Governing the Ai you actually use: GDPR, ISO, and the audit trail that earns its keep

Tommy Findlay

21 June 2026

Across the first two pieces I argued for a mix: a paid frontier model such as Claude for the hard work, open models and agent runners for the cost-sensitive and routine work, and the discipline to decide which does what. The obvious objection from anyone who has sat through a compliance meeting is that all of this sounds like a governance nightmare, with models you do not own, agents acting on their own overnight, and data moving around in ways nobody quite tracks. I want to argue the opposite, which is that governance is not the brake on any of this but the accelerator, because the thing that actually lets a business move quickly and confidently with Ai is being able to show, at any moment, exactly what it did and why.

Start with the data, because the regulator already has

Everything here begins with data, and UK GDPR applies to an Ai agent in the same way it applies to a spreadsheet, which means the familiar principles of using the least data you need, for a clear purpose, and keeping it secure still hold. The catch is that agents are unusually good at quietly breaking those principles, and the Information Commissioner's Office has already said as much in its work on agentic Ai, warning that these systems tend to reach for far more personal data than a task actually needs and to treat their purpose far more broadly than they should. The fixes are not exotic: decide deliberately which files and systems an agent may touch, keep a human approval step in front of anything involving personal data, and make sure you can switch the thing off quickly, because an agent you cannot stop in a hurry is itself the kind of security gap the law expects you to have closed, with penalties that run into the millions or a slice of global turnover if you have not.

There is a second data question that connects straight back to the first piece, which is where the data physically goes. If you keep an open model and its agent on infrastructure you control in the UK, the data never leaves your boundary and a whole category of legal headache simply disappears, whereas the moment you send it to a US cloud you are making what the law calls a restricted transfer that needs its own paperwork, and the cheapest hosted route for an open model may quietly run your data through servers in China. Sovereignty is not an abstract principle here, it is a direct consequence of which box the model runs in, and it is one of the strongest practical reasons to keep an open, self-hostable option in the mix for sensitive work. The rules themselves moved this year too, because the Data (Use and Access) Act changed how automated decisions are governed, shifting them from something close to a ban towards a permission that depends on having real safeguards and genuine human involvement in place, which only makes the ability to evidence that involvement more important than it already was.

Two ISO standards worth knowing, and why they fit together

Once the data question is in hand, two management standards do most of the heavy lifting, and they are worth knowing even if you never intend to get certified. ISO 27001 is the established information-security standard, and for an Ai agent it is the one that governs who and what can reach your data, how access is logged, how activity is monitored, and how you manage the outside suppliers in the chain. ISO 42001, published at the end of 2023, is the newer and more interesting one, because it is the first proper management standard written specifically for organisations using Ai, and it adds the parts that are unique to this technology: a written Ai policy, an honest assessment of the impact a system could have on real people, clear rules on human oversight, and governance of the data a model is fed. The useful thing is that the two share the same underlying structure, so a business already running ISO 27001 is most of the way to ISO 42001 rather than starting again, and the Ai-specific work becomes a manageable addition rather than a second bureaucracy.

I should be clear that I am not telling every small business to rush off and get certified, because for most the badge is beside the point. What matters is the practices the standards describe, in the same way a good florist does not need an auditor to know that customer details should be handled with care and that a complaint should be investigated rather than buried. The standards are simply a tried and tested checklist for running a business well, and Ai is now squarely one of the things they help you run well, which is why I treat a management system as the scaffolding you build around the technology rather than something you bolt on after it has gone wrong.

The audit trail is the whole point

This is where the agents from the second piece stop being a risk and start being an asset, because the very thing that makes them slightly unnerving, that they act on their own, is also the thing that makes them so governable. A well-run agent records what it does, so every action it takes, every scheduled job that fires, every tool it calls and every moment a human steps in to approve something leaves a timestamped trail behind it. That trail happens to be precisely the evidence both ISO standards ask you to keep, the logging and monitoring that 27001 wants and the oversight and lifecycle records that 42001 wants, produced automatically as a by-product of the work rather than reconstructed painfully from memory long after the fact.

What excites the engineer in me is that those same logs quietly do a second job, because as well as proving what happened they show you exactly where the work is going wrong and where it could be better. Anyone who has worked with Lean or Six Sigma will recognise this at once, because you cannot improve what you cannot measure, and a logged agent hands you those measurements for nothing, the error rates, the retries, the times a job needed a human, and the points where things slowed down. In the language of the quality world those logs are the Check in Plan-Do-Check-Act and the Measure and Analyse in a Six Sigma project, which means the record you keep to satisfy a regulator is the same record you use to make the work better. Governance and continuous improvement stop being two separate chores and become one dataset read two ways, and that is the single most useful idea in this whole series.

What that looks like on a Tuesday

None of this is theoretical, so picture an ordinary case. You have an agent that processes incoming invoices overnight, and one morning it starts filing some of them in the wrong place, which in a manual world would mean a frustrating afternoon of guessing what went wrong. Because every run is logged, the story is sitting there in front of you instead, showing the exact point the error rate climbed, the confidence scores the agent recorded, the version of the instructions it was following, and the fact that a supplier had quietly changed the layout of its invoices. The root cause turns out to be that template change rather than some vague unreliability in the Ai, and the fix is specific and recorded, so you tighten the check, you add a step that sends anything unfamiliar to a human, and you watch the error rate fall over the following days. That is textbook root-cause analysis and corrective action, and as a bonus the new human-approval step generates its own logs, which are exactly the evidence that a person was meaningfully involved that the updated data-protection rules now expect you to be able to produce.
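The invoice case above, worked through over a handful of log records. This is an added example, not code from the original post; the record fields, supplier names and layout identifiers are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample audit records (not real data): one row per invoice filed.
# Field names are assumptions for this example, not a standard log schema.
FIELDS = ("day", "supplier", "layout", "instructions", "confidence", "outcome")
RAW = [
    ("2026-06-08", "acme",  "layout-A",  "v3", 0.97, "ok"),
    ("2026-06-08", "birch", "layout-B",  "v3", 0.95, "ok"),
    ("2026-06-08", "cedar", "layout-C",  "v3", 0.94, "ok"),
    ("2026-06-09", "acme",  "layout-A",  "v3", 0.96, "ok"),
    ("2026-06-09", "birch", "layout-B",  "v3", 0.95, "ok"),
    ("2026-06-09", "cedar", "layout-C",  "v3", 0.93, "ok"),
    ("2026-06-10", "acme",  "layout-A2", "v3", 0.61, "misfiled"),
    ("2026-06-10", "acme",  "layout-A2", "v3", 0.58, "misfiled"),
    ("2026-06-10", "birch", "layout-B",  "v3", 0.95, "ok"),
    ("2026-06-10", "cedar", "layout-C",  "v3", 0.94, "ok"),
    ("2026-06-11", "acme",  "layout-A2", "v3", 0.60, "misfiled"),
    ("2026-06-11", "acme",  "layout-A2", "v3", 0.66, "ok"),
    ("2026-06-11", "birch", "layout-B",  "v3", 0.96, "ok"),
    ("2026-06-11", "cedar", "layout-C",  "v3", 0.93, "ok"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in RAW]

def error_rate_by(records, *keys):
    """Return {key_tuple: misfiled / total} grouped by the given fields."""
    totals, errors = defaultdict(int), defaultdict(int)
    for r in records:
        k = tuple(r[f] for f in keys)
        totals[k] += 1
        errors[k] += r["outcome"] != "ok"
    return {k: errors[k] / totals[k] for k in totals}

def first_day_over(records, threshold):
    """Earliest day whose error rate exceeds the threshold, or None."""
    bad = sorted(d for (d,), rate in error_rate_by(records, "day").items() if rate > threshold)
    return bad[0] if bad else None

def suspects(records, since):
    """Failing groups from `since` onward, flagged if never seen before that day."""
    keys = ("supplier", "layout", "instructions")
    before = set(error_rate_by([r for r in records if r["day"] < since], *keys))
    after = error_rate_by([r for r in records if r["day"] >= since], *keys)
    return [{"group": k, "error_rate": rate, "new": k not in before}
            for k, rate in sorted(after.items()) if rate > 0]
```

Because the instructions version is unchanged across the failing group while the layout is new, the records point at the supplier's template rather than at the agent's instructions.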

Where open and paid each earn their place

Put the three pieces together and the shape of a sensible setup is clear, and it is decided by the sensitivity of the data rather than the brand on the model. The work that involves personal or confidential information, or that runs in high volume, is the work to keep on an open model inside your own boundary, where nothing leaves the building and the audit trail stays entirely yours. The genuinely hard, high-stakes reasoning on less sensitive material is the work to send to a paid frontier model such as Claude, under a proper contract, because that is where the extra capability earns its price. A simple routing layer in the middle lets you move a job from one to the other as the need changes, and the same logging sits underneath whichever model happens to do the work. Seen this way, open models and agent runners are not the threat to governance that a nervous board might assume, because a tool you can bound, inspect, log and improve in the open is very often the most governable option you have, not the least.
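A sketch of the routing layer described above, combined with the approval step and off switch from the data section. This is an added example, not code from the original post; the backend names, job fields and `approver` callback are hypothetical.

```python
import json
import time

# Hypothetical backend labels: a self-hosted open model and a contracted frontier model.
LOCAL, FRONTIER = "open-model-local", "frontier-model-hosted"

class Router:
    def __init__(self, approver, clock=time.time):
        self.enabled = True       # off switch: set to False to stop all dispatch
        self.approver = approver  # callable(job) -> approver name, or None if not yet approved
        self.clock = clock
        self.audit = []           # stand-in for append-only storage

    def _log(self, job, event, **detail):
        """Write one timestamped audit record and return it."""
        rec = {"ts": self.clock(), "job": job["id"], "event": event, **detail}
        self.audit.append(json.dumps(rec, sort_keys=True))
        return rec

    def route(self, job):
        if not self.enabled:
            return self._log(job, "refused", reason="off switch engaged")
        # Sensitivity of the data, not the model brand, picks the backend.
        sensitive = job["personal_data"] or job["confidential"]
        backend = LOCAL if sensitive or job["high_volume"] else FRONTIER
        if job["personal_data"]:
            who = self.approver(job)
            if who is None:
                return self._log(job, "held", reason="awaiting human approval",
                                 backend=backend)
            self._log(job, "approved", approver=who)
        # The same logging applies whichever model does the work.
        return self._log(job, "dispatched", backend=backend)
```

The approval record is written before the dispatch record, so the trail shows that a named person signed off before any personal data reached a model.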

What it all comes down to

The businesses that come out of the next few years ahead on Ai will not be the ones that piloted the most tools the fastest, they will be the ones whose governance was quietly ready when the agents arrived, because that readiness is what lets you say yes to something new without lying awake about it afterwards. You do not need a certificate on the wall to begin, you need the habits the certificate would check for, the data mapped, the access decided, the human kept in the loop on anything that matters, and the logs treated as the asset they are. Get that scaffolding in place and the rest of this series stops being a list of risks to manage and turns into a genuine advantage, which is the whole reason I keep saying that governance is the accelerator and not the brake.
