Software developers shift to AI code reviewers

Copyright TechTarget - All rights reserved ComputerWeekly’s best articles of the day https://cyber.law.harvard.edu/rss/rss.html Techtarget Feed Generator en Thu, 14 May 2026 07:12:47 GMT https://www.computerweekly.com editor@computerweekly.com <p>The use of <a href="https://www.techtarget.com/searchenterprisedesktop/opinion/End-users-can-code-with-AI-but-IT-must-be-wary">artificial intelligence (AI) in coding</a> is shifting the role of software development, but measuring lines of code is no longer a valid measure of developer productivity, a survey by AI software delivery platform Harness has found.</p> <p>The <a href="https://www.harness.io/state-of-modernization-2026">poll of 700 software developers</a> and managers across the US, the UK, India, France and Germany found that although 89% believe productivity metrics have improved, 81% said they are now spending more time reviewing AI-generated source code.</p> <p>The survey found that when AI generates code, metrics that measure software development output improve and software development cycle times shorten. The developers surveyed said they feel more productive because AI means they can write more code, are able to tackle more complex problems and can to move faster through familiar work.  However, the survey also revealed that one of the major drawbacks in using AI is that developer time spent on code review has increased dramatically.</p> <p>The current state of AI-based tools means that people are often kept in the loop to avoid mishaps, and the need for having a human in the loop is happening in software development.</p> <p>On average, the survey reported that 31% of a developer’s day is now consumed by AI-related invisible work that is not being measured. When we asked them where AI creates the most friction, 53% put reviewing AI-generated code as causing the most friction in their work. Over half (52%) said that the most friction was being caused by having to fix subtle bugs in AI code, while 48% said that having to explain the AI-generated code to teammates was causing them the most friction.</p> <p>However, organisations tend to measure gross output in terms of the amount of code generated. According to Harness, they are not measuring where the productivity gains are being spent.</p> <p>When asked whether they are worried about the use of AI tools to <a href="https://www.techtarget.com/searchsoftwarequality/news/366631712/Google-DORA-Software-delivery-caught-up-to-AI-coding-tools">measure their performance</a>, 96% of the developers polled said they are worried. Most developers who took part in the survey (94%) said <a href="https://www.techtarget.com/searchsoftwarequality/tip/Guidelines-for-AI-driven-legacy-code-modernization">tech debt,</a> validation time and developer burnout are missing from their current metric. Over half (54%) expressed concerns over individual performance evaluations based on AI data.</p> <p>Harness urges IT managers to track AI review time, debugging overhead and the cost of productivity lost due to developers having to switch between different environments. For instance, Harness recommended investigating a reported 20% gain alongside an unmeasured 31% overhead before planning the next investment cycle.</p> <p>It also recommended that software development organisations within businesses understand fully the volume of code that is being completed, merged and deployed. While AI increases code volume, as Harness points out, it does not automatically increase code delivery.</p> <p>“AI coding is the first technology shift in modern software that has changed not just what developers build, but how they spend their hours,” said Trevor Stuart, senior vice-president and general manager at Harness. “AI is reshaping the developer’s job entirely, and the measurement frameworks that the industry has relied on for the past decade weren’t built for this new unit of work.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more AI in coding stories</h3> <ul class="default-list"> <li>How <a href="https://www.computerweekly.com/news/366639364/How-AI-code-generation-is-pushing-DevSecOps-to-machine-speed">AI code generation</a> is pushing DevSecOps to machine speed: Organisations should adopt shared platforms and automated governance to keep pace with the growing use of generative AI tools that are helping developers produce code at unprecedented volumes.</li> <li><a href="https://www.techtarget.com/searchsoftwarequality/news/366632374/Market-research-AI-coding-tools-push-production-problems">AI coding</a> tools push production problems: Recent reports show that AI-generated code adds instability and vulnerabilities in production, but auto-remediation tools face persistent organisational friction.</li> </ul> </div> </div> Using artificial intelligence to generate code is not necessarily a productivity boost, with programmers spending far more time reviewing AI-generated code https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/software-code-keyboard-adobe.jpeg https://www.computerweekly.com/news/366643082/Software-developers-shift-to-AI-code-reviewers Thu, 14 May 2026 06:26:00 GMT Software developers shift to AI code reviewers <p><i>Inside FDP is an exclusive series of articles written by the former deputy director of data engineering at NHS England, Tom Bartlett, who led the 150-person team that built the <a href="https://www.computerweekly.com/news/366620412/NHS-chief-data-officers-concerned-with-FDP-roll-out">Federated Data Platform</a> (FDP), the <a href="https://www.computerweekly.com/news/366640417/Health-workers-call-for-Palantir-to-be-booted-from-NHS-contracts">controversial Palantir-supplied system</a> linking data across the health and care service. </i></p> <p><i>This is the third in a five-part series on what FDP is for. Parts 1 and 2 defined <a href="https://www.computerweekly.com/opinion/Inside-FDP-part-1-Understanding-the-problems-facing-NHS-data">the eight problems</a>, the <a href="https://www.computerweekly.com/opinion/Inside-FDP-part-2-Delivering-on-the-NHS-vision-for-data">seven Frontline-First dimensions</a>, and how FDP delivers them. This article describes the specific features of Palantir's Foundry, the commercial software platform on which FDP is built, that make those dimensions technically possible.</i></p> <section class="section main-article-chapter" data-menu-title="What the best NHS data platforms have in common"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What the best NHS data platforms have in common</h2> <p>The <a href="https://www.computerweekly.com/news/366620412/NHS-chief-data-officers-concerned-with-FDP-roll-out">NHS data community</a> includes people who have built genuinely sophisticated platforms: linked datasets spanning acute, primary, mental health, and community care; population-level risk stratification; near-real-time dashboards used 24 hours a day in system control centres; embedded analytics inside clinical systems; write-back capabilities pushing data into GP records.</p> <p>These are not trivial achievements. They represent years of work by some of the most capable data professionals in the country.</p> <p>But even the best of these platforms share a common architecture - the data lives in a warehouse, the descriptions live somewhere else (in a catalogue, a wiki, or a developer's head), and the applications that capture or display the data live somewhere else again. Three separate things, connected through extracts, feeds, and bespoke integrations that the team maintains by hand.</p> <p>The analytical tools sit alongside the clinical systems, not inside the operational workflow - the clinician works in one place and the data team works in another. The two are connected, sometimes impressively, but the data, the tools, and the actions still live in separate places. A Frontline-First approach requires them to be in the same place.</p> <p>This article is about an architectural choice that collapses that separation. It is not about whether existing platforms work. Many of them do, within their scope. It is about what becomes possible when the data, the description, the application, and the action all live in the same place.</p> </section> <section class="section main-article-chapter" data-menu-title="What Palantir means by 'ontology'"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What Palantir means by 'ontology'</h2> <p>The word "ontology" has become a source of confusion in the FDP conversation because it means different things to different communities.</p> <p>In computer science and knowledge engineering, an ontology is a formal specification of what things exist in a domain, what properties they have, and how they relate to each other. It is a rigorous discipline with its own standards, including OWL (Web Ontology Language) and RDF (Resource Description Framework). It is not what <a href="https://www.computerweekly.com/news/366560657/Palantir-awarded-NHS-FDP-data-contract">the supplier of the FDP platform, Palantir</a>, means by the word.</p> <p>In Palantir’s Foundry software the ontology is something different. It is the operational layer of the platform where real-world concepts are represented as digital things that users interact with directly. It holds the data, hosts the applications, enforces access controls, and supports actions that change the state of the things it represents. It is closer to a living operational workspace than to a formal knowledge representation framework.</p> <p>The double usage causes confusion in almost every conversation I have about FDP. Data architects hear "ontology" and think of formal knowledge engineering. Palantir engineers hear "ontology" and think of the operational layer their applications run on. Both are legitimate uses of the word – but they describe fundamentally different things.</p> <p>For the rest of this article I am using the Palantir meaning - the ontology as the operational workspace, not the ontology as a formal logical framework for knowledge representation.</p> </section> <section class="section main-article-chapter" data-menu-title="Object types: the building blocks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Object types: the building blocks</h2> <p>The foundation of Foundry's ontology is the object type. An object type is Foundry's way of representing a real-world concept that the NHS manages - a patient, a referral, a theatre session, a ward bed, a consultant, a waiting list entry, an appointment.</p> <p>Each object type does two things that a traditional database table does not.</p> <p>First, it holds both the data and its description in the same place. A theatre session object type does not just contain a row of values. It contains the definition of what a theatre session is, what its properties mean, how they relate to other concepts, and who is allowed to see or change them. The description travels with the data rather than sitting in a separate catalogue that nobody maintains.</p> <p>Second, object types are connected to each other through link types, which are defined relationships that the platform maintains and resolves automatically.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> 'Actions' are the mechanism by which FDP applications capture new data at the point of care, not just present data that was captured somewhere else </figure> <figcaption> <strong>Tom Bartlett</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>In a relational database, the relationship between a theatre session and a patient exists as a foreign key. How that relationship gets resolved depends on what you are trying to do.</p> <p>If you are an analyst running a query across all theatre sessions and all patients, the database engine performs an SQL JOIN, scanning both tables to find the matches. If you are a clinician looking up a single patient's theatre session, the system retrieves the linked record directly.</p> <p>These are fundamentally different workloads, and traditional architectures handle them with fundamentally different systems: an OLTP system, such as an <a href="https://www.computerweekly.com/feature/Electronic-health-records-are-still-creating-issues-for-patients">electronic patient record (EPR)</a>, for the clinician's individual lookup; and an OLAP system, such as a data warehouse, for the analyst's cross-population query. Data flows from the first to the second through overnight extracts and batch pipelines, and the two never share a live view.</p> <p>Foundry's ontology resolves both queries from the same data. When a clinician views a theatre session, the platform performs what Palantir calls a "search-around" - starting from a single object and navigating its defined links to the patient, the consultant's schedule, the recovery bed status. This is operationally instant, like an OLTP lookup, but it draws on a data estate that spans domains no single operational system covers.</p> <p>When an analyst needs to query across all theatre sessions Trust-wide, they work with what Foundry calls an "Object Set" - a filtered, aggregated view across a population of objects that supports grouping, counting, summing, and segmenting in the same way an analyst would query a warehouse, but running against the same live data the clinician is viewing.</p> <p>The links and the aggregations always reflect the current state, so neither the clinician's individual view nor the analyst's population-level view is stale, and neither required extracting data from one system into another.</p> </section> <section class="section main-article-chapter" data-menu-title="Actions: the part that changes everything"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Actions: the part that changes everything</h2> <p>Object types that store data with descriptions and link to each other are valuable. A well-designed data warehouse with a good catalogue and a good data model can approximate the descriptive part - governed definitions, documented relationships, consistent naming.</p> <p>What it cannot approximate is the live, navigable links between objects that users traverse in real time, or the dual-mode querying described above. To get that from a warehouse, you have to build an application layer on top of it, and at that point you are no longer comparing like with like.</p> <p>What a warehouse cannot do at all is host actions.</p> <p>An action in Foundry is a defined operation that a user can perform on an object type – for example: accept a referral; cancel a theatre session; discharge a patient; assign a recovery bed; escalate to a consultant.</p> <p>Actions are not just buttons on a screen. They are transactions defined in the ontology itself, with validation rules, access controls, and audit trails built in. When a user performs an action, the action updates the relevant object types and all the linked relationships update with them.</p> <p>This is the feature that makes FDP an operational platform rather than an analytical one. It is also what makes the Frontline-First approach possible, because actions are the mechanism by which FDP applications capture new data at the point of care, not just present data that was captured somewhere else.</p> <p>Consider what happens when a theatre session needs to be cancelled. In a typical Trust today, the scheduler cancels the session in whatever system the Trust uses for theatre management. That information then has to reach other systems: the waiting list, the bed management view, the operational dashboard. Depending on how those systems are connected, that might take hours, or it might happen overnight through a batch extract. In the meantime, a waiting list manager may reassign the slot or contact a patient based on information that is already wrong, because the cancellation has not reached them yet.</p> <p>In the ontology, the scheduler performs a "cancel theatre session" action. The action updates the theatre session object type, and because the theatre session is linked to the waiting list entry, the patient, the consultant, and the recovery bed, every linked concept reflects the cancellation immediately - the waiting list manager, the analyst, and the COO's dashboard all see the change at the same time. There is no overnight feed, no delay, and no reconciliation.</p> <p>For analysts who need frozen reporting for board papers or national submissions, the platform also supports submission snapshots that lock the state at the end of a reporting period - the live view and the frozen view coexist.</p> <p>Now consider something more important. A discharge coordinator uses an FDP application to manage the discharge pathway. They perform actions such as "confirm transport arranged"; "confirm pharmacy complete"; "confirm social care package in place". Each action creates new data on the platform, data that did not exist in any source system because no source system tracks the discharge pathway at this level of detail. The coordinator's spreadsheet used to hold this information. Now the FDP application holds it, with an audit trail, with access controls, and with live links to the patient, the ward, the bed state and the analytics layer above.</p> <p>Actions can also trigger automated responses: a notification to the community team that the patient is ready; an API call to the transport booking system; an alert to the ward manager that a bed will be free. The platform supports scheduled and event-driven automation, which means actions do not always require a human to trigger them - a rule that fires automatically when a patient meets discharge criteria and initiates the coordination workflow is a different proposition from a coordinator clicking a button.</p> <p>This is the point that most critics of FDP miss. They compare it to warehouses and dashboards because they are thinking about platforms that present existing data. FDP applications capture new data through actions, and that new data sits on the same platform as everything else. The discharge coordinator's "confirm transport arranged" action is as much a part of the patient record as the admission that came from the EPR. The secondary uses - such as, how many discharges were delayed by transport nationally - and the primary use - is this patient ready to go home today - are happening on the same data, on the same platform, in the same session.</p> </section> <section class="section main-article-chapter" data-menu-title="The logic layer: an area to watch"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The logic layer: an area to watch</h2> <p>There is a further capability in the ontology that FDP has not yet fully exploited in the NHS context but which has significant potential.</p> <p>Palantir's description of its architecture identifies four components: data, logic, action, and security.</p> <p>The logic layer is the set of business rules, algorithms, forecast models, optimisation models, and clinical pathways that sit between data and action. In a discharge pathway, the logic might determine which actions are prompted at which stage. In theatre scheduling, it might incorporate a capacity model that optimises slot allocation across surgeons and specialties. In population health, it might run segmentation algorithms that identify patients at risk of deterioration.</p> <p>The logic layer allows these rules and models to be connected into the ontology alongside the data and the actions, so that AI agents and human users can draw on the same reasoning when making decisions. This is largely unexplored territory in the current FDP product set, but it is where some of the most significant operational value may sit in the years ahead.</p> </section> <section class="section main-article-chapter" data-menu-title="What AIP adds to the platform"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What AIP adds to the platform</h2> <p>The Artificial Intelligence Platform (AIP) adds two capabilities that change what the platform can do.</p> <p>The first is making analytics accessible without the traditional route through an analyst. <a href="https://www.computerweekly.com/opinion/Inside-FDP-part-2-Delivering-on-the-NHS-vision-for-data">Part 2 of this series of articles</a> described the app called Ask FDP and its potential to change the culture of data use in Trusts. The technical reason it works is that the large language model (LLM) is grounded in the Trust's own data through the ontology, with the same access controls and audit trail that apply to every other interaction with the platform.</p> <p>This is not a chatbot bolted onto a database. It is an AI capability that understands the relationships between object types and can traverse the ontology to answer questions that would otherwise require a skilled analyst and an SQL query.</p> <p>The second capability is AI-FDE, or AI Forward Deployed Engineer, which provides an AI-assisted development environment powered by the latest LLMs. For professional engineers, AI-FDE accelerates their work - it can generate React applications, ontology configurations, Python scripts, and any other deliverable an engineer would normally produce by hand. For clinicians and operational staff with no engineering background, it lowers the technical barrier to entry dramatically. A discharge coordinator can describe the workflow they need and AI-FDE translates that into a working application on the platform. AI-FDE also works with Foundry's no-code features, including Workshop for building interactive applications visually, and Pipeline Builder for building data transformations without writing code.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> This is not a chatbot bolted onto a database. It is an AI capability that understands the relationships between object types and can answer questions that would otherwise require a skilled analyst and an SQL query </figure> <figcaption> <strong>Tom Bartlett</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>This is the mechanism by which a Frontline-First approach scales beyond what a central development team can deliver. The Build with FDP event described in Part 2 saw clinical and operational staff building working applications in two days. The paramedic, the ward clerk, the discharge coordinator all have knowledge of their workflows that no nationally commissioned product can capture. AI-FDE lets them contribute that knowledge directly rather than waiting for someone else to build it for them.</p> <p>There is also a longer-term opportunity in using AI to convert unstructured data into structured, actionable insight. <a href="https://www.computerweekly.com/news/366636205/Interview-Erik-Mayer-transformation-chief-clinical-information-officer-Imperial-College">Imperial College Healthcare NHS Trust</a> developed a natural language processing tool that analyses free-text patient feedback comments, detecting sentiment and theming responses in minutes rather than days. The tool has since been adopted by nine NHS Trusts. The free text problem <a href="https://www.computerweekly.com/opinion/Inside-FDP-part-1-Understanding-the-problems-facing-NHS-data">described in Part 1</a> – such as, DIALOG scores buried in progress notes, discharge letters sitting as inaccessible PDFs - is the same class of problem, and AIP on the ontology makes this kind of work architecturally simpler because the grounding, access controls, and audit trail are already in place.</p> <p>A team building AI features on a freely engineered stack has to integrate the LLM externally, manage grounding manually, build audit trails separately, and worry about clinical data leaving the platform. The clinical coding AI assistant that came runner-up at Build with FDP is the AIP pattern - a small team built a clinically useful AI tool in two days because the platform already handled the plumbing underneath it.</p> <p>The platform is also evolving toward autonomous agents that can orchestrate workflows across multiple steps, not just answer questions or build applications - an agent that monitors a ward's discharge readiness, identifies patients who meet criteria, and initiates the coordination workflow represents the next generation of what Frontline-First could deliver.</p> </section> <section class="section main-article-chapter" data-menu-title="Why the orthodox data stack cannot do this"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why the orthodox data stack cannot do this</h2> <p>Anyone with a technical background will be asking why the orthodox data stack cannot replicate what the earlier sections described. The short answer is that Foundry collapses architectural separations that the orthodox stack treats as fundamental.</p> <p>The standard enterprise data architecture separates the systems where things happen from the systems where things are measured.</p> <p>The EPR is an example of the first type - an Online Transaction Processing (OLTP) system that records clinical events in real time, optimised for fast writes and looking up individual records.</p> <p>The data warehouse is an example of the second - an Online Analytical Processing (OLAP) system that aggregates historical data, optimised for complex queries across large datasets.</p> <p>In simpler terms, the app the clinician uses and the database the analyst queries are built on different technology for different purposes. Data flows from one to the other through overnight extracts and batch pipelines. This separation exists because the two workloads have different performance characteristics and historically could not be served by the same infrastructure.</p> <p>Foundry's Object Storage V2 challenges this separation. It is built on a different architectural principle - data is indexed into specialised object databases through an orchestration layer (the Object Data Funnel), with indexing and querying decoupled into separate subsystems that scale horizontally.</p> <p>The architecture is closer to an inverted index search engine than to a traditional relational database. It can serve both operational queries - give me this patient's current state, with all linked objects and available actions - and analytical queries - show me all patients across this Trust matching these criteria, aggregated by specialty - from the same data store, without extracting data from one system to another.</p> <p>The difference is structural. A traditional warehouse join scans two full tables to find matches across all rows, but the ontology's search-around navigates from a single object to its linked objects, which is how a clinician thinks – “show me everything connected to this patient” - rather than how an analyst thinks – “show me all patients matching these criteria”.