London, 7 May 2026
Executives, cyber-security specialists and risk professionals gathered at Microsoft’s Paddington offices on Thursday morning to debate how to govern artificial intelligence when the technology is moving faster than the rules meant to control it.
The breakfast, titled AI & Governance in Practice, was hosted by technology services firm Plain Concepts at the London base of Microsoft UK.
A discussion held on a significant day
The timing was striking. On the same day in Brussels, the European Council presidency and European Parliament negotiators reached a provisional political agreement to push key compliance deadlines for high-risk AI systems back from 2 August 2026 to 2 December 2027 (European Council press release, 7 May 2026).
The extra time has been welcomed by businesses, but lawyers caution that the technical standards needed for compliance are still being drafted. Attendees noted that many UK and Irish organisations have little specialised legal or technical capacity to interpret the regulation, whichever deadline applies.
The innovation-security gap
A primary concern raised by speakers was that organisational security is failing to keep up with AI innovation. “Organisational security is not able to catch up with AI innovation and there is a gap,” one speaker said. Another added: “Because of AI innovation, the technology which was relevant one year ago may not be relevant today.”
Insights were shared by four practitioners: Laura Barranco on transformation, Xavier Pes on cyber security, Martin Sher on actuarial risk, and JC Durbin on shadow AI, where employees bring tools into the workplace without the knowledge of IT or compliance teams.
While the general consensus was that “security enables governance,” Journalism News Network observed significant concern among CTOs in attendance about these vulnerabilities.
The dynamic raises a critical question for readers: how can organisations claim to govern AI when their own innovation teams are capable of breaking through company security controls at any time?
The vulnerability extends to the AI models themselves. One Speaker noted that even when advanced models such as Claude refuse a clearly unethical request, a determined user can rephrase the prompt until the model ultimately provides an unethical solution. That observation underlined the difficulty of treating model-level safety as a substitute for organisation-level governance.
You can’t govern what you can’t see
A recurring theme was the lack of visibility into daily AI use. Speakers stressed that “you can’t govern what you can’t see,” which prompted several unresolved operational questions:
When the same AI agent is used by multiple people, how can a company identify who is misusing it?
If a team within an organisation is using prohibited tools, how can leadership check and verify this?
India’s AI Gamble: A Billion Users and No Rulebook
Approaching deadlines and productivity
These visibility and security challenges are compounded by regulatory pressure. The EU AI Act was originally expected to force companies to comply by August 2026, and although the political proposal reached in Brussels later that same day is set to push the deadline for high-risk systems to December 2027, many firms still lack the expertise to meet the standards.
Despite the hurdles, speakers agreed that halting adoption is not the answer. Framing the path forward, one speaker concluded: “All transformation starts with personal productivity.”
Right of reply
Submit your review | |