Insights


ISO 27001 and Investor Due Diligence: What Series A Companies Need to Know
You have just closed your term sheet. The champagne is barely flat when the investor’s due diligence checklist arrives. Somewhere around question fourteen, it asks about your information security framework. You check with your CTO. The honest answer is a shared Google Drive, a password manager you adopted six months ago, and a vague intention to “do something about security” next quarter.
Daniel Sampson
5 days ago · 4 min read


ISO 42001 for AI Startups: Building Governance Before Regulators Force Your Hand
Your Series A investor has just asked how you govern your AI models. Your enterprise prospect wants to know how you manage bias in your product. Your board wants assurance that your AI systems are being developed responsibly. You have nothing documented.
This is the situation I see repeatedly when working with AI startups. The technology is impressive, the team is talented, but the governance is non-existent. And in 2026, that gap is becoming a commercial liability.
Daniel Sampson
7 days ago · 4 min read


Auditing Agentic AI: When the Bot Becomes the User
Over the past couple of years, AI has evolved from a general-purpose tool into something far more autonomous. By 2025, it became a co-pilot. Now, in 2026, we have entered the era of agentic AI — autonomous systems that don't just suggest content but actually execute multi-step workflows, negotiate contracts, and manage cloud budgets without human intervention.
Daniel Sampson
Mar 24 · 4 min read


2026 Progress So Far For Sampson ISO Audit & Consult Ltd
It's been an extremely busy start to the year at Sampson ISO Audit & Consult Ltd — barely a moment to breathe. So I thought it sensible to take stock of what we've achieved, how we've delivered it, and where we want to go for the rest of the year.
Daniel Sampson
Mar 19 · 3 min read


Internal Audit in the Age of AI: How Risk Assurance Is Changing in 2026
The year 2026 marks a tipping point for risk assurance globally. With the EU AI Act coming into effect and ISO/IEC 42001 set to become the global benchmark for trust, the traditional once-a-year internal audit is increasingly obsolete and not fit for purpose in a constantly changing risk environment.
Daniel Sampson
Mar 12 · 3 min read


The EU AI Act Readiness Checklist: 10 Steps to Compliance
As the EU AI Act begins its staged rollout, waiting and seeing is no longer a viable business strategy. For UK firms selling into Europe or using AI internally, the time to audit is now.
This checklist, informed by the ISO/IEC 42001 framework, provides a high-level roadmap for your AI governance and will help you reach an appropriate state of readiness ahead of the August 2026 deadline.
Daniel Sampson
Mar 3 · 3 min read


Managing Third Party Risk in 2026: Using ISO 27001 and ISO 42001 for Supply Chain Assurance
It’s February 2026. The traditional definition of a corporate perimeter has collapsed. In a hyper-connected ecosystem driven by SaaS and integrated AI solutions, your organisation’s greatest vulnerabilities likely lie outside your own walls.
Daniel Sampson
Feb 19 · 4 min read


NIS2 vs ISO 27001: What UK Businesses Must Do to Stay Compliant in 2026
As alluded to in earlier articles, the "Brussels Effect" has now come into play and is shaping laws, standards and policies globally. Even though the UK is outside the EU, NIS2 (the Network and Information Security Directive 2) is dictating terms for any British firm serving European markets or acting as a critical supplier to them. So if you thought ISO 27001 was enough to keep the regulators at bay, it's time for a reality check.
Daniel Sampson
Feb 10 · 2 min read


EU AI Act Explained: How ISO 42001 Helps UK Companies Manage AI Risk
It’s a common misconception in 2026 that because we are post-Brexit, the EU AI Act doesn't apply to the UK. In reality, if your AI system produces an output that is used within the EU, or if you have a single customer in Paris or Berlin, you are likely within its extraterritorial reach.
Daniel Sampson
Feb 5 · 2 min read


ISO 42001 Explained: The New Global Standard for AI Risk Management
In 2023 and 2024, businesses rushed to integrate Large Language Models (LLMs) and automated decision-making as AI-related business systems and processes emerged. In 2026, with the EU AI Act in force and global regulators tightening their grip, moving fast without regard to compliance has given way to moving fast while staying compliant.
Daniel Sampson
Feb 3 · 2 min read


ISO 27001 After Certification: How to Maintain Continuous Compliance in 2026
So the champagne has been drunk, the certificate is framed on the wall and the ISO project team have finally gone back to their day jobs. This is what’s known as the ‘Certification Hangover’ and in 2026, it’s the number one reason businesses fail their Year 1 surveillance audits.
Daniel Sampson
Jan 29 · 3 min read


What Is Risk Assurance? Why ISO-Certified Businesses Need It in 2026
Risk assurance is the structured process of providing confidence to stakeholders that risk controls are effective, proportionate and operating as intended. Unlike traditional audits, which assess compliance at a fixed point in time, risk assurance is forward-looking and ongoing.
Daniel Sampson
Jan 22 · 3 min read