Abstract
This postgraduate-level teaching case explores the governance challenges that arise when artificial intelligence becomes embedded within enterprise cybersecurity and operational decision-making. Set in a mid-sized European IT services firm, NovexTech Solutions, the case examines how a ransomware incident affecting AI-enabled analytics systems exposes limitations in existing governance arrangements. While the organisation successfully restores services using established incident response and business continuity procedures, post-incident reviews reveal deeper concerns related to AI model integrity, accountability, and oversight across the AI development and operational lifecycle. As regulatory expectations intensify under frameworks such as the General Data Protection Regulation (GDPR), the Network and Information Systems Directive 2 (NIS2 Directive), and the European Union Artificial Intelligence Act (EU AI Act), NovexTech faces growing pressure from clients, partners, and broader societal stakeholders to demonstrate coherent and defensible governance. Students are invited to analyse governance fragmentation, evaluate trade-offs between control and innovation, and assess how organisations can structure responsible and resilient governance in AI-enabled environments. The case culminates in a board-level governance dilemma requiring senior leadership to determine whether to maintain parallel cybersecurity and AI governance structures or redesign governance into an integrated framework capable of managing AI-enabled cyber risk while sustaining innovation and regulatory accountability.
Keywords
Introduction and organisational context
NovexTech Solutions is a mid-sized European IT services and consulting firm headquartered in Germany, employing approximately 1,200 staff across several EU countries. The organisation provides enterprise technology services to clients operating in highly regulated sectors, including finance, healthcare, and manufacturing. For these clients, reliability, compliance, and resilience are not optional attributes but contractual and regulatory necessities. Service disruptions, data breaches, or governance failures can quickly translate into financial penalties, reputational damage, and loss of trust. As a result, NovexTech’s competitive position depends not only on technical capability, but also on its ability to demonstrate robust governance and risk management practices. Trust has become a commercial asset, and assurance around security, data protection, and emerging technologies increasingly shapes client relationships even before incidents occur.
Over the past five years, artificial intelligence has become embedded across NovexTech’s operations and service offerings. Machine learning capabilities are integrated into cybersecurity monitoring platforms to identify anomalous network behaviour across client environments. Automated recruitment tools are used internally and offered to clients to screen large volumes of job applications, influencing hiring decisions at scale. Customer analytics systems support predictive insights into usage patterns and service optimisation, while AI-enabled operational analytics assist with forecasting and performance monitoring. These systems are not isolated experiments; they are embedded within core business processes and relied upon by multiple departments, including security operations, human resources, sales, and client delivery teams. As a result, decisions that were once human-led are now shaped, prioritised, or automated by AI-driven systems, creating new dependencies and forms of organisational risk.
In response to growing awareness of ethical and regulatory expectations surrounding AI, NovexTech launched an internal initiative known as ‘AI with Integrity’. The programme was intended to ensure that AI systems were developed and deployed responsibly, with attention to fairness, transparency, and compliance. A cross-functional committee was established, bringing together representatives from information security, legal and compliance, data science, and human resources. The initiative referenced established regulatory and ethical touchpoints, including obligations under the General Data Protection Regulation (GDPR), the Organisation for Economic Co-operation and Development (OECD) Principles on Artificial Intelligence, and early drafts of the European Union Artificial Intelligence Act (EU AI Act). Its focus was largely on policy development, project approvals, and ethical review at the design stage of new AI initiatives. While ‘AI with Integrity’ signalled organisational intent and awareness, its emphasis remained primarily at the policy and oversight level rather than within day-to-day operational controls.
At the same time, cybersecurity governance at NovexTech followed a more traditional and operationally mature model. Responsibility sat with the Chief Information Security Officer (CISO), whose remit covered threat management, incident response, audits, and alignment with established security standards. Cybersecurity governance focused on technical controls, system resilience, and regulatory compliance related to information security. AI governance, by contrast, was framed as a broader ethical and regulatory concern, managed through committees, guidance documents, and reporting mechanisms. Although AI-enabled systems operated within the same technical environments as other enterprise systems, the two governance domains rarely intersected in formal processes. Responsibilities overlapped in practice but were separated structurally, leaving gaps in accountability and assurance that were not immediately visible during routine operations. Senior leadership viewed this separation as both practical and efficient. Cybersecurity governance addressed technical threats, while AI governance managed ethical and regulatory considerations. Few questioned whether risks created by AI-enabled systems might require integrated oversight. The structural separation between cybersecurity and AI governance is summarised in Exhibit 1.
Exhibit 1. Governance structure at NovexTech prior to the incident. The structure reflects a clear functional separation between cybersecurity and AI governance responsibilities.
These arrangements had not yet been seriously tested. NovexTech’s leadership was confident that existing security controls, compliance processes, and ethical review mechanisms provided adequate coverage for the organisation’s expanding AI footprint. Assumptions about governance coherence, risk ownership, and operational resilience therefore remained largely unchallenged. However, as AI systems became more deeply embedded in critical processes, the distinction between technical security, ethical oversight, and regulatory compliance grew increasingly blurred. The conditions were in place for these assumptions to be tested in ways the organisation had not fully anticipated.
The cyber incident: A governance stress test
In early 2024, NovexTech Solutions experienced a ransomware incident that disrupted a critical part of its cloud-based operating environment. The attack affected development and analytics platforms used internally and by several enterprise clients. While core customer databases remained intact, multiple systems became unavailable for extended periods, preventing project teams from accessing development environments and interrupting analytics-driven reporting services. Internal operations were affected first, as engineers and analysts were unable to resume routine work, but the impact quickly extended to customer-facing dashboards and service-level commitments. Within hours, it became clear that the incident was not a minor technical fault but a significant business disruption. Service availability, an expectation central to NovexTech’s value proposition, had been compromised, raising immediate concerns about contractual obligations and client confidence.
As the security operations team investigated the disruption, additional risks emerged. Security monitoring tools identified a series of phishing attempts targeting senior executives, including members of the executive leadership team. Although no immediate evidence of credential compromise was confirmed, the timing of the phishing activity raised concerns about coordinated efforts to gain privileged access. Leadership worried that compromised credentials could enable lateral movement across systems or facilitate insider-style attacks during the period of reduced visibility. These developments broadened the perceived scope of the incident beyond system availability to include confidentiality and integrity risks. Senior management was briefed, and initial updates were shared with the board, marking the point at which the incident became a governance concern rather than solely an operational issue.
In response, NovexTech activated its established incident response and business continuity procedures. Affected systems were isolated to prevent further spread, and backup restoration processes were initiated in line with existing recovery plans. Communication channels were established to provide regular updates to senior management, while operational teams prioritised the restoration of services with the greatest client impact. Temporary workarounds were introduced to allow limited continuation of critical functions while systems were being recovered. Legal and compliance teams were engaged early to assess notification obligations and regulatory exposure, particularly under GDPR and the NIS2 Directive. Within several days, core systems were restored and normal service levels resumed. From a procedural perspective, the response followed expected protocols, and recovery milestones were largely achieved within anticipated timeframes.
Despite the apparent success of the recovery effort, unease persisted during post-incident reviews. Investigation revealed that the ransomware attack had exploited a vulnerability within an AI-enabled analytics pipeline used to process and generate client reports. While infrastructure-level controls were well defined, governance and security measures surrounding AI-specific components were less mature. Controls governing access to training data, storage of model artefacts, and version management were weaker than those applied to traditional enterprise systems. Logging and monitoring capabilities focused primarily on system performance and availability, offering limited insight into AI model behaviour during the incident. This raised difficult questions about whether models had been manipulated, misused, or silently degraded without detection, even after systems were restored.
These findings highlighted a broader challenge. Existing security controls had been designed around servers, applications, and data repositories, but AI-enabled components introduced new attack surfaces that did not fit neatly into established categories. Model integrity could not be assessed using conventional data validation checks, and there was limited assurance that outputs generated during or after the incident had not been affected. While no immediate evidence of misuse was identified, the absence of clear visibility created uncertainty. The incident no longer appeared to be a contained event but a signal that parts of the organisation’s technology landscape had remained outside the scope of routine security oversight.
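The gap the review describes, that infrastructure-level controls and conventional data validation say nothing about whether the model artefact on disk, or the model actually serving requests, is the one that was released, is concrete enough to show as code. The following Python is an added example written for this edit, not NovexTech's code and not part of the original case: it pairs a signed hash manifest over the model artefacts with a set of behavioural canaries (fixed inputs whose release-time outputs were recorded) and runs both against constructed tampering scenarios. The model (a three-weight linear scorer stored as JSON), the canary values, the signing key, the version string and the file name are all assumptions made for the example.

```python
"""Added example (not NovexTech's code): verify a deployed model at two layers,
the artefacts on disk (signed hash manifest) and the behaviour of whatever is
actually serving requests (behavioural canaries). Standard library only."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed stand-in for a serialised model: a three-weight linear scorer.
SAMPLE_WEIGHTS = {"w": [0.5, -1.0, 2.0], "b": 0.1}
# Constructed canaries: fixed inputs with the outputs recorded at release time.
CANARIES = [([1.0, 1.0, 1.0], 1.6), ([0.0, 2.0, 0.5], -0.9)]
TOLERANCE = 1e-9


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artefact_dir: Path, version: str) -> dict:
    """Version plus SHA-256 of every file in the artefact directory."""
    files = {p.name: sha256_file(p) for p in sorted(artefact_dir.iterdir()) if p.is_file()}
    return {"version": version, "files": files}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding; the key must live outside the pipeline."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def predict(weights: dict, x: list) -> float:
    return sum(w * xi for w, xi in zip(weights["w"], x)) + weights["b"]


def check_artefacts(artefact_dir: Path, manifest: dict, signature: str, key: bytes) -> list:
    """Findings for the artefacts on disk; an empty list means they match the signed release."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature invalid"]  # nothing in the manifest can be trusted
    findings = []
    present = build_manifest(artefact_dir, manifest["version"])["files"]
    for name, expected in manifest["files"].items():
        actual = present.get(name)
        if actual is None:
            findings.append(f"missing artefact: {name}")
        elif actual != expected:
            findings.append(f"hash mismatch: {name}")
    findings.extend(f"unexpected artefact: {name}" for name in present if name not in manifest["files"])
    return findings


def check_behaviour(predict_fn, canaries=CANARIES, tol=TOLERANCE) -> list:
    """Findings for the model that is actually answering requests, whatever is on disk."""
    findings = []
    for x, expected in canaries:
        got = predict_fn(x)
        if abs(got - expected) > tol:
            findings.append(f"canary drift: input={x} expected={expected} got={got}")
    return findings


def demo() -> dict:
    """Run the checks against a clean release and three constructed tampering scenarios."""
    key = b"release-signing-key-held-outside-the-pipeline"  # hypothetical key material
    results = {}
    with tempfile.TemporaryDirectory() as d:
        art = Path(d)
        wfile = art / "weights.json"
        wfile.write_text(json.dumps(SAMPLE_WEIGHTS))
        manifest = build_manifest(art, "1.4.2")
        sig = sign_manifest(manifest, key)
        results["clean"] = (check_artefacts(art, manifest, sig, key)
                            + check_behaviour(lambda x: predict(SAMPLE_WEIGHTS, x)))
        # 1. Artefact rewritten on disk after release: hash no longer matches.
        tampered = dict(SAMPLE_WEIGHTS, w=[0.5, -1.0, 2.5])
        wfile.write_text(json.dumps(tampered))
        results["tampered_file"] = check_artefacts(art, manifest, sig, key)
        # 2. Attacker also regenerates the manifest but cannot re-sign it.
        forged = build_manifest(art, "1.4.2")
        results["forged_manifest"] = check_artefacts(art, forged, sig, key)
        # 3. Files restored from backup, but the serving process still holds other weights.
        wfile.write_text(json.dumps(SAMPLE_WEIGHTS))
        results["restored_files"] = check_artefacts(art, manifest, sig, key)
        results["hot_swapped_model"] = check_behaviour(lambda x: predict(tampered, x))
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

Two points the scenarios make. A valid manifest signature proves nothing about an artefact that has since been rewritten on disk, and intact artefacts prove nothing about the weights held by a long-running serving process, which is why the behavioural check runs against the predictor that answers requests rather than against the files. In a real deployment the signing key would sit in an HSM or a release system outside the pipeline's blast radius, the manifest and canary set would be versioned with the model as first-class assets, and both checks would be part of the post-restore checklist rather than an afterthought.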
As discussions continued, governance and accountability questions came to the forefront. Internal stakeholders debated whether AI models should be treated as critical assets and included formally in asset inventories and risk registers. Uncertainty emerged over who was accountable if an AI model had been compromised or produced unreliable outputs as a result of the incident. Security teams focused on containment and recovery, data science teams emphasised the complexity of model behaviour, and compliance functions questioned how assurance could be demonstrated to regulators or clients. No single group could clearly articulate ownership of AI-related cyber risk, revealing blurred responsibilities that had not been apparent before the incident.
Although services were restored and immediate operational risks appeared to be under control, confidence had been shaken. Leadership recognised that technical recovery did not equate to full resolution. Existing governance arrangements had enabled response and recovery but had offered limited guidance on how to assess or manage AI-specific risks exposed by the incident. Attention began to shift away from the mechanics of the attack toward broader questions about the adequacy of governance structures in an environment where AI systems were deeply embedded in critical operations. The incident had been managed, but it had also exposed assumptions that could no longer be taken for granted. The sequence of events and the shift from operational incident response to governance-level concern are summarised in Exhibit 2.
Exhibit 2. Timeline of the cyber incident at NovexTech.
AI systems under pressure
Although NovexTech’s core systems were restored and services resumed, the incident’s broader implications continued to unfold, prompting a noticeable shift in leadership attention. Initial confidence in the organisation’s ability to manage cyber risk gave way to a more reflective assessment of what the incident had revealed. Senior leaders recognised that while infrastructure recovery had been achieved, unanswered questions remained about the integrity and behaviour of AI-enabled systems operating within that infrastructure. Post-incident reviews began to move beyond servers, networks, and applications to focus on AI components that had previously been treated as peripheral. Assumptions that AI systems were adequately covered by existing security controls were no longer taken for granted. Although the incident had not caused widespread failure of AI systems, it had exposed uncertainty about how those systems might behave under stress and how their risks should be understood, monitored, and governed.
One system that came under renewed scrutiny was NovexTech’s automated recruitment platform. The platform used natural language processing to screen and rank large volumes of job applications, supporting both internal hiring and client-facing recruitment services. The system had been justified on the basis of efficiency and scalability, enabling recruitment teams to manage demand that would otherwise be unmanageable through manual review. Even before the cyber incident, internal stakeholders had raised concerns about transparency and explainability, particularly when candidates questioned screening outcomes. The incident heightened sensitivity around these issues, as leadership considered the implications of relying on opaque decision-making systems in a context of increased risk awareness. Attention turned to whether sufficient documentation, oversight, and assurance mechanisms were in place to justify the system’s use, especially given its potential classification as a high-risk application under emerging AI regulation.
As discussions progressed, it became clear that governance attention across the AI development and operational lifecycle was uneven. Formal oversight was strongest at the point where new AI initiatives were proposed and approved, with ethical reviews and compliance checks conducted before projects commenced. Once systems moved into deployment, however, governance mechanisms became less structured. Responsibility for monitoring, retraining, and ongoing performance assurance often rested informally with technical teams, without consistent reporting or escalation pathways. In practice, governance intensity declined after initial approval, even as systems became more deeply embedded in business processes. This uneven visibility meant that risks associated with data drift, model degradation, or unintended outcomes were not systematically assessed, reinforcing the perception that AI risk was static rather than evolving.
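What a systematic assessment of the drift risk named here would look like in practice can be shown with a small monitor. The following Python is an added example, not code from the case or from NovexTech: it computes the population stability index (PSI) between a reference distribution of model output scores captured at release and the scores observed in a later window, and maps the value to the conventional bands (below 0.1 stable, 0.1 to 0.25 watch, above 0.25 drift). The score samples, bin edges and thresholds are constructed for the example; the thresholds are widely used rule-of-thumb values, not a standard.

```python
"""Added example (not NovexTech's code): population stability index (PSI)
as a systematic drift check on the scores a deployed model produces."""
import math

# Constructed reference scores captured at release: 100 values spread evenly
# across [0, 1), placed at bin mid-points so none sits on a bin edge.
REFERENCE_SCORES = [(i + 0.5) / 100 for i in range(100)]
# Constructed later window whose scores have shifted upward and saturated.
SHIFTED_SCORES = [min((i + 0.5) / 100 + 0.3, 0.995) for i in range(100)]
# Constructed window with only a mild change: five low scores replaced by high ones.
MILD_SCORES = REFERENCE_SCORES[5:] + [0.995] * 5
BIN_EDGES = [0.0, 0.2, 0.4, 0.6, 0.8, 1.0]
EPS = 1e-4  # floor for an empty bin so the log term stays finite


def bin_fractions(scores, edges=BIN_EDGES):
    """Fraction of scores in each [edges[j], edges[j+1]) bin; the last bin includes its upper edge."""
    counts = [0] * (len(edges) - 1)
    last = len(counts) - 1
    for s in scores:
        for j in range(len(counts)):
            if edges[j] <= s < edges[j + 1] or (j == last and s == edges[-1]):
                counts[j] += 1
                break
    return [c / len(scores) for c in counts]


def psi(reference, current, edges=BIN_EDGES, eps=EPS):
    """PSI = sum over bins of (cur - ref) * ln(cur / ref), with empty bins floored at eps."""
    value = 0.0
    for r, c in zip(bin_fractions(reference, edges), bin_fractions(current, edges)):
        r, c = max(r, eps), max(c, eps)
        value += (c - r) * math.log(c / r)
    return value


def drift_status(value):
    """Conventional rule-of-thumb bands; tune per model rather than treating as fixed."""
    if value < 0.1:
        return "stable"
    if value < 0.25:
        return "watch"
    return "drift"


def assess(reference, current):
    """One monitoring record: PSI value and the band it falls in."""
    value = psi(reference, current)
    return {"psi": round(value, 4), "status": drift_status(value)}


if __name__ == "__main__":
    print("same window:   ", assess(REFERENCE_SCORES, REFERENCE_SCORES))
    print("mild change:   ", assess(REFERENCE_SCORES, MILD_SCORES))
    print("shifted window:", assess(REFERENCE_SCORES, SHIFTED_SCORES))
```

A monitor like this belongs in the deployed system's reporting, with the reference sample versioned alongside the model artefact and the drift band wired to an escalation path, so that the assessment is a scheduled control rather than something a technical team remembers to do. PSI on output scores catches a change in what the model is producing but not why, so a drift alert is a trigger for investigation (upstream data change, retraining, or tampering) rather than a verdict.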
A second system attracting attention was NovexTech’s AI-driven cybersecurity threat detection platform. Marketed as a differentiating capability, the system used machine learning to identify anomalous patterns across client networks and to escalate alerts for investigation. The platform was valued for its speed and ability to surface potential threats that traditional rule-based systems might miss. However, the incident prompted questions about governance arrangements surrounding its use. Analysts struggled to explain certain alerts in ways that were meaningful to clients or auditors, and accountability for false positives or undetected threats was not clearly defined. In some cases, automated responses were triggered with limited human oversight, raising concerns about decision-making authority and responsibility. The system exemplified a growing tension: AI functioned simultaneously as a security control and as a source of organisational risk.
These issues surfaced differing priorities across the organisation. Security teams emphasised the need to reduce uncertainty and strengthen controls around AI-enabled systems, particularly those involved in decision-making. Data science teams cautioned that excessive restrictions could slow innovation and reduce the effectiveness of adaptive models. Human resources and legal teams focused on fairness, transparency, and compliance risks associated with people-facing AI systems, while commercial leaders remained concerned about maintaining competitiveness and client confidence. Leadership found itself balancing speed, accountability, trust, and regulatory expectations, with no clear consensus on how risks should be prioritised. Governance challenges were no longer confined to technical implementation but reflected deeper organisational and cultural tensions.
Gradually, a broader realisation emerged. AI-related risks could not be neatly separated into ethical, security, or operational categories. Issues of bias, accountability, and societal impact intersected with concerns about system integrity and resilience in ways that traditional security approaches did not fully address. Managing these risks in isolation, through separate governance mechanisms, appeared increasingly inadequate. Attention began to turn toward the governance structures themselves and whether they were fit for an environment in which AI systems played an active role in shaping organisational decisions.
The incident had acted as a catalyst, shifting the problem from one of system performance to one of governance design. What remained unresolved was whether NovexTech’s existing governance structure was capable of managing AI-enabled risk, or whether more fundamental organisational change was required. To assess this question, it became necessary to examine how governance responsibilities were currently structured across the organisation.
Governance fragmentation
At NovexTech, governance responsibilities were formally distributed across several well-defined functions. Cybersecurity governance sat under the remit of the Chief Information Security Officer (CISO), whose responsibilities included threat management, security controls, audits, and incident response. This function operated with a strong operational and technical orientation, focusing on system resilience and service continuity. Data protection and privacy compliance were overseen by the Data Protection Officer (DPO), who managed GDPR obligations, breach notification processes, and privacy impact assessments. Separately, AI governance was coordinated through an ethics and governance committee that reviewed proposed AI initiatives, assessed alignment with organisational principles, and considered regulatory implications. Each function exercised authority within its defined scope, and decision-making responsibilities were clearly articulated. However, these responsibilities were structured in parallel, with limited formal mechanisms to address risks that spanned multiple domains.
In day-to-day operations, the separation between governance streams became more pronounced. Cybersecurity risk registers were maintained independently of AI governance documentation, and incident response planning focused primarily on traditional systems and data assets. AI risk reviews tended to occur at the point of project approval, often as qualitative assessments conducted outside operational workflows. As a result, AI models were not consistently recorded as critical assets within security inventories, and risks associated with their behaviour were rarely translated into actionable controls. Security audits assessed infrastructure performance and access management but did not routinely examine AI model behaviour or decision outputs. Coordination between teams relied largely on informal communication rather than embedded processes, making integration dependent on individual initiative rather than organisational design.
Post-incident discussions brought questions of accountability and assurance into sharper focus. Uncertainty emerged over who held responsibility for the integrity of AI models once they were deployed into production environments. It was unclear whether accountability for bias, misuse, or degraded performance rested with data science teams, operational owners, or governance bodies. Questions were also raised about who would formally sign off on AI-related security risks and who could credibly assure regulators or clients that appropriate controls were in place. Auditing AI-driven decisions proved challenging, particularly where automated systems influenced outcomes without clear documentation of decision pathways. These issues highlighted gaps not in technical competence, but in governance design, where responsibilities overlapped or disappeared at critical points.
Organisational tensions further complicated the situation. Security teams advocated for tighter controls and clearer oversight of AI-enabled systems, emphasising the need to reduce uncertainty and improve assurance. Data science teams expressed concern that increased governance requirements could slow development cycles and limit the adaptability of models. Product and delivery teams worried that additional controls might undermine competitiveness in a market where responsiveness and innovation were key differentiators. Senior leadership faced the challenge of balancing these competing priorities while maintaining trust with clients and regulators. Differences in risk tolerance and operational focus made consensus difficult, reinforcing the sense that governance choices involved strategic trade-offs rather than purely technical decisions.
Over time, it became apparent that existing arrangements were unlikely to scale with the organisation’s growing reliance on AI. Fragmented governance structures required increasing levels of coordination to function effectively, and ad hoc solutions were proving insufficient. Leadership began to recognise that governance needed to be defensible, coherent, and transparent, not only in routine operations but under scrutiny. Early indicators suggested that external expectations around accountability and assurance would continue to intensify, increasing the cost of ambiguity. What had once been manageable at team level was now emerging as a strategic concern, setting the stage for broader questions about how governance should be structured going forward.
Regulatory and societal pressure
Alongside internal reflection, NovexTech faced an external environment in which regulatory expectations were becoming increasingly demanding. Compliance obligations extended beyond traditional data protection concerns under GDPR to encompass broader requirements for cyber resilience and reporting under the NIS2 Directive. At the same time, the forthcoming EU AI Act signalled a shift toward risk-based governance of AI systems, with heightened expectations for documentation, oversight, and accountability. These regulatory regimes addressed different dimensions of risk but overlapped in their demand for demonstrable governance. Regulators were no longer satisfied with high-level policies alone; they expected evidence of how responsibilities were assigned, how risks were monitored, and how decisions were justified in practice. For NovexTech, fragmented governance structures made it difficult to present a coherent picture of control across cybersecurity and AI-enabled systems.
Market pressures reinforced these concerns. Following the incident, several clients sought reassurance regarding the security and governance of AI-enabled services. Questions focused not only on system availability but also on accountability for decisions influenced or made by AI, particularly in security monitoring and recruitment contexts. Clients requested greater transparency around risk management practices, auditability of AI-driven processes, and clarity on escalation procedures should failures occur. Due diligence questionnaires became more detailed, and contractual discussions increasingly referenced assurance obligations and shared responsibility for risk. While NovexTech had existing responses to many of these queries, they were often drawn from separate governance domains and lacked consistency. This fragmentation made it harder to provide clear, unified assurances, affecting client confidence and complicating commercial negotiations.
Beyond regulation and contractual obligations, societal expectations also shaped the organisation’s risk landscape. Public discourse around AI fairness, transparency, and misuse continued to intensify, influencing how organisations deploying AI were perceived. NovexTech’s automated recruitment platform raised questions about fairness and explainability that could affect its employer brand, while its AI-driven security services carried reputational implications if opaque decisions led to unintended consequences for clients or employees. Leadership recognised that trust in AI-enabled systems extended beyond compliance, touching on broader societal confidence. A single high-profile failure – whether related to biased outcomes or security misjudgements – could undermine credibility built over years. These considerations amplified the impact of regulatory scrutiny and increased the cost of governance failure.
Gradually, governance came to be viewed not merely as a compliance function but as a strategic capability. Leadership acknowledged that fragmented arrangements weakened the organisation’s ability to demonstrate accountability, both internally and externally. Incremental adjustments and informal coordination were no longer sufficient to meet rising expectations for transparency and assurance. Attention turned toward the governance structures themselves and whether they were capable of supporting secure and responsible AI use at scale. The executive leadership team now faced a strategic choice: should NovexTech strengthen coordination across existing governance functions, or redesign its structure to integrate cybersecurity and AI oversight under a unified framework? The decision would shape not only the governance structure but the organisation’s ability to sustain trust, resilience, and legitimacy, and its long-term strategic positioning in AI-enabled markets.
The decision point
In the weeks following the incident and subsequent reviews, governance became the central strategic issue and was formally escalated to the executive committee and board. The meeting was convened to address growing concern that cybersecurity risk, AI governance, and regulatory expectations were no longer separable issues. Board members acknowledged that while operational teams had managed the immediate disruption effectively, the organisation now faced a more strategic challenge. Questions centred on accountability, assurance, and the organisation’s ability to demonstrate control over AI-enabled systems to regulators, clients, and partners. Incremental adjustments at team level were seen as insufficient. Senior leadership requested a clear recommendation on how governance should be structured to support secure and responsible AI use going forward. The Chief Executive Officer was tasked with preparing the recommendation for the board.
Option 1: Strengthened coordination within existing structures
One option under consideration was to maintain NovexTech’s existing parallel governance structures while strengthening coordination between them. Under this approach, cybersecurity governance would remain under the leadership of the CISO, focusing on threat management, incident response, and technical controls. AI governance would continue to be managed through policy-driven oversight and ethics committees, with increased information sharing, joint reviews, and clearer escalation pathways between functions. This option appealed to some leaders because it minimised organisational disruption and preserved familiar roles and responsibilities. However, it relied heavily on effective coordination and informal collaboration, raising concerns that fragmentation could persist and that accountability might remain diffuse under pressure.
Option 2: Integrated cyber-AI governance framework
An alternative option involved redesigning governance to integrate cybersecurity and AI oversight into a single, coherent framework. This approach would align risk management across cyber and AI domains, providing end-to-end oversight across the AI lifecycle, from design and deployment through to monitoring and review. Clear lines of accountability would be established for AI-enabled systems, supporting more consistent assurance to regulators and clients. Proponents argued that integration could strengthen governance coherence and improve regulatory defensibility. At the same time, leadership recognised that this option would require organisational change, cultural adjustment, and potentially slower decision-making during implementation. There were concerns about resistance from teams accustomed to existing structures and about the impact on innovation speed in a competitive market. The key distinctions between the two governance approaches are summarised in Exhibit 3.
Exhibit 3. Comparison of governance structure options.
The decision was further complicated by practical constraints. An upcoming external audit and several key client contract renewals increased time pressure, while resources for large-scale organisational change were limited. Uncertainty surrounding the final form and enforcement of emerging AI regulation added to the challenge, as did differing levels of maturity in understanding AI-related risks across the organisation. Delaying a decision carried its own risks, but committing to a new governance model without complete clarity also posed challenges. As the meeting concluded, the board deferred judgement, requesting a detailed recommendation. The future shape of NovexTech’s governance framework and its ability to operate securely and responsibly in an AI-enabled environment now depended on a decision that had yet to be made. How should NovexTech structure its governance to manage AI-enabled risk while sustaining innovation, accountability, and trust?
Learning objectives and discussion questions
Learning objectives
By the end of the case discussion, students should be able to:
1. Evaluate how cybersecurity incidents in AI-enabled organisations reveal governance and risk management limitations beyond traditional incident response and business continuity frameworks.
2. Apply core information security principles (confidentiality, integrity, and availability) to analyse risks associated with AI-enabled systems and decision-making processes.
3. Assess how organisational governance structures influence accountability, oversight, and risk ownership across the AI development and operational lifecycle.
4. Examine how regulatory frameworks and responsible AI principles shape organisational governance strategies in AI-enabled environments.
5. Evaluate strategic trade-offs between governance integration, regulatory compliance, innovation, and organisational resilience in response to emerging AI risks.
Discussion questions
A. Incident and technical risk
1. To what extent did NovexTech’s incident response and business continuity arrangements address the operational disruption caused by the ransomware attack, and where did limitations become apparent when AI-enabled systems were incorporated into the analysis?
2. How should the CIA triad be interpreted in the context of AI-enabled analytics and security systems, and what aspects of confidentiality, integrity, or availability were most challenged in this case?
B. Lifecycle governance and accountability
3. In what ways did governance gaps across the AI development and operational lifecycle contribute to uncertainty during the post-incident review, and which stages of the AI lifecycle appeared least visible to existing governance and control mechanisms?
4. How might organisational accountability for AI-driven decisions such as automated recruitment screening or security alert escalation be clarified when outcomes are difficult to explain or audit?
C. Regulatory and societal pressure
5. What strategic trade-offs arise when organisations like NovexTech attempt to balance regulatory compliance (GDPR, NIS2, and EU AI Act) with innovation and operational efficiency in AI-enabled services?
6. How do societal expectations around fairness, transparency, and trust amplify the impact of technical or security failures in AI-enabled systems, particularly in people-facing applications?
D. Strategic governance decision
7. Given the options presented, how should NovexTech evaluate the feasibility and risks of maintaining parallel governance structures versus adopting an integrated cybersecurity and AI governance framework?
8. What criteria should guide NovexTech in determining whether governance integration is necessary, and how should governance effectiveness be evaluated over time?
9. What organisational, cultural, or operational barriers might NovexTech face when implementing an integrated governance framework, and how could these challenges be managed?
Footnotes
Acknowledgements
The authors thank colleagues and students at Coventry University for informal feedback on early versions of this teaching case. No third-party writing or editing assistance was used.
Ethical considerations
Not applicable. This teaching case is based on a fictionalised organisation and scenario and does not involve human participants, personal data, or human subject research. As such, formal ethical approval was not required.
Funding
The authors received no financial support for the research, authorship, and/or publication of this article.
Declaration of Conflicting Interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Data Availability Statement
Data sharing is not applicable to this article as no datasets were generated or analysed during the development of this teaching case.
Use of artificial intelligence tools
A generative artificial intelligence tool (e.g. ChatGPT) was used in a limited and supportive capacity during manuscript preparation to assist with language refinement, structural organisation, and clarity of expression. All substantive content, case design, pedagogical framing, analysis, and final editorial decisions were developed and approved by the authors, who retain full responsibility for the accuracy, integrity, and originality of the work.