</p> <p>The ontology supports both modes from the same data. This is what allows it to be both an operational workspace and an analytical platform simultaneously - a genuinely new concept for most NHS data professionals, and the reason FDP does not fit neatly into the categories people try to put it in. The ontology also supports media references, which means documents such as discharge letters and clinical images can be attached to objects as properties and accessed alongside the structured data.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about the NHS Federated Data Platform</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640417/Health-workers-call-for-Palantir-to-be-booted-from-NHS-contracts">Health workers call for Palantir to be booted from NHS contracts</a> - Health justice charity Medact warns that Palantir’s involvement in NHS data systems is a threat to patients and healthcare organisations.</li> <li><a href="https://www.computerweekly.com/news/366620412/NHS-chief-data-officers-concerned-with-FDP-roll-out">NHS chief data officers concerned by FDP roll-out</a> - The Chief Data and Analytical Officers Network has raised concerns over the way the NHS Federated Data Platform is being implemented and NHS England’s approach to its adoption.</li> <li><a href="https://www.computerweekly.com/news/366616320/NHS-Federated-Data-Platform-celebrates-first-birthday">NHS Federated Data Platform celebrates first birthday</a> - In its first year, more than 100 NHS organisations have signed up to the controversial platform, aiming to bring together data from different IT systems.</li> </ul> </div> </div> <p>Consider what it takes to build an equivalent operational capability on Azure. To create a discharge coordination product that captures new data at the point of care, you would need to wire together Azure Functions for the business logic, Cosmos DB or SQL for the data store, a custom API layer for the front-end application, Azure AD for authentication, a separate audit logging pipeline, and a manually maintained schema that describes what the data means.</p> <p>Each component is mature and well-documented. But the integration is bespoke engineering for every product, and the semantic description of the data - what a referral means, how it relates to a patient, what actions are available on it - lives in your application code and your documentation, not in the data layer.</p> <p>On Foundry, actions are defined in the ontology itself - the validation rules, access controls, audit trail, and linked object updates are handled by the platform. The semantic description travels with the data.</p> <p>This has a direct consequence for AI. When AIP queries the ontology, it already knows what a referral is, how it relates to a patient, what properties it has, and what actions can be performed on it, because the semantics are embedded in the same layer as the data.</p> <p>To achieve something comparable with Azure and Copilot, you would need to build a retrieval augmented generation (RAG) pipeline -extracting the data, writing grounding instructions that explain the schema and its meaning, managing the context window, and maintaining those instructions every time the data model changes. The semantics and the data live in separate places, maintained separately, and they can drift apart. On Foundry, they cannot, because they are the same thing.</p> <p>Azure, Databricks and all the other reporting-first platforms are excellent at what they were designed to do. But they were designed within the orthodox OLTP/OLAP separation. Foundry was designed to collapse it. That is the architectural choice that makes the Frontline-First approach possible, and it is the reason I argue that FDP is not just another data warehouse with better marketing.</p> <p>It is worth noting that the rest of the industry is moving in this direction, which validates the principle even if the implementations differ.</p> <p>Microsoft launched Fabric IQ in late 2025, which introduces an ontology layer with entity types, relationships, and AI grounding through a unified semantic layer. Databricks has extended Unity Catalog with business semantics and AI agents. Both are building semantic layers that bring data and meaning closer together, and Gartner now treats universal semantic layers as critical infrastructure.</p> <p>But neither yet offers what Foundry has in production - defined actions that create new data through transactions in the ontology, with validation rules, access controls, audit trails, and linked object updates handled by the platform. The semantic layer is necessary but not sufficient for Frontline-First - without actions, you have a smarter way to understand data, not a platform that captures it at the point of care. That is the gap the competitors have not yet closed, and Foundry has been in production with it for over a decade.</p> </section> <section class="section main-article-chapter" data-menu-title="How this works across organisational boundaries"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How this works across organisational boundaries</h2> <p>The architecture described so far operates within a single Trust's FDP instance. But the Frontline-First approach requires data to connect across Trusts and care settings. The mental health patient who attends A&E at the acute Trust needs their community mental health data to be visible and actionable through the same platform.</p> <p>Foundry achieves this through shared spaces.</p> <p>Each Trust has its own private space with its own ontology. When two or more Trusts want to collaborate across organisational boundaries, they create a shared space with a shared ontology. Each organisation controls which data it shares - the shared space provides the common ground where cross-organisational products operate.</p> <p>One NHS Trust Group has already done this in production - they created a shared space across two Trusts, with a single cross-Trust patient tracking list that is live, with no issues of lag or latency. They are in the process of re-platforming all their core products into the shared space so that across both Trusts they run a single theatres product, a single Optica, and a single set of operational products, backed by permissions that control whether users see one organisation's data or both. Additional workflow features handle the practical realities, such as ensuring patients are not booked into the wrong site.</p> <p>This is not a central hub pulling data from the periphery. It is a peer-to-peer collaboration model where each Trust retains control of its own data and the shared space provides the integration layer. The shared ontology ensures that the data model is consistent across both organisations, so a product built in the shared space works for both Trusts without separate configuration. This is the architectural mechanism that makes the cross-setting collaboration dimension from Part 2 possible at scale.</p> <p>None of this removes the practical challenge of integrating Foundry with the existing Trust application estate. Getting data in and out of the platform, connecting to EPRs and the dozens of other systems a Trust runs, is an area the programme is actively working on and one where the experience of early adopters will be critical.</p> </section> <section class="section main-article-chapter" data-menu-title="Can EPR implementation solve the same problems?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Can EPR implementation solve the same problems?</h2> <p>One concern raised by senior digital leaders is that the problems described in Part 1 are not architectural failures requiring a new platform, but implementation failures that better EPR deployment would solve. There is some truth in this.</p> <p>Implementation quality matters enormously, and the same EPR system can be well or badly implemented. But even a perfectly implemented EPR cannot make a tool built in one Trust available to every other Trust without rebuilding it. EPR convergence programmes can link data across organisational boundaries within their footprint, but this is limited to Trusts that have adopted the same system and does not extend nationally. It cannot enforce semantic consistency across 220 Trusts running different EPR systems with different configurations.</p> <p>And while some EPR suppliers are extending into operational territory with their own features for discharge tracking, bed management, and clinical coordination, these capabilities remain local to each Trust's implementation and are not portable across the 220 Trusts running different EPR systems with different configurations.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> FDP does not replace the EPR. What it does is provide a layer alongside it where operational products can capture data that the EPR was never designed to hold </figure> <figcaption> <strong>Tom Bartlett</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>There are also entire data domains that will always be out of scope for any EPR, notably workforce and finance, which are critical to operational management but are not clinical data. National portability, semantic consistency across 220 Trusts, and coverage of non-clinical domains like workforce and finance are architectural properties of a platform, not implementation quality issues, and the Frontline-First approach cannot work without them.</p> <p>FDP does not replace the EPR. What it does is provide a layer alongside it where operational products can capture data that the EPR was never designed to hold, in a structured form that is nationally consistent and immediately available to every other product on the platform. Trusts can choose to keep the EPR as the designated clinical record. FDP provides the operational data estate that the EPR was never asked to be.</p> <p>The platform supports multiple writeback methods including API, HL7, and FHIR - the constraint on writing data back into the EPR is not technical but commercial. To date, the programme has not achieved sufficient traction with EPR providers to establish routine writeback into the clinical record. Trusts who are awaiting this functionality should understand that the barrier is supplier engagement, not platform capability.</p> <p>FDP does not introduce divergence from the EPR. It replaces unaudited, ungoverned, invisible divergence with audited, governed, visible divergence. That is a net improvement in every dimension, even if it is not the clean single-record picture that information governance frameworks assume.</p> </section> <section class="section main-article-chapter" data-menu-title="What the platform does not do well yet"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What the platform does not do well yet</h2> <p>Foundry is structured in a genuinely novel way and this is what makes it uniquely suited to the Frontline-First approach, but it does not make it a perfect platform. Teams I have worked with who have adopted Foundry have come across limitations that they have found frustrating, and it is likely that others will too.</p> <p>The general frustration is about a tension between two types of analytical work.</p> <p>Foundry prioritises users who are building repeatable, reusable analytical processes, an approach actively encouraged in NHS England under the Reproducible Analytical Pipelines (RAP) framework. For this kind of work, the platform is excellent - governed, auditable, shareable. But a large proportion of what analysts do day-to-day is not RAP. It is exploratory - quickly viewing a dataset, sharing rough cuts with colleagues, testing an approach before committing to it.</p> <p>The platform makes the first type of work excellent and the second type harder than it needs to be. Getting data in takes more effort than analysts expect - getting data out is harder still. Analysts who needed spreadsheet functionality found it lacking, though the platform does support R, Shiny, and more recently SQL Studio, and Trusts can connect external tools like Power BI and Tableau. NHS England restricted some of this on its own instance, but individual Trusts make their own decisions.</p> <p>Beyond the analyst experience, there were engineering challenges. Foundry's branching model allows developers to branch live data the way a software engineer branches code, test changes against real-world data, and merge back.</p> <p>The national FDP team embraced this because it allowed them to move fast. But engineers who were new to the platform, many of whom had spent years managing data flows from Trusts to NHS England, found it deeply uncomfortable. They were accustomed to long-established best practices - test data, separate development, testing, and production environments, careful promotion between them. Branching real-world data on the master branch felt reckless by those standards.</p> <p>Some teams tried to reconcile the two approaches by setting up test data and then branching it, which satisfied neither philosophy - the test data could not guarantee coverage of the edge cases that would break a pipeline in production, and the branching added complexity without the benefit of working against real data.</p> <p>Foundry does support formal environment separation, but Palantir's engineers discouraged it because it added significant overhead to the development process. The result was a period where neither approach was followed cleanly, and teams were caught between two engineering cultures without a settled way of working.</p> <p>None of this invalidates the architectural case, but it does mean that the journey from architectural promise to operational reality is harder and slower than anyone would like.</p> <p>A change of this scale cannot be delivered by a national programme alone, nor Trusts developing FDP in isolation. It requires cooperation across the system - Trusts, integrated care boards (ICBs), and the national team learning together, adapting together, and being willing to change how they work.</p> <p>The pace at which Frontline-First becomes real will be determined by the level of cooperation and willingness to adapt across all of these organisations.</p> </section> <section class="section main-article-chapter" data-menu-title="Why "just an expensive data warehouse" misses the point"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why "just an expensive data warehouse" misses the point</h2> <p>One of the most persistent criticisms of FDP, repeated in parliamentary debate and in media coverage, is that it is "a very overpriced data warehouse".</p> <p>If you assess FDP as a warehouse, this is a defensible view. The dashboarding is limited. The analytical tooling is less mature than a well-configured Power BI or Tableau environment. For analysts whose entire frame of reference is the analytical layer, FDP looks underwhelming and expensive.</p> <p>But the point of this article is that FDP is not primarily a warehouse. It is an operational application platform where the data, the semantics, the applications, and the actions all live in the same place. Calling FDP an expensive data warehouse is like calling a smartphone an expensive calculator. It is technically true that both can do arithmetic, and it completely misses what makes the smartphone worth having.</p> </section> <section class="section main-article-chapter" data-menu-title="What comes next"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What comes next</h2> <p>The next article explains why the NHS needs both a shared data model and the consistent products to enforce it, and why their combination is the most important asset in the programme.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about NHS data</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Electronic-health-records-are-still-creating-issues-for-patients">Electronic health records are still creating issues for patients</a> - Almost every NHS trust will have moved onto a digital system by this spring. Experts have cautioned many patients are still struggling to access their own health data.</li> <li><a href="https://www.computerweekly.com/news/366639993/Child-rapist-could-have-profiled-victims-through-unaudited-access-to-NHS-databases">Child rapist could have profiled victims through unaudited access to NHS databases</a> - NHS analyst’s conviction for child sexual abuse offences raises concerns over unaudited access to patient data.</li> <li><a href="https://www.computerweekly.com/news/366574914/Women-In-Data-panel-NHS-needs-to-get-data-basics-right-before-rushing-into-AI">NHS needs to get data basics right before rushing into AI</a> - During a panel discussion at a Women in Data event, speakers from across the public healthcare sector outlined the groundwork that has to be laid for artificial intelligence to take the NHS by storm.</li> <li><a href="https://www.computerweekly.com/news/366620174/NHS-investigating-how-API-flaw-exposed-patient-data">NHS investigating how API flaw exposed patient data</a> - NHS patient data was left vulnerable by a flaw in an application programming interface used at online healthcare provider Medefer.</li> <li><a href="https://www.computerweekly.com/news/366641178/NHS-digital-drive-hit-by-usability-gaps-despite-progress-national-survey-finds">NHS digital drive hit by usability gaps despite progress, national survey finds</a> - The shift from analogue to digital across the NHS is hindered by usability issues in electronic patient record (EPR), but the newly launched frontline productivity programme could be the answer.</li> </ul> </div> </div> </section> An in-depth look at the specific features of Palantir's Foundry, the commercial software platform on which FDP is built, and how the system makes use of them https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/health-MRI-scan-results-anatoliy-gleb-adobe.jpg https://www.computerweekly.com/opinion/Inside-FDP-part-3-The-data-architecture-that-makes-it-work Thu, 14 May 2026 04:00:00 GMT Inside FDP – part 3: The data architecture that makes it work <p>For the better part of two decades, the direction of travel in enterprise technology has been clear: <a href="https://www.techtarget.com/searchcloudcomputing/definition/cloud-computing" target="_blank" rel="noopener">everything moves to the cloud</a>. The rationale was simple; the cloud was cheaper, scalable and easier to manage. But, as artificial intelligence (AI) enters the enterprise mainstream, that long-standing assumption is starting to bend.</p> <p>In certain areas, particularly where sensitive data is involved, companies are reconsidering how and where AI operates. Increasingly, they are exploring AI inside the firewall, running AI capabilities within their own on-premises controlled environments rather than relying entirely on cloud-based platforms. </p> <p>We are seeing this shift clearly through the lens of <a href="https://www.computerweekly.com/news/366639056/e-drives-AI-first-workforce-transformation-with-Oracle-Cloud" target="_blank" rel="noopener">human capital management (HCM) data</a>. Across our platforms, more than two million employees interact with workforce systems every day through time clocks, biometric verification and workforce management tools. That vantage point offers a clear view into how organisations think about employee data, and why control over that data matters.</p> <section class="section main-article-chapter" data-menu-title="Trust is at the heart of AI adoption"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Trust is at the heart of AI adoption</h2> <p><a href="https://www.computerweekly.com/news/366642597/Closing-the-AI-trust-gap-in-MENA-Why-visibility-governance-and-data-quality-matter-more-than-hype" target="_blank" rel="noopener">The driver behind this shift is trust</a>. Over the past year, AI tools from companies like OpenAI, Google and Anthropic have demonstrated extraordinary capabilities, from summarising complex documents to analysing data and accelerating decision-making across nearly every function of a business.</p> <p>Yet alongside the excitement sits the persistent question of what happens to the data?</p> <p>When organisations feed information into a cloud-based AI model, that data is, by definition, leaving their immediate environment. Even with strong assurances around privacy and training policies, many companies remain cautious about how sensitive information is processed and where it ultimately resides.</p> <p>In regulated industries such as financial services, legal services and healthcare, caution is even more pronounced. These organisations hold vast quantities of confidential client data and strategic internal information. Any uncertainty around how that data is stored, processed or reused introduces potential legal, operational and reputational risks.</p> </section> <section class="section main-article-chapter" data-menu-title="Sensitive data, sensitive decisions"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Sensitive data, sensitive decisions</h2> <p>HCM data sits in a similarly sensitive category. Consider the types of information contained within HCM systems: compensation structures, performance assessments, succession planning, workforce restructuring plans, disciplinary records and strategic hiring decisions. For many organisations, this information is arguably more sensitive than financial data. It is deeply personal, strategically important, and subject to stringent regulatory oversight.</p> <p>As organisations explore AI applications in HR, from workforce planning to talent analytics, <a href="https://www.techtarget.com/whatis/definition/data-sovereignty" target="_blank" rel="noopener">the question of data sovereignty</a> quickly shoots to the top of the agenda. Simply put, businesses want to know exactly where their data sits, who can access it, and how it is being used.</p> </section> <section class="section main-article-chapter" data-menu-title="Inside the firewall: a new frontier for AI"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Inside the firewall: a new frontier for AI</h2> <p>This is why many companies are now exploring ways to run AI models inside their own infrastructure or within tightly controlled internal networks. In these environments, sensitive datasets never leave the organisation’s control. In some ways, this represents a subtle reversal of the cloud migration that defined enterprise technology over the past 20 years. But this is less a retreat from the cloud than an evolution of how organisations balance innovation with risk.</p> <p>Cyber security has always been a moving target. Throughout my career in technology, one consistent observation from security leaders has been that defences are always designed for threats that are still evolving. AI introduces another layer of complexity to that challenge.</p> <p>The technology itself is advancing rapidly, and many organisations are still learning how to integrate it responsibly. Governance frameworks, model oversight and data management practices are still developing across the industry. Not surprisingly, many business leaders feel more comfortable adopting AI in environments where they retain the highest degree of visibility and control.</p> <p><a href="https://medium.com/@narendrant/beyond-moores-law-the-rise-of-huang-s-law-in-ai-computing-6117b98908d9" target="_blank" rel="noopener">As Nvidia CEO Jensen Huang argues</a>, we’re entering an era of ‘Hyper Moore’s Law’, with AI advancing faster than traditional computing cycles, and AI hardware becoming more powerful and more accessible. While the cloud still leads on performance, the gap is closing, and that shift is significant, as it brings in-house AI within financial reach and enables greater control, security and confidence over sensitive data.</p> <p>This is why a hybrid model is beginning to emerge. Some AI capabilities will live in the cloud, drawing on the huge computing resources and large-scale models offered by major providers. Others will operate inside the organisation, embedded within internal systems and protected environments.</p> </section> <section class="section main-article-chapter" data-menu-title="From biometric security to AI oversight"> <h2 class="section-title"><i class="icon" data-icon="1"></i>From biometric security to AI oversight</h2> <p>We know that this shift is less about technology architecture and more about organisational confidence. Businesses will only fully embrace AI when they trust it. And trust begins with knowing that the data underpinning these systems remains protected.</p> <p>In the HCM space, that principle has always been fundamental. Biometric authentication, for example, relies on techniques such as template obfuscation to ensure that underlying personal data cannot be reconstructed or misused. The original biometric data is never stored in a usable form. </p> <p>The same philosophy applies as AI becomes embedded in workforce management systems. If organisations are going to use AI to support workforce planning, analyse employee trends or optimise operations, they need absolute confidence in how that data is handled.</p> <p>That is why we believe that the inside-the-firewall AI trend will become increasingly significant over the next 24 months, not because companies distrust AI itself, but because they see huge potential in it. However, they want to deploy it in ways that align with their responsibilities around data protection, governance and employee trust. In that sense, what we are witnessing is not a rejection of the cloud era, but the next stage of its evolution.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about security and AI</h3> <ul class="default-list"> <li>Agentic AI adoption may be surging, but security is lagging behind and its fundamental principles need to be intelligently re-scaled <a href="https://www.computerweekly.com/opinion/AI-agents-are-here-Are-we-ready-for-the-security-implications" target="_blank" rel="noopener">for a non-deterministic world</a>.</li> <li>Deepfakes and shadow AI have rendered the traditional security playbook obsolete, prompting cyber leaders to shift <a href="https://www.computerweekly.com/news/366642842/AI-threats-push-Middle-East-CISOs-towards-identity-first-security" target="_blank" rel="noopener">towards resilience-first defences</a>.</li> <li>Cyber security companies have jumped on the AI bandwagon. We look at where artificial intelligence is a useful add-on <a href="https://www.computerweekly.com/feature/Making-sense-of-AIs-role-in-cyber-security" target="_blank" rel="noopener">and where it poses potential risks</a>.</li> </ul> </div> </div> </section> In human capital management, trust and data sovereignty are reshaping the way that companies deploy AI. https://cdn.ttgtmedia.com/visuals/German/article/umbrella-protection-adobe.jpg https://www.computerweekly.com/opinion/Why-human-capital-data-is-pulling-AI-back-inside-the-firewall Wed, 13 May 2026 12:30:00 GMT Why human capital data is pulling AI back inside the firewall <p>Luke Gebb, head of global innovation at American Express, agrees that the pace of technology-led change has intensified exponentially during his more than two decades with the financial services firm.