Chapter 6: The Audit That Saved My Business (And The Informal Governance That Didn't)
Why Formalised Governance Determined Survival Under Unpredictable Conditions
Published: 22 February 2026
Reading time: 11-14 minutes
Key framework introduced: The Governance-Resilience Connection (inherited governance vs. designed governance)
I ran two agencies. One survived when a major client froze payments during an internal investigation. The other closed. The difference wasn't talent, client relationships, or market conditions. It was structure.
Here's what I didn't understand at the time: the structure that saved XEIOH wasn't something I'd built for resilience. It was imposed on us by the pharmaceutical clients we served — Sanofi, Boehringer Ingelheim, Roche, AstraZeneca, Smith & Nephew. Companies that don't let marketing materials move without documented approval chains, version control, and sign-off from their own compliance teams. I'd built the processes to keep clients. The resilience was a side effect I only recognised in hindsight.
That's actually the more important lesson. You don't have to design governance for the worst-case scenario. You just have to have it.
The Two Agencies
For nearly fifteen years, I ran two agencies simultaneously in South Africa. XEIOH and Zonke Ignition operated in the same market and drew on shared resources. From the outside, they looked like variations on the same thing. From the inside, they were structured very differently.
XEIOH served pharmaceutical clients. That single fact determined almost everything about how it operated. The work we produced — campaign localisations, promotional materials, healthcare communications — had to pass through the client's own regional approval process before it could be used. Not our approval. Theirs. The MLR (medical-legal-regulatory) teams at Sanofi and Roche weren't checking our work as a courtesy. They were gatekeepers inside a global compliance infrastructure, and every piece of output we produced had to meet their standards before their name went near it.
That meant XEIOH ran documented processes whether we liked it or not. Version control wasn't optional — you can't run a compliant pharmaceutical approval chain without it. Audit trails weren't a nice-to-have — they were what you handed to the client when they needed to demonstrate regulatory readiness. Briefing documents, review stages, sign-off records: all of it existed because the clients required it as a condition of the relationship.
Zonke was different. It served clients where the work moved faster and the governance requirements were lighter. Good clients, good work, good relationships. The agency ran on experience, trust, and the kind of informal systems that work perfectly well when nothing is going wrong. Most of the time, nothing was going wrong.
Then something went wrong.
The Crisis
A major client froze payments during an internal investigation. Zonke was the agency owed the money. The payments stopped. The pressure arrived immediately.
XEIOH was caught in the blast radius through shared resources. Same crisis. Same market. Same external pressure. Different outcome.
Zonke couldn't hold. The informal systems that had served it well under normal conditions weren't designed to absorb structural stress. There were no documented processes to fall back on, no formal frameworks to organise a response, no paper trail to support recovery conversations with creditors or other clients. What existed was relationships, goodwill, and reputation — all genuinely valuable, none of it sufficient when the pressure became structural rather than operational. Zonke closed.
XEIOH survived.
I didn't fully understand why at the time. I was in the middle of it, managing the immediate damage, not analysing governance structures. The insight came later, and slowly — which is probably why it's more useful than a strategic foresight story would be.
Why XEIOH Held
The honest answer is that XEIOH held because Sanofi and AstraZeneca had required it to.
Not metaphorically. Literally. The documented processes that provided operational continuity during the crisis existed because pharmaceutical clients make them a condition of supplier relationships. When you localise promotional materials for a global pharmaceutical company, the work doesn't move on your say-so. It goes through the client's regional medical-legal-regulatory team — MLR, in the industry shorthand — before a single version is approved for use. That team operates under the company's global compliance policies. Which means the agency producing the work has to run processes that can interface with those policies at every stage.
In practice, that meant: every brief was documented before creative work began. Every version of every asset was numbered, tracked, and archived. Every review stage had a named owner and a recorded outcome. When the MLR team came back with changes — and they always came back with changes — the revision history showed exactly what had changed, who had requested it, and why. When a final version was approved, the approval was recorded with the date, the signatory, and the distribution scope. Nothing moved without a paper trail. Not because we'd decided that was good practice. Because the client's compliance infrastructure required it before they'd put their name on the work.
