Business Insight Journal Interview with Sam Peters, Chief Product Officer, IO

See the way AI governance, automation, and compliance are redefining enterprise efficiency and accountability.

Sam, your journey in SaaS and product leadership spans over two decades. How have your earlier roles shaped the way you approach innovation and decision-making at IO (formerly ISMS.online) today?

A lot has changed since I started out in SaaS, but I think what has been consistent throughout is that innovation comes from solving real problems, not just chasing the new. When you focus on solving real problems, you boost adoption and build customers’ trust. That approach certainly shapes how we work at IO today. We focus on purposeful innovation, making careful decisions about where AI and automation can add genuine value, and ensuring every step we take strengthens both our product and our customers’ confidence.

Automation is often seen as a double-edged sword. What kinds of tasks do you believe are best left to automation, and where do you draw the line to ensure human accountability stays intact?

For me, I see that automation works best where repetition and accuracy are most crucial, such as in evidence gathering, log collection, or mapping controls across multiple frameworks. These are areas where machines can add real value to the compliance process. But decisions about risk, ethics, and accountability can’t and shouldn’t be handed over wholesale. People must remain responsible for interpreting what that evidence means, deciding how risks are prioritised, and understanding how compliance choices affect customers and society. For me, the line is drawn where judgment, context, and values come into play.

Many organizations are still wrapping their heads around ISO 42001. From your vantage point, what makes this standard particularly relevant in the current AI regulatory landscape?

ISO 42001 provides organisations with a structured approach to AI governance, not as an abstract ethical debate, but as a management system with clear accountabilities. That’s particularly relevant now because regulations are emerging piecemeal around the world, often with different emphases. Having a recognised international framework, such as ISO 42001, provides a common language for risk management and compliance, which in turn reduces the likelihood of having to play catch-up each time a new law comes into force. For businesses that must comply with these laws and many other regulatory requirements, this is a significant time-saving and risk-reduction measure over time.

When it comes to embedding ‘privacy by design’ into AI systems, what role does ISO 42001 play in moving beyond theory and into implementation?

What I believe ISO 42001 does is help translate ‘privacy by design’ into practice. Ultimately, what ISO 42001 does is it requires organisations to operationalise privacy throughout the AI lifecycle, from data sourcing and model training through to deployment and monitoring. Instead of privacy being a one-off checkpoint, the standard encourages it to be baked into processes, governance structures, and accountability mechanisms from the ground up.

You’ve emphasized that automation can simplify evidence collection and compliance tasks. What kind of impact does that have on overall team productivity and risk posture?

For me, the clearest immediate impact is the time it saves. Skilled people aren’t bogged down by repetitive admin. That frees them to focus on higher-value work, such as analysing risks, stress-testing scenarios, or engaging leadership in meaningful conversations about resilience. Longer term, I believe it will also sharpen the organisation’s risk posture because when leveraged sensibly, evidence is more reliable, audits are smoother, and blind spots are less likely to develop.

As AI governance becomes more complex, how important is cross-functional collaboration in ensuring responsible deployment of AI systems?

It’s absolutely essential. AI governance isn’t just a technical problem or a compliance box-tick. To achieve effective compliance that drives business growth and results in AI that meets your business’s needs, it requires people from all areas of the business to be at the same table, including legal, operations, marketing, communications, sales, and customer success. Without that cross-functional dialogue, you risk building systems that are perhaps technically brilliant but ineffective for your business or customer needs, create regulatory or reputational issues for you as a business or are even compliant on paper but brittle in practice.

ISMS.online supports companies working towards ISO 42001. What practical support or tooling have you found most effective in helping organizations operationalize the standard?

In my view, the most effective support is anything that helps organisations bridge the gap between policy and practice. That could be clear risk frameworks for AI use cases, mechanisms for ongoing monitoring, or accessible ways to evidence decisions over time. The key is practicality; organisations need help turning broad principles into day-to-day actions that withstand scrutiny but also actually work for how their business is set up.

Some argue that over-reliance on templates can dilute thoughtful compliance. How do you ensure your tools strike the right balance between efficiency and integrity?

Templates are helpful starting points, but they’re not substitutes for thinking. The balance comes from designing them as scaffolding, not crutches. They should prompt the right questions, highlight common pitfalls, and speed up documentation, but still leave room for organisations to tailor answers to their specific risks and context. Integrity comes from ensuring the human element, the why and the how, isn’t lost in the rush to complete the what. Our whole ethos at IO is that effective compliance requires people, processes and platforms. Compliance should never be a black box, whereby you have no idea how things are working or why they were done. We are focused on creating systems that work for each organisation that comes to us, meeting their specific needs, and that can scale with their needs as they grow.

The concept of ‘privacy by design’ has been around for a while. What’s changed in its application now that AI is front and center in many business models?

What’s changed is the scale and complexity. AI systems can process data in ways that are sometimes unclear even to their developers, and the consequences of misuse therefore increase exponentially when models are embedded into critical decision-making. In my opinion, privacy by design has evolved from being a regulatory ‘nice-to-have’ to a structural safeguard. It’s no longer enough to patch privacy considerations onto a finished system; they need to inform the earliest design choices if organisations are to retain trust and legitimacy.

Looking ahead, what excites you most about how automation, compliance, and responsible AI are converging — and what should leaders be doing now to stay ahead?

What excites me is the possibility of using agentic AI, connected through MCP servers in core business applications, to automate compliance reporting at the source. MCP provides the plumbing into systems, while the agents handle the gathering and presentation of evidence. I believe that to stay ahead, leaders should be experimenting now by getting the right tooling in place, piloting AI agents in low-risk workflows, and establishing governance frameworks that balance automation with accountability.

A quote or advice from the author

The key for organisations is practicality; organisations need help turning broad principles into day-to-day actions that withstand scrutiny but also actually work for how their business is set up.

Sam Peters

Chief Product Officer, IO

Sam Peters has a diverse work experience starting from 2003 to present. They are currently serving as the Chief Product Officer at ISMS.online since May 2021. Previously, they worked at Alliantist for 8 years, from January 2013 to May 2021, in the role of Head of Products and Services. Before that, they held the position of Product and Support Manager at WPM Education from June 2011 to January 2013. Prior to that, they worked at East Sussex County Council as a Schools ICT Applications Manager from September 2009 to June 2011. They also worked as a General Manager at DB Education Services from April 2008 to September 2009. Their earliest professional experience was at Digitalbrain PLC, where they served as a Service Delivery Manager from November 2003 to April 2008.

Sam Peters attended Cardiff University / Prifysgol Caerdydd from 1997 to 2000, where they obtained a BA (Hons) degree in Politics Social Philosophy and Applied Ethics. Additionally, they have certifications as a Certified SCRUM Product Owner from Roman Pichler Consulting and an ITIL (V3) Foundation Certificate from EXIN. The months and years of obtaining these certifications are not specified.