</p> <p>“It has, no doubt,” he says, before pointing to <a href="https://www.computerweekly.com/news/366639510/AI-transformation-must-start-at-the-top-but-boards-remain-divided">artificial intelligence (AI) as the next driver of radical business transformation</a>.</p> <p>“There are different waves. You can draw comparisons at this moment to the advent of the internet itself, or the mobile wave. Those comparisons are good. However, the pace of change and innovation we’ve seen recently is probably faster than we’ve seen before.”</p> <p>As head of global innovation, Gebb leads Amex Digital Labs, an innovation hub focused on creating new digital products and features for the firm’s card members. He works across the enterprise to accelerate the adoption and commercialisation of emerging technologies, such as generative AI, agentic commerce and blockchain.</p> <p>Gebb says his team is focused on innovation areas where business units don’t have the time or expertise to turn their ideas into products or services. The team’s goal is to bring these ideas to market, pilot them, see if they work, make them stable, and then graduate these finalised products to the business units.</p> <p>“It’s a fun role,” he says. “We have a permanently interesting job that is always changing as technology trends come and go. Amex has about 120 people working in innovation, trying to push about 20 things into the market each year, where we’re learning from customers and focused on new experiences powered by up-and-coming technologies.”</p> <section class="section main-article-chapter" data-menu-title="Catching the entrepreneurial bug"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Catching the entrepreneurial bug</h2> <p>Gebb joined Amex out of college and worked for the company for the last five years of the 1990s. After working in strategic planning and new business development, he decided to scratch an itch and join a startup.</p> <p>“During my career, it didn’t take me long to figure out that I loved entrepreneurship and new product development,” he says.</p> <p>“I had done a little bit of that work at Amex and got the bug. Then I went to the web 1.0 startup and saw what it can be like in a smaller company with fewer resources and less ability to plan for the long term.”</p> <blockquote> <div class="imagecaption alignLeft"> <img src="https://cdn.ttgtmedia.com/rms/computerweekly/Luke-Gebb-Amex-PR-140x180px.jpg" alt="Photo of Luke Gebb, head of global innovation at American Express"> </div> <p><span style="font-size: 14pt;"><strong><span style="color: #34495e;">“I’m clearing blockages to innovation for anyone across the company. I’m also connected with a lot of the most groundbreaking projects in the company”</span></strong></span></p> <p><em><span style="color: #34495e;">Luke Gebb, Amex Digital Labs</span></em></p> </blockquote> <p>When the startup failed, Gebb saw there was an opportunity to return to Amex. He rejoined the firm in September 2002 and has since worked in a broad range of roles. The breadth of challenges and experiences has meant there’s always been something new and interesting to get involved with during his 25 years at the firm.</p> <p>“There just kept being great things to do internally,” he says. “I spent a lot of years creating Amex Offers, which is the programme attached to everyone’s card. I ran many entrepreneurial activities in the company. That trend continued and accelerated with the creation of Amex Digital Labs, because it’s basically what we do constantly.”</p> <p>Before his current role, Gebb was senior vice-president of enterprise digital at Amex, leading the company’s web, mobile, partner and digital payments platforms. He formed and has led Digital Labs since September 2017, becoming global head of innovation last October.</p> <p>“The core of my role is running the lab, but I’m also helping lots of other teams around the company accelerate and helping them to elevate issues that get in the way of internal innovators,” he says.</p> <p>“I’m clearing blockages to innovation for anyone across the company. I’m also connected with a lot of the most groundbreaking projects in the company, and just being in touch, trying to help people move as fast as possible and take the best paths.”</p> </section> <section class="section main-article-chapter" data-menu-title="Acting as an interface"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Acting as an interface</h2> <p>So, what blockages can hinder enterprise innovation? Gebb says financial services firms have to navigate a range of governance processes, many of which predate the AI era. His team’s role is to ensure the rest of the business doesn’t encounter choppy waters during the product innovation journey.</p> <p>“We’re just trying to make sure that our processes are customised to the level of risk of a project. By all means, if someone is looking at a new way of moving money, or something else that carries a significant amount of risk, then run it through all the stops,” he says.</p> <p>“But if someone is developing something that helps customers learn how to find a restaurant, it shouldn’t undergo the same level of rigour. Of course, we want to make sure everything we launch works well, but we’re also trying to evolve most of our processes to be risk-adjusted.”</p> <p>As head of innovation, therefore, Gebb holds a crucial role as an interface between the business and its technology professionals. As someone who developed his credentials in consulting and product development, he says he’s more of a business professional than a technologist – and it’s a skillset that works well on a day-to-day basis.</p> <p>“I didn’t start as an engineer,” he says. “But one of the secret sauces of my team and I is an ability to understand deeply what technology makes possible and to work well with engineers, despite, in my case, not having an engineering background.”</p> <p>Innovations continue to bubble up, including AI and other emerging technologies. Gebb says the risks mean he can understand why some people might be concerned by the pace of transformation. However, he also recognises the potential for positive change.</p> <p>“At the end of the day, my optimism wins out,” he says. “Certainly, like anyone, I have days where I’m like, ‘Oh my’ – just read the news on any given day – and I can have my moments of concern. But I think I’m more optimistic than anything else.”</p> </section> <section class="section main-article-chapter" data-menu-title="Developing trusted agentic transactions"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Developing trusted agentic transactions</h2> <p>Gebb’s sense of optimism is helping to drive Amex AI-enabled innovations forward. He says these developments focus on two key areas.</p> <p>“The main zones that are dominating what we’re up to these days are <a href="https://www.computerweekly.com/news/366639228/What-it-takes-to-secure-agentic-commerce">agentic commerce</a> and public blockchains,” he says.</p> <p>“They’re the big trend lines of our day. We also continue to run the company’s digital wallets, such as Apple Pay and Google Pay, and enhance them. We work with those companies, and there are good synergies to having those products on the team.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more interviews with financial services IT leaders</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640503/Interview-Jem-Walters-CTO-Vanquis">Jem Walters, CTO, Vanquis</a>: Having come into the company through the acquisition of his money-saving app, the IT chief is bringing an agile and startup culture to the 146-year-old financial services firm.</li> <li><a href="https://www.computerweekly.com/news/366637057/Interview-How-ING-reaps-benefits-of-centralising-AI">How ING reaps benefits of centralising AI</a>: ING bank is using generative AI-powered chatbots with a human in the loop to streamline mortgage applications. It is also testing speech-to-speech model.</li> <li><a href="https://www.computerweekly.com/news/366637309/Interview-Barry-Panayi-group-chief-data-officer-Howden">Barry Panayi, group chief data officer, Howden</a>: The fast-growing insurance firm wants data insights and artificial intelligence to give customer-facing employees all the information they need at their fingertips through data-powered conversational interfaces.</li> </ul> </div> </div> <p>In terms of agentic commerce, Gebb says Amex developments are focused on a few zones. First, enabling payments so that agents can buy products safely and effectively. The firm recently announced the launch of its Amex Agentic Commerce Experiences (ACE) Developer Kit, a new framework designed to create trusted transactions as the industry moves towards AI agents purchasing goods on consumers’ behalf.</p> <p>“It’s setting out our vision and specifications for how we feel agentic commerce should work,” says Gebb.</p> <p>Alongside the launch of the ACE Kit, the company also introduced Amex Agent Purchase Protection, a commitment to protect card members from AI agent errors that lead to charges. Gebb says this careful approach will help to address one of the biggest issues as agent-driven shopping becomes mainstream.</p> <p>“If a registered agent shares card member intent with us and we approve the transaction and it happens, the card member intent was clear, the merchant delivered what they were supposed to, and the [AI] agent is the one with the error, we’re going to cover the card member and credit them so that they are not out of pocket for that kind of situation,” he says.</p> <p>Beyond payments, Gebb says his team is looking at ensuring Amex assets and features, such as offers and booking mechanisms, are available when customers use large language models (LLMs). The team is also building proprietary experiences, so customers using the company’s mobile app and website, for example, can converse with agents about services.</p> <p>Gebb says these developments are advancing at pace and more will become apparent in the next 12 months.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> This is a year of foundations and a year of beginnings. We’ll see transactions start to happen in some of the early logical places where people will trust their [AI] agent to do certain things for them </figure> <figcaption> <strong>Luke Gebb, Amex Digital Labs</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>“This is a year of foundations and a year of beginnings,” he says. “We’ll see transactions start to happen in some of the early logical places where people will trust their agent to do certain things for them.”</p> </section> <section class="section main-article-chapter" data-menu-title="Pioneering new technology services"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Pioneering new technology services</h2> <p>When it comes to <a href="https://www.computerweekly.com/news/366632063/Global-payments-network-Swift-builds-blockchain-capability">blockchain-centred innovations</a>, Gebb says Amex recently launched a product called Passport, which creates unique NFTs for customers travelling the globe and using the firm’s mobile app.</p> <p>“It’s been created to replicate the feeling of showing someone your physical passport,” he says. “Most of our users have no idea that this service is built on a public blockchain, or that it’s an NFT. Technically, they just like seeing their history, adding things to it, adding memories or pictures or whatever, and being like, ‘Check out all the places I went to’.”</p> <p>Gebb says his team is also exploring <a href="https://www.computerweekly.com/opinion/Inside-the-tech-stack-powering-the-next-wave-of-digital-asset-adoption">stablecoins</a>. Developments in this area are still in their early stages. However, he says the technology continues to grow in importance. More generally, the innovations supported by his team illustrate the broad direction of travel – pioneering the next generation of commercial activity alongside traditional mechanisms.</p> <p>“At the advent of e-commerce, people thought the high street would go away and there would be no physical stores. At the advent of mobile, people thought there would be no websites,” he says. “And here we are in another one of these moments. I think, for the foreseeable medium term, agents will be like an augmentation to how commerce is done.”</p> <p>The basic message, says Gebb, is that websites will continue, as will stores in the real world. While we’re not witnessing a radical change in commerce right now, the human-agent relationship will continue to develop and evolve.</p> <p>“In the medium term, I don’t think agentic commerce and blockchain will replace everything that has come before,” he says. “However, I do think LLMs are getting better at such a rapid rate that people’s trust and use of them will continue to scale, and that will be interesting, as people have trusted agents they use for different things.”</p> </section> Amex is pioneering agentic commerce for its cardholders – just one of a series of digital innovations driving transformation at the company https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/Amex-credit-card-Editorial-Use-Only-TOimages-adobe-hero.jpg https://www.computerweekly.com/news/366642805/Interview-Luke-Gebb-head-of-global-innovation-American-Express Wed, 13 May 2026 12:00:00 GMT Interview: Luke Gebb, head of global innovation, American Express <p>The SAP Sapphire conference is being held in Orlando, Fla., on May 11-13.</p> <p>The event is expected to center on topics including Joule, SAP's generative AI copilot, and other AI subjects, including SAP products like Business Data Cloud and Business Technology Platform. Developments such as multi-agent orchestration and agentic AI remain the dominant topics in the tech world.</p> <p>As in past years, the longstanding effort to move customers from SAP ECC to S/4HANA and the 2027 end of support for ECC remain major topics. The conference will likely also include discussion about SAP’s engagement offerings as the company has worked to integrate its engagement technology with other enterprise tools.</p> <p>IT decision-makers should check back here for the latest on SAP announcements and other developments once the conference kicks off.</p> Here are the newest developments from SAP Sapphire in Orlando, Fla., with the enterprise software vendor's 2026 announcements and our writers' takes on the news. https://www.techtarget.com/searchsap/conference/SAP-Sapphire-Now-news-trends-and-analysis Wed, 13 May 2026 09:00:00 GMT SAP Sapphire 2026 news, trends and analysis <p>Isomorphic Labs, a company founded by <a href="https://www.computerweekly.com/news/366627732/UKtech50-2025-winner-Demis-Hassabis-co-founder-and-CEO-DeepMind">Demis Hassabis</a>, which uses frontier artificial intelligence (AI) for drug design and development, has received investment from the UK government’s Sovereign AI fund.</p> <p>Isomorphic’s work builds on the breakthrough success of DeepMind’s AlphaFold, the AI model co-created by Hassabis that demonstrated in 2016 how AI could beat the <em>Go</em> world champion, Leo Sedol.</p> <p>The company is developing a number of proprietary breakthrough AI models, which together form its unified drug design engine across multiple therapeutic areas and drug modalities.</p> <section class="section main-article-chapter" data-menu-title="Backing AI innovators, founders and entrepreneurs"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Backing AI innovators, founders and entrepreneurs</h2> <p>Launched in April, the Sovereign AI fund provides grants of £1m up to £9m to fund the creation of strategic AI assets. The programme is initially aimed at high-value AI datasets and autonomous or automated laboratory infrastructure. It is open to UK-registered companies, research organisations, universities and consortia with a credible plan that aligns with the Sovereign AI focus areas. It aims to secure long-term strategic advantage for the UK by growing and anchoring strategically significant AI companies.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Britain has a proud history of world-changing medical breakthroughs. Now, in the AI era, we are backing a brilliant UK firm working on another huge jump forward in science to the benefit of people across the country and around the world </figure> <figcaption> <strong>Liz Kendall, DSIT</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>The government’s goal is to shape Britain’s future in the years ahead, using what it calls “strong, homegrown AI capability”. Its strategy is based on backing AI innovators, founders and entrepreneurs to develop new ideas and bring them to market. According to the Department for Science, Innovation and Technology (DSIT), the UK has the third-largest AI market in the world and more AI startups than anywhere else in Europe.</p> <p>Speaking previously about the <a href="https://www.computerweekly.com/news/366642362/Government-funds-self-learning-AI-company">Sovereign AI fund,</a> science and technology secretary Liz Kendall said it represents the government’s “bet on Britain”, adding that the UK believes in its entrepreneurs and innovators and is “backing them to seize the benefits of AI for the UK”.</p> <p>During a speech at the Royal United Services Institute on 28 April, <a href="https://www.computerweekly.com/news/366642532/Liz-Kendall-talks-up-work-with-middle-power-nations-on-sovereign-tech">Kendall spoke about the importance of AI to the UK economy</a> and its ability to compete globally. “Today, the defining currency is AI,” she said. “And the countries which harness AI will not only lead the race to cure diseases, discover new materials and create trillion-dollar companies, but also build far more powerful militaries,” she said.</p> <p>Kendall believes AI is the engine of both economic power and “hard power”.</p> </section> <section class="section main-article-chapter" data-menu-title="Funding a giant leap forward in science"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Funding a giant leap forward in science</h2> <p>Discussing the funding, Sovereign AI head of ventures Joséphine Kant said: “Isomorphic is one of the most consequential companies being built anywhere in the world today, and it’s being built in Britain. Sovereign AI exists to invest in the companies that will shape what this country becomes next. Sir Demis Hassabis, Max Jaderberg, and the team they have built deserve a country willing to match their ambition with its own, and we intend to make sure it does.” </p> <p>Commenting on the Isomorphic funding, Kendall said: “Britain has a proud history of world-changing medical breakthroughs – from penicillin to MRI scanners. Now, in the AI era, we are backing a brilliant UK firm working on another huge jump forward in science to the benefit of people across the country and around the world.” <br>  <br>At the time of writing, three companies had received funding through the Sovereign AI Fund. Along with Isomorphic, the government previously announced funding for <a href="https://www.ineffable.ai/">Ineffable Intelligence</a>, a company that is developing algorithms that learn through experience, and AI infrastructure firm <a href="https://www.callosum.com/">Callosum</a>. A further six companies have been granted access to the AI Research Resource (AIRR) supercomputer network.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about UK tech funding</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366641716/UK-government-accelerates-autonomous-vehicle-development-funding">UK government accelerates autonomous</a> vehicle development funding: Projects exploring how autonomous vehicles could benefit businesses and communities across the UK receive government backing as part of £150m CAM Pathfinder programme.</li> <li>Funding and procurement to target <a href="https://www.computerweekly.com/news/366640318/Funding-and-procurement-to-target-UK-quantum-innovation">UK quantum innovation</a>: The government has ambitions to make the UK the first country to deliver quantum computing at scale, and has set aside £1bn to drive R&D.</li> </ul> </div> </div> </section> Isomorphic, which is building a unified drug discovery product based on artificial intelligence, is the third company to receive Sovereign AI funding from the UK government https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/phamaceutical-drugs-medicine-pills-istock.jpg https://www.computerweekly.com/news/366643093/Sovereign-AI-fund-supports-Hassabis-startup-Isomorphic Wed, 13 May 2026 05:29:00 GMT Sovereign AI fund supports Hassabis startup, Isomorphic <p><a href="https://www.techtarget.com/contributor/Christian-Klein">Christian Klein</a>, SAP’s chief executive officer, led with a picture of a three-eared unicorn during the opening keynote at SAP’s global <a href="https://www.techtarget.com/searchsap/conference/SAP-Sapphire-Now-news-trends-and-analysis">Sapphire event in Orlando</a>.</p> <p>In the main press statement for the event, he added some context: “For the mission-critical processes of our customers, ‘almost right’ just isn’t good enough.</p> <p>“By uniting SAP Business AI Platform with SAP Autonomous Suite, we anchor AI agents in the business processes, data and governance so they can deliver accurate, compliant and secure outcomes, unlocking new sources of revenue and meaningful cost savings.”</p> <p>The no-frills keynote was balanced across the supplier’s top team. <a href="https://www.techtarget.com/searchsap/news/366574881/SAP-chief-AI-officer-Waiting-on-AI-is-the-wrong-strategy">Philipp Herzig</a>, chief technology officer; Muhammad Alam, executive board member responsible for product engineering; and <a href="https://www.techtarget.com/searchsap/news/366618698/Changes-to-SAP-leadership-reflect-AI-cloud-shifts">Sebastian Steinhaeuser</a>, chief operating officer, carried what came across as a collective argument.</p> <p>They were also joined onstage by SAP customers JP Morgan Chase, with its chief financial officer, Jeremy Barnum; H&M, with its chief digital and information officer, Ellen Svanström; and partner representative Rob Fisher, global head of advisory.</p> <p>What the supplier styles as an Autonomous Enterprise includes an AI platform for, avowedly, building, contextualising and governing agents. This is said to add up to an “autonomous suite that executes core business operations and a new user experience” that obviates the need to switch applications, or even be in them.</p> <p>The so-called autonomous suite will deploy more than 50 <a href="https://www.techtarget.com/searchsap/news/366632263/SAP-pitches-role-based-Joule-assistants-as-ERP-work-partners">Joule Assistants</a> across the gamut of business applications, covering finance, supply chain, procurement, human capital management and customer experience. <a href="https://www.techtarget.com/searchsap/news/366553638/SAP-joins-generative-AI-crowd-with-Joule">Joule</a> has been SAP’s term for its generative AI technology since September 2023.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Sapphire</h3> <ul class="default-list"> <li>Sapphire 2025: <a href="https://www.computerweekly.com/news/366624161/Sapphire-2025-SAP-mints-business-AI-flywheel-with-Palantir-on-board">SAP mints business AI flywheel with Palantir on board</a>.</li> <li><a href="https://www.techtarget.com/searchsap/news/366623967/SAP-should-balance-AI-talk-with-customer-concerns-at-Sapphire">SAP will focus on Joule, agentic AI and Business Data Cloud at Sapphire</a>; experts say it should also show how it can help customers deal with real-world issues.</li> <li><a href="https://www.computerweekly.com/news/366588552/SAP-Sapphire-2024-AI-in-all-its-forms-but-not-only-AI">SAP Sapphire 2024</a>: AI in all its forms – but not only AI.</li> </ul> </div> </div> <p>These assistants will, it is said, automate end-to-end processes. One example the supplier gave is an Autonomous Close Assistant that can, it is claimed, compress the financial close process from weeks to days by automating journal entries, reconciliation and error resolution.</p> <p>The company said it will bring its <a href="https://www.techtarget.com/searchsap/definition/SAP-HANA-Cloud-Platform">Business Technology Platform</a> (BTP) and its Business Data Cloud under the banner of its SAP Business AI Platform as a single, governed environment. <a href="https://www.techtarget.com/searchsap/definition/SAP-HANA-Cloud-Platform">BTP</a> is SAP’s platform-as-a-service product that has provided a development and <a href="https://www.techtarget.com/searchsoftwarequality/definition/runtime">runtime</a> environment for building cloud-based enterprise applications.</p> <p>An SAP Knowledge Graph system, which is said to give AI agents a map of business entities, processes and relationships across a customer’s SAP landscape, will add specific business context, according to the supplier.</p> <p>SAP is also launching Joule Studio as what it describes as its AI-first system for building enterprise agents, applications and agentic workflows.</p> <section class="section main-article-chapter" data-menu-title="Agentic AI fund"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Agentic AI fund</h2> <p>The company announced a €100m fund for SAP partners to help customers deploy SAP-built AI assistants and agents. The fund is also available to partners that extend or build new partner agents on the new SAP Business AI Platform using Joule Studio, the supplier said.</p> <p>SAP also highlighted a raft of partnerships it believes to be strategic. Two are with <a href="https://www.computerweekly.com/news/366640417/Health-workers-call-for-Palantir-to-be-booted-from-NHS-contracts">Palantir</a> and Accenture for data migration, and another is with agentic AI specialist Conduct for cloud enterprise resource planning migrations.</p> <p>It is also collaborating with Anthropic, Amazon Web Services, Google Cloud and Microsoft, as well as Mistral AI and Cohere, to deliver what were described as sovereign model options on SAP’s cloud infrastructure.</p> <p>The supplier will endeavour to say what these and other announcements will mean for SAP customers in Europe next week in Madrid, from 20-21 May.</p> </section> SAP CEO Christian Klein and his top team trumpeted the advent of the ‘autonomous enterprise‘ during the opening keynote at the supplier’s global Sapphire event in Orlando https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/SAP-Sapphire-2025-Christian-Klein-hero.jpg https://www.computerweekly.com/news/366643054/Sapphire-2026-SAP-heralds-dawn-of-autonomous-enterprise Wed, 13 May 2026 04:45:00 GMT Sapphire 2026: SAP heralds dawn of ‘autonomous enterprise’ <p>Microsoft has addressed around 140 newly discovered common vulnerabilities and exposures (CVEs) <a href="https://msrc.microsoft.com/update-guide/releaseNote/2026-may" target="_blank" rel="noopener">in its May Patch Tuesday update</a>, but for the first time in a long time, the latest monthly drop contains no zero-day flaws, meaning that none of the issues in scope have been actively exploited or publicly disclosed.