This wasn't a light administrative layer. Pharmaceutical companies operating in the EU and UK under ABPI governance requirements — and the global companies we worked with set their standards accordingly — maintain documented processes with three-year retention requirements on promotional materials. They conduct supplier audits. They require agencies to operate within their approval chains, not alongside them. XEIOH wasn't a supplier that worked for these companies. It was a delivery partner embedded inside their compliance infrastructure.
The texture of that, day-to-day, was: briefing templates that captured every relevant detail before creative commenced. Version control that made it possible to reconstruct the history of any asset at any point. Approval records that could be produced on request. A team that understood why these processes existed and ran them as a matter of course, not as a burden. It wasn't bureaucratic — it was just how pharmaceutical marketing gets done when the client's name is on the output and their compliance team is signing off the final version.
XEIOH hadn't designed this system for resilience. We'd designed it to keep clients. The governance infrastructure existed to make us a usable supplier to companies with serious compliance obligations. It was client-facing, not crisis-facing.
But when the external pressure arrived, that infrastructure turned out to matter enormously.
Here's why. When a client freezes payments and the financial pressure starts building, what you need isn't inspiration or relationship capital. You need to keep operating. You need your team to know what they're doing without someone managing every decision. You need your other clients to receive consistent work. You need to be able to demonstrate to anyone asking — creditors, other clients, potential partners — that the agency is a functioning, structured operation.
Formalised governance doesn't make a crisis not happen. What it does is give you something to stand on while it's happening. The documented processes continued to run. The approval workflows didn't collapse. The other client relationships didn't deteriorate because the work kept meeting the required standard. XEIOH had operational continuity built in — not because we'd planned for this scenario, but because the pharmaceutical sector had planned for every scenario and required us to reflect that planning in our own operations.
UK research into corporate governance and firm survival finds that governance attributes add explanatory power beyond financial metrics when predicting which companies fail and which don't — and that this protective effect operates before a crisis, not during it. By the time the pressure arrives, the governance either exists or it doesn't. You can't build it in the fire.
That finding maps precisely onto what happened. XEIOH's governance existed before the crisis because pharmaceutical clients had required it before the crisis. When the fire arrived, the structure was already there.
Why Zonke Didn't
This is the part I want to be careful about, because the easy version of this story does Zonke a disservice.
Zonke wasn't ungoverned. It wasn't poorly run. The informal systems it operated weren't inadequate for the context — they were appropriate for the context. Experienced team, clear client relationships, work delivered reliably. In normal conditions, informal governance does most of what you need it to do. The unwritten rules get followed. The experienced people make the right calls. The relationships carry the decisions that don't have a formal process behind them.
The problem isn't informal governance. The problem is what informal governance can't do under extraordinary external pressure.
When the crisis arrived, Zonke had no documented processes to fall back on. The response that was needed — maintaining operations, managing creditor relationships, demonstrating organisational stability to other clients — required the kind of structured, evidence-based, consistently executable capability that informal systems can't reliably provide under stress.
Management research is clear on this distinction. The academic literature on SME resilience identifies "blind drift" as the mechanism through which firms become vulnerable. Not dramatic failure events. The gradual erosion of structure through unwritten workarounds and relationship-based substitutions — the slow, invisible process by which informal replaces formal until the organisation reaches a moment of stress and finds it has less underneath it than it thought. Nobody decides to drift. It just happens, one reasonable shortcut at a time.
Zonke hadn't drifted into dysfunction. It had simply never had the formalised infrastructure that would have been needed for this specific, extraordinary event.
Relationships, reputation, goodwill — these are real assets. They matter enormously in normal conditions. Under structural stress, they're not enough. Creditors don't accept goodwill as evidence of operational continuity. Other clients don't maintain confidence on the basis of relationships when the evidence of consistent delivery stops arriving. The informal governance that had worked perfectly well for years turned out to be context-dependent in a way that wasn't visible until the context changed catastrophically.
The contrast isn't competence versus incompetence. It's structure appropriate for normal conditions versus structure that holds under abnormal ones.
What This Actually Teaches
I want to be honest about the retrospective nature of this insight, because that honesty is more useful than a strategic foresight story.
I didn't build XEIOH's governance for resilience. I built it to satisfy client requirements. I didn't anticipate that formalised processes would provide operational continuity during a payment crisis. I didn't design the approval workflows as a crisis management tool. The resilience was a consequence I recognised only after the event — working backwards from survival to understand what had made survival possible.
