Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Even if AI never solves a problem, it’s solved one for me

  • Published: July 8, 2026
  • Category: Artificial Intelligence

Share this post

Avatar photo
Adam Spinks

Share this post

A year on from 8foldGovernance introducing an LLM into the business, founder Adam Spinks reflects on hype, experimentation, and why good governance means he’s not losing any sleep over it.

Understanding Before Applying

About a year ago, we started experimenting with AI inside 8foldGovernance.

Like a lot of organisations at the time, we found ourselves caught somewhere between curiosity and caution. There were workshops, funding schemes, bold predictions, and an increasing sense that this was something organisations needed to engage with or risk falling behind.

Our starting point wasn’t especially dramatic. We took part in an AI engagement programme, brought the team together, and spent time understanding how large language models actually worked.

And it was really helpful.

AI governance in healthcare, EU AI Act compliance, Medical AI compliance, AI risk management, Healthcare AI regulations, ISO 42001 certification

What Changed Once We Understood It

Once you understand that an LLM isn’t really “thinking” in the way people imagine, and that a lot of what appears intelligent is sophisticated prediction and probability, it changes the way you think about both the opportunity and the risk.

One exercise stood out. Rather than asking whether AI could solve a problem, we were encouraged to first think about the work we actually do and then explore where AI might help.

By the end of those sessions, we all had the same feeling.

We came away thinking: ‘Oh my God, the potential of this stuff could be huge!’ We just couldn’t quite see what it was.

That created an odd tension. Normally, you introduce technology because you’ve got a defined problem and a clear measure of success, right? This felt backwards. We didn’t yet know the use case, but we had a strong sense there was something in it (haven’t we all?!)

That uncertainty became the thing I took responsibility for managing.

I could imagine AI streamlining processes, reducing repetitive work, helping us research more quickly, and creating more space for higher-value thinking. But I couldn’t ignore the questions that came with it.

The Promise and the Questions of AI

  • How would we explore AI without compromising the confidentiality and integrity of client information or introducing unacceptable risk into the way we work?
  • How would we meet obligations under GDPR around transparency, data minimisation and data subject rights?
  • Could these tools introduce bias into decision-making or influence judgement in ways we didn’t immediately see?
  • Would we lose control of our own processes and become overly reliant on tools we didn’t fully understand?

Those questions didn’t make me think we should avoid AI, they made me think we needed to approach it properly.

The biggest risk wasn’t AI. It was unmanaged AI use

At the same time, I was becoming increasingly aware that people were already using AI informally across all sorts of organisations.

Not because they were reckless, but because they were curious, under pressure, and trying to work more efficiently.

The thing that worried me wasn’t AI. It was that everyone was going to use it anyway, because people are curious and often move faster than organisations do.

The question was whether they were going to do it safely.

Trying to stop that entirely felt like being King Canute trying to hold back the tide. You can spend your time pretending change isn’t happening, or you can accept reality and create the conditions for people to engage with it responsibly.

I didn’t want people experimenting invisibly. I wanted to give them permission to do it safely. 

For us, that never meant uploading client information into public tools and hoping for the best. It meant understanding the risks, choosing appropriate tools, and creating clear boundaries around how AI could and couldn’t be used.

So rather than saying no, we created a sandbox. Permission to experiment, with clear guard rails.

Applying governance principles to AI adoption

What surprised me most was how familiar the process of applying governance to AI became once we started.

At first, AI felt completely different, but once we slowed down and approached it properly, something became obvious: the fundamentals of risk management hadn’t changed.

We already had the tools.

One of the first things we did was carry out a thorough Data Protection Impact Assessment (DPIA). Although a DPIA is primarily focused on risks to personal data, it has become an extremely useful way of thinking more broadly about governance, accountability, unintended consequences and proportionate risk management.

From there, we put practical mitigations in place.

  • We strengthened vendor assurance processes so we understood where data was going, what was retained, whether information was used to train models, and whether the tools we selected gave us confidence that sensitive information remained appropriately protected.
  • We created an internal AI adoption checklist so new tools could be evaluated consistently.
  • We agreed some simple rules around human oversight and built review into the process. We also set clear expectations that experimentation would happen without using client or personal data for testing purposes.
  • We were transparent with the team about how AI was being used and where the boundaries sat.

We also borrowed a principle that has long existed in healthcare compliance and health technology: intended use.

Just because a tool can do something doesn’t mean that’s what it should be used for.

That helped us avoid mission creep and protect something we care about deeply at 8fold, which is delivering healthcare compliance with a human touch.

Why we started with more controls, not fewer

One thought I’ve always returned to throughout my career is that when something genuinely new arrives, our instinct is often to give people freedom first and introduce controls later if problems emerge. And I’ve generally found the opposite works better.

When uncertainty is high, it’s often easier to start with stronger controls and relax them over time as confidence grows.

Part of that is about risk management.

Part of it is about people.

If you allow unrestricted use and later realise you need controls, people experience that as friction. It feels like something is being taken away from them and adoption becomes harder.