</p> <p>But while a less panic-inducing drop will be welcomed by security teams around the world, the May 2026 Patch Tuesday update contains almost 20 critical severity flaws that will inevitably draw the attention of threat actors in the coming days and weeks.</p> <p>Jack Bicer, <a href="https://www.action1.com/" target="_blank" rel="noopener">Action1</a> director of vulnerability research, said: “Although the absence of zero-days is a positive sign, the high number of critical vulnerabilities – particularly compared to recent months – means organisations should still move quickly to evaluate and deploy updates across affected systems.”</p> <p>This month’s update is also particularly significant as it heralds a critical Secure Boot certificate expiration deadline on 26 June, a few weeks from now. Devices that fail to receive <a href="https://www.darkreading.com/endpoint-security/microsoftoriginal-windows-secure-boot-certificates-expire" target="_blank" rel="noopener">updated Secure Boot certificates</a> – which are now rolling out – face potentially catastrophic failures or as-yet-undiscovered security flaws that may prove impossible to fix.</p> <p>“The May 2026 update cycle is a high-stakes bridge to the 26 June certificate expiration deadline, making fleet-wide rotation to new trust anchors the month’s absolute priority,” said Rain Baker, senior incident response specialist at <a href="https://nightwing.com/cyber-defense/" target="_blank" rel="noopener">Nightwing’s ShadowScout</a> team.</p> <p>“For those who haven’t patched for last month’s releases for the <a href="https://www.computerweekly.com/news/366641679/April-Patch-Tuesday-brings-zero-days-in-Defender-SharePoint-Server" target="_blank" rel="noopener">Windows Shell and Microsoft Defender bypass flaws</a>, it is imperative that security teams give these the highest priority,” added Baker.</p> <section class="section main-article-chapter" data-menu-title="Bugs abounding"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Bugs abounding</h2> <p>Among some of the critical updates issued this month is a fix for a Windows DNS Client remote code execution (RCE) flaw tracked as <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41096" target="_blank" rel="noopener">CVE-2026-41096</a>. This vulnerability stems from a heap-based buffer overflow condition in Windows NetLogon and could enable an unauthenticated actor to take over the target system by sending it a malicious DNS response.</p> <p>“Because DNS is a core networking service used across enterprise environments, exploitation could impact a large number of systems rapidly,” said Action1’s Bicer. “Successful attacks may lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks. </p> <p>“This CVE requires immediate attention considering its severity rating, network-based attack vector, no authentication requirements and no user interaction. DNS-related vulnerabilities are especially dangerous because they target foundational network services that are broadly exposed across enterprise infrastructure.”</p> <p>Also drawing attention is <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42898" target="_blank" rel="noopener">CVE-2026-42898</a>, another RCE issue,which is in on-premise versions of Microsoft Dynamics 365, which bears a common vulnerability scoring system (CVSS) score of 9.9. Again, this issue requires no user interaction and, because it can affect systems beyond the original security scope of the vulnerable component, carries an extreme risk to enterprises.</p> <p>Previous attacks on Dynamics 365 infrastructure have exposed important, privileged data, and because CRM environments plug into so many other important systems, successful exploitation could lead to wholesale compromise.</p> <p>Meanwhile, Automox chief technology officer Jason Kikta weighed in on <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089" target="_blank" rel="noopener">CVE-2026-41089</a>, an RCE flaw in Windows Netlogon, and CVE-2026-40402, an elevation of privilege (EoP) vulnerability in Hyper-V.</p> <p>“CVE-2026-41089 – CVSS 9.8 out of 10 – is a stack-based buffer overflow in Windows Netlogon,” said Kikta. “An attacker sends a crafted network request to a domain controller. No authentication required. No user interaction required. If you’ve been doing this long enough, the description language sounds sadly familiar.</p> <p>“I'd be careful drawing <a href="https://www.computerweekly.com/news/252489539/Race-to-patch-as-Microsoft-confirms-Zerologon-attacks-in-the-wild" target="_blank" rel="noopener">a direct line to Zerologon</a>. The underlying bug is a stack overflow, not a crypto protocol flaw, and Microsoft has not labeled this one as wormable. The mechanism is different, but the blast radius is still ugly when you’re talking about pre-auth code execution on a domain controller.”</p> <p>The Hyper-V issue can be exploited by a low-privileged account inside a guest virtual machine (VM) to execute code on the host with system-level privileges. Kikta warned that one compromised guest could serve as a pivot point for every other VM on the same host, and add the host fabric into the bargain. Hosted desktop environments and shared virtualisation platforms are likely to be swiftly targeted.</p> <p>“Multi-tenant VDI, on-premise virtualisation with untrusted workloads, or any Hyper-V host running guests you don't fully control. Same-week, same-day patch depending on what’s on top of it,” Kikta advised.</p> </section> <section class="section main-article-chapter" data-menu-title="Patch apocalypse?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Patch apocalypse?</h2> <p>Although lacking in zero-days, Redmond’s latest meaty update will do little to assuage the concerns of onlookers alarmed at the supposedly earth-shattering vulnerability discovery capabilities of <a href="https://www.computerweekly.com/news/366641789/A-tsunami-of-flaws-When-frontier-AI-and-Patch-Tuesday-collide" target="_blank" rel="noopener">Anthropic’s Claude Mythos frontier AI model</a>.</p> <p>Chris Goettl, vice-president of security product management at <a href="https://www.ivanti.com/" target="_blank" rel="noopener">Ivanti</a>, said that these concerns were being taken seriously by many key software suppliers and other tech firms that are becoming far more aggressive in their patching in response to the changes of the past few weeks.</p> <p>“<a href="https://blogs.oracle.com/security/accelerating-vulnerability-detection-and-response-at-oracle" target="_blank" rel="noopener">Oracle announced a new release cadence starting in May 2026</a> to address the acceleration of vulnerability detection introduced by Mythos and other AI security models; monthly Critical Security Patch Update (CSPUs) will fill in the two-month gap between their quarterly Critical Patch Update (CPU),” he said.</p> <p>“Apple is another early participant in Project Glasswing and has seen a recent spike in the number of exposures resolved. They typically average around 20 CVEs per iOS security update [but] <a href="https://www.zerodayinitiative.com/blog/2026/5/12/the-apple-macos-security-update-review" target="_blank" rel="noopener">for their most recent update on May 11</a>, there is a spike of 52 CVEs resolved. Across the 11 Apple updates, the CVE counts range from 25 at the low end to 52 on the high end and Apple backported changes all the way to iPhone 6s and iOS 15. While there are not actively exploited vulnerabilities, there are a lot of updates to manage.”</p> <p>Meanwhile, Mozilla, the backers of the Firefox browser, which is said to have had more than 270 vulnerabilities identified after Claude Mythos was applied to it, has also moved to a more aggressive weekly cadence for its security updates since the release of Firefox 150.0.0 in April 2026 – version 150.0.3 of Firefox dropped earlier today (12 May).</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about Patch Tuesday</h3> <ul style="list-style-type: square;" class="default-list"> <li><strong><strong>April 2026: </strong></strong>Microsoft’s latest Patch Tuesday update may be one of the largest in history, <a href="https://www.computerweekly.com/news/366641679/April-Patch-Tuesday-brings-zero-days-in-Defender-SharePoint-Server" target="_blank" rel="noopener">with more than 160 issues in scope</a>.</li> <li><strong>March 2026: </strong>Zero-days in .NET and SQL Server, and a handful of critical RCE bugs, form the nucleus of Microsoft’s <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366639784/Microsoft-patches-zero-days-in-NET-and-SQL-Server">March Patch Tuesday update</a>.</li> <li><strong>February 2026: </strong>Microsoft releases patches for six zero-day flaws in its latest monthly update, <a href="https://www.computerweekly.com/news/366638958/February-Patch-Tuesday-Microsoft-drops-six-zero-days" target="_blank" rel="noopener">many of them related to security feature bypass issues</a>.</li> <li><strong>January 2026: </strong>January brings a larger-than-of-late Patch Tuesday update out of Redmond, but an uptick in disclosures <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366637296/Microsoft-patches-112-CVEs-on-first-Patch-Tuesday-of-2026">is often expected at this time of year</a>.</li> <li><strong>December 2025: </strong>The final Patch Tuesday update of the year brings 56 new CVEs, bringing the year-end total <a href="https://www.computerweekly.com/news/366636275/Microsoft-patched-over-1100-CVEs-in-2025" target="_blank" rel="noopener">to more than 1,100</a>.</li> <li><strong>November 2025:</strong> An elevation of privilege vulnerability in Windows Kernel tops the list of issues to address in the <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366634166/Microsoft-users-warned-over-privilege-elevation-flaw">latest monthly Patch Tuesday update</a>.</li> <li><strong>October 2025:</strong> Windows 10 is no longer supported, but that does not mean it is not impacted <a href="https://www.computerweekly.com/news/366632872/Patch-Tuesday-Windows-10-end-of-life-pain-for-IT-departments" target="_blank" rel="noopener">by the latest Patch Tuesday update</a>.</li> <li><strong>September 2025:</strong> Nearly half the CVEs Microsoft disclosed in its September security update, including one publicly known bug, <a href="https://www.darkreading.com/application-security/eop-flaws-again-lead-microsoft-patch-day" target="_blank" rel="noopener">enable escalation of privileges</a> (Dark Reading).</li> <li><strong>August 2025:</strong> Microsoft rolls out fixes for over 100 CVEs <a href="https://www.computerweekly.com/news/366629273/Eight-critical-RCE-flaws-make-Microsofts-latest-Patch-Tuesday-list" target="_blank" rel="noopener">in its August Patch Tuesday update</a>.</li> <li><strong>July 2025:</strong> Microsoft patched well over 100 new common vulnerabilities and exposures on the second Tuesday of the month, but its latest update is <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366627196/July-Patch-Tuesday-brings-over-130-new-flaws-to-address">mercifully light on zero-days</a>.</li> <li><strong>June 2025:</strong> Barely 70 vulnerabilities make the cut for Microsoft’s monthly security update, but an RCE flaw in WEBDAV and an EoP issue in Windows SMB Client still <a href="https://www.computerweekly.com/news/366625818/June-Patch-Tuesday-brings-a-lighter-load-for-defenders" target="_blank" rel="noopener">warrant close attention</a>.</li> <li><strong>May 2025:</strong> Microsoft fixes five exploited, and two publicly disclosed, zero-days <a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366623992/May-Patch-Tuesday-brings-five-exploited-zero-days-to-fix">in the fifth Patch Tuesday update of 2025</a>.</li> </ul> </div> </div> </section> No zero-day flaws were addressed in May’s Patch Tuesday update but as usual there is much for admins to chew over in the coming days https://cdn.ttgtmedia.com/visuals/German/article/upgrade-computer-adobe.jpg https://www.computerweekly.com/news/366642908/Microsoft-releases-rare-zero-day-free-Patch-Tuesday-update Tue, 12 May 2026 18:02:00 GMT Microsoft releases rare zero-day free Patch Tuesday update <p>Sustainability and strategy don’t always seem like natural bedfellows in a profit-driven world, but Simon Ninan, global head of strategy at <a href="https://www.computerweekly.com/feature/Hitachi-Vantara-VSP-One-leads-revamped-storage-portfolio">Hitachi Vantara</a>, wants to make it a reality, finding fresh approaches that deliver for customers, products, profit and the planet together. </p> <p>He says that if you want to see something better tomorrow, you have to start today. And for Ninan, it’s about finding a way through conflicting requirements. His core strategy team aims to combine knowledge, experience and ideas so that “one plus one equals five” and solves sustainability and <a href="https://www.computerweekly.com/ezine/Computer-Weekly/Viewing-business-through-a-sustainability-lens">business</a> challenges together.</p> <p>“I grew up in Bangalore, India,” he says. “Bangalore has changed a lot. It used to be known as green – now there’s so much traffic, a lot of the greenness is gone. It’s a shame.”</p> <p>In India, there’s still “incredibly intense” competition for resources as the country races to catch up, but in a “fair” way. Ideas around balancing those issues are often inculcated as you grow up, says Ninan.</p> <p>Similarly, it seemed to him that the longevity of companies and the “hardiness or value” embedded in their vision can be deeply connected.</p> <p>Comparisons with the US, where he arrived after studying computer science and engineering, were stark. Growth delivered clear benefits to the population, but at the same time, he saw “a land of excess”, where resources were often wasted.</p> <p>“I have continued consistently to think about how a little can potentially go a long way. How can we drive better decisions, and avoid innovation for innovation’s sake, technology for technology’s sake?” he says. “It’s about fusing business and technology. And there’s opportunity in that.”</p> <section class="section main-article-chapter" data-menu-title="Long-term vision shapes sustainability strategy"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Long-term vision shapes sustainability strategy</h2> <p>Ninan joined Hitachi Vantara in 2019, following seven years as an executive at Japan-headquartered parent Hitachi, and before that at Monitor Deloitte. </p> <p>At the board and corporate levels, Hitachi has a culture of going beyond short-term strategic planning.</p> <blockquote> <div class="imagecaption alignLeft"> <img src="https://cdn.ttgtmedia.com/rms/computerweekly/Simon-Ninan-Hitachi-Vantara-140x180px.jpg" alt="Photo of Simon Ninan, global head of strategy at Hitachi Vantara"> </div> <p><span style="font-size: 14pt;"><strong><span style="color: #34495e;">“I have continued to think about how a little can potentially go a long way. How can we drive better decisions, and avoid innovation for innovation’s sake, technology for technology’s sake? It’s about fusing business and technology. And there’s opportunity in that”</span></strong></span></p> <p><em><span style="color: #34495e;">Simon Ninan, Hitachi Vantara</span></em></p> </blockquote> <p>That begins by asking how the world might look 30, 50 or even 70 years from today, and planning for “mega-trends”, such as in terms of productivity and artificial intelligence (AI), socio-politics and climate change. The strategic time frame is the next two generations at minimum, including innovating around products and solutions that benefit society at large.</p> <p>That long-term focus is “very interesting and unique”, says Ninan.</p> <p>“We also talk about ageing demographics, or changing demographics. Emerging markets, availability of resources, productivity, the digital divide,” Ninan says. “Big hurdles that society will face. Then, working backward as it were, Hitachi asks what we can do today.”</p> </section> <section class="section main-article-chapter" data-menu-title="Japanese principles guide collaborative approach"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Japanese principles guide collaborative approach</h2> <p>Hitachi founder Namahei Odaira originally tied the company philosophy to the Japanese principles of “wa”, “makoto” and “kaitakusha-seishin”.</p> <p>At Hitachi, the harmony-related concept of “wa” encourages respect for others’ opinions and promotes open, fair and impartial discussion. In sustainability, this translates into a highly collaborative, cross-functional approach that connects efforts across the full lifecycle of products and operations, and to ensure impacts are understood holistically, says Ninan.</p> <p>“Makoto” is about sincerity – approaching issues with openness, honesty and respect, “in the spirit of true teamwork”.</p> <p>“In <a href="https://www.computerweekly.com/opinion/IT-Sustainability-Think-Tank-How-IT-sustainability-entered-the-mandate-era-during-2025">sustainability</a>, this is reflected in transparency, proactive data collection and reporting, and a commitment to go beyond simply meeting requirements to delivering on the spirit of our goals,” says Ninan.</p> <p>“Kaitakusha-seishin” may be best translated as “pioneering spirit”. Ninan says that at Hitachi, this emphasises a striving for leadership through pursuing new challenges and higher goals, but building on a commitment to innovation that goes beyond mere compliance, to driving positive impacts for society and the planet. That mission is now being extended to other parts of the world where Hitachi operates.</p> <p>“I find that really powerful, because it says you can make trade-offs in your bottom line for a bigger goal,” he adds. “It’s very ambitious. We have a double bottom line. Every company tries to make sure it delivers profit, but the double bottom line means it’s not just about the shareholders; it’s about the stakeholders and the value you’re delivering – your customers, your partners, your employees.”</p> </section> <section class="section main-article-chapter" data-menu-title="Tackling Scope 3 emissions in datacentres"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Tackling Scope 3 emissions in datacentres</h2> <p>Today’s sustainability challenges for the team include weighing up the challenges and potential benefits of <a href="https://www.computerweekly.com/feature/AI-drives-storage-array-makers-to-embrace-data-management">AI</a> enablement, for example. Also, there’s a need to rethink the value of hybrid cloud data solutions versus the return on investment in data, says Ninan.</p> <p>The most recent “major strategy refresh” with a medium- to long-term perspective at Hitachi Vantara was three years ago. It involved “extensive embedding” of Hitachi’s sustainability reporting into Hitachi Vantara, with Ninan as one of the executives presiding. </p> <p>That challenge had become “a huge proposition” with related opportunities around green IT and sustainability. Ninan had noticed that while Scope 1 and Scope 2 emissions were handled quite well, Scope 3 emissions accounting still needed work.</p> <p>“It didn’t do a really good job of Scope 3. Yet <a href="https://www.computerweekly.com/feature/Interview-CyrusOne-on-the-sustainable-innovation-that-drives-datacentre-business-outcomes">datacentres are a most impactful industry for global sustainability</a>,” he says.</p> <p>Sustainability is also important because so many datacentre projects are being cancelled. Ninan says that trend will increase, not least because <a href="https://www.computerweekly.com/feature/Datacentre-developers-tout-benefits-to-local-communities-but-do-they-deliver">people often don’t want datacentres in their backyard</a>, whether for environmental reasons or otherwise.</p> <p>“They’re now leery about the effects of AI. They’ve also seen bills go up, and they worry about water resources,” he adds.</p> </section> <section class="section main-article-chapter" data-menu-title="Cross-functional teams drive sustainability goals"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Cross-functional teams drive sustainability goals</h2> <p>Ninan’s team includes one other person, plus four entirely focused on product sustainability, helped by another <a href="https://www.computerweekly.com/news/366638707/Interview-Sarwar-Khan-on-shaping-BTs-green-future-and-delivering-sustainability-at-scale">sustainability</a> director and the sustainability lead analyst at Hitachi Digital, which is a centre of excellence shared across multiple Hitachi divisions.</p> <p>Also, Ninan’s team works bi-weekly with people who have a 20% or so commitment to sustainability in addition to their day jobs in finance, HR, logistics, operations and the like. Formal executive committee governance meetings happen quarterly. </p> <p>Hitatch Vantara has reported multiple <a href="https://www.hitachivantara.com/content/dam/hvac/pdfs/analyst-content/helping-make-the-world-a-better-place-2024-sustainability-report.pdf">sustainability awards for its tech</a>, including around AI, and high ratings from the likes of EnergyStar and EcoVadis. It launched a sustainability service level agreement (SLA) last year. </p> <p>Hitachi Vantara’s <a href="https://www.computerweekly.com/feature/An-action-plan-for-net-zero-compatible-with-budget-contraints">net-zero</a> target is 2040, following the Science-based Targets Initiative (SBTi) – a “more aggressive” target than its parent’s 2050.</p> <p>“And we have our state-of-the-art distribution centres, particularly one in the Netherlands, that have launched a whole bunch of new initiatives around logistics, distribution, biodiversity and so on,” he says. </p> <p>Ninan points out that customers today are more often “buying outcomes”, rather than being 100% focused on product. And he suggests that if more tech companies don’t wake up, poor sustainability can and will hit profits – if it hasn’t already.</p> <p>IT companies will lose customers and their credibility. In his view, <a href="https://www.computerweekly.com/feature/Pure-AVK-self-powered-Dublin-datacentre-dodges-grid-constraints">datacentre</a> operators could “make or break” sustainability goals, and it’s crucial for those in the industry to lead the way. </p> <p>Which is also an opportunity, not just for marketing narratives or even benchmarking, but to drive innovation, he says.</p> <p>So that’s what Ninan and his cross-functional team does – sponsoring and overseeing strategy and building sustainability together. Not least because it often takes people a long time to appreciate the importance of sustainability.</p> <p>“I make a lot of noise about that,” he says. “I’ve had to become a real champion for sustainability.”</p> </section> <section class="section main-article-chapter" data-menu-title="Bridging US and European sustainability narratives"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Bridging US and European sustainability narratives</h2> <p>In the US, especially, narratives on sustainability can differ from those in many other regions and markets. In Europe, sustainability is seen as crucial simply because the planet depends on it.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> I’ve had to become a real champion for sustainability </figure> <figcaption> <strong>Simon Ninan, Hitachi Vantara</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>However, US arguments typically must be formulated in dollars and cents. In the US, if you can’t make the economics work, if you can’t show how profits will be realised, it’s much more difficult to reach a consensus.</p> <p>Europe sometimes creates burdensome regulations and reporting requirements in an effort to get everyone on board, but that’s seen as a necessary evil.</p> <p>“You can’t have that ‘necessary evil’ conversation in the US. They say, ‘Tell me how it’s going to improve my revenue, and profits, and maybe then I’ll pay attention to it’,” says Ninan.</p> <p>“Then, of course, you have changing political administrations – and you hear they want to deregulate, as a matter of national competitiveness and innovation, with greenness potentially coming in at some future date or time.”</p> </section> <section class="section main-article-chapter" data-menu-title="Making the business case for green technology"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Making the business case for green technology</h2> <p>The challenge – and partly the fun – for Ninan and his team is to keep figuring out how to straddle the different <a href="https://www.techtarget.com/sustainability/feature/How-to-lead-on-sustainability-in-the-rise-of-greenhushing">narratives</a>, to explain how sustainability is good for businesses that are governed quarter to quarter by the markets. That includes via outreach, with public relations activities such as podcasts or thought leadership articles also a really interesting part of his job.</p> <p>“That’s where I talk about Hitachi Vantara products a bit, and that datacentres are about 3% of greenhouse gas emissions globally, of power consumed, and how that’s multiplying with the AI and internet of things revolutions,” says Ninan.</p> <p>Then his strategy might include pointing out projections for datacentre growth. If datacentre footprints triple in the next five years, as some estimates suggest, that will create problems for businesses.</p> <p>Power grids can’t handle it. They’re not ready, and resources such as energy and water are lacking. Economies can’t currently sustain that sort of datacentre demand; investment is required to meet the “real value” proposition, which typically boils down to cost savings, he says.</p> <p>“So, we explain that if you deploy our <a href="https://www.techtarget.com/searchstorage/opinion/Hitachi-Vantara-expands-in-hybrid-and-multi-cloud-storage">storage</a> and data solutions in datacentres, because of the proprietary technology, we can optimise how data is moved, stored and processed. We can reduce power consumption in datacentres by 30% to 60% compared to the average,” he says. “Forget the cost of buying the bits. Sure, we’ll do a great job for you there, but we’ll save you longer-term costs.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more IT sustainability interviews</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366638707/Interview-Sarwar-Khan-on-shaping-BTs-green-future-and-delivering-sustainability-at-scale">Sarwar Khan on shaping BT’s green future and delivering sustainability at scale</a>: How the sustainability practice enables BT to move on ‘tough topic’ targets that increase innovation, efficiency and success across its product portfolio.