A year on from 8foldGovernance introducing an LLM into the business, founder Adam Spinks reflects on hype, experimentation, and why good governance means he’s not losing any sleep over it.
Understanding Before Applying
About a year ago, we started experimenting with AI inside 8foldGovernance.
Like a lot of organisations at the time, we found ourselves caught somewhere between curiosity and caution. There were workshops, funding schemes, bold predictions, and an increasing sense that this was something organisations needed to engage with or risk falling behind.
Our starting point wasn’t especially dramatic. We took part in an AI engagement programme, brought the team together, and spent time understanding how large language models actually worked.
And it was really helpful.
What Changed Once We Understood It
Once you understand that an LLM isn’t really “thinking” in the way people imagine, and that a lot of what appears intelligent is sophisticated prediction and probability, it changes the way you think about both the opportunity and the risk.
One exercise stood out. Rather than asking whether AI could solve a problem, we were encouraged to first think about the work we actually do and then explore where AI might help.
By the end of those sessions, we all had the same feeling.
We came away thinking: ‘Oh my God, the potential of this stuff could be huge!’ We just couldn’t quite see what it was.
That created an odd tension. Normally, you introduce technology because you’ve got a defined problem and a clear measure of success, right? This felt backwards. We didn’t yet know the use case, but we had a strong sense there was something in it (haven’t we all?!)
That uncertainty became the thing I took responsibility for managing.
I could imagine AI streamlining processes, reducing repetitive work, helping us research more quickly, and creating more space for higher-value thinking. But I couldn’t ignore the questions that came with it.
The Promise and the Questions of AI
- How would we explore AI without compromising the confidentiality and integrity of client information or introducing unacceptable risk into the way we work?
- How would we meet obligations under GDPR around transparency, data minimisation and data subject rights?
- Could these tools introduce bias into decision-making or influence judgement in ways we didn’t immediately see?
- Would we lose control of our own processes and become overly reliant on tools we didn’t fully understand?
Those questions didn’t make me think we should avoid AI, they made me think we needed to approach it properly.
The biggest risk wasn’t AI. It was unmanaged AI use
At the same time, I was becoming increasingly aware that people were already using AI informally across all sorts of organisations.
Not because they were reckless, but because they were curious, under pressure, and trying to work more efficiently.
The thing that worried me wasn’t AI. It was that everyone was going to use it anyway, because people are curious and often move faster than organisations do.
The question was whether they were going to do it safely.
Trying to stop that entirely felt like being King Canute trying to hold back the tide. You can spend your time pretending change isn’t happening, or you can accept reality and create the conditions for people to engage with it responsibly.
I didn’t want people experimenting invisibly. I wanted to give them permission to do it safely.
For us, that never meant uploading client information into public tools and hoping for the best. It meant understanding the risks, choosing appropriate tools, and creating clear boundaries around how AI could and couldn’t be used.
So rather than saying no, we created a sandbox. Permission to experiment, with clear guard rails.
Applying governance principles to AI adoption
What surprised me most was how familiar the process of applying governance to AI became once we started.
At first, AI felt completely different, but once we slowed down and approached it properly, something became obvious: the fundamentals of risk management hadn’t changed.
We already had the tools.
One of the first things we did was carry out a thorough Data Protection Impact Assessment (DPIA). Although a DPIA is primarily focused on risks to personal data, it has become an extremely useful way of thinking more broadly about governance, accountability, unintended consequences and proportionate risk management.
From there, we put practical mitigations in place.
- We strengthened vendor assurance processes so we understood where data was going, what was retained, whether information was used to train models, and whether the tools we selected gave us confidence that sensitive information remained appropriately protected.
- We created an internal AI adoption checklist so new tools could be evaluated consistently.
- We agreed some simple rules around human oversight and built review into the process. We also set clear expectations that experimentation would happen without using client or personal data for testing purposes.
- We were transparent with the team about how AI was being used and where the boundaries sat.
We also borrowed a principle that has long existed in healthcare compliance and health technology: intended use.
Just because a tool can do something doesn’t mean that’s what it should be used for.
That helped us avoid mission creep and protect something we care about deeply at 8fold, which is delivering healthcare compliance with a human touch.
Why we started with more controls, not fewer
One thought I’ve always returned to throughout my career is that when something genuinely new arrives, our instinct is often to give people freedom first and introduce controls later if problems emerge. And I’ve generally found the opposite works better.
