(S3E13) AI Governance Isn’t New: How To Stop Panicking and Start Doing the Work

This episode of Impact of AI is all about taking the fear and mystery out of AI governance and turning it into something practical, human, and very doable for real organizations. In this blog we, James and Gerjon, unpack our conversation with Rob Fawcett about regulation, risk, and why most companies already have more of the answers than they think.


1. Introduction

When most people hear “AI governance and compliance,” their eyes glaze over. It sounds like the opposite of the fun, shiny AI demos flooding our feeds. In this episode, we sit down with Rob Fawcett to talk about why AI governance doesn’t need to be terrifying, how it connects to things you’ve already done for years (like GDPR and ISO), and what practical first steps any organization can take today.

We recorded this conversation at a time when the EU AI Act is about to bite and the UK AI Act is taking shape, so there’s a real sense of urgency—but also a huge opportunity to do things properly. Together, we explore where organizations are getting stuck, how to balance speed with compliance, and why your service desk might secretly be your strongest AI governance asset.


2. Meet the Guest – Rob Fawcett

Rob Fawcett is the founder of The Human CTO, a consultancy focused on fractional CTO services with a strong emphasis on AI governance, assurance, compliance, adoption, and deployment. Over the past 20 years he has led IT, data, software, product, and change functions in highly regulated environments, helping organizations move faster while staying on the right side of regulators.

Alongside The Human CTO, Rob also runs Quantis, a software development company specializing in AI builds—including small domain‑specific language models, voice analytics tooling, and the data pipelines that feed them. His work increasingly revolves around helping organizations prioritize AI use cases, implement sensible controls, and build what he calls “human‑centred” frameworks for AI readiness and assurance, such as his ARIA (AI Readiness Impact Assurance) framework.


3. Setting the Stage – Why This Topic Matters

Right now, many organizations feel they “have to do something with AI” but are terrified of opening the floodgates—especially in highly regulated sectors. Compliance teams often respond by putting roadblocks everywhere, while individuals quietly install tools like “OpenClaw” on the side because they just need to get work done.

At the same time, regulations like the EU AI Act are no longer theoretical; enforcement is coming, with fines and expectations that will feel very familiar to anyone who lived through the GDPR rollout. Rob’s central message is that none of this is truly new: if you’ve handled data protection, ISO audits, and GDPR, you already have the muscles you need—you just need to remember how to use them in an AI context. In this blog, we walk through what that looks like in practice and why grounded, boring work is exactly what unlocks safe, impactful AI.


4. Episode Highlights

  • “This is nothing you haven’t done before.”
    Rob’s key reassurance to anyone panicking about AI governance is straightforward: if your organization has been around for the last 10–15 years, you’ve already dealt with data protection, GDPR, and ISO audits. AI governance is the same kind of work—documenting what you do, why you do it, and proving you actually do it—just with “AI” written on top.
  • Speed vs. compliance: tech debt, but for AI.
    We talk about the “speed versus compliance” tug of war, where organizations want to ship AI fast and assume governance will kill momentum. Rob compares ignoring compliance to building a pile of technical debt: you move quickly at first, but you pay it back—with interest—when something breaks, a regulator calls, or your AI behaviour drifts after the 64,000th model update. Build in governance early, accept the slower start, and you’ll be faster and safer in the long run.

5. Deep Dive – AI Governance Is Just Good Governance

One of the strongest themes in the episode is that AI governance isn’t a brand‑new discipline; it’s an extension of the governance, risk, and compliance practices organizations have needed for decades. When Rob walks into a company, he often finds teams spinning up bespoke “AI taskforces,” hiring big consultancies, and effectively reinventing the wheel because the word “AI” makes everyone forget they already have DPOs, GDPR experts, and ISO auditors in‑house.

He reminds leaders that regulators like the ICO, FCA, CMA, Ofcom, and MHRA already have AI‑related enforcement mechanisms in play, and existing laws such as the Equality Act 2010 already cover many of the fairness and bias questions people are worried about today. The EU AI Act and the upcoming UK AI Act will add an AI‑specific layer, but the underlying logic—document your processes, justify your decisions, protect individuals—hasn’t changed.

Rob argues that the real work of AI governance sits after a system goes live, not just during the project phase. Once an AI use case is in production, it becomes an asset like any other: it needs monitoring, maintenance, and periodic checks to ensure it still does what it was designed to do, especially as underlying models and vendors change under the hood. That’s where governance lives, and that’s where organizations will win or lose with regulators.


6. Real-Life Stories & Examples

Throughout the conversation, we kept coming back to very human stories of how organizations are actually behaving around AI right now.

  • The OpenClaw effect – forgetting 30 years of IT hygiene
    We talk about the “OpenClaw” moment: the wave of people pasting passwords, API keys, and sensitive data into public AI tools because AI FOMO overrode everything they’d ever learned about security. Decades of IT policy went out the window overnight because the tool felt magical. It’s a perfect illustration of why culture, training, and clear guardrails matter just as much as technology.
  • Agentic AI deleting production databases
    We touch on real incidents where agentic AI systems have gone disastrously wrong—including the now‑infamous example of an AI agent that deleted a production database and cost millions in losses. Even though the stack involved tools like Claude and Cursor rather than a fully in‑house system, the organization still had to live with the consequences; the lesson is that “no human in the loop” is not just a technical architecture choice—it’s a risk posture.
  • Boring use cases that actually move the needle
    Rob and his colleague Dan worked with a global organization to prioritize AI use cases using the ARIA framework. The top three use cases that emerged were, by their own admission, boring: they weren’t flashy gen‑AI demos but quietly delivered the biggest efficiency gains. In another example we discuss, a healthcare organization started AI adoption by automating its most hated internal form, turning AI from a job‑threat into a relief from tedious admin.
  • Service desks as unsung governance heroes
    Rob makes the case that service desk teams should be in the room—and maybe even chairing—the internal AI usage committee. These are the people who can see how new tools will affect the estate six or twelve months down the line and who will be left cleaning up ticket queues if things go wrong. Their “lazy in a good way” mindset—avoiding future pain—makes them natural guardians of sustainable AI operations.

7. Key Takeaways

Here’s what we hope you’ll walk away with after this episode:

  • AI governance is not new; it builds on the same muscles you used for GDPR, ISO, and data protection—don’t forget that experience.
  • Don’t wait for the “perfect” national AI act; the EU AI Act plus existing regulators already set a practical standard you can work against today.
  • Avoid “policy and forget” culture—AI policies should be living tools, not PDFs no one ever reads after onboarding.
  • There are three common organizational modes: policy‑and‑forget, the waiting game, and speed vs. compliance—recognize which one you’re in and adjust.
  • Building compliance in early will slow you down at the start, but it prevents expensive rework, tech debt, and regulatory pain later.
  • Prioritize AI use cases by business outcomes and real problems, not by who wrote the best Claude‑generated business case.
  • Start with “boring” efficiency wins and tedious internal processes—these build trust and adoption without triggering job‑loss fears.
  • Treat every live AI use case as an asset that needs ongoing monitoring, maintenance, and review.
  • Involve IT—especially the service desk—in AI governance; they see the long‑term operational risks others miss.
  • If you have no tooling yet, start with a simple spreadsheet listing every AI tool, who uses it, what for, how often, and what data goes in.
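The "simple spreadsheet" in the last takeaway is the one concrete artefact in this episode, so here is what it looks like once it is machine-readable. This is an added example written for this blog, not code from the episode, from Rob Fawcett, or from the ARIA framework. It treats the register as a CSV with the columns the takeaway lists (tool, who uses it, what for, how often, what data goes in) plus one assumed column, "approved", recording whether the tool has been through your own review. The data categories, the sample rows and the two review rules are all constructed for illustration; swap in your own classification scheme.

```python
"""AI tool register check.

Added example for the Impact of AI blog; not code from the episode, from
Rob Fawcett, or from the ARIA framework. The CSV columns follow the
"simple spreadsheet" takeaway, with one assumed extra column, "approved".
All rows below are constructed sample data.
"""
import csv
import io
from dataclasses import dataclass

# Data categories that should not go into an unapproved AI tool.
# The category names are an assumption for this example.
SENSITIVE_DATA = {"personal data", "customer data", "credentials", "source code"}

# Constructed sample register; multiple data categories are ';'-separated.
SAMPLE_REGISTER = """\
tool,who_uses_it,what_for,how_often,what_data_goes_in,approved
Copilot (enterprise),Engineering,code completion,daily,source code,yes
ChatGPT (consumer),Marketing,drafting copy,daily,public marketing material,no
ChatGPT (consumer),Finance,summarising invoices,daily,customer data,no
OpenClaw (personal install),Ops,automating tickets,daily,credentials;customer data,no
Internal summariser,Service desk,ticket triage,daily,ticket text,yes
"""


@dataclass(frozen=True)
class Finding:
    tool: str
    who_uses_it: str
    reason: str


def load_register(text):
    """Parse the register CSV into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def data_categories(cell):
    """Split a 'what_data_goes_in' cell into a normalised set of categories."""
    return {c.strip().lower() for c in cell.split(";") if c.strip()}


def review_register(rows):
    """Return one Finding per row that needs a governance conversation.

    Rule 1: sensitive data flowing into an unapproved tool.
    Rule 2: daily use of an unapproved tool, i.e. shadow AI that is
            already an operational dependency even if nobody signed it off.
    """
    findings = []
    for row in rows:
        sensitive = sorted(data_categories(row["what_data_goes_in"]) & SENSITIVE_DATA)
        approved = row["approved"].strip().lower() == "yes"
        if sensitive and not approved:
            findings.append(Finding(row["tool"], row["who_uses_it"],
                                    "unapproved tool receives " + ", ".join(sensitive)))
        elif not approved and row["how_often"].strip().lower() == "daily":
            findings.append(Finding(row["tool"], row["who_uses_it"],
                                    "daily use of an unapproved tool (shadow AI)"))
    return findings


def summarise_by_tool(rows):
    """Count distinct teams per tool: a tool several teams depend on is an
    asset that needs an owner, whether or not it was formally adopted."""
    teams = {}
    for row in rows:
        teams.setdefault(row["tool"], set()).add(row["who_uses_it"])
    return {tool: len(t) for tool, t in teams.items()}


if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER)
    for finding in review_register(register):
        print(f"{finding.tool} ({finding.who_uses_it}): {finding.reason}")
    print(summarise_by_tool(register))
```

On the constructed data this flags the Finance and Ops rows for sending customer data and credentials into unapproved tools, and the Marketing row for daily use of an unapproved tool, while the approved Copilot row passes even though it handles source code. The point of keeping the rules this small is that the register itself, not the script, is the asset: once every live AI use is a row with an owner and a data column, the periodic review that Section 5 calls for becomes a diff against last quarter's file rather than a new project.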

8. Closing Thoughts

If there’s one message we’d love AI‑curious leaders to take from this episode, it’s this: you are not starting from zero. You already have people, processes, and hard‑earned lessons from previous regulatory waves—you just need to reconnect them to what you’re doing with AI.

As agentic systems grow and regulations tighten, the organizations that win won’t be the ones that moved fastest at any cost, but the ones that combined speed with grounded, human‑centred governance. We’ll be coming back to these themes in future Impact of AI episodes, including more on frameworks like ARIA and the practical realities of keeping humans in the loop as AI systems become more autonomous.

We’d love to hear how your organization is handling AI governance: are you in policy‑and‑forget, waiting mode, or stuck in a speed vs. compliance tug of war?