</li> <li><a href="https://www.computerweekly.com/feature/Interview-CyrusOne-on-the-sustainable-innovation-that-drives-datacentre-business-outcomes">CyrusOne on the sustainable innovation that drives datacentre business outcomes</a>: Sustainability initiatives continue to drive competitive advantage in addition to cutting costs, reveals Kyle Myers of colocation giant CyrusOne.</li> </ul> </div> </div> </section> We talk to Hitachi Vantara’s Simon Ninan about how the company looks to the far horizon when trying to match business needs with those of society https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/IT-sustainability-interviews-hero.jpg https://www.computerweekly.com/news/366642586/Interview-Hitachi-Vantara-takes-long-view-on-business-and-sustainability Tue, 12 May 2026 09:40:00 GMT Interview: Hitachi Vantara takes long view on business and sustainability <p>Enterprise software providers are rushing to introduce artificial intelligence (AI) into their platforms, which has a consequential impact on the technologies executives buy and the roles professionals fulfil.</p> <p>Into this maelstrom of AI-enabled change comes <a href="https://www.techtarget.com/searchhrsoftware/definition/Workday">Workday</a>, a cloud-based enterprise resource planning (ERP) firm that has made significant recent changes – including co-founder <a href="https://www.techtarget.com/searchhrsoftware/news/366640361/Workdays-new-old-CEO-reveals-Sana-agentic-AI-updates">Aneel Bhusri returning as chief executive officer and the introduction of Sana</a>, a new unified AI interface for Workday – to stay competitive and adapt to the growing importance of AI in business operations.</p> <p>So, what do the changes the technology giant envisions mean for senior executives in HR, finance and other business functions, and the staff these business leaders oversee? Computer Weekly visited Workday’s EMEA headquarters in Dublin for an innovation media event to hear more about the company’s roadmap and the implications for users.</p> <section class="section main-article-chapter" data-menu-title="Workday’s competitive position"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Workday’s competitive position </h2> <p>It was clear at the event that the rapid pace of AI-powered change enabled by Workday and other technology companies is very much the initial shift in a grander transformation.</p> <p>While employees at most firms have started dabbling in generative AI (GenAI) services, Kathy Pham, vice-president for AI at Workday, says the <a href="https://www.techtarget.com/whatis/definition/large-language-model-LLM">large language models (LLMs)</a> powering these technologies are limited in their influence. These probabilistic LLMs are usually trained on information across the internet, not within the enterprise firewall, and don’t have access to contextual financial records, customer details and HR information within businesses.</p> <p>“They’re disconnected,” says Pham, referring to these LLMs, adding that successful providers will help their customers achieve better outputs via a deterministic approach to AI. That’s where Workday comes in, with the company aiming to create agents, including through its next-generation service Sana, that are powered by concrete enterprise data points.</p> <p>“We believe agents need a deep understanding of how work happens,” says Pham. “And most importantly for me, this is where the right engineering comes into play, paired with a good, responsible AI team that provides the context across security, AI, systems, data and unified processes. We bring all that together when we build systems for our customers.”</p> <blockquote> <div class="imagecaption alignLeft"> <img src="https://cdn.ttgtmedia.com/rms/computerweekly/Kathy-Pham-Workday-140x180px.jpg" alt="Photo of Workday's Kathy Pham"> </div> <p><span style="font-size: 14pt;"><strong><span style="color: #34495e;">“We believe agents need a deep understanding of how work happens. This is where the right engineering comes into play, paired with a good, responsible AI team that provides the context across security, AI, systems, data and unified processes. We bring all that together when we build systems for our customers”</span></strong></span></p> <p><em><span style="color: #34495e;">Kathy Pham, Workday</span></em></p> </blockquote> <p>Work on this shift is already underway. During the <a href="https://www.computerweekly.com/news/366634678/Workday-sets-out-to-reinvent-ERP-with-agentic-AI-platform/">Rising conference in Barcelona in November 2025</a>, senior Workday executives described the company’s desire to provide an agentic AI platform that disrupts traditional ERP services. Gerrit Kazmaier, president of product and technology at Workday, positioned the platform in his keynote as a “front door to work”.</p> <p>In Dublin, Pham says Workday will use a deterministic approach to become this front door to work. She says employees should be able to log in to Workday and use built-in agentic services to ask natural-language questions about key issues, such as payroll variations across regions, and receive personalised answers from enterprise data sources.</p> <p>At the heart of Workday’s deterministic approach to AI sits <a href="https://www.computerweekly.com/blog/CW-Developer-Network/Workday-acquires-agentic-AI-search-learning-specialist-Sana">Sana</a>. Pierre Gousset, vice-president of solutions at Workday, describes Sana as the intelligent entry point for accessing data and taking AI-enabled actions. “It’s where organisations build, orchestrate and manage agents that can deliver work across HR, finance, IT and beyond,” he says.</p> <p>“With Sana, you get access to an AI that is not only powerful, but that also lives inside Workday’s deepest understanding of your data, people, job architectures, organisational structures, approval chains and compensation bounding. That gives us an unfair advantage that we think no other AI can replicate.”</p> <p>While Workday is eager to position Sana as a step change in business-focused AI, the platform shouldn’t be seen in isolation from other enterprise applications. To that end, Gousset says integrating Sana with other providers’ services gives Workday’s agents the best possible access to data that will drive end-to-end process automation.</p> <p>“Sana is designed to work with the broader enterprise ecosystem, and we deliver this through secure integrations with platforms like Salesforce, Databricks, Snowflake, Google and Microsoft 365, and we want to make this possible because we want Sana to be used not only to answer questions in Workday, but to trigger actions across all enterprise systems.”</p> <p>Gousset detailed four key capabilities of Sana’s agents: asking questions of data across enterprise systems; helping professionals take actions based on this insight; building outputs via dashboards, reports and documents; and automating processes to create multi-step workflows. He says the final capability – automating workflows – is where Sana moves from being an assistant to a system that executes work with professionals.</p> <p>While this agentic transformation sounds powerful in practice, it’s important to remember that other providers are making similar shifts. And though embracing emerging technology allows specialists like Workday to create new data-led services, the rise of AI also creates risks for software firms, not least the potential for disintermediation.</p> <blockquote> <div class="imagecaption alignLeft"> <img src="https://cdn.ttgtmedia.com/rms/computerweekly/Clare-Hickie-1-Workday-140x180px.jpg" alt="Photo of Workday's Clare Hickie"> </div> <p><span style="font-size: 14pt;"><strong><span style="color: #34495e;">“Our success will be built on the foundations established by the deterministic guardrails we’ve put in place. These foundations will help organisations evolve successfully into the world of AI”</span></strong></span></p> <p><em><span style="color: #34495e;">Clare Hickie, Workday</span></em></p> </blockquote> <p>Some industry experts have suggested that <a target="_blank" href="https://www.deloitte.com/us/en/insights/industry/technology/technology-media-and-telecom-predictions/2026/saas-ai-agents.html" rel="noopener">as many as 35% of software-as-a-service (SaaS) tools could be replaced by AI agents</a> by 2030. In a one-to-one interview in Dublin, Computer Weekly asked Workday’s chief technology officer, Clare Hickie, whether disintermediation is on her executive team’s radar.</p> <p>“I can see why you asked the question, because I can see what’s being said in the media right now, and I can see some of the curiosity that may be applied based on where we are in the world in this transitional period from an AI perspective,” she says. “However, what I will say, and it’s no more than what we’ve said at this event, is that AI is often probabilistic, which means it can be wrong, whereas we operate via a deterministic application stack.”</p> <p>In an uncertain world, Hickie says CIOs will look for the degree of certainty that trusted software providers can supply. She says it’s here that Workday excels, with a strong history of building services for major enterprises in risk-averse sectors that will require deterministic AI solutions for intractable challenges.</p> <p>“We can never be wrong when it comes to payments,” she says. “We can’t be wrong when it comes to financial close, audits and compliance. And so our success will be built on the foundations established by the deterministic guardrails we’ve put in place. These foundations will help organisations evolve successfully into the world of AI.”</p> </section> <section class="section main-article-chapter" data-menu-title="New technologies, new skills"> <h2 class="section-title"><i class="icon" data-icon="1"></i>New technologies, new skills </h2> <p>The key to Workday becoming the “front door to work” will be the extent to which CIOs and other buyers use the firm’s technologies to support an AI-enabled workplace transformation.</p> <p>Gousset demonstrated at the event how Sana’s agents can automate processes across enterprise ecosystems to help line-of-business employees manage tasks, such as onboarding new employees and producing reports, and add repeatable workflows, such as getting executive-level sign-offs.</p> <blockquote> <div class="imagecaption alignLeft"> <img src="https://cdn.ttgtmedia.com/rms/computerweekly/Pierre-Gousset-Workday-140x180px.jpg" alt="Photo of Workday's Pierre Gousset"> </div> <p><span style="font-size: 14pt;"><strong><span style="color: #34495e;">“Think about how much time you save by not having to work across multiple systems. This is a new type of experience, where AI is the UI, and you replace dozens of enterprise systems with a conversational experience, which is more intuitive but also more intelligent”</span></strong></span></p> <p><em><span style="color: #34495e;">Pierre Gousset, Workday</span></em></p> </blockquote> <p>“Think about how much time you save by not having to work across multiple systems,” he says. “This is a new type of experience, where AI is the UI [user interface], and you replace dozens of enterprise systems with a conversational experience, which is more intuitive but also more intelligent. This capability is how businesses will transform work.”</p> <p>Hickie says the underlying aim of these and other services is to ensure agents do more than answer questions and summarise information. By combining data with enterprise context, Workday wants to develop agents that create a step change in workplace productivity.</p> <p>“By context, we mean that agents understand skills, decision lines, approvals, security and where friction points actually are,” she says. “And it’s that context that allows us to deliver 100% positive outcomes, but equally, more importantly, that layer of productivity that is really required when it comes to AI and agents in particular.”</p> <p>Examples discussed at the event included a Recruiting Agent that helps recruiters break their reliance on manual processes, allowing them to spend less time filling roles and more time discovering talent. Another example was Workday’s Payroll Agent, which unifies data and context to create a service that helps staff spend less time on compliance-focused tasks.</p> <p>“This capability is just a starting point for Workday,” says Hickie. “How we see these agents being delivered is through a level of depth and breadth. It’s not always about the singular role that an agent will explicitly perform. Many of these agents will be able to complete end-to-end workflows.”</p> <p>This higher level of automation raises important questions about the future of work, not just for the professionals who fulfil these tasks, but also for companies like Workday that are enabling this workplace transformation. Workday CEO Bhusri acknowledged the scale of change in a press conference in March.</p> <p>“What sometimes keeps me awake at night is that low-level HR work is going to be replaced by agents; there is no getting around that. And what the industry needs to own, including Workday, is that we have to find a way to take care of the employees who are dislocated.”</p> <blockquote> <div class="imagecaption alignLeft"> <img src="https://cdn.ttgtmedia.com/rms/computerweekly/Chandler-Morse-Workday-140x180px.jpg" alt="Photo of Workday's Chandler Morse"> </div> <p><span style="font-size: 14pt;"><strong><span style="color: #34495e;">“Our team has been working both in the US, at the federal and state and local level, and with the European Commission, so a policy response to issues [around AI-enabled disruption] is top of mind for us”</span></strong></span></p> <p><em><span style="color: #34495e;">Chandler Morse, Workday</span></em></p> </blockquote> <p>In Dublin, Chandler Morse, chief corporate affairs officer at Workday, acknowledged the concerns about AI-enabled disruption. He says Workday is urging lawmakers to consider employer incentives for reskilling.</p> <p>“Our team has been working both in the US, at the federal and state and local level, and with the European Commission, so a policy response to those issues is top of mind for us,” he says.</p> <p>Beyond policy, Bhusri suggested in the March press conference that Sana itself could provide a potential solution to the intractable challenge of worker dislocation, automating low-level manual tasks while helping to retrain employees in the new skills required. In Dulin, Gousset says Workday views agents as extensions of a company’s workforce.</p> <p>“Agents are not going to replace humans,” he says. “Most agents will work hand in hand with humans to accomplish certain tasks. Therefore, you need, organisationally, not only technically, to be able to define which part of your processes are going to be managed jointly by humans and agents.”</p> <p>Here, he pointed to Workday’s Agent System of Record. This tooling helps organisations to consider the permissions and skills required for agents and humans in an AI-powered workplace transformation: “It’s really about building that framework to help enterprises rethink their process gradually, together with AI.”</p> <p>What’s clear, says Hickie, is that the pace of change is only going to quicken. Yes, Workday technology is helping power a workplace transformation, but the company also wants to help employees and their bosses embrace new roles and skills required in an age of AI.</p> <p>“Our technology is helping others manage that change from a development perspective,” she says. “We’re working out where the skills gaps are in the roles that are starting to be defined, and we also want to help individuals train, learn and develop within their current roles. We’re just moving into this moment of change.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about agentic AI and enterprise applications</h3> <ul class="default-list"> <li>Workday’s new (old) CEO reveals <a href="https://www.techtarget.com/searchhrsoftware/news/366640361/Workdays-new-old-CEO-reveals-Sana-agentic-AI-updates">Sana agentic AI updates</a>: How doing work in Workday could become simpler with agentic AI.</li> <li>Oracle is turning corporate software <a href="https://www.computerweekly.com/news/366642385/Oracle-is-turning-corporate-software-over-to-AI-agents">over to AI agents</a>: As Oracle rolls out a slew of agentic AI tools and applications, a senior company executive explains how enterprise workflows are changing and why software pricing models may be due for a shake-up.</li> <li>Inside SAP R&D on the <a href="https://www.techtarget.com/searcherp/podcast/Inside-SAP-RD-on-the-convergence-of-agentic-and-physical-AI">convergence of agentic and physical AI</a>: In this podcast, Yaad Oren, SAP’s head of research and innovation and managing director of SAP Labs US, says smarter, autonomous physical AI devices are poised for business use.</li> </ul> </div> </div> </section> On a visit to Workday’s Dublin EMEA HQ, we find the supplier aiming to leverage agentic artificial intelligence to improve enterprise operations with its Sana platform, said to enable automation and reskilling for an AI-driven workplace https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/HR-recruitment-leadership-staff-workforce-tomertu-adobe.jpg https://www.computerweekly.com/feature/Workday-majors-on-Sana-acquisition-to-forward-agentic-AI-programme Tue, 12 May 2026 08:30:00 GMT Workday majors on Sana acquisition to forward agentic AI programme <p>A deal between Europe and the US could lead to unprecedented access by the US Department of Homeland Security (DHS) – which operates US <a href="https://www.computerweekly.com/news/366641058/NCSC-warns-high-risk-individuals-of-Signal-and-WhatsApp-social-engineering-attacks">Immigration and Customs Enforcement</a> (ICE) – to the biometric data of European citizens.</p> <p>Europe and the US are holding talks on a framework agreement for an Enhanced Security Border Partnership (EBSP) between the US and the European Union (EU) that will provide the US with access to data on EU citizens.</p> <p>The UK’s Home Office confirmed it has received a request from the US DHS to access fingerprint records in relation to the EBSP programme, but said no negotiations were underway.</p> <p>The agreement between Europe and the US will allow “a reciprocal exchange of information” for security screening, identity verification and visa applications.</p> <p>Critics say that given the sensitivity of the data involved and the widely criticised actions of ICE officers against US citizens, there is a strong public interest in understanding exactly what the European authorities are negotiating.</p> <p>But negotiations are shrouded in secrecy. The author of this article has been trying to obtain the documents for months under Freedom of Information (FOI) laws, but the Council of the European Union has refused to release them, arguing that their disclosure would harm international relations.</p> <p>It said that the council enjoys a “wide discretion” in determining whether disclosure of a document to the public would undermine the public interest.</p> <section class="section main-article-chapter" data-menu-title="Continuous systematic transfers of data"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Continuous systematic transfers of data</h2> <p>A <u><a href="https://url.us.m.mimecastprotect.com/s/hFiOCKrY6nH90RwL8FMf4U5XbrF?domain=statewatch.org">draft of the agreement proposed by Europe</a></u> has been leaked to <u><a href="https://url.us.m.mimecastprotect.com/s/Z0faCL9YPoHX5zOLNsqhkUyFPJt?domain=statewatch.org/">Statewatch</a></u>, which reported that the EBSP “would involve mutual continuous and systematic transfers of biometric data”, understood to include fingerprints, photographs and genetic data.</p> <p>Statewatch, a non-profit that monitors human rights in the UK and Europe, warned that data exchanged under the proposal could be used for a wide range of purposes by the US.</p> <p>This includes preventing or arresting people travelling to the US who have expressed opposition to US policies in Europe, or for automated discriminatory profiling of travellers, including EU citizens.</p> <p>The US is also holding separate negotiations with other countries participating in the Visa Waiver Program (VWP), a US government scheme that allows nationals of participating countries to travel to the US for tourism or business for up to 90 days without a visa.</p> <p>US authorities expect EBSP to be in place by 31 December 2026.</p> </section> <section class="section main-article-chapter" data-menu-title="UK is negotiating with US on ESBP"> <h2 class="section-title"><i class="icon" data-icon="1"></i>UK is negotiating with US on ESBP</h2> <p>The UK Home Office told Computer Weekly, following a FOI request, that it had received a request from the US Department of Homeland Security (DHS) regarding an Enhanced Security Border Partnership with the UK, but that “negotiations are not underway”.</p> <p>Asked which UK databases the US is seeking access to, the Home Office said the US was seeking access to UK fingerprint data, but mentioned no other biometrics.</p> <p>“The US has requested the ability to check the fingerprints of UK citizens applying for a US visa against the UK national criminal fingerprint databases as a condition of ongoing membership of the US Visa Waiver Program,” it said.</p> <p><u><a href="https://url.us.m.mimecastprotect.com/s/0qtLCM8E9pH9Gn8jxFJi8U853fw?domain=linkedin.com/">Sophie In’t Veld</a></u>, former Dutch member of the European Parliament and a vocal critic of the post-9/11 EU-US data agreements, told Computer Weekly it was hard to see who would defend the rights of European citizens.</p> <p>“The government leaders are falling all over each other with grand statements about European digital autonomy, but they happily give away our most sensitive data, without any legal protection whatsoever, to an administration that is anti-democratic and hostile to Europe and Europeans,” she said.</p> <p>Journalists in Europe and Australia, another country participating in the VWP, who have tried to access information about the EDPS under Freedom of Information laws have received either denial or heavily redacted documents.</p> <p>This author has requested documents from Italy’s Home Office, which refused to reply, with the Council of the European Union, which denied access.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about border security technology</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366615119/Starmer-announces-tech-enabled-crackdown-on-people-smuggling">Starmer announces tech-enabled crackdown on people smuggling</a>: The UK government has announced a further £75m of funding for its Border Security Command, meaning it will now have £150m over two years to spend on new technologies and staff.</li> <li><a href="https://www.computerweekly.com/news/366611613/Home-Office-eVisa-scheme-is-broken-says-Open-Rights-Group">Home Office eVisa scheme is ‘broken’, says Open Rights Group</a>: Digital rights campaigners say the Home Office’s plan to make its new electronic Visa scheme a real-time online-only process is part and parcel of the ‘hostile environment’ around immigration status.</li> <li><a href="https://www.computerweekly.com/news/366610395/Data-sharing-for-immigration-raids-ferments-hostility-to-migrants">Data sharing for immigration raids ferments hostility to migrants</a>: Data sharing between public and private bodies for the purposes of carrying out immigration raids helps to prop up the UK’s hostile environment by instilling an atmosphere of fear and deterring migrants from accessing public services.</li> </ul> </div> </div> </section> The UK has received a request from the US to share biometric data of citizens, as Europe negotiates a similar deal with US Department of Homeland Security https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/digital-network-biometrics-fingerprint-adobe.jpeg https://www.computerweekly.com/news/366643013/Europe-and-US-negotiate-deal-to-share-citizens-biometric-data-UK-also-approached Tue, 12 May 2026 07:15:00 GMT Europe and US negotiate deal to share citizens’ biometric data, UK also approached <p>Process mining company Celonis has acquired MIT-linked decision intelligence supplier Ikigai Labs to flesh out its offer to eliminate artificial intelligence (AI) “blind spots” from business IT. Linked to the acquisition is the launch of what the supplier calls a “context model” that functions as a real-time <a href="https://www.techtarget.com/searcherp/definition/digital-twin">digital twin</a> of business operations for customers.</p> <p>In a press statement, the company said: “As organisations … attempt to deploy enterprise AI, they face a critical challenge of ensuring AI does not have blind spots in understanding how their businesses operate. Without this understanding, AI agents cannot make a real impact, so companies struggle to see meaningful returns on their enterprise AI investments.”</p> <p>The supplier claimed its Celonis Context Model (CCM) “fixes this by providing a dynamic, real-time digital twin of operations, which translates the business into a language AI understands”.</p> <p>It added: “Built on process data and business knowledge from every system, application, device and interaction across the business, it gives enterprise AI the operational clarity it needs to reason correctly, act reliably and deliver results at scale.”</p> <p>Dan Brown, chief product officer and executive vice-president of engineering at Celonis, stated in a <a href="https://www.celonis.com/blog/the-context-model-the-missing-piece-of-the-enterprise-ai-tech-stack" target="_blank" rel="noopener">blogpost</a>: “AI models don’t know about how your specific invoices are related to your shipping records because that data is proprietary, private and fragmented across internal systems, applications and devices. And without that deterministic foundation – the ground truth of your operational reality – no AI agent can be trusted to make reliable real-time decisions and take actions that effectively drive your business outcomes.”</p> <section class="section main-article-chapter" data-menu-title="Enabling better business decisions"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Enabling better business decisions</h2> <p>Celonis said its acquisition of Ikigai would “bring state-of-the-art enterprise <a href="https://www.techtarget.com/searchbusinessanalytics/definition/decision-intelligence">decision intelligence</a> and cutting-edge AI innovation – which includes planning, simulation and forecasting capabilities – to the CCM”.