When uncertainty is high, it’s often easier to start with stronger controls and relax them over time as confidence grows.
Part of that is about risk management.
Part of it is about people.
If you allow unrestricted use and later realise you need controls, people experience that as friction. It feels like something is being taken away from them and adoption becomes harder.
Whereas if expectations and boundaries are there from the outset, and you gradually simplify where appropriate, people tend to experience that as trust increasing over time.
I think about old security practices. Imagine giving everyone completely open access and then later introducing passwords and two-factor authentication. Everyone experiences that as a barrier!
But if expectations are there from the beginning and you remove the things that turn out not to matter, people respond much more positively.
That was our approach with AI. We started with more control than we thought we might ultimately need and gradually loosened where experience showed we could.
This gave our team confidence to explore.
One year later: What using AI at 8fold actually looks like
If I’m honest, the outcome isn’t what I expected.
Personally, I use AI constantly now, but I don’t think it’s transformed my productivity; that’s not really the story. Mostly it’s become somewhere for me to think, organise ideas, summarise messy thoughts, that sort of thing.
In practice, most of our use has stayed relatively low-risk and internally focused: meeting notes, early-stage research, organising and iterating thinking, and reducing administrative friction.
And as a remote business, there’s something unexpectedly valuable in having another place to reflect and sense-check ideas (sometimes you just want to ask, ‘I’m not being stupid here, am I?’ and AI gives you somewhere to do that!)
Some of the team have found efficiencies and useful applications. Some haven’t.
What we’ve gained, though, is a much clearer understanding of what these tools do well, what they don’t do well, and where they’re genuinely likely to add value. That’s been valuable in its own right.
One of the things this experimentation has reinforced is something we’d normally say about any technology implementation: start with the business problem, not the tool.
In most situations, the first question shouldn’t be, “How can we use AI?”
It should be, “What problem are we trying to solve?”
Only then does it make sense to consider whether AI has a role to play alongside any other potential solutions.
What’s changed over the last year is that we’re now much more confident in making that judgement. We’ve spent enough time experimenting with these tools to understand where they’re genuinely useful, where they currently fall short, and when they’re likely to create more value than friction.
Ironically, spending time experimenting with AI has made us less likely to reach for it simply because it’s there.
Instead, we’re better equipped to make informed decisions about when AI should be in contention as part of the solution and when another approach is likely to be more effective. That helps us avoid wasting time, money and effort trying to use AI for AI’s sake or adopting tools simply because we’re worried about being left behind.
If you’re wondering what that experimentation actually looked like in practice, Daniel’s written a companion piece about what happened once we moved from governance into day-to-day use. It’s a more practical look behind the curtain at how we introduced Gemini into our workflows, what people actually used it for, what surprised us, and what turned out not to matter as much as we expected.
What hasn’t changed in an AI world
Even if AI never solves a problem for us commercially or operationally, you know what? Adopting LLMs has already solved one for me.
It gave me confidence we weren’t sleepwalking into risk.
Importantly, that confidence didn’t come from trusting AI. It came from understanding the limits of the tools and putting appropriate controls around how we used them.
There’s a quote that’s been bandied around a lot recently around the whole AI conversation, a line from an IBM training manual from 1979:
A computer can never be held accountable. Therefore a computer must never make a management decision.
For all the excitement around AI, I think that principle still holds.
Can technology generate outputs? Process information? Support decisions? Yes, for sure.
But accountability remains human.
Clients don’t come to us because we have access to information. They trust us to help them make good decisions.
That means bringing judgement, experience and context to situations where there usually isn’t one perfect answer. It means understanding risk and applying expertise proportionately.
That’s ultimately why I’m not especially worried about AI replacing what we do, because the work isn’t just about producing answers.
The work is helping people make good decisions… and taking accountability for those decisions – good and bad.
You may already have more of the foundations than you think
If you’re looking at LLMs or AI-enabled tools and wondering where to start, my reflection would be this:
You probably don’t need entirely new governance disciplines.
You might just need to apply the ones you already trust in a new context.
Good governance doesn’t stop change, it gives people permission to engage with change safely.
If you’re thinking through how to introduce AI into your organisation without compromising trust, accountability or compliance, our experience was that you don’t necessarily need entirely new answers. You may already have the governance foundations. Sometimes the challenge is applying them confidently in a new context.
Thinking about introducing AI into your organisation?
Looking to explore AI safely without compromising client confidentiality, GDPR compliance, or the trust you’ve built?