Whereas if expectations and boundaries are there from the outset, and you gradually simplify where appropriate, people tend to experience that as trust increasing over time.

I think about old security practices. Imagine giving everyone completely open access and then later introducing passwords and two-factor authentication. Everyone experiences that as a barrier!

But if expectations are there from the beginning and you remove the things that turn out not to matter, people respond much more positively.

That was our approach with AI. We started with more control than we thought we might ultimately need and gradually loosened where experience showed we could.

This gave our team confidence to explore.

One year later: What using AI at 8fold actually looks like

If I’m honest, the outcome isn’t what I expected.

Personally, I use AI constantly now, but I don’t think it’s transformed my productivity; that’s not really the story. Mostly it’s become somewhere for me to think, organise ideas, summarise messy thoughts, that sort of thing.

In practice, most of our use has stayed relatively low-risk and internally focused: meeting notes, early-stage research, organising and iterating thinking, and reducing administrative friction.

And as a remote business, there’s something unexpectedly valuable in having another place to reflect and sense-check ideas (sometimes you just want to ask, ‘I’m not being stupid here, am I?’ and AI gives you somewhere to do that!)

Some of the team have found efficiencies and useful applications. Some haven’t.

What we’ve gained, though, is a much clearer understanding of what these tools do well, what they don’t do well, and where they’re genuinely likely to add value. That’s been valuable in its own right.

One of the things this experimentation has reinforced is something we’d normally say about any technology implementation: start with the business problem, not the tool.

In most situations, the first question shouldn’t be, “How can we use AI?”

It should be, “What problem are we trying to solve?”

Only then does it make sense to consider whether AI has a role to play alongside any other potential solutions.

What’s changed over the last year is that we’re now much more confident in making that judgement. We’ve spent enough time experimenting with these tools to understand where they’re genuinely useful, where they currently fall short, and when they’re likely to create more value than friction.

Ironically, spending time experimenting with AI has made us less likely to reach for it simply because it’s there.

Instead, we’re better equipped to make informed decisions about when AI should be in contention as part of the solution and when another approach is likely to be more effective. That helps us avoid wasting time, money and effort trying to use AI for AI’s sake or adopting tools simply because we’re worried about being left behind.

If you’re wondering what that experimentation actually looked like in practice, Daniel’s written a companion piece about what happened once we moved from governance into day-to-day use. It’s a more practical look behind the curtain at how we introduced Gemini into our workflows, what people actually used it for, what surprised us, and what turned out not to matter as much as we expected.

What hasn’t changed in an AI world

Even if AI never solves a problem for us commercially or operationally, you know what? Adopting LLMs has already solved one for me.

It gave me confidence we weren’t sleepwalking into risk.

Importantly, that confidence didn’t come from trusting AI. It came from understanding the limits of the tools and putting appropriate controls around how we used them.

There’s a quote that’s been bandied around a lot recently around the whole AI conversation, a line from an IBM training manual from 1979:

responsible AI adoption Even if AI never solves a problem, it’s solved one for me responsible AI adoption,AI adoption lessons,AI use case study,how to introduce AI safely into an organisation,lessons learned from adopting AI in business,responsible AI adoption case study UK

A computer can never be held accountable. Therefore a computer must never make a management decision.

responsible AI adoption Even if AI never solves a problem, it’s solved one for me responsible AI adoption,AI adoption lessons,AI use case study,how to introduce AI safely into an organisation,lessons learned from adopting AI in business,responsible AI adoption case study UK

For all the excitement around AI, I think that principle still holds.

Can technology generate outputs? Process information? Support decisions? Yes, for sure.

But accountability remains human.

Clients don’t come to us because we have access to information. They trust us to help them make good decisions.

That means bringing judgement, experience and context to situations where there usually isn’t one perfect answer. It means understanding risk and applying expertise proportionately.

That’s ultimately why I’m not especially worried about AI replacing what we do, because the work isn’t just about producing answers.

The work is helping people make good decisions… and taking accountability for those decisions – good and bad.

You may already have more of the foundations than you think

If you’re looking at LLMs or AI-enabled tools and wondering where to start, my reflection would be this:

You probably don’t need entirely new governance disciplines.

You might just need to apply the ones you already trust in a new context.

Good governance doesn’t stop change, it gives people permission to engage with change safely.

If you’re thinking through how to introduce AI into your organisation without compromising trust, accountability or compliance, our experience was that you don’t necessarily need entirely new answers. You may already have the governance foundations. Sometimes the challenge is applying them confidently in a new context.

Thinking about introducing AI into your organisation?

Looking to explore AI safely without compromising client confidentiality, GDPR compliance, or the trust you’ve built?

Get in touch.

Other Articles​

Loading...

Making sense of AI in Healthcare: Why we built 8fold Training

Read More →

April 20, 2026
AI isn’t special

AI isn’t special

Read More →

February 19, 2026
NHS Heal Tech

The Pendulum: AI, AVTs, and the Evolving Governance of Health Tech in the NHS

Read More →

August 13, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept