OneAdvanced: Where AI, Security and Compliance Meet

Simon Walsh, CEO of OneAdvanced
Simon Walsh, CEO of OneAdvanced, details how the company bounced back from a cyberattack to become a leader in compliance, receiving ISO 42001 certification

Enterprise AI integration introduces new attack vectors, making responsible and compliant adoption a necessity for keeping security risks at bay

For organisations operating in critical and regulated sectors, the convergence of cybersecurity, AI and enterprise risk demands sustained board-level oversight, cultural alignment and operational discipline.

Achieving recognised standards is important, but the real challenge lies in embedding them into the fabric of decision making, engineering practice and strategic planning.

OneAdvanced is a leading provider of sector-focused software solutions that power the world of work. The company delivers cloud-based systems spanning finance, HR and payroll, health and care, education and public sector services, supporting thousands of organisations across the UK and beyond.

Following a defining cyberattack in 2022, OneAdvanced undertook a structural and cultural reset, strengthening accountability, transparency and resilience across the organisation. The subsequent pursuit of ISO 42001 reflects not simply compliance, but a deliberate commitment to responsible AI governance at scale.

In this conversation with Cyber Magazine, Simon Walsh, CEO of OneAdvanced, details how the company bounced back from a cyberattack to become a leader in compliance and governance.

What were the key steps taken by OneAdvanced to receive the ISO 42001 certification?

Achieving ISO 42001 has not been a standalone initiative; it’s the culmination of a broader commitment to how OneAdvanced governs security, risk and AI. We treat AI with the same rigour and board-level oversight as any other critical business function.

The first step was establishing a formal AI management system aligned with ISO 42001 and defining clear policies for responsible AI design, development and deployment.

We’ve embedded risk assessment into our AI lifecycle, including model selection, training data governance, explainability, bias mitigation and human oversight.


We also clarified accountability by introducing defined executive ownership for AI governance, supported by cross-functional representation from security, legal, engineering and product. This ensured AI risk continues to be treated as enterprise risk, not simply a technical concern.

Finally, we are working to integrate our AI controls into existing assurance frameworks, including ISO 27001, to enable coherent, joined-up governance rather than parallel processes. 

Although we continue to refine our approach, especially given the fast-paced nature of developments, our AI certification is very much treated as more than just a compliance exercise.

How did the experience of the 2022 cyberattack change the way the board and executive team think about cybersecurity and AI?

The 2022 cyberattack was a defining moment. It shifted cybersecurity from being viewed primarily as an operational risk to being recognised as a core pillar of enterprise resilience and customer trust.

At the board level, cyber moved from periodic reporting to sustained, structured oversight. We introduced clearer risk appetite discussions, more granular metrics and regular deep dives. The conversation matured from “Are we compliant?” to “Are we resilient, and can we evidence it?”

Importantly, as AI adoption accelerated, lessons learnt from the attack reinforced the need to proactively govern emerging technologies. The board recognised that innovation and security must advance together. That understanding directly informed our decision to pursue ISO 42001 accreditation and to formalise AI governance at enterprise scale.

Today, cybersecurity and AI oversight are embedded in strategic planning, M&A activity and product development. The attack was challenging for us and, even more importantly, our customers, but it acted as a catalyst for lasting reform, strengthening both executive accountability and organisational maturity.  

What were the structural changes implemented to strengthen accountability, transparency and data governance across the organisation following the breach?

Following the attack, we undertook a structural reset to improve clarity of ownership and governance. Cybersecurity accountability was formalised at the executive level, with defined reporting lines to the board and clearer segregation of duties across technology, security and risk functions.

We enhanced our risk management framework, aligning it more explicitly to recognised standards such as NIST and ISO 27001, ensuring traceability between risks, controls and executive reporting. This has greatly improved transparency and enabled evidence-based decision-making.

"Treat AI governance as a board-level issue from the outset," says Simon Walsh, CEO of OneAdvanced

From a data governance perspective, we strengthened asset management, classification and retention processes. A more robust configuration management database (CMDB) and service mapping approach was introduced to ensure critical systems were fully understood and monitored. We also formalised data retention and deletion programmes to improve lifecycle governance.

