National Grid turns to AI for cyber risk and regulatory clarity: lessons for government teams
National Grid is using AI to help risk and compliance teams see what humans can't at scale: patterns buried in backlogs, vulnerabilities that actually matter, and policy shifts that impact controls. Speaking in London, Jody Elliott, head of risk and sustainability, outlined how agents scan unstructured operational data and surface priority issues for human review.
The takeaway is simple: embedding a risk specialist in every agile squad isn't realistic. AI gives large operators a way to keep pace without adding headcount, and still keep humans in charge of the final call.
From backlog noise to risk signals
Across hundreds of technology projects, oversight breaks when everything is manual. Generative AI sifts through stories, features and continuous updates, then flags the items most likely to carry security or regulatory risk.
Instead of reading thousands of lines, teams work the shortlist. The value is focus: less time scanning, more time fixing.
Prioritising cybersecurity threats
National Grid built an AI agent that merges endpoint data (OS, patch levels) with known vulnerabilities and exploit reports. It was quick to stand up, fast to run, and then rigorously validated by operations teams.
The smart move is context. By overlaying HR data, the system highlights whether an exposed device belongs to an executive or a critical operations team. That shifts priorities from "what's technically severe" to "what would hurt the business most."
Monitoring regulatory change
Compliance moves constantly across jurisdictions. National Grid's agent scans updates from frameworks such as SIP, SOX and PCI, compares them to internal controls, and looks across a rolling 12-month window with a view forward.
The output: where policies may need to change, which controls are drifting, and what to prepare for next. Teams get a living map of change rather than a static checklist.
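The regulatory monitor described above, as an added example that is not National Grid's code: framework updates are compared against an internal control catalogue inside a rolling 12-month window that looks both backward and forward, and each requirement is classified as a gap (no control maps to it), drift (a mapped control was last reviewed before the change was published) or covered. Framework names follow the article; the requirement ids, control ids, dates and summaries are constructed placeholders.

```python
"""Added example (not National Grid's code): regulatory-change monitor that maps
framework updates to an internal control catalogue and flags gaps and drifting
controls inside a rolling 12-month window. All ids and dates are constructed."""
from datetime import date, timedelta

# Constructed framework updates. REQ-* ids are placeholders, not real clauses.
FRAMEWORK_UPDATES = [
    {"framework": "PCI", "req": "REQ-PCI-01", "published": date(2024, 12, 1),
     "effective": date(2025, 3, 31), "summary": "stronger authentication for admin access"},
    {"framework": "SOX", "req": "REQ-SOX-02", "published": date(2025, 4, 1),
     "effective": date(2025, 9, 1), "summary": "change-management evidence retention"},
    {"framework": "PCI", "req": "REQ-PCI-07", "published": date(2025, 5, 15),
     "effective": date(2026, 3, 31), "summary": "logging of privileged sessions"},
    {"framework": "SOX", "req": "REQ-SOX-01", "published": date(2023, 10, 1),
     "effective": date(2024, 1, 15), "summary": "old change, outside the window"},
    {"framework": "PCI", "req": "REQ-PCI-09", "published": date(2025, 5, 20),
     "effective": date(2026, 12, 31), "summary": "too far out for this cycle"},
]

# Constructed control catalogue: each control lists the requirements it satisfies
# and when it was last reviewed.
CONTROL_CATALOGUE = [
    {"control": "IAM-03", "maps_to": ["REQ-PCI-01"], "last_reviewed": date(2024, 11, 1)},
    {"control": "CHG-01", "maps_to": ["REQ-SOX-02", "REQ-SOX-01"], "last_reviewed": date(2025, 5, 10)},
]


def in_window(effective: date, today: date, horizon: timedelta) -> bool:
    """Rolling window: 12 months back (already in force) and 12 months forward (to prepare for)."""
    return today - horizon <= effective <= today + horizon


def assess(update: dict, catalogue: list, today: date) -> dict:
    """Classify one framework update against the catalogue."""
    controls = [c for c in catalogue if update["req"] in c["maps_to"]]
    if not controls:
        finding = "gap"            # nothing in the catalogue addresses this requirement
    elif any(c["last_reviewed"] < update["published"] for c in controls):
        finding = "drift"          # a mapped control predates the change and needs review
    else:
        finding = "covered"
    return {
        "framework": update["framework"],
        "req": update["req"],
        "effective": update["effective"],
        "status": "in force" if update["effective"] <= today else "upcoming",
        "finding": finding,
        "controls": [c["control"] for c in controls],
        "summary": update["summary"],
    }


def monitor(updates: list, catalogue: list, today: date,
            horizon: timedelta = timedelta(days=365)) -> list:
    """Assess every update inside the window, earliest effective date first."""
    report = [assess(u, catalogue, today) for u in updates
              if in_window(u["effective"], today, horizon)]
    return sorted(report, key=lambda e: (e["effective"], e["req"]))


def action_items(report: list) -> list:
    """The monthly flag list: only gaps and drifting controls need work."""
    return [e for e in report if e["finding"] in ("gap", "drift")]


if __name__ == "__main__":
    today = date(2025, 6, 1)   # fixed so the run is reproducible
    for e in monitor(FRAMEWORK_UPDATES, CONTROL_CATALOGUE, today):
        print(f"{e['effective']} {e['status']:8} {e['req']:11} {e['finding']:7} "
              f"controls={e['controls']} :: {e['summary']}")
```

Running with a fixed date keeps the output reproducible; in practice `today` is the run date and the loop is scheduled monthly, with the action-item list routed to the control owners.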
Balancing speed and trust
There's a risk that people over-trust AI outputs. National Grid tackles this with organisation-wide training, from leadership to technical specialists, so teams know when to question results and where human judgement stays non-negotiable.
It's not a one-off. The training is reinforced continually to keep quality and accountability high.
What government teams can copy this quarter
- Start with data you already own: endpoint inventories, vulnerability feeds, exploit signals, control libraries, policy repositories.
- Stand up a lightweight triage agent that joins endpoint data with threat intelligence and known exploited vulnerabilities. Route high-impact items to analysts first.
- Add business context early: mission-critical systems, privileged users, public-facing assets. Prioritisation gets sharper fast.
- Automate regulatory monitoring: track updates across your governing frameworks, map to your control catalogue, and flag gaps monthly.
- Keep a human-in-the-loop review step for every AI recommendation. Document accept/reject decisions for audit.
- Instrument the workflow: measure time-to-triage, patch latency on critical issues, and time-to-policy update after a regulatory change.
- Train the workforce on AI limits, data lineage, and escalation paths. Confidence comes from clarity, not blind trust.
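The triage agent described under "Prioritising cybersecurity threats" and in the checklist above, as an added example that is not National Grid's code: endpoint inventory (OS, patch level, owner) is joined to a vulnerability feed and an actively-exploited list, a business-context overlay (owner role and criticality, standing in for the HR data the article mentions) reweights the technical severity, and every ranked item receives an explicit analyst accept/reject decision that is logged for audit. Hosts, VULN-* ids, CVSS values, owners and the scoring weights are all constructed assumptions.

```python
"""Added example (not National Grid's code): vulnerability triage that joins an
endpoint inventory with a vulnerability feed and an actively-exploited list,
overlays business context, ranks the shortlist, and records the analyst's
accept/reject decision for audit. All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed endpoint inventory: OS, patch level (YYYY-MM) and owning user/service.
ENDPOINTS = [
    {"host": "lt-0101", "os": "Windows 11", "patch_level": "2024-05", "owner": "u100"},
    {"host": "srv-0207", "os": "Ubuntu 22.04", "patch_level": "2024-02", "owner": "svc-scada"},
    {"host": "lt-0342", "os": "Windows 11", "patch_level": "2024-06", "owner": "u217"},
]
# Constructed vulnerability feed; VULN-* ids are placeholders, not real advisories.
VULN_FEED = [
    {"id": "VULN-A", "os": "Windows 11", "fixed_in": "2024-06", "cvss": 9.8},
    {"id": "VULN-B", "os": "Ubuntu 22.04", "fixed_in": "2024-03", "cvss": 7.5},
    {"id": "VULN-C", "os": "Windows 11", "fixed_in": "2024-07", "cvss": 5.3},
]
# Stands in for a known-exploited list such as the CISA KEV catalog.
ACTIVELY_EXPLOITED = {"VULN-B"}
# Constructed HR/asset context: who owns the device and how critical that is (1-3).
CONTEXT = {
    "u100": {"role": "executive", "criticality": 3},
    "u217": {"role": "staff", "criticality": 1},
    "svc-scada": {"role": "critical-operations", "criticality": 3},
}


@dataclass
class Finding:
    host: str
    vuln_id: str
    cvss: float
    exploited: bool
    owner_role: str
    criticality: int
    score: float


def affected(endpoint: dict, vuln: dict) -> bool:
    """An endpoint is affected if it runs the vulnerable OS and its patch level
    predates the fix. YYYY-MM strings compare chronologically as text."""
    return endpoint["os"] == vuln["os"] and endpoint["patch_level"] < vuln["fixed_in"]


def business_score(cvss: float, criticality: int, exploited: bool) -> float:
    """Technical severity weighted by who is exposed, doubled when exploitation
    is known in the wild. Rounded so the ranking is stable and readable."""
    return round(cvss * criticality * (2 if exploited else 1), 1)


def triage(endpoints: list, vuln_feed: list, exploited_ids: set, context: dict) -> list:
    """Join endpoints to vulnerabilities, attach context, return the ranked shortlist."""
    findings = []
    for ep in endpoints:
        ctx = context.get(ep["owner"], {"role": "unknown", "criticality": 1})
        for v in vuln_feed:
            if affected(ep, v):
                hot = v["id"] in exploited_ids
                findings.append(Finding(
                    ep["host"], v["id"], v["cvss"], hot, ctx["role"], ctx["criticality"],
                    business_score(v["cvss"], ctx["criticality"], hot)))
    # Highest business impact first; host and vuln id break ties deterministically.
    return sorted(findings, key=lambda f: (-f.score, f.host, f.vuln_id))


class DecisionLog:
    """Human-in-the-loop record: every ranked item gets an explicit analyst decision."""

    def __init__(self):
        self.entries = []

    def record(self, finding: Finding, analyst: str, decision: str, reason: str) -> dict:
        if decision not in ("accept", "reject"):
            raise ValueError("decision must be 'accept' or 'reject'")
        entry = {
            "when": datetime.now(timezone.utc).isoformat(),
            "host": finding.host, "vuln_id": finding.vuln_id, "score": finding.score,
            "analyst": analyst, "decision": decision, "reason": reason,
        }
        self.entries.append(entry)
        return entry

    def summary(self) -> dict:
        accepted = sum(1 for e in self.entries if e["decision"] == "accept")
        return {"accepted": accepted, "rejected": len(self.entries) - accepted}


if __name__ == "__main__":
    ranked = triage(ENDPOINTS, VULN_FEED, ACTIVELY_EXPLOITED, CONTEXT)
    for f in ranked:
        print(f"{f.score:5.1f}  {f.host:9} {f.vuln_id} cvss={f.cvss} "
              f"{f.owner_role}{'  EXPLOITED' if f.exploited else ''}")
    log = DecisionLog()
    log.record(ranked[0], "analyst-1", "accept", "critical OT host, patch this week")
    log.record(ranked[-1], "analyst-1", "reject", "standard user, low score, next patch cycle")
    print(log.summary())
```

Note how the ranking comes out: the CVSS 7.5 item on the critical-operations server outranks the CVSS 9.8 item on the executive laptop because it is actively exploited, which is the shift from "technically severe" to "what would hurt the business most". The decision log is what makes the human-in-the-loop step auditable; the timestamps and analyst ids it records are also the raw material for the time-to-triage metric in the checklist.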
Why this matters for public-sector operators
Government environments face the same volume problem as utilities: sprawling estates, legacy tech, strict oversight. AI helps teams maintain a real-time view without slowing delivery.
The model is practical: use agents to compress detection and analysis, then apply human judgement where stakes are highest: security incidents, control changes and regulatory interpretations.
Helpful resources
- CISA Known Exploited Vulnerabilities Catalog - align triage with what's actively exploited.
- NIST Cybersecurity Framework - a common language for risk, controls and improvement.
- AI for Government - practical guidance for policy, governance and public-sector AI adoption.
- AI Learning Path for Cybersecurity Analysts - build skills for AI-driven triage, detection and SOC workflows.
Bottom line: use AI to compress the grunt work, add business context, and keep humans accountable. That's how large, regulated organisations move fast without losing control.