</p> <p>Ikigai was co-founded in 2019 by <a target="_blank" href="https://devavrat.mit.edu/" rel="noopener">Devavrat Shah</a> (CTO and CEO) and <a href="https://www.techtarget.com/whatis/feature/How-to-opt-out-of-AI-training-across-social-media-platforms">Kamal Ahluwalia</a>. Shah holds a professorial chair of AI at MIT. By its own account, on its website, <a target="_blank" href="https://www.ikigailabs.io/" rel="noopener">Ikigai Labs</a> specialises in processing and analysing structured enterprise data, such as tabular and time series data.</p> <p>It offers a <a href="https://www.techtarget.com/searchenterpriseai/tip/Top-generative-AI-tool-categories">generative AI (GenAI) platform</a> built on proprietary large graphical models (LGMs), which are said to be designed for structured enterprise data, in contrast with <a href="https://www.techtarget.com/whatis/definition/large-language-model-LLM">large language models (LLMs)</a> that focus on unstructured text.</p> <p>As part of the acquisition agreement, Celonis will gain exclusive rights to MIT-owned patents, which Ikigai had licensed from MIT, and MIT will become a shareholder in Celonis. </p> <p>In an interview with Computer Weekly, Celonis president Carsten Thoma said: “If you look at the noise level out there, CIOs are completely confused.</p> <p>“Two years ago, we decided that we wanted to have something like a holistic business graph that can serve as the brains of an operation for a company. We knew from our own insights that application landscapes are super-fragmented, that data lakes are competing, that AI is on the horizon, but that some of the AI is very hard to deploy in an efficient manner.</p> <blockquote> <div class="imagecaption alignLeft"> <img src="https://cdn.ttgtmedia.com/rms/computerweekly/Carsten-Thoma-Celonis-140x180px.jpg" alt="Photo of Carsten Thoma, Celonis"> </div> <p><span style="font-size: 14pt;"><strong><span style="color: #34495e;">“AI is only as good as the context it has. Every organisation needs to give its enterprise AI a holistic, living model of how a business truly operates. This has never been possible until now”</span></strong></span></p> <p><em><span style="color: #34495e;">Carsten Thoma, Celonis</span></em></p> </blockquote> <p>“We took a step back and thought about what customers need to master those challenges and navigate in a way that they don’t blow the budget, that they don’t start 10 pilots in AI where eight yield no results, where they can really take a position of strength, courage and intelligence to execute on the future.</p> <p>“We had a few pieces in place already with our process intelligence platform, and then there were a few pieces missing. The last piece is the large graphical model we are acquiring now with Ikigai.”</p> <p>Thoma said that it now offers a “robust and future-proof approach to provide a control tower and platform for operational context and intelligence”, adding: “It is important to understand we are domain agnostic and system agnostic from the operational context model [point of view] because other vendors talk about specific domains.”</p> <p>In the press statement, Thoma said: “AI is only as good as the context it has. Every organisation needs to give its enterprise AI a holistic, living model of how a business truly operates. This has never been possible until now. And with Ikigai, we’re making our platform even stronger, extending its intelligence beyond how your business runs today to how it should – and could – run tomorrow.”</p> <p>Devavrat Shah, now chief scientist for enterprise AI at Celonis, said: “Ikigai was built on a simple but firm conviction: better enterprise decisions require AI that works with enterprise data. Ikigai has proven foundation model technology for structured data at scale; Celonis has encoded enterprise processes. Together, we provide the fullest operational representation of business reality.”</p> </section> <section class="section main-article-chapter" data-menu-title="Context essential for trusted AI"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Context essential for trusted AI</h2> <p>Jerome Revish, chief technology officer for digital and technology services at Celonis customer Cardinal Health, a US health services company, said, in support of Celonis’s contextual message, that in the healthcare industry, “precision is paramount” and “AI that’s only right most of the time” is simply not acceptable.</p> <p>“We use AI as a tool to accelerate operational insight – process context enables agents to support our team in acting with precision. Defining guardrails then gives us the confidence to act,” added Revish. “Ultimately, context is what makes the difference between AI that’s impressive in a demo and AI that’s trusted and safe to deploy.”</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Context is what makes the difference between AI that’s impressive in a demo and AI that’s trusted and safe to deploy </figure> <figcaption> <strong>Jerome Revish, Cardinal Health</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Rafael Domene, CIO at Consentino, a Spanish company that makes and distributes surfaces for architecture and design, and whose brands include Silestone, Dekton and Sensa, was also aligned with the contextual message.</p> <p>“Our goal is to build a digital workforce of AI agents that can run and improve our business operations at scale. What we’ve learned is that an agent is only as good as the context you give it,” he said.</p> <p>“When you provide AI with a real understanding of your processes – the data, the business rules, the decision logic – it stops being a tool you experiment with and becomes one you trust to act. That’s what makes the difference between an agent that makes a recommendation and one that runs a process,” added Domene.</p> <p>Chicago-based snacks maker Mondelez International, whose brands include Cadbury, Oreo and Toblerone, is another Celonis customer that says the supplier is helping with its agentic AI programme of work.</p> <p>“We’re in the middle of one of the most consequential technology transformations in our history while simultaneously building the foundation for agentic AI,” said Filippo Catalano, chief information and digital officer at Mondalez.</p> <p>“We’ve learned you cannot sustainably deploy and run trusted AI agents across a landscape as complex and varied as ours, unless those agents understand and act based on the reality of how your processes run across every market, system and function – not just how they were designed in theory,” he added.</p> </section> <section class="section main-article-chapter" data-menu-title="‘Context graph thesis made real’"> <h2 class="section-title"><i class="icon" data-icon="1"></i>‘Context graph thesis made real’</h2> <p>Celonis says its platform brings data together with zero-copy integrations to sources like Amazon Web Services, <a href="https://www.techtarget.com/searchbusinessanalytics/news/366625695/Latest-Databricks-tools-use-AI-to-simplify-AI-development">Databricks</a> and <a href="https://www.techtarget.com/searchdatamanagement/news/366631393/Microsoft-adds-new-AI-development-OneLake-tools-to-Fabric">Microsoft Fabric</a>, as well as pre-built connectors to Oracle and other enterprise resource planning (ERP) and customer relationship management (CRM) platforms.</p> <p>It says it has also built integrations with agentic platforms, including Amazon Bedrock, Anthropic’s Claude Cowork, IBM Watsonx Orchestrate, Microsoft Copilot and Agent365, and Oracle Cloud Infrastructure Enterprise AI.</p> <p>Celonis’s <a href="https://www.techtarget.com/searcherp/tip/6-process-mining-steps-for-CIOs-IT-leaders">competitors in the process mining and process intelligence market</a> include SAP Signavio, UiPath and IBM Process Mining.</p> <p>For one of Ikigai Labs’ investors, Foundation Capital, general partner Ashu Garg added: “This is our context graph thesis made real. Celonis has built the deepest operational understanding of how enterprises actually function – as a live, process-native model of how work happens, why it breaks and what should happen next.</p> <p>“With the acquisition of Ikigai Labs, they’ve added the decision intelligence and simulation capabilities that make it truly effective.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about process mining and decision intelligence</h3> <ul class="default-list"> <li>What is <a href="https://www.techtarget.com/searchcio/definition/process-mining">process mining</a>, and why is it essential in the enterprise? We look at the benefits, drawbacks, use cases and future of process mining.</li> <li>What adding a <a href="https://www.techtarget.com/searcherp/podcast/What-adding-a-decision-intelligence-platform-can-do-for-ERP">decision intelligence platform</a> can do for ERP: In this podcast, Tom Oliver of AI supplier Faculty makes the case for decision intelligence technology as the solution to the data silo problems of today’s composable ERP.</li> <li><a href="https://www.techtarget.com/searchbusinessanalytics/tip/Decision-intelligence-changes-operations-across-industries">Decision intelligence changes operations</a> across industries: Decision intelligence speeds up the process of delivering data to decision-makers efficiently, improving operations across industries.</li> </ul> </div> </div> </section> Celonis has acquired MIT-linked Ikigai to aid in its drive to eliminate artificial intelligence blind spots from enterprise IT, and launched a ‘context model’ digital twin, said to give AI operational clarity https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/lightbulbs-planning-process-improvement-EtiAmmos-adobe.jpg https://www.computerweekly.com/news/366642978/Celonis-acquires-MIT-linked-decision-intelligence-firm-Ikigai Tue, 12 May 2026 06:50:00 GMT Celonis acquires MIT-linked decision intelligence firm Ikigai <p>Alwin Bakkenes, head of <a href="https://www.computerweekly.com/news/366618219/InterviewVolvos-engineering-lead-discusses-tech-stacks">software engineering at Volvo Cars</a>, reckons that leading a team to develop the technology stack powering the next generation of mobility at the automotive giant is one of the best jobs you can imagine.</p> <p>“I’m not saying it’s always easy, but it’s incredibly rewarding and great fun,” he says. “People are passionate about our products, and you get instant feedback on the quality of what you do from consumers – whether that’s from friends, family or a community like Reddit. There’s just so much feedback, and that motivates and makes us better.”</p> <p>Bakkenes reports to Volvo CTO Anders Bell and is a member of the extended executive management team that oversees operational governance. “I’m part of that group because software, of course, has a massive transformational impact on the company,” he says.</p> <p>On a day-to-day basis, Bakkenes’ team works closely with technology and content partners to deliver customer experiences, with innovations in safe automation, core computing architecture and Android-based infotainment services. His team manages technology associated with Volvo’s <a href="https://www.computerweekly.com/news/366641586/Qualcomm-expands-strategic-advanced-driver-assistance-systems-immersive-eyewear-collaborations">advanced driver assistance systems (ADAS)</a> and an in-house artificial intelligence (AI) factory.</p> <p>“We also manage mobile network contracts because we operate in 85-plus countries globally,” he says. “So, we have a large scope, and our work defines a big part of how the vehicles behave and helps us to create different types of relationships with our customers.”</p> <section class="section main-article-chapter" data-menu-title="Connecting vehicles"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Connecting vehicles</h2> <p>Bakkenes joined Volvo in November 2022, having previously been vice-president at Aptiv, chairman of the board of directors at Smashing Ideas, and executive vice-president for automotive at Luxsoft.</p> <p>One of his big achievements at Volvo has been leading the digital transformation that accompanied the unveiling of the <a href="https://www.volvocars.com/intl/news/articles/ex60-the-most-intelligent-volvo/">EX60</a>, the first car designed to launch with Google Gemini AI assistant and connectivity delivered by the Snapdragon Auto Connectivity Platform from Qualcomm Technologies.</p> <p>As Computer Weekly discovered in January, <a href="https://www.computerweekly.com/news/366637420/Volvo-EX60-hits-accelerator-on-in-vehicle-connectivity-and-AI">the EX60 is the most intelligent Volvo</a> and can travel 810km on a single charge. The car also has the latest iteration of HuginCore, the manufacturer’s in-house-developed core system for its software-defined vehicles (SDVs).</p> <p>“Volvo Cars has always been known for safety,” says Bakkenes, referring to the journey the in-house software team has taken during its digital transformation. “Over the years, after we started to do innovations in terms of collision avoidance – because, of course, avoiding a collision is better than protecting people in a collision – we started to bring computer vision and radar into cars.”</p> <p>Bakkenes says the software team learned that getting data from cars digitally would enable them to do even more. “So, we started making every single car connected and started doing more in-house development. We built an AI factory and built an in-house team of some 3,000 developers that build this software stack for us,” he says.</p> <p>“One of our biggest accomplishments with the optimisation work that we did for the EX60, where we did our second-generation zonal architecture, was that we really simplified the approach. We reduced weight, a lot of packaging space, we made the technology much more efficient and made it applicable to every single car in our cycle plan.”</p> </section> <section class="section main-article-chapter" data-menu-title="Digitising the stack"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Digitising the stack</h2> <p>Bakkenes says the result of this digital transformation is that Volvo has transitioned from a mechanically oriented company to an organisation that successfully manages its technology base, with HuginCore sitting at the heart of its future automotive innovations.</p> <p>“We now have a single tech stack strategy for our cars, which ultimately gives us more time to spend on building fantastic customer features and experiences,” he says. “And that’s one of the biggest parts of the journey that we’ve been on over the past few years.”</p> <p>HuginCore features an electrical architecture, a core computer, zone controllers and software. The name Hugin comes from Nordic mythology – Odin had two ravens, Hugin and Munin. Bakkenes says Hugin was the raven who flew to scout and then whispered in Odin’s ear about everything in the vicinity.</p> <blockquote> <div class="imagecaption alignLeft"> <img src="https://cdn.ttgtmedia.com/rms/computerweekly/Alwin-Bakkenes-Volvo-PR-140px.jpg" alt="Headshot of Alwin Bakkenes."> </div> <p><strong><span style="color: #34495e;">“We now have a single tech stack strategy for our cars, which ultimately gives us more time to spend on building fantastic customer features and experiences”</span></strong></p> <p><em><span style="color: #34495e;">Alwin Bakkenes, Volvo Cars</span></em></p> </blockquote> <p>“That’s like what we are doing with the core system,” he says. “HuginCore perceives the world around it and gives us the right information to make decisions on avoiding collisions and more. It’s the core system and tech stack that we’re standardising on. And, of course, it’s much more than a piece of compute. It’s vehicle architecture, cloud infrastructure and factory infrastructure.”</p> <p>Beginning with the EX60 implementation, Bakkenes says the aim is to ensure the company builds its innovations around this stack, rather than using multiple platforms. “Which is ultimately not how modern tech companies, like Apple, would do things,” he says, referring to the company’s shift to becoming a company that manages its technology foundation.</p> <p>“For example, we have a partnership with a UK company called Brief that is really good at database analytics on battery cells and how you store energy as fast as possible. So, not only do we have a good, robust 800-volt system, we’re able to push a lot of energy into the cells for a prolonged period of time, meaning that we avoid the standard curves of charging cars.”</p> </section> <section class="section main-article-chapter" data-menu-title="Delivering innovation"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Delivering innovation</h2> <p>The progress made by Bakkenes and his team was recognised recently, with Volvo <a href="https://www.volvocars.com/uk/media/press-releases/A015B3D74C214AE3/">achieving S&P Global Mobility Level 5 capability in SDVs</a>, the highest category in its assessment of automotive software maturity. Notably, Volvo is the only legacy manufacturer to have achieved this rating.</p> <p>“They looked at what we were doing,” says Bakkenes, referring to the evaluation process. “We explained to them how we work and what the architecture looks like. Having a fully software-defined architecture means we should create significant customer benefits. So, we’re proud. It’s recognition that we’re doing good work.”</p> <p>The recognition from S&P Global highlights Volvo’s attempts to improve vehicle functionality through software, including over-the-air updates to add safety features, unlock faster charging speeds, increase driving range and enhance user experiences. Bakkenes says the company’s digitisation is all about leaving behind traditional domain-based architectures.</p> <p>The new approach being pioneered by Volvo focuses on three levels: a high-performance compute cluster where the team works with key partners, such as Nvidia and Qualcomm; zonal architecture with high-integrity applications that require low latency and fast response times, such as for safety-critical functions, including brakes and acceleration; and infotainment, where Volvo works closely with Google and its Android operating system (OS).</p> <p>“We work very heavily with partners to build the foundations for that strategy. We work with Nvidia on developing the safety-critical, high-performance execution environment, so we can execute high-integrity applications on compute clusters, such as ADAS,” he says.</p> <p>“We also work with Google deeply and closely, because the Android platform creates an openness and an ecosystem that is a fantastic foundation to build a modern infotainment system, which has customer-facing functionality, such as Gemini for conversational AI and Google Maps, and an open app store that we use to bring in massive amounts of content.”</p> </section> <section class="section main-article-chapter" data-menu-title="Embracing AI"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Embracing AI</h2> <p>Volvo continues to hone its approach to SDVs. As Computer Weekly reported at the time, <a href="https://www.computerweekly.com/news/366624216/Google-gets-in-gear-with-Volvo-to-drive-connected-vehicle-AI/">the company extended its partnership with Google in May 2025.</a> Volvo believes that with Gemini in the car, drivers can better understand what they want through natural conversations.</p> <p>As well as using AI services to boost internal operational efficiency, Bakkenes says the company uses emerging technology in two key product areas.</p> <p>First, in collision-avoidance systems. With a strong heritage in vehicle safety, Volvo has collected millions of data points since 2020, all with customer consent, to improve ADAS.</p> <p>“We’ve seen that building AI models that we train on what happens and what will go wrong – thereby preventig things from happening – is incredibly valuable,” he says. “So, we literally built a company, a subsidiary called Zenseact, which is part of my scope. I’m the chairman of the company, and it’s deeply integrated into our way of working in engineering.”</p> <p>Second, Bakkenes says his team is focused on customer-oriented, AI-enabled products. Using tools such as Gemini, drivers will use in-car systems to plan routes, help schedule activities and organise their lives. “AI is not just about telling you things,” he says. “It’s about becoming more agentic and taking care of tasks in your life.”</p> <p>While Volvo has made significant advances in AI with the launch of the EX60, the company is eager to ensure that drivers of older vehicles can also benefit from its data-powered services. To that end, the company recently announced that <a href="https://www.volvocars.com/uk/media/press-releases/B6E914771F82F5C4/">Google Gemini is rolling out to Volvo vehicles dating back more than five years</a>. Bakkenes suggests this decision is a step change in how drivers interact with cars and how manufacturers support them.</p> <p>“We’re bringing Gemini to every car we’ve produced since 2020,” he says. “Six years ago, we had no idea what a transformer-based conversational assistant was or would become. So, the fact that we can bring Gemini to those cars is fantastic.”</p> </section> <section class="section main-article-chapter" data-menu-title="Scaling improvements"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Scaling improvements</h2> <p>Bakkenes reflects on the digital transformation changes he’s overseen during the past few years and suggests his team is approaching what he calls “harvest time”.</p> <p>“We now have a foundation where we have a good architecture,” he says. “We have a large amount of high-performance computing to grow and develop in the future. The foundation of the technology is there, and it’s about applying and scaling it.”</p> <p>Bakkenes says the desire to push Gemini-powered services to older vehicles shows that his team’s efforts aren’t just focused on tomorrow’s technology – they’re also focused on supporting long-standing customers who have committed money to the car company. </p> <p>“The harvesting part is about us saying, ‘OK, so now we can put more energy into enhancing the experiences’, and that means refining the user interface implementation, and tweaking and optimising it until you get a product that fits day-to-day usage perfectly,” he says. “We want our cars to keep improving over time.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more interviews with automotive IT leaders</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640716/Interview-Thierry-Martin-head-of-enterprise-data-and-analytics-Toyota-Motor-Europe">Interview: Thierry Martin, head of enterprise data and analytics, Toyota Motor Europe</a> – A sketch artist by night, and a vehicle engineer by training, Toyota Europe’s data chief is bringing elements of both capabilities to bear in delivering better data insights and building a foundation for AI.</li> <li><a href="https://www.computerweekly.com/news/366628079/Interview-How-ITSM-helps-deliver-results-at-McLaren-Racing">Interview: How ITSM helps deliver results at McLaren Racing</a> – We speak to Dan Keyworth, director of business technology at McLaren Formula One Team, about how IT keeps the F1 team on track.</li> <li><a href="https://www.computerweekly.com/news/366615343/CIO-interview-Steve-OConnor-Aston-Martin">CIO interview: Steve O’Connor, Aston Martin</a> – Skills gaps, electrification and customisation driving need for change, says Aston Martin CIO Steve O’Connor.</li> </ul> </div> </div> </section> As cars become increasingly software-driven and AI-enabled, the Volvo software chief is at the cutting edge of connected vehicles and advanced mobility tools for drivers and passengers https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/Volvo-EX90-CREDIT-Volvo-Cars-Group-PR-hero2.jpg https://www.computerweekly.com/news/366642570/Interview-Alwin-Bakkenes-head-of-software-engineering-Volvo-Cars Tue, 12 May 2026 06:30:00 GMT Interview: Alwin Bakkenes, head of software engineering, Volvo Cars <p>“AI [artificial intelligence] can create a 30-page research paper for you out of thin air based on fake science,” warns Jill Luber, chief technology officer at Elsevier. As a publisher of scientific and medical journals and papers, she says: “We’ve seen a major increase in “<a href="https://www.techtarget.com/searchenterprisedesktop/opinion/Will-2026-be-the-year-deepfakes-go-mainstream">fabricated science</a>” and it is our job to protect the publishing world from that.”</p> <p>It is a topic Luber recently spoke about at the London Book Fair. “It is very worrying, and we’ve seen a major increase in fabricated science,” she says.</p> <p>“Creating and publishing science that’s not real clearly has implications because there’s a <a href="https://www.computerweekly.com/news/366642597/Closing-the-AI-trust-gap-in-MENA-Why-visibility-governance-and-data-quality-matter-more-than-hype">level of trust</a> with what you read in scientific journals, and if we start to erode that trust, I think that’s when we’re in real trouble.”</p> <p>Elsevier is around 145 years old, and over that time, it has experienced three major technological disrupters: the printing press, digital content via the internet, and now AI. </p> <p>Putting the fake science warning to one side, Luber believes AI has a significant role to play in supporting researchers to make sense of vast volumes of information contained in academic research papers. For Luber, among the major benefits of using AI tools to support research is that it is able to look through all the text in the literature Elsevier holds.</p> <p>“AI can bubble up concepts and link together different articles,” she says.</p> <p>Without AI’s help, this would normally take a human hours and hours, and may even be impossible for someone to do.</p> <div class="podcastdownload alignCenter"> <audio id="podcastPlayer" src="https://cdn.ttgtmedia.com/rms/podcasts/Jill%20Luber%20podcast_mixdown.mp3" type="audio/mp3" controls="controls"></audio> <p><a type="audio/mpeg" href="https://cdn.ttgtmedia.com/rms/podcasts/Jill%20Luber%20podcast_mixdown.mp3">Download this podcast</a></p> </div> <p>And with regards to fake science, she says: “AI can help us find and stop fake publications and fake articles before they get into our journals.”</p> <p>AI gives researchers the ability to dig through the content, understanding information it contains, finding connections and surfacing existing concepts. Just as significantly, Luber says, it also reveals what she calls “white space”, the information that is not covered in the research papers. </p> <p>Before AI, researchers used keyword searches to surface relevant pieces of research, as Luber explains: “Within the digital world, we did have very strong search algorithms that we could index entire sets of data. You would type in keywords for concepts you’re looking for and the search engine would look across all of the literature based on those keywords, and then surface up the information as a list of hits.” </p> <p>AI provides researchers with the ability to move beyond keyword searches and instead search whole concepts and neighbouring concepts – not just keywords. </p> <p>This helps researchers identify the veracity of any research articles surfaced by the AI engine. “What’s really important in science is reproducibility,” she says. “We have the ability now to look through all our content and find the research that has been reproduced.”