AI GOVERNANCE & CONTROL

Most organisations have an AI policy.
Very few have operational control.

That gap is closing fast. The EU AI Act is in force. NCSC and the AI Office of Ireland are setting the operational bar. By the end of 2026, regulators will want evidence of how your AI governance runs day to day, not what your policy says. Xcession helps you build that evidence layer, with ServiceNow AI Control Tower as the operational backbone.

THE PROBLEM

AI adoption has outpaced the governance models built to oversee it.

Copilots arrive embedded inside software you already own. Business units procure AI services outside IT. Agentic AI takes live actions on production systems. Meanwhile, most boards still rely on a written AI policy and an annual ethics statement as their evidence of governance.

That posture was fine when AI was experimental. It isn't fine now. The EU AI Act's risk-based obligations are live. DORA, NIS2 and ISO 42001 set expectations that go well beyond a policy document. Regulators want to see the inventory, the controls, the audit trail and the human override paths, operationally, on demand.

You cannot govern what you cannot see. Discovery is the precondition for every other control. The first question a regulator will ask is the inventory question.

From the Xcession Irish AI Governance Briefing

THE FIVE GAPS

Five operational gaps every UK and Irish IT leader needs to close.

Drawn from our work with regulated enterprises and public sector clients across the UK and Ireland. These are the gaps regulators, boards and audit committees are starting to probe.

GAP 01 - Discovery

A current inventory of every AI system, model, agent and embedded copilot across the estate - including the AI that arrived inside SaaS you already own.

GAP 02 - Security

Prompt injection, model misuse, data leakage through inference, unauthorised agent actions. A new attack surface that existing playbooks do not yet cover.

GAP 03 - Governance & Compliance

Written policy converted into live monitoring, named ownership, evidence flows and audit trails mapped to the EU AI Act, NIS2, ISO 42001 and the NIST AI RMF.

GAP 04 - Observability

Real-time visibility of what models are doing in production. Drift detection, human-override rates, a working kill-switch path when an agent goes off-script.

GAP 05 - Value Measurement

Hard evidence of productivity, automation savings and adoption quality. The ROI question your board is already asking, and that OBAIR will start benchmarking publicly.

The Operational Answer

ServiceNow AI Control Tower brings all five gaps into a single operational layer.

Built on the platform that already runs your service management, change, asset and risk processes — and the CMDB that already maps your estate. AI Control Tower extends that operating model to AI itself.

Discovers every AI agent, model and identity across the enterprise, including AI deployed outside ServiceNow, across AWS, Azure, Google Cloud, SAP, Oracle and Workday. Observes runtime behaviour and ROI live. Secures access with least-privilege controls and a real-time kill switch when an agent steps beyond its permissions. Governs against the EU AI Act, NIST AI RMF and your internal policy library. Measures cost and value per AI service.

Why it matters for you

You already own the platform that gives auditors most of what they ask for: a CMDB, a change record, an incident workflow, a risk register. AI Control Tower brings AI into the same operating model, rather than standing up a parallel governance stack that nobody owns and no audit committee trusts.

How Xcession Delivers

From a two-week readiness review to a governed AI estate at scale.

Xcession is governance-first and senior-led. We have been delivering on ServiceNow since the early years, and we run AI implementations under our EmpowerAI programme with guardrails and controls built in from day one.

Step 01

AI Control Readiness Review

Two weeks. Output: a prioritised remediation roadmap, an outline operating model, and an evidence framework mapped to the EU AI Act, NIS2, ISO 42001 and NCSC guidance. The report is written for a board or audit committee audience.

Step 02

AI Control Tower Implementation

Stand up Discover, Observe, Secure, Govern and Measure on your existing ServiceNow platform. Onboard models, integrate AWS, Azure and Microsoft 365, and configure the governance policies that flow through to live workflows.

Step 03

EmpowerAI - agentic AI at scale

Foundations, Agent Development and Centre of Excellence. Build, pilot and scale AI agents under the same control plane that governs them, so adoption and assurance move together rather than against each other.

THE REGULATORY PICTURE

What you will be measured against - UK and Ireland, end of 2026.

EU AI Act (Reg. 2024/1689): Risk classification of every AI system. Conformity assessment for high-risk systems. Human oversight, transparency, post-market monitoring, incident reporting.

NIS2 & DORA: Operational resilience evidence covering AI components in critical and financial services. Third-party AI provider oversight. Incident response that includes AI failure modes.

ISO/IEC 42001:2023: AI management system — policy, roles, lifecycle controls, audit, continual improvement. The first ISO standard auditors will reach for when they want a structured AI assurance answer.

NIST AI RMF 1.0: Govern, Map, Measure, Manage. The framework most multinationals are aligning against in parallel to their EU obligations.

NCSC AI Cyber Risk Assessment: UK and Ireland baselines for AI cyber risk — the prompt-injection, data-leakage, agent-misuse layer that traditional cyber frameworks do not yet cover.

AI Office of Ireland / OBAIR: Sectoral EU AI Act enforcement focal point. Observatory for Business AI Readiness will begin benchmarking enterprise AI maturity publicly through 2026 and 2027.

GO DEEPER

Read more, or talk to us directly.

SOLUTION - ServiceNow AI Control Tower

How the five gaps map to Discover, Observe, Secure, Govern, Measure - and what Xcession does to deliver it.

INSIGHT - From AI policy to operational control

The long-form argument for why a written policy is no longer enough - and what a working AI control plane actually looks like.

Book an AI Control Readiness Review.

Two weeks. One report your board, your CISO and your audit committee can act on. The diagnostic stands on its own, whether or not the next conversation involves us.

© Xcession 2026 — Expert ESM advice with a personal touch. xcession.co.uk
