differentiated by your AI governance. If you can tick all the AI governance boxes, you'll probably, and this is not proper advice, this is my own opinion, you are probably going to end up with a lower insurance premium than if you don't. It's a bit like Cyber Essentials. Companies that have got Cyber Essentials are basically demonstrating to an insurance company that, “hey, I meet some minimum security standards.I'm dealing with this stuff correctly. I've actually thought about it.” And the insurance company is rewarding them with lower premiums. The same is going to happen for AI use. I suspect in the not-too-distant future, we'll see an AI equivalent of Cyber Essentials or AI will get wrapped into Cyber Essentials, which I think is probably more than likely. And that's going to be your route to these lower insurance premiums and hopefully getting cover that covers you should something go disastrously wrong with the use of AI.

And then the last bit that they're looking at, really the biggest risk, arguably, is the use of deepfakes in AI phishing. I presume everyone on this call probably knows what phishing is by now. It's been around long enough. But now we're seeing AI deepfakes mimicking people's voices, mimicking people in video, more scary still,mimicking people in real Teams calls as if they were actually there. There was a relatively famous story out of Hong Kong last year where there was a deep fake of a, I think it was the CFO dialled into a Teams call, instructed the team to transfer a couple of million pounds somewhere else. And they did, and it wasn't the CFO, it was a deep fake.We're starting to see this kind of thing creep in more and more often. And that's, I think, one of the biggest risks that the insurance companies are trying to figure out - how to deal with this at the moment. Making sure you've got that governance piece, that insurance piece in place is absolutely critical.

What else did I want to say on this one? The last bullet point there, we were just talking about the fact that AI risk I think at the moment it's being split across these different policies, as I said. We're seeing it in cyber insurance policies, fine. We're seeing it in professional indemnity insurance, and we're seeing it in employment liability insurance. They are the three places that we've seen it crop up so far, but it's varying. It's varying significantly from company to company.

Okay, let's move on to talk about data readiness, because I'm conscious of time here and I'm slightly behind where I needed to be. I've got a couple more slides to go, so I'll try and speed things up a little bit.

Data readiness is the next biggie. You've done all your governance stuff, great, you're now into your data section. And this is where we can help, but only to a certain extent, because we don't know your data.You know your data, what's relevant, but we don't. Going back to what I said in our last webinar, AI is dumb. It's really, really stupid. It's like a toddler. It doesn't understand context and nuance in the same way that a human would. You need to make sure your data is ready and prepared for rolling out AI.

What that means is figuring out where your information is. Most companies, they've got data invarious systems, there are some local files, there are some knowledge base articles, there are some emails, there's some in line of business apps, it's all over the place. You need to figure out where that is and whether it can all be joined together, can it be consolidated, for example. You then need to figure out who has access to this data. If you take something like Copilot, Copilot will restrict itself to only the permissions that people have right now. If you plug in something like Claude or Fireflies or any of these other ones, they don't necessarily respect those boundaries. I'm not saying they don't, but they don't definitely respect those data boundaries. You need to figure out who has access to what data and really quickly organise that into the right places so that only the right people can see what they're supposed to see.

And then you need to figure out whether your data is relevant. And this is probably the hardest job, to be honest, because you will have years, decades worth of data in your systems that AI will just have a look at and go, oh, that's just as relevant as this over here. You need to go through all of that and figure out what's relevant and what's not. Then you're going to go, okay, well, I've done that, I've been through it. What do I do next? Well, the next stage is to do something with it. You've analysed your information. You've hopefully done something like this. You've done a little triage of it. You've got a matrix somewhere with, here's my green data. It's all accurate. It's up to date, clear owner, perfect. Don't need to worry about that. You think of your amber and your reds, which is slightly messier or it's out of date and you need to figure out what you're going to do with it.

And your choices are these ones. Basically, you can either cleanse your old data, which is inaccurate data, you can bin it, put it in the recycle bin, it's gone, which is by far the best way of doing it. But if you need to keep hold of that data for regulatory requirements or retention periods or whatever reason, that's not an option to you.

Which means that really, you've got three options. One of them is restricting access to data, which is maybe the way to do it. If you could restrict everything down to one person, then okay, one person's AI experience might be a bit rubbish, but you've still got it siloed there, and it's not accessible elsewhere. Maybe, not particularly ideal.

You can talk about migrating or linking your systems. If you've got information that is inaccessible because it's in this system over here, well, maybe you need a company to come in, like we can do this, but many others can as well. They can write API connections and pull information from over here and make it accessible to your AI over there, or you can move it.If information is stuck, you could just take it out of the system and chuck it into somewhere like SharePoint, for example. If it was historically in a database and it doesn't need to be there anymore, it could be moved.

Or you can exclude your data. And that sounds really, really easy, but it's not.If you take Copilot as an example, Copilot has three different ways of excluding data. Again, you can delete it. Maybe not possible. You can use something called Microsoft Restricted Content Discovery, where you could place all the information you don't want an AI to access into a specific folder or a group of folders, and you can restrict the access to that.But that's not necessarily the easiest thing in the world to do. I'm pretty sure you can do that with your Business Premium licenses as we speak. It shouldn't need any extra license, but it just means you're fragmenting your data., you have your live folders over here and your inactive folders over here, and you've got the same data in two different places, and it can get messy.It's doable, but it can get messy.