</p> <p>There is a higher level of trust associated with those articles where the research is reproducible, versus the research that no one has been able to reproduce.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about AI guardrails</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366637344/AI-governance-provides-guardrails-for-faster-innovation">AI governance provides guardrails</a> for faster innovation: Dataiku’s field chief data officer for Asia-Pacific and Japan discusses how implementing AI governance can accelerate innovation while mitigating the risks of shadow AI.</li> <li>Why OpenClaw agents are the <a href="https://www.computerweekly.com/news/366640697/Why-OpenClaw-agents-are-the-next-big-enterprise-challenge">next big enterprise challenge</a>: As users flock to deploy OpenClaw agents for everything from gig work to shopping, IT leaders warn that bringing these autonomous systems into the enterprise will require strict guardrails and a mix of AI models.</li> </ul> </div> </div> <p>While there are clearly plenty of benefits of using AI to support research, Luber notes that there is a big risk that a large language model (LLM) can hallucinate and provide erroneous information. There is also the ever-present danger of bias. These have a direct impact on the quality and integrity of the research that can be done using AI tools. In fact, there is also a very real risk that researchers may trust the output produced by the AI tool, rather than investigate further into the insights that can now be so easily presented to them.</p> <p>When researchers are using AI tools to analyse legitimate research: “If you’re using the model just to ask the question, there is a real risk of hallucinations. But we are seeing some models trained on specific science and health domains and they are getting better at answering domain-specific questions.” </p> <p>Like many people working in AI, Luber recognises the importance of human oversight. This is analogous to the peer review human oversight that is well-established in academic publishing.</p> <p>Elsevier’s primary AI tool is LeapSpace, using human evaluation, where different domain experts test the quality and accuracy of the outputs the models generate based on the questions asked. Luber says the evaluation looks at whether the correct information is being captured and, significantly, if the output is actually harmful. “We use human evaluation to continue to help us tweak the LLMs and the products that use them,” she adds.</p> <section class="section main-article-chapter" data-menu-title="Vibe coding"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Vibe coding</h2> <p>Within the technology function at Elsevier, Luber says AI is used in software development. However, before any code is released into production, there is a human review. </p> <p>Discussing how Elsevier is using AI to support software development, she says: “It does make it easier, but I’m also finding new needs for my technology team. There’s this new concept of AI engineer emerging.”</p> <p>She says the business is encouraging vibe coding, enabling people with no technical background to create dashboards, web pages and applications. </p> <p>However, the software development team has an important role to play in vibe coding. “What we’re finding is you can only get so far, then you’re going to need the intervention of the technology team to harden some of the processes and dashboard,” says Luber.</p> <p>As an example, she says the finance team creates lots of reports on an ongoing basis. “With AI tools, they can build a new automated agentic workflow themselves that can create these reports. However, these AI agents need to be more productionised: <a href="https://www.techtarget.com/searchsecurity/tip/Vibe-coding-security-risks-and-how-to-mitigate-them">it’s safe; it's secure</a>; it has the right access, it’s up and running and we understand the cost. That’s when you really need an engineer to intervene and help bring it up to production-level quality.”</p> <p>As a result, Elsevier now has software engineers dedicated to the finance function.</p> <p>“This is a new need for my team to support some of the areas of the business that are taking advantage of AI to make their jobs better,” adds Luber. “But they still need our support to do that.”</p> <p>While vibe coding does change the number of software developers needed, Luber feels that software engineers are used in places the businesses previously did not require their expertise.</p> <p>“Vibe coding is actually really cool and it helps me do my job better,” she says. “Even if you don’t know how to write the code, you can still create the processes to use it.”</p> </section> We speak to Jill Luber, chief technology officer at academic publisher Elsevier, about how large language models can support researchers https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/chemistry-science-medicine-research-adobe.jpeg https://www.computerweekly.com/news/366643005/Executive-interview-Pros-and-cons-of-AI-in-academic-research Tue, 12 May 2026 05:15:00 GMT Executive interview: Pros and cons of AI in academic research <p>As the much-vaunted Cyber Security and Resilience Bill looks set to continue its progress through parliament following <a href="https://www.bbc.com/news/articles/c2324yp7ygyo" target="_blank" rel="noopener">the King’s Speech on Wednesday 13 May</a>, the UK government has urged businesses to sign up to its Cyber Resilience Pledge.</p> <p><a href="https://www.computerweekly.com/news/366641790/UK-to-build-national-cyber-shield-to-protect-against-AI-cyber-threats" target="_blank" rel="noopener">First trailed last month</a> by security minister Dan Jarvis at the National Cyber Security Centre’s (NCSC’s) annual CyberUK conference, the pledge will launch later this year, and sets out three concrete actions that organisations should be taking: making cyber security a board-level responsibility; signing up to the NCSC’s Early Warning Service; and requiring Cyber Essentials certification across their supply chains.</p> <p>“Cyber security is now fundamental to economic growth, job creation and the resilience of the services people rely on every day,” said cyber security minister Baroness Lloyd.</p> <p>“The UK has a world‑class cyber sector that is creating skilled jobs and protecting our economy – and government is doing more by investing in its own defences, legislating to require more of essential services and setting clear national standards,” she said.</p> <p>“As threats evolve, businesses of all sizes need to step up and take practical action now,” added Lloyd.</p> <p>“The Cyber Resilience Pledge is a clear call for companies to strengthen their defences, protect their customers, and play their part in keeping the UK secure and competitive.”</p> <section class="section main-article-chapter" data-menu-title="Cyber growth"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Cyber growth</h2> <p>The pledge forms part of a wider series of actions to shore up Britain’s cyber defences in light of fast-evolving, artificial intelligence (AI)-enabled threats, and boost the nation’s cyber sector.</p> <p>According to newly released figures, the cyber security industry contributed £14.7bn to the economy in 2025, up 11%, with the number of British security firms growing by 20% to 2,063, and the number of people employed in the sector up by 2,300.</p> <p>The government urged business leaders to harness the expertise and innovation of this new wave of startups to drive adoption of more secure technology – such as the use of memory safe programming languages such as Java or Rust, which can help protect against illicit memory access by bad actors. Westminster highlighted research undertaken by the AI Security Institute (AISI) and warned that traditional cyber protections alone are no longer enough.</p> <p>It also highlighted the growing number of AI-centric security products and services, the availability of which grew by 68% in 2025, reinforcing the UK’s status as an innovation leader, and an early responder to new security threats, and added that the AISI’s advanced capabilities demonstrated that the country is not standing still in response to the problem.</p> <p>The government’s latest announcement on the topic comes as the International Monetary Fund warns that AI-powered cyber attacks may <a href="https://www.computerweekly.com/news/366642863/AI-cyber-attack-threatens-global-financial-crisis-warns-International-Monetary-Fund" target="_blank" rel="noopener">precipitate a global financial crisis</a> if left unchecked.</p> <p>The organisation said the debut of frontier models such as Mythos highlighted significant governance challenges, and warned that inconsistent oversight from country to country could weaken the interconnected financial system – a risk it deemed particularly acute for emerging and developing economies.</p> <p>The IMF called for more international coordination, information-sharing, and expanded capacity if global financial stability is to be preserved.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about UK cyber policy</h3> <ul class="default-list"> <li>UK government says half of all small businesses have been cyber breached in the recent past as <a href="https://www.computerweekly.com/news/366639041/Government-wages-cyber-campaign-as-half-the-UKs-SMEs-are-breached" target="_blank" rel="noopener">it urges them to ‘lock the door’</a>.</li> <li>The UK government unveils a £120m Cyber Action Plan to help reinforce and promote IT security resilience <a href="https://www.computerweekly.com/news/366636896/UK-government-to-spend-210m-on-public-sector-cyber-resilience" target="_blank" rel="noopener">across the country's public services</a>.</li> <li>The government’s annual cyber security report reveals UK businesses are still struggling with <a href="https://www.computerweekly.com/news/366642507/Almost-half-of-UK-businesses-hit-by-cyber-attacks" target="_blank" rel="noopener">the impact of attacks and breaches</a>.</li> </ul> </div> </div> </section> Westminster renews calls for business leaders to sign up to its yet-to-be-launched Cyber Resilience Pledge, and highlights growth, and challenges, for the UK’s cyber economy https://cdn.ttgtmedia.com/visuals/German/article/mobile-network-security-adobe.jpg https://www.computerweekly.com/news/366642938/UK-government-renews-calls-to-sign-Cyber-Resilience-Pledge Mon, 11 May 2026 12:34:00 GMT UK government renews calls to sign Cyber Resilience Pledge <p>Britain’s corporate cyber chiefs are too polite when they deal with innovative startup cyber security companies. Chief information security officers (CISOs) prefer to be non-committal, rather than tell startup companies what is wrong with their product and why they won’t buy it – and that is not helpful for innovation.</p> <p>That is the view of Alastair Paterson, CEO and co-founder of <a href="https://www.harmonic.security/">Harmonic Security</a>, who is also the driving force behind the <a href="https://www.computerweekly.com/news/366640332/Cyber-flywheel-aims-to-kick-start-UK-cyber-security-startups">cyber flywheel</a>, an initiative that aims to grow more successful cyber security startups in the UK.</p> <p>CISOs tell startups that fail to impress, “maybe I will get back to you, I wish you the best of luck. Because they don’t want to say, ‘This doesn’t work for me’,” said Paterson. “What the startup needs to hear is, ‘I’m not going to buy this right now, but if you do A B and C, then I’ll be interested.’”</p> <p>Paterson spoke to Computer Weekly following his second cyber flywheel event, hosted by the Foreign and Commonwealth Office in April. Around 150 people from venture capital companies and innovative startups, along with 50 CISOs, talked in person to see how they could work together to develop innovative technology.</p> <section class="section main-article-chapter" data-menu-title="Design partnerships"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Design partnerships </h2> <p>A closer collaboration between businesses, government and startups can often be found in places such as the US and Israel through design partnerships. It is common for CISOs to work with startups to help them develop solutions to their most pressing cyber security problems. Before Paterson founded <a href="https://www.harmonic.security/">Harmonic</a>, a company which developed technology to secure use of multiple forms of AI in organisations, he spoke to nearly 50 CISOs to find out what they were struggling with.</p> <p>“I didn’t tell them what I was planning to do at Harmonic, but I asked them a set of questions around the problem area of AI [artificial intelligence] adoption in the enterprise to try to understand their pain points,” he said.</p> <p>At the end of the call, Paterson asked if they might be interested in a technology that solved those problems. He was looking for companies that were “jumping out of their seats” at the chance to get on board. “They are the ones that are going to invest the time with you and deploy the technology early,” he added.</p> </section> <section class="section main-article-chapter" data-menu-title="How CISOs can benefit from working with startups"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How CISOs can benefit from working with startups</h2> <p>The UK, said Paterson, needs more design partnerships where companies and government work with startups to solve the cyber security problems that are not being solved by others, adding: “If there is one thing we can do to make things better, it would be to back our companies and foster those type of relationships in the UK, because that is where innovative solutions get created.”</p> <p>He argued that CISOs and their organisations can benefit from working with a startup engineering team that is highly motivated to solve the security problems their organisations are facing. “The CISO personally can benefit because they are right on the bleeding edge and can understand what is possible,” he said. “It’s pretty cool if you have helped shaped early solutions and get known as an early adopter and an innovator.”</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Companies that pitched at the Cyber flywheel in April</h3> <ul class="default-list"> <li><a href="https://www.ossprey.com/">Ossprey</a> – detects and removes malicious code in open source software.</li> <li><a href="https://overmind.tech/about-us">Overmind</a> – predicts and mitigates risks of infrastructure before it is deployed.</li> <li><a href="https://www.fortyx.co/">Fortyx</a> – AI powered data loss prevention.</li> <li><a href="https://refute.com/">Refute</a> – detects and responds to disinformation campaigns.</li> <li> <a href="https://innerworks.me/">Innerworks</a> – AI powered security layer trained on real adversaries.</li> <li> <a href="https://aisy.ai/our-story">Aisy.AI</a> – prioritises fixing security vulnerabilities based on threat.</li> <li> <a href="https://www.cofide.io/">Cofide</a> – secures workloads and AI agents in any cloud environment.</li> </ul> </div> </div> <p>There are notable exceptions but security leaders in the UK tend to keep startup founders at arms-length, making it difficult to develop collaborations. As a result, some UK startups have had to go to the US to find design partners. One reason is that, compared to locations where collaborations are the norm, the UK has a smaller number of cyber security startups for potential design partners to choose from.</p> <p>The UK is around where Israel was 10 years ago, said Paterson, but he notes that it is changing fast as the UK produces more credible cyber security startups.</p> <p>There can also be practical difficulties – for example, if organisations have sensitive data, such as healthcare records, they are probably not going to want to put that in a startup, which would more likely be an environment that has not been fully security tested.</p> <p>But there are ways around that, such as by working with startups to develop proof-of-concept models and follow security standards such as ISO 27001, which provides a framework for organisations to protect sensitive data.</p> </section> <section class="section main-article-chapter" data-menu-title="Top three problems for CISOs"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Top three problems for CISOs</h2> <p>If cyber startups are going to persuade companies to use their technology, they need to offer benefits that outweigh the disruption, effort and pain their technology takes to roll out. Most big business can run three proof-of-concept projects a year, so if they are to get a look in, startups need to solve one of the CISO’s top three problems.</p> <p>“If it’s a top three priority and there is no solution on the market from the likes of CrowdStrike and Palo Alto, companies are going to want to engage with the startup,” said Paterson.</p> <blockquote> <div class="imagecaption alignLeft"> <img src="https://cdn.ttgtmedia.com/rms/computerweekly/Alastair-Paterson-HarmonicSecurity-140px.jpg" alt="Headshot of Alastair Paterson."> </div> <p><strong><span style="color: #34495e;">“The CISO personally can benefit because they are right on the bleeding edge and can understand what is possible”</span></strong></p> <p><em><span style="color: #34495e;">Alastair Paterson, Harmonic Security</span></em></p> </blockquote> <p>Government departments are engaging in the cyber flywheel and saying the right things, he added, but he would like to see more government CISOs forming design partnerships with startups.</p> <p>At the meeting in April, 50 CISOs pledged to hold a 30-minute meeting with at least one of the startup founders present at the event. There were also spin-offs from the event, including a peer group where startups can come together and discuss the issues they are facing, and a WhatsApp group.</p> <p>With Harmonic taking off – it has doubled in size to 80 people in six months and deployed its technology in more than 100 companies – Paterson has less time to run the cyber flywheel project, but he is hopeful that other people will step in.</p> <p>“If you can get CISO’s agreeing, ‘This is our top set of five challenges that we are going to face over the next five years’, and then you put your challenges in in front of a bright, ambitious set of founders that want to go and build solutions, that would be a sort of magic,” he said.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">  Read more about the cyber flywheel</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366640332/Cyber-flywheel-aims-to-kick-start-UK-cyber-security-startups">Cyber flywheel aims to kick-start UK cyber security startups</a> – Company founder rallies CISOs, venture capital funders and government leaders to back startups in cyber security</li> <li>Infosecurity Europe launches cyber security startups stream – Infosecurity Europe 2026 will feature a <a href="https://www.computerweekly.com/news/366638558/Infosecurity-Europe-launches-cyber-security-startups-stream">cyber security startup exhibition zone</a> and a competition for business support, in conjunction with the UK cyber flywheel organisation.</li> </ul> </div> </div> <ul class="default-list"></ul> </section> Cyber flywheel initiative aims to nudge chief information security officers (CISOs) to join ‘design partnerships’ with startups to solve pressing cyber security problems https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/security-breach-artbase-adobe.jpg https://www.computerweekly.com/news/366642956/Security-chiefs-too-polite-for-startups-says-cyber-flywheel-founder-Alastair-Paterson Mon, 11 May 2026 11:20:00 GMT Security chiefs ‘too polite’ for startups, says cyber flywheel founder Alastair Paterson <p>Elsevier, the Dutch academic publisher of scientific and medical journals and papers, is around 145 years old and, over that time, it has experienced three major technological disrupters: the printing press, digital content via the world wide web and now artificial intelligence (AI). </p> <p>For Jill Luber, chief technology officer at Elsevier,  AI can be used to help researchers understand vast volumes of information. She says AI is able to look through all the text in the <a href="https://www.techtarget.com/pharmalifesciences/news/366630356/Elsevier-launches-PharmaPendium-AI-to-boost-RD-compliance">literature Elsevier</a> holds: “AI can bubble up concepts and link together different articles.” Without AI’s help, this would normally take a human hours and hours and may even be impossible for someone to do. </p> <p>According to Luber, AI gives researchers the ability to dig through the content, understanding information it contains, finding connections and surfacing existing concepts. Just as significant, Luber says it also reveals what she calls “white space”, the information that is not covered in the research papers. </p> <p>Before AI, researchers used keyword searches to surface relevant pieces of research, as Luber explains: “Within the digital world, we did have very strong search algorithms that we could index entire sets of data. You would type in keywords for concepts you're looking for and the search engine would look across all of the literature based on those keywords and then surface up the information, as a list of hits.” </p> <p>AI provides researchers with the ability to move beyond keyword searches and instead search whole concepts and neighboring concepts, not just keywords. </p> <p>This helps researchers identify the veracity of any research articles surfaced by the AI engine. “What's really important in science is reproducibility. We have the ability now to look through all our content and find the research that has been reproduced,” she says. There is a higher level of trust associated with those articles where the research is reproducible, versus the research that no one has been able to reproduce.</p> <p>While there are clearly plenty of benefits in using AI to support research, Luber notes that there is a big risk that a large language model (LLM) may hallucinate, and provide erroneous information. There is also the ever-present danger of bias. These have a direct impact on the <a href="https://www.techtarget.com/healthtechanalytics/feature/Investigating-how-GenAI-can-support-clinical-decision-making">quality and integrity</a> of the research that can be done using AI tools. There is also a very real risk that researchers may trust the output produced by the AI tool, rather than investigate further into the insights that can now be so easily presented to them.</p> <p>“As publishers we have a real responsibility to protect the academic publishing world from the AI that can create a 30-page research paper out of thin air on fake science. It is our job to protect the publishing world from that,” she says. “It is very worrying, and we've seen a major increase in fabricated science.”</p> <p>It is a topic Luber recently spoke about at the <a href="https://www.londonbookfair.co.uk/en-gb/conferences-and-events/session-details.4727.257620.keynote-jill-luber-cto-elsevier-responsible-by-design-why-academic-publishing-is-central-to-the-future-of-ai.html">London Book Fair.</a></p> <p>While researchers should be aware of the risks of hallucinations when using AI tools to analyse legitimate research, Luber says: “We are seeing some models trained on specific science and health domains and they are getting better at answering domain-specific questions.” </p> <p>Like many people working in AI, she recognises the importance of human oversight. This is analogous to the peer review human oversight that is well-established in academic publishing.</p> <p>Elsevier’s primary AI tool is LeapSpace. This uses human evaluation, where different domain experts test the quality and accuracy of the outputs the models generate based on the questions asked. Luber says the evaluation looks at whether the correct information is being captured and, significantly, if the <a href="https://www.techtarget.com/searchenterpriseai/definition/responsible-AI">output is actually harmful</a>. “We use human evaluation to continue to help us tweak the LLMs and the products that use them,” she adds. </p> We speak to Jill Luber, CTO of academic publisher, Elsevier, about creating AI tools to support researchers and protecting against fake science https://www.computerweekly.com/podcast/Integrity-with-AI-A-Computer-Weekly-Downtime-Upload-podcast Mon, 11 May 2026 10:08:00 GMT Integrity with AI: A Computer Weekly Downtime Upload podcast <p>Commerzbank will cut 3,000 jobs, around 8% of its workforce, as it increases <a href="https://www.computerweekly.com/news/366640627/HSBC-gets-its-first-artificial-intelligence-chief">artificial intelligence</a> (AI) investment set at €600m over the next four years.</p> <p>The bank expects €500m in additional value to be added each year through the AI investments from 2030 onwards.</p> <p>As part of its Momentum 2030 plan, the job cuts and AI investment at the bank comes at a time when Italy’s UniCredit is attempting a takeover.</p> <p>“With Momentum 2030, the bank will leverage the potential of AI even more,” said a Commerzbank statement.</p> <p>It said it “is continuing to scale its proven business model and is more firmly reflecting the potential of AI into its planning. In doing so, the bank is accelerating profitable growth, increasing efficiency and advancing technological innovation faster than previously planned.”</p> <p>AI applications are already in use at the bank, which said it is “increasing productivity and service quality, delivering measurable benefits for customers and employees alike”.</p> <p>As examples, Commerzbank said it will launch a complaints management process using agentic AI as an AI model that analyses large volumes of data to more precisely detect money laundering and financial crime, known as Hawk AI.</p> <section class="section main-article-chapter" data-menu-title="Identifying risks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Identifying risks</h2> <p>It is also using AI-supported analysis of annual reports to identify risks at an early stage.</p> <p>“In the next phase of development, Commerzbank will consistently deploy AI agents to support entire processes – ranging from account switching and know-your-customer procedures and document checks to the drafting of contracts,” said the bank. “This will significantly reduce labour-intensive tasks.”