The result is a more integrated, transparent governance model aligned to our responsibility as a trusted provider to critical sectors.

Were there any cultural changes needed to ensure security and AI governance became embedded priorities across the organisation, rather than just compliance exercises?

Absolutely. Frameworks and certifications only endure if culture supports them. After 2022, we focused heavily on shifting mindsets across the organisation.

We moved away from positioning security as a gatekeeper and instead reinforced it as an enabler of trust and innovation. Security Champions were embedded across engineering and product teams, helping translate policy into practical decision-making.

Training evolved beyond awareness sessions to scenario-based exercises that directly linked security and AI risk to customer impact.

For AI governance specifically, we emphasised responsible innovation. Product teams are encouraged to experiment, but within clearly defined guardrails covering bias, explainability and human oversight.

Security and AI governance are now viewed as integral to how we power the world of work safely. They are not periodic compliance obligations, but non-negotiable core components of a professional engineering discipline.

How are you ensuring that the standards introduced through ISO 42001 are maintained and continually improved over time?

ISO 42001 is not a static certification; it requires active management and continual improvement. We have embedded its requirements into our broader governance rhythm and continue to optimise our approach wherever possible.

AI risk assessments are now part of standard product lifecycle governance. Any new AI capability undergoes documented review covering ethical considerations, data provenance, model transparency and human oversight. These reviews are tracked and auditable.

We also conduct periodic internal audits and management reviews, with defined metrics reported to the executive team and board. This includes monitoring model performance, drift, bias indicators and security posture across AI-enabled systems.

Continuous improvement is supported by threat intelligence, regulatory horizon scanning and participation in industry forums. As regulatory expectations evolve, so do our internal controls.


Crucially, ISO 42001 controls are integrated with our ISO 27001 and broader enterprise risk management processes. This avoids fragmentation and ensures AI governance evolves alongside our security and resilience programmes. It’s not always perfect right now, but we are working hard to improve it every day.

For organisations accelerating AI adoption, what lessons from your own experience would you emphasise to boards and leadership teams?

First, treat AI governance as a board-level issue from the outset. AI risk intersects with reputation, regulatory exposure, operational resilience and customer trust. Delegating it solely to technology teams is insufficient.

Second, establish clear accountability. Define executive ownership and ensure cross-functional representation across security, legal, product and risk. AI cannot sit in a silo.

Third, embed governance into delivery processes rather than layering it on afterwards. Responsible AI design, including explainability, bias mitigation and human oversight, must be part of the engineering discipline.

Fourth, invest in transparency. Boards need meaningful metrics, not technical jargon. Reporting should translate AI risk into clear business impact and customer outcomes.

Finally, learn from adversity. Our 2022 experience reinforced that resilience and governance are long-term capabilities. AI can be transformative, but only if underpinned by strong control environments and a culture of accountability.

The opportunity is significant, but so is the responsibility.

Cybersecurity is a constantly evolving challenge, especially with the rapid progress of AI. How is OneAdvanced working to stay ahead?

Staying ahead requires combining technology, governance and talent. At OneAdvanced, we are investing in AI-enhanced defensive capabilities to improve detection, response and behavioural analysis across our environments. Automation enables faster triage and more consistent control enforcement.

We continuously benchmark our security posture against recognised frameworks and regulatory expectations, particularly given our role supporting customers in critical and regulated sectors. Regular independent assessments provide external validation and challenge.

We are also further strengthening identity and access controls, vulnerability management and resilience engineering to reduce attack surface and improve recovery capability. Cyber resilience is as important as prevention.

On the AI front, we maintain structured oversight of emerging risks, including model manipulation, data poisoning and supply chain exposure. Our AI management system ensures innovation proceeds within defined guardrails.

Ultimately, staying ahead is about discipline and adaptability. Threat actors evolve rapidly, particularly with AI. Our responsibility is to ensure that the organisations who rely on us can operate securely and with confidence.