That realistically leaves you the last option. And the last option is adopting data labelling and data lifecycle management. And that is not a task to be taken lightly. It's something we should all be doing. We've got data labelling on our data, and don't get me wrong, it's a pain. It's difficult to work with because , if you create a new document, it's restricted to being internal only and you share it and you forget and someone can’t access it. And, data labelling and data sensitivity is a pain. But actually, we're getting to a world where we almost need to have that on because it's the only way to tell an AI, look at this, don't look at this, you're not allowed to send this, you're not allowed to access this depending on the person that's trying to access it.But that is a really, really, really big job that I'm saying maybe we should all be doing.

Something to be thinking about. If you're interested in finding out more about it, you can contact us separately after the webinar and we can talk to you about data labelling and data lifecycle management.So, let's talk about the last topic on here, because I'm very conscious of time.AI platform assessments. How do you actually go about reviewing a new AI tool that you want to have? We've said in our IT policy at the beginning that you're going to review your tools, but what does that actually mean? How do you go about proving an AI tool? Well, it’s relatively simple. It involves digging into the Ts and Cs. That's largely what this looks at. Look at the technical bits in the Ts and Cs and go have a look and see where all this information is hidden.

But fundamentally, you want to ask, where is the data stored? If you can figure out that the data is stored in the UK or in the EU, great, great big tick. If the data is only stored in the US, like Claude,For example, that becomes a bit more of a problem. Claude at the moment doesn't have European data centers, so any information that Claude processes is being sent over to the United States. For some companies, that might be a big red flag, and you go, we'd love to use Claude, but we can't. That's the kind of thing that you want to be having a look at. Where is the data? Where is it processed? Where is it stored?How is it deleted? What are there retention periods on your data? Those kinds of things.

Then we want to look at the difficult one. Is data being used for training? They will all somewhere in the T&Cs whether your data gets used to train the model. Now, it might only get used to train your specific model. If you take something like Copilot, for example, your data is used to by your model of Copilot, but it's not being used to train the wider platform.Whereas other ones, we've looked at Otter AI in the past and they very clearly state in their T&Cs that they will use your data to train their model to make it better for everyone. Depending on where your company sits on that, you can either accept that as a T&C or not. I'm not telling you what to do, but that's something you need to think about and figure out where your company stands on these things.

And then figure out what permissions are requested from the software. If you plug software, an AI tool into your Microsoft 365 environment, it's going to come up with that little box saying, “I want access to this, and I want to do that with it”. And more often than not, most of these tools are looking for really, really deep admin privileges to your data because they want to be able to read it, they want to be able to do something with it.And so they need permissions to change and to delete and all kinds of stuff. And actually, you need to be really careful about whether you want to approve this or not. We've seen AIs go rogue in the past. They have deleted things they're not supposed to delete. They have accessed information and surfaced it to other companies. Look and see what power this tool is looking for and do you want to grant it or do you want to go look for something else that's actually just asking for fewer permissions that's a little bit safer for you to use.

And then the very last one on here is one that I've just put on the slide because I have heard nobody talking about this anywhere, but I really think people should and that's to do with data portability.Obviously, the EU's got its data portability requirements from GDPR. But if you go and build all these systems, put a whole lot of data through an AI, if in a year's time you think, oh, this is a newer better shiny one, I want to move, how easy is it to do that? Now, this is not an easy thing to find out, I think, at the moment, but it's something you want to be thinking about. Can you extract your data from that AIand move it elsewhere? Is there cross-platform compatibility? Can you download a spreadsheet or a CSV or a database and upload it somewhere else? Big questions. And at the moment, there aren't really answers. But the important thing is don't approve a tool until you've been through and answered all of these questions. And importantly, you've documented all of these questions. This comes back to that governance piece right at the very beginning.It's all about the governance. Make sure you've answered every single question and if it ticks every box, then give it a green light. Go ahead.

That's pretty much everything I wanted to say. I've got a quick little slide with some takeaways. I've covered quite a lot of ground in a fairly short space of time here. But your takeaways for today, your tasks if you will are: if you want to roll out AI, start by having a business review, figure out where your AI can help it. Get your governance stuff in place, put in your AI policies, your risk assessments, and your contracts. Get your insurance, and then look at your data. Who, what, where, why. Is it valid? These are not the most complicated headings in the world. Go and do these things. And when you're satisfied that you've got all these in place, then you're ready to think about rolling out AI.

We've got two more webinars in the series. This is the second of four. We've looked at an AI overview. We've looked at getting your business AI ready.The next one is going to be looking at Copilot in a bit more detail., what are the cool things that Copilot can actually do? We'll look at agents and all kinds of stuff. We'll maybe quickly talk about Copilot co-work, which is coming out. And we'll look at how you can get the most out of Copilot in your business. And then finally, on the 22nd of July, we will talk about how you actually go about rolling AI out. You've been through the governance bit, you've got everything ready, you're all excited, you've chosen your tools. How do you go about rolling AI out successfully in your business in a way that your staff understand, that they're not scared of, that they're going to embrace, and that makes it a success for you so you see that return on your investment?

And that's us. That is the presentation. I hope that was interesting and exciting and I didn't send you all to sleep talking about governance.

 

 

AI webinar series: AI overview June 2026

AI webinar series: AI overview June 2026

Catch up on our first AI webinar In the first of our AI webinar series, we explore the concept of AI and deliver a high level overview of what it can...

Read More
Is Your Business AI Ready?

Is Your Business AI Ready?

Businesses that fail to prepare for AI will fall behind competitors. Learn how to roll it out safely now.

Read More
AI at Work: Do You Know What’s Happening Behind the Scenes?

AI at Work: Do You Know What’s Happening Behind the Scenes?

AI is being used in your business. You might not know about it, but it is. It's time to get it under control.

Read More