</p> <p>As well as enabling a workforce reduction of 3,000 people, the bank said AI investments will enable it to “free up and partially redeploy around 10% of its capacities”.</p> <p>In its latest quarterly results, for the first three months of the year, the bank reported an 11% increase in profit, which reached €1.4bn, while revenue grew 5% to €3.2bn.</p> <p>“We started the year with record-level results,” said Commerzbank CEO Bettina Orlopp. “This proves that our strategy is working – and that it has more potential than originally planned. We are growing more strongly than expected, and our new targets through 2030 reflect this – ambitious while remaining reliable in their execution. Every alternative must be measured against this.”</p> <p>The bank is expecting full-year revenues to grow to €15bn by 2028, and to €16.8bn by 2030.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read about AI regulation in banking</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/news/366641563/UK-financial-regulators-rush-to-assess-risks-of-Anthropic-AI-model">Banks called in by regulators as latest artificial intelligence model identifies thousands of software vulnerabilities</a>.</li> <li><a href="https://www.computerweekly.com/news/366637579/UK-government-appoints-banking-tech-bosses-as-AI-champions">Appointment of artificial intelligence champions from banking sector comes as MPs make stern warning about AI risks in financial services</a>.</li> <li><a href="https://www.computerweekly.com/news/366641830/More-finance-firms-join-FCAs-AI-testing-initiative">Barclays, Experian and UBS are among the latest finance firms to join the Financial Conduct Authority’s AI testing initiative</a>.</li> </ul> </div> </div> <p>It is not alone as a large traditional bank transforming through AI. In February, <a href="https://www.computerweekly.com/news/366639445/Santander-pins-1bn-business-value-gain-on-AI">Santander said it expects its investments in AI to deliver €1bn in business value</a>, through cost-cutting and revenue growth.</p> <p>Presenting its plan for the next two years at an event in London, it said data and AI are important parts of its wider <a href="https://www.santander.com/en/press-room/features/santander-global-businesses">One Transformation</a> digital programme.</p> <p>At the investor event, Santander presented its 2026-28 plans, which included a target to increase its customer base from 180 million today to 200 million by 2028. Santander announced its planned acquisition of TSB last year, which will see the bank’s UK customer base grow by about five million.</p> <p>The bank also outlined the business value that data and AI will deliver by 2028.</p> <p>It said that by 2028, it expects to generate over €1bn of business value annually, in terms of cost savings and revenues, from data and AI initiatives.</p> <p>According to Lloyds Banking Group’s <i>Financial institutions sentiment survey for 2025</i>, <a href="https://www.computerweekly.com/news/366630147/Number-of-UK-banks-reporting-AI-driven-productivity-improvements-doubles">59% of surveyed firms reported AI-driven productivity gains</a> in the past 12 months, compared with 32% in the 2024 survey.</p> <p>Banks also reported rising returns from AI in other areas. The survey found that 21% of respondents believe AI is directly driving business growth, compared with 8% in the survey a year ago.</p> <p>Meanwhile, a third (33%) of respondents said AI is enhancing customer experiences, up from 14% in the previous survey. The same number said they have deeper customer insights through AI, compared with 18% in last year’s survey.</p> </section> Part of the German bank’s transformation will see a total of 3,000 jobs cut across the business https://cdn.ttgtmedia.com/visuals/German/article/Artificial-intelligence-robot-datacenter-adobe.jpg https://www.computerweekly.com/news/366642998/Commerzbank-to-cut-3000-jobs-as-it-leverages-AI-even-more Mon, 11 May 2026 08:15:00 GMT Commerzbank to cut 3,000 jobs as it ‘leverages AI even more’ <p>The <a href="https://english.rekenkamer.nl/">Netherlands Court of Audit</a> recently published a blunt assessment of the Dutch central government’s readiness for quantum technology. The verdict was uncomfortable reading for a country that presents itself as a European frontrunner in the field.</p> <p>While the Netherlands has built a thriving quantum research ecosystem and secured an academic leading position, the majority of government organisations have yet to take a single concrete step towards protecting their systems against the <a href="https://www.computerweekly.com/news/366640684/Shrinking-PQC-timeline-highlights-immediate-risk-to-data-security">cryptographic threat that quantum computers</a> will eventually pose.</p> <p>The report, <a href="https://english.rekenkamer.nl/documents/2026/02/04/focus-on-quantum-technology-in-central-government"><em>Focus on quantum technology in central government</em></a>, surveyed 63 government organisations. It found that 71% had not begun preparations to defend against <a href="https://www.techtarget.com/searchsecurity/opinion/Is-post-quantum-cryptography-the-next-Y2K">the quantum threat</a>. Only four organisations (6%) had incorporated the quantum threat into their risk management frameworks. Just 15 had opened any dialogue with their suppliers about quantum-safe products. No designated executives are responsible for the issue at most institutions.</p> <p>The timing matters. The Dutch intelligence service AIVD <a href="https://www.aivd.nl/actueel/nieuws/2024/12/03/aivd-cwi-en-tno-publiceren-vernieuwd-handboek-voor-quantumveilige-cryptografie">has warned</a> that Q-Day, the point at which a sufficiently powerful <a href="https://www.techtarget.com/searchcio/tip/Attention-CISOs-Quantum-computing-security-risks-are-here">quantum computer could crack current asymmetric encryption</a>, could arrive as early as 2030. That leaves fewer than four years for organisations to complete what experts describe as a complex, organisation-wide migration.</p> <section class="section main-article-chapter" data-menu-title="The threat is real"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The threat is real</h2> <p>To understand why the Court of Audit is concerned, it helps to understand what the Dutch government uses encryption for. The list is not short – protecting confidential information held on citizens and businesses, controlling access to vital infrastructure such as flood defences and bridges, authenticating logins via <a href="https://www.computerweekly.com/news/366638606/US-bid-for-Dutch-ID-infrastructure-raises-sovereignty-concerns">DigiD</a> (the national digital identity system used by millions), and verifying the integrity of passports and official documents.</p> <p>If quantum computers render current encryption obsolete, all of these applications are at risk. The consequences range from identity fraud and disrupted benefit payments to compromised infrastructure and exposed state secrets.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Because the precise timing of Q-Day remains uncertain, many institutions have simply not prioritised the issue </figure> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>There is a further complication that makes the 2030 timeline more urgent than it might first appear. Security researchers and the Court of Audit itself have flagged the risk of so-called <a href="https://www.computerweekly.com/news/366640684/Shrinking-PQC-timeline-highlights-immediate-risk-to-data-security">“harvest now, decrypt later” attacks</a>, in which malicious actors, including state-level adversaries, are already intercepting and stockpiling encrypted data. They cannot read it today, but they are betting they will be able to once quantum computing matures. That means sensitive Dutch government data being transmitted now may already be at risk of future exposure. The threat is not waiting for Q-Day to begin.</p> <p>The Court of Audit identifies three main obstacles to progress: a lack of technical capacity, a shortage of expertise, and, perhaps most critically, an absence of urgency within organisations. Because the precise timing of Q-Day remains uncertain, many institutions have simply not prioritised the issue.</p> <p>That reasoning has a flaw. Migrating to <a href="https://www.computerweekly.com/news/366543419/Handbook-helps-Dutch-organisations-migrate-to-quantum-safe-communication">post-quantum cryptography (PQC)</a> is not a quick fix. It requires organisations to first audit where cryptography is embedded across their systems, negotiate with suppliers, update infrastructure and retrain staff. The Court of Audit warns that organisations risk not starting in time.</p> <p>Even the adoption of a government‑wide cryptography framework has not yet translated into concrete action in most organisations. In March 2025, the Dutch CIO Council formally adopted the <a href="https://www.nldigitalgovernment.nl/wp-content/uploads/sites/11/2026/02/Framework-Cryptography-Policy-Central-Government.pdf">Framework cryptography policy for the Central Government</a>, which makes a cryptography policy mandatory for all central government bodies, but the Court of Audit finds that many organisations have not yet aligned their own policies with this framework.</p> <p>The governance picture compounds the problem. Most organisations have not designated an executive responsible for quantum readiness. Without clear ownership, the migration tends to remain an unassigned task – acknowledged in principle, actioned by no one.</p> </section> <section class="section main-article-chapter" data-menu-title="Legal frameworks lag behind"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Legal frameworks lag behind</h2> <p>The security gap has a legal dimension that adds further complexity. <a href="https://www.linkedin.com/in/victordepous/">Victor de Pous</a>, an Amsterdam-based ICT lawyer who has tracked Dutch digital policy for decades, points to a structural paradox in how information security law is currently constructed.</p> <p>Existing legislation, including the General Data Protection Regulation, the NIS2 Directive and the Cyber Resilience Act, is deliberately written to be technology-neutral. The intention is that organisations should be able to identify and apply appropriate security measures themselves, following what regulators describe as “the state of the art”.</p> <p>“At the regulation of post‑quantum cryptography, a paradox arises,” De Pous wrote in his <em>Newsware</em> newsletter, noting that information security legislation is designed to be technology‑neutral, yet the quantum threat is so profound and complex that organisations “apparently cannot independently keep up with the ‘state of the art’ in this area”.</p> <p>In practice, de Pous argued, this approach is not working. His conclusion that further regulation is all but inevitable does not rest on the claim that it is the only conceivable solution. It rests, rather, on a historical lesson from information security law: open norms and self-regulation have repeatedly proved insufficient to deliver timely and adequately high levels of security.</p> <p>The evolution from NIS1 to NIS2 illustrates how legislators gradually give such open norms more concrete shape, not only through judicial interpretation, but through additional legislation, guidance and implementing rules. The quantum threat, in his view, will follow the same pattern.</p> <p>De Pous pointed to several recent examples, including the modernisation of the 1995 Archives Act, the adaptation of competition law for government open source releases, and the transposition of the <a href="https://www.computerweekly.com/opinion/What-does-the-EUs-NIS-2-cyber-directive-cover">NIS2 Directive</a>, as “telling examples of digital-domain legislative processes with long delays”, reinforcing his view that this is a structural feature of the Dutch regulatory landscape rather than an exception. He sees no reason to assume quantum-specific regulation will move faster.</p> </section> <section class="section main-article-chapter" data-menu-title="Investment without implementation"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Investment without implementation</h2> <p>The contrast with the investment side of the quantum picture is stark. Since 2021, the Netherlands has channelled €615m from its National Growth Fund into <a href="https://quantumdelta.nl/">Quantum Delta NL</a>, a public-private programme designed to develop the country’s quantum ecosystem across five regional hubs in Delft, Eindhoven, Leiden, Twente and Amsterdam. The programme has delivered tangible results: a quantum network connecting The Hague and Delft, three operational quantum sensor test facilities, and a fund for quantum startups. The National Growth Fund’s advisory committee has praised the programme’s progress.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> The Court of Audit’s findings place the Dutch government in an uncomfortable position. Having invested heavily in quantum technology and positioned itself as a European leader, the gap between its ambitions and its internal security preparations is unusually visible </figure> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Quantum Delta NL projects that quantum technology could create between 8,000 and 18,000 jobs in the Netherlands by 2040, with the Quantum Delta programme alone potentially generating between €1.5bn and €2.5bn in economic value. Quantum technology has been designated as one of 10 priority technology areas in the country’s National Technology Strategy, and in March 2026, the Netherlands and Germany jointly launched the <a href="https://quantumzeitgeist.com/rvo-germany-quantum-rd-call-2/">TechBridge initiative</a> – a collaborative research and development programme targeting quantum applications in the aerospace sector, developed in partnership with Quantum Delta NL and Airbus Tech Hub Netherlands.</p> <p>The investment in the opportunity side of quantum is real, sustained and internationally recognised. The readiness for the threat side is not.</p> <p>In its formal response to the Court of Audit, the government described the migration to post‑quantum cryptography as “not optional, but necessary”, while noting that the migration is complex given the range of dependencies involved.</p> <p>A government-wide Quantum Strategy is currently being developed by the Ministry of Economic Affairs in collaboration with other ministries. It was expected to be presented to parliament in the second quarter of 2026. At the time of writing, neither its concrete targets nor its budget had been made public.</p> <p>That timing is not coincidental. The European Commission is expected to publish its proposed <a href="https://www.european-quantum-act.com/">Quantum Act</a> in the same period, which will set binding requirements and investment frameworks across member states. The Netherlands has stated it welcomes the European strategy, while seeking to preserve room for national choices and ecosystems. How those two timelines interact, and whether Dutch policy will be shaped proactively or reactively by the EU framework, remains to be seen.</p> </section> <section class="section main-article-chapter" data-menu-title="EU-wide challenge"> <h2 class="section-title"><i class="icon" data-icon="1"></i>EU-wide challenge</h2> <p>The Netherlands is not alone in facing this challenge. No European Union member state has fully completed the transition to post-quantum cryptography, and the European Commission has acknowledged that migrations will be difficult and time-consuming across the board.</p> <p>But the Court of Audit’s findings place the Dutch government in an uncomfortable position. As a country that has invested heavily in quantum technology and positioned itself as a European leader, the gap between its ambitions and its internal security preparations is unusually visible.</p> <p>The 71% figure carries weight precisely because it comes not from a commercial supplier or a lobbying body, but from the independent institution tasked with auditing the Dutch state’s financial management and policy effectiveness. When the Court of Audit says most government organisations have not started, that assessment has not been publicly contested.</p> <p>The government has acknowledged the scale of the problem and the need to accelerate preparations for post‑quantum cryptography, but it has not yet presented a funded, time‑bound plan to fix it. For organisations now weighing up their own PQC migration, and for any entity that exchanges sensitive data with Dutch government systems, that gap is the most important number in the report.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about post-quantum security</h3> <ul class="default-list"> <li>Quantum computers <a href="https://www.techtarget.com/searchsecurity/video/An-explanation-of-quantum-cryptography">threaten to break today’s encryption protocols.</a> Post-quantum cryptography aims to develop new algorithms resistant to quantum attacks before it’s too late.</li> <li>Google sets out a timeline for its <a href="https://www.computerweekly.com/news/366640650/Google-targets-2029-for-post-quantum-cyber-readiness">migration to post-quantum cryptography</a>, saying it will complete its migration before the end of the 2020s</li> <li>The promise of quantum processors solving complex problems at extraordinary speeds offers numerous business opportunities. But <a href="https://www.techtarget.com/searchcio/tip/Attention-CISOs-Quantum-computing-security-risks-are-here">what risks does this new technology present?</a></li> </ul> </div> </div> </section> The Dutch government has invested €615m to build a world-class quantum technology ecosystem, but many institutions have not started any quantum-specific preparations to protect themselves against the security threat https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/quantum-quantique-AdobeStock_429545226-hero.jpeg https://www.computerweekly.com/news/366642917/The-Netherlands-leads-in-quantum-technology-but-lags-on-quantum-security Mon, 11 May 2026 07:09:00 GMT The Netherlands leads in quantum technology but lags on quantum security <p>In the existing state, identity is human-centric. Today’s <a href="https://www.computerweekly.com/resources/Identity-and-access-management-products" target="_blank" rel="noopener">identity and access management</a> (IAM) systems were designed for a world dominated by human users and static applications. Identities are provisioned, authenticated, and authorised using models such as role-based access control (RBAC) and multifactor authentication (MFA), with decisions made at login time. Even with <a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network" target="_blank" rel="noopener">the evolution toward zero-trust</a>, the core assumption remains largely unchanged: identities are known, bounded, and relatively stable.</p> <p>However, <a href="https://www.techtarget.com/searchenterpriseai/definition/AI-agents" target="_blank" rel="noopener">agentic AI systems</a> break these assumptions. The transition to agentic systems has fundamentally altered the security landscape. We are no longer just securing "users"; we are securing a massive, autonomous web of <a href="https://www.techtarget.com/searchsecurity/definition/What-is-machine-identity-management" target="_blank" rel="noopener">non-human identities</a> (NHIs) that move at machine speed. Autonomous agents dynamically invoke tools, access APIs, generate sub-agents, and operate across multiple domains without direct human intervention. These agents often use shared credentials, ephemeral tokens, or implicit trust boundaries, leading to identity ambiguity, weak attribution, and expanded attack surfaces. In short, the current IAM stack is misaligned with the fluid, autonomous nature of AI agents.</p> <section class="section main-article-chapter" data-menu-title="The need for a new identity stack"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The need for a new identity stack</h2> <p>The rise of agentic AI systems introduces a new class of identities, autonomous, non-human actors such as AI agents, bots, and services, that operate independently, dynamically, and at scale. Unlike human identities, these entities can be created on demand, delegate tasks to other agents, and interact across multiple systems without direct oversight, posing challenges for attribution, control, and trust. For example, agents move faster than human oversight, and the ‘kill switch’ has moved from a button to an autonomous circuit breaker. Traditional identity models, built around static users and roles, are insufficient to govern this fluid ecosystem. As a result, there is a critical need for an evolved identity framework that can uniquely identify these actors, track their provenance, enforce fine-grained and contextual access, and continuously validate their behavior to ensure secure and accountable operations.</p> </section> <section class="section main-article-chapter" data-menu-title="A look into the modern identity stack for agentic systems"> <h2 class="section-title"><i class="icon" data-icon="1"></i>A look into the modern identity stack for agentic systems</h2> <ul class="default-list"> <li><i>Agent identity and provenance:</i> Every AI agent must have a unique, verifiable identity tied to its origin, whether created by a human, system, or another agent. Provenance ensures traceability, enabling organizations to understand who initiated an action and under what authority. This establishes accountability and prevents anonymous or rogue agent behavior.<br><br></li> <li><i>Ephemeral credentialing:</i> Instead of long-lived credentials, agents should use short-lived, task-specific tokens that are automatically issued and revoked. This minimizes exposure in case of compromise and aligns access strictly with the duration and scope of a task. It enforces the <a href="https://www.techtarget.com/searchsecurity/tip/Benefits-and-challenges-of-zero-standing-privileges" target="_blank" rel="noopener">zero-standing privilege</a> (ZSP) principle.<br><br></li> <li><i>Contextual Authorisation:</i> Access decisions should be dynamic and based on real-time context, such as behavior, environment, and risk signals. Rather than static roles, permissions adapt continuously to the agent's actions and location, ensuring tighter, more relevant control.<br><br></li> <li><i>Delegation and chain of trust:</i> Agentic systems often involve multiple layers of delegation covering user communication to agent and agent communication with tools. A clear and enforceable chain of trust is required to track authority and limit how far and wide permissions can propagate, thereby preventing privilege escalation.<br><br></li> <li><i>Identity threat detection and response (ITDR):</i> Systems must continuously monitor agent actions, reassess risk, and adjust permissions in real time. For example, continuous verification now monitors <a href="https://medium.com/@ema.ilic9/know-when-to-stop-77e03a4517df" target="_blank" rel="noopener">semantic drift</a>, in which an agent’s actions gradually deviate from its original intent or authorised purpose. It helps detect subtle misuse, compromised workflows, or manipulated prompts that may not trigger traditional security alerts.  <br><br></li> <li><i>Observability and attribution:</i> A robust audit trail is essential for capturing who performed which action, through which agent, and with which tools. This level of visibility ensures accountability, supports incident response, and builds trust in autonomous systems by making their actions transparent and explainable.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Identity as a real-time control plane in agentic systems"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Identity as a real-time control plane in agentic systems</h2> <p>Identity will evolve into a real-time control plane for agentic systems, not just an access gateway. Key shifts will include:</p> <ul class="default-list"> <li>Identity becomes behavioural as trust is continuously scored rather than statically assigned.</li> <li>Agents become first-class principals, managed, governed, and audited like human users.</li> <li>Policies must be adaptive as AI-driven policies evolve alongside threats and usage patterns.</li> <li>Zero-trust becomes zero-standing privilege, in which access exists only for the duration of a verified task.</li> <li>Identity integrates with execution frameworks as every tool call is authenticated, authorised, and logged.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Inference"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Inference</h2> <p>The rise of agentic AI systems demands a fundamental rethink of identity. Static credentials and perimeter-based trust models are no longer sufficient. Agent identity management needs a shift from RBAC to ABAC. The new identity stack must be dynamic, contextual, and deeply integrated into the execution fabric of AI systems, ensuring that every action, whether initiated by a human or an autonomous agent, is verifiable, accountable, and secure by design.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">The Computer Weekly Security Think Tank on AI identity</h3> <ul style="list-style-type: square;" class="default-list"> <li>Mike Gillespie, Advent IM: <a rel="noopener" target="_blank" href="https://www.computerweekly.com/opinion/The-impact-of-AI-driven-ID-solutions-on-enterprise-environments">AI-driven identity must exist in a robust compliance framework</a>.</li> <li>Ellie Hurst. Advent IM: <a rel="noopener" target="_blank" href="https://www.computerweekly.com/opinion/Identity-and-AI-Questions-of-data-security-trust-and-control">Identity and AI: Questions of data security, trust and control</a>.</li> <li>Ted Ernst, Gartner: <a rel="noopener" target="_blank" href="https://www.computerweekly.com/opinion/Why-AI-is-forcing-a-reset-of-the-identity-stack">Why AI is forcing a reset of the identity stack</a>.</li> <li>Jacob Connell, Quorum Cyber: <a href="https://www.computerweekly.com/opinion/Why-AI-agents-are-triggering-a-rethink-of-enterprise-identity" target="_blank" rel="noopener">Why AI agents are forcing a rethink of enterprise identity.</a></li> </ul> </div> </div> </section> The Computer Weekly Security Think Tank considers the intersection of AI and IAM. In this article, explore the changing nature of the identity stack and learn what will change as identity evolves into a real-time control plane for agentic systems. https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Security-Think-Tank-hero.jpg https://www.computerweekly.com/opinion/A-new-frontier-Identity-stack-evolves-for-agentic-systems Fri, 08 May 2026 09:45:00 GMT A new frontier: Identity stack evolves for agentic systems ComputerWeekly.com 60 editor@computerweekly.com