That matters because most agency owners aren't going to design governance from scratch for worst-case scenarios. The scenario feels abstract until it isn't, and by then it's too late to build the infrastructure. What they will do — what most already do to some degree — is build governance in response to what clients and markets require of them.
The Zonke/XEIOH story isn't a lesson in strategic planning. It's a lesson in what inherited governance actually means. XEIOH had formalised structure because pharmaceutical clients required it as a condition of the relationship. That requirement — imposed externally, maintained operationally, never originally intended as a resilience mechanism — turned out to be the difference between survival and closure when an extraordinary external event arrived.
There's a concept in organisational research for this: structures that get adopted because powerful external actors require them, not because the organisation designed them. The label doesn't matter. What matters is that the governance is real regardless of why it was built.
But here's the critical distinction. Inherited governance only provides resilience if it's genuinely operational — embedded in how the work actually gets done — rather than existing only as documentation. Processes that live in a policy folder and nowhere else don't hold under pressure. Processes that run through every piece of work do.
XEIOH's pharmaceutical governance wasn't paperwork. It ran through every brief, every version, every approval. That's why it held.
The AI Parallel
Here's why this story matters right now, for agencies that have never served a pharmaceutical client in their lives.
The pattern is repeating.
UK agencies are building AI dependencies faster than their operational structures can manage them. Tools are being adopted, workflows are being automated, client deliverables are being produced with AI assistance — and in most agencies, the governance around all of this is informal. Experienced people making reasonable calls. Unwritten guidelines that most of the team follows most of the time. Nothing documented, nothing reviewable, nothing that would hold up if a client asked to see it.
This is where the sector was with data protection before GDPR arrived. It's where it was with information security before enterprise clients started requiring supplier assessments. And it's where it is now with AI — sitting in the gap between adoption and governance, assuming the gap won't become visible at a bad moment.
The gap is starting to close. Not because agencies are building governance strategically, but because clients are beginning to require it — exactly as pharmaceutical clients required it from agencies like XEIOH.
The UK Government Communication Service now requires all contracted and framework agency suppliers to have documented AI governance in place and safeguards embedded in their operations. Cabinet Office Procurement Policy Note 02/24 recommends that buyers assess AI use across their supplier base and conduct additional due diligence where governance is absent or unclear. These aren't aspirational guidelines. They're procurement requirements — the kind that determine whether an agency makes it through a tender process or doesn't.
On the advertiser side, ISBA reported in late 2024 that 8% of UK advertisers had already amended agency contracts to include specific AI terms, with 42% in the process of doing so. The CIPR's State of the Profession survey found that only 52% of agency and consultancy respondents had a documented workplace AI policy — compared to 74% in-house at private sector clients. The clients are ahead of their agencies. That gap has a commercial consequence.
The mechanism is identical to what happened in pharmaceutical marketing. The client has a compliance obligation or a governance expectation. The client requires the supplier to reflect that obligation in their own operations. The supplier builds the governance — not for resilience, not for strategic reasons, but to keep the client. And the governance that gets built turns out to matter for reasons that weren't the original motivation.
Think about what that looks like in practice. An agency wins a public sector contract. The contract requires documented AI governance — which tools are approved, how data is classified before it enters those tools, what human review process applies to AI-generated outputs. The agency builds those processes to satisfy the contract requirement. A year later, a different client asks in a procurement questionnaire: how does your agency handle AI and client data? The agency has a real answer. Not because it anticipated the question. Because it had already built the structure.
That's the XEIOH pattern. Governance adopted for one reason. Resilience discovered for another.
The agency without documented AI processes isn't just exposed to the risk of losing a specific contract. It's in the same position Zonke was in — running informal systems that work well enough until the moment when something external changes the conditions. A client investigation. A data incident. A procurement process that asks questions the agency can't answer. An enterprise client whose legal team has started requiring supplier AI assessments as standard.
The agencies that have built this structure — for whatever reason they built it — can answer that question. The ones that haven't are hoping it doesn't get asked.
Most agencies won't build AI governance strategically. The scenario feels abstract until it isn't. What they will do is build it because a client requires it — or they'll find themselves explaining to a client why they can't answer a governance question that the agency down the road answered without hesitation.
The question isn't whether your agency needs documented AI governance. The question is whether you build it before or after the moment when its absence becomes visible.
What Comes Next
The XEIOH/Zonke story is a survival narrative. But it isn't really about surviving crises.
It's about the difference between having structure and not having it — and discovering which category you're in at the moment when it matters most. Zonke's informal governance was appropriate right up until it wasn't. XEIOH's formalised governance was a client requirement right up until it became a survival mechanism.
The lesson isn't "build governance for disasters." It's simpler than that: the agencies with formalised structures, for whatever reason they built them, are the ones that hold up when unpredictable conditions arrive. And unpredictable conditions always arrive.
What that structure actually looks like — the specific processes, the documented frameworks, the practical system that gives your agency a real answer when the question arrives — that's Chapter 7.
Key Takeaways
  • Formalised governance doesn't require strategic intent to work: XEIOH's documented processes existed because pharmaceutical clients — Sanofi, Roche, AstraZeneca — required them as a condition of the relationship. The resilience they provided during crisis was a side effect, recognised only in hindsight. You don't have to design governance for worst-case scenarios. You just have to have it.
  • Informal systems fail when pressure becomes structural: Zonke ran on relationships, trust, and processes that worked well under normal conditions. When a major client froze payments and the pressure turned structural, those informal systems had nothing to stand on. No documented processes, no audit trail, no framework for organising a response. The agency closed. The difference wasn't talent or relationships — it was structure.
  • You can't build governance in the fire: UK research on corporate governance and firm survival finds that governance attributes provide protective effects before a crisis, not during it. By the time the external pressure arrives, the structure either exists or it doesn't. XEIOH held because the pharmaceutical sector had required it to build that structure in advance.
  • The AI parallel is already visible: UK agencies are building AI dependencies faster than their operational structures can manage them. The Government Communication Service now requires documented AI governance from contracted suppliers. ISBA reported in late 2024 that 42% of UK advertisers were in the process of amending agency contracts to include specific AI terms. The mechanism is identical to pharmaceutical procurement — clients are beginning to require the governance, and agencies that haven't built it will have to explain why.
  • Governance adopted for one reason provides resilience for another: The agency that builds documented AI processes to satisfy a public sector tender requirement has a real answer when an enterprise client asks its own governance question a year later. That's the XEIOH pattern. Build it for the client requirement. The resilience follows.
What's Next
Next Chapter: Chapter 7: Three Simple Rules — The Practical Framework for Governing AI Without an IT Department publishes 01 March 2026
XEIOH's survival and Zonke's closure illustrate what governance structure means in practice. But what does that structure actually look like for an agency with 5–50 people, no dedicated compliance team, and AI tools already in use across the business? Chapter 7 introduces the Three Simple Rules framework — the practical system that gives your agency a real answer when any client, pitch, or procurement process asks.

Implement This Now
Ready to audit your agency's Shadow AI usage? The frameworks in this chapter are designed for immediate implementation.
Book an AI Readiness Assessment (£500) — 90-minute assessment of your current AI usage, readiness gaps, and priority actions.
Download the AI Readiness Checklist — Self-assessment tool used in client audits. Diagnose your gaps in 10 minutes.

Disclaimer
This chapter provides general information about AI governance practices for UK professional services agencies. It is not legal, regulatory, or professional advice.
Regulatory requirements vary by sector, client base, and operational context. The examples and frameworks presented here reflect common patterns across agency operations but may not address sector-specific obligations (e.g., healthcare communications agencies subject to ABPI Code, legal marketing subject to SRA regulations, financial services agencies under FCA oversight).
For compliance questions specific to your agency's regulatory environment, consult qualified legal counsel familiar with UK GDPR, ICO guidance, and your sector's requirements.
Research methodology: All statistics, case studies, and regulatory references are documented with sources. Where examples are used without specific attribution, they represent composite patterns observed across multiple agencies rather than individual client situations.
Commercial disclosure: Brains Before Bots offers Shadow AI governance services to UK agencies (Shadow AI Audits, Governance-Ready Pilot Blueprints, and Momentum Advisory retainers). This book is designed to provide standalone value whether or not you engage our services. The frameworks are implementable with internal resources.

Questions or feedback? Email hello@brainsb4bots.com
© 2026 Brains Before Bots. All rights reserved.