Tag Archives: Digital Transformation

AI for Deeptech Startups: Balancing Speed and Security

Posted on by

Paul Curwell

7–10 minutes

Key Takeaways

  1. AI is already deeply embedded in how R&D startups operate—handling analysis, reporting, quality monitoring, and workflows.
  2. But every tool and integration you use—especially if ungoverned—can expose your intellectual property (IP) or sensitive data.
  3. Protection doesn’t mean overengineering—startups can use lean frameworks and smart defaults to stay secure without losing momentum.

You’re already using AI—but are you protecting what matters?

If you’re leading a biotech, medtech, advanced manufacturing, or deeptech startup, AI is probably already hard at work in your business. Whether you’re using your LIMS to track experimental data, automating lab tasks with tools like Zapier or N8N, or generating regulatory reports with ChatGPT, you’re benefiting from AI’s ability to deliver speed, insight, and productivity.

And it’s working. You’re innovating faster, making better decisions, and doing more with fewer resources. That’s exactly what investors and partners want to see from early-stage companies. In 2025, you don’t need a 500-person team—you need smart systems.

But the same technologies accelerating your work can also quietly undermine it. If you’re not actively managing how AI interacts with your intellectual property (IP) and sensitive data, you’re leaving the door wide open for mistakes, leaks, or compliance failures that can stall your growth—or sink your business entirely.

Protecting Your R&D When Outsourcing Rapid Prototyping

How AI Is supercharging R&D-intensive startups in 4 use cases

AI isn’t just hype for small innovators—it’s a practical tool delivering real business outcomes. And unlike larger enterprises that spend millions and deploy large teams integrating AI into legacy systems, deeptech SMBs are cloud-native and agile. That gives you a major edge.

Here’s how I see most small, research-driven teams using AI right now:

1. Data Collection and Analysis

Your scientific and engineering teams are automating the aggregation of experimental results, integrating data from sensors, lab systems, and external research. AI helps clean, normalize, and interpret it all—so decisions can be made in days, not months.

You’re also leveraging AI for literature mining and competitive analysis, giving your team a clearer picture of where to focus and how to differentiate.

2. Continuous Control and Quality Monitoring

Whether you’re a medtech firm tracking calibration drift or a materials science startup checking for outliers, AI is helping detect inconsistencies early. This kind of real-time feedback loop improves reproducibility and protects your reputation with regulators and partners.

3. Reporting and Documentation

Grant milestones, regulatory submissions, investor updates—these all take time. AI-generated summaries, charts, and reports help your team stay compliant and communicative without pulling attention away from the actual science.

4. Workflow and Service Management

Your operations are already automated. Zapier, N8N, and Power Automate are running the back office: scheduling lab time, flagging inventory shortages, tracking project milestones. AI helps orchestrate and optimize these workflows so your team stays productive.

This all adds up to serious efficiency gains. But—and it’s a big but—each of these systems and integrations touches sensitive data or protected IP. And that’s where the real risk creeps in.

Protecting Innovation: The Spectre of Trade Secrets Theft in Biotech

Four AI risks most science and tech startups overlook

These are excellent use cases, but like everything, there are pros and cons. Deeptech’s need to understand how AI tools and use cases can generate downside risk for your business:

1. Trade Secrets Floating in the Open

AI models are great at summarising documents and drafting content. But paste your prototype results or lab logs into an unsecured LLM, and you might be training someone else’s model with your trade secrets.

This isn’t a fringe issue. In 2023, employees of one global tech company accidentally leaked sensitive source code through ChatGPT. They were trying to be efficient—but exposed high-value IP instead.

Case Study 1: Global tech’s ChatGPT Blunder: IP Exposure Through Misunderstanding

In 2023, engineers pasted sensitive source code and internal meeting notes into ChatGPT while trying to solve coding problems. They didn’t realise that public AI tools could store and retain this input.

The result? Confidential trade secrets exposed. The company responded by banning the use of generative AI internally. But the damage was done.

Lesson: If your staff don’t understand how AI tools process and retain information, they may accidentally train someone else’s model with your crown jewels.

Practical actions:

  • Identify what qualifies as a trade secret in your business. Write it down.
  • Turn off chat histories in AI tools or use private models.
  • Avoid pasting raw R&D data or code into consumer AI platforms.

2. Data Leaks Through Automation Tools

Automation platforms like Zapier, Make, and N8N are amazing for productivity—but they’re often invisible to risk and compliance teams. If data is moving between systems without encryption or logging, that’s a blind spot.

One startup had lab results automatically emailed to a shared inbox via Zapier. Harmless? Until one of those emails ends up forwarded to the wrong contact triggering a data breach incident.

Case Study 2: Global tech company’s AI Team Accidentally Exposes 38TB of Data

In another 2023 case, another big tech’s own AI research team uploaded a GitHub repo with an incorrectly configured Azure SAS token. This gave public access to 38TB of internal data—including private research, credentials, and backups.

This wasn’t a cyberattack. It was a configuration error—just one line of code—and it put an entire research group’s IP at risk.

Lesson: Even world-class AI teams can slip up if access controls and cloud permissions aren’t managed carefully.

Practical actions:

  • Audit your integrations quarterly. Know where data is flowing.
  • Limit the exposure of sensitive data in workflows.
  • Apply the same scrutiny to no-code tools as you do cloud providers.
The Rising Threat of Cyber-Enabled Economic Espionage: What Business Leaders Need to Know

3. Misconfigured Cloud Environments

Being cloud-native doesn’t mean being secure. Startups often move quickly, spinning up instances, sharing buckets, and adding users without much structure. The result? Sensitive IP and research data sitting in misconfigured storage with public access enabled.

Case Study 3: Biotech’s AI Feature Abused to Extract Genetic Data

Attackers didn’t hack the biotech’s core systems. They reused leaked credentials to log into user accounts and exploited the company’s DNA Relatives feature—powered by AI—to harvest massive amounts of genealogical and genetic data.

The breach wasn’t about a flaw in the AI—it was about poor monitoring and a lack of foresight into how AI-powered features could be abused at scale.

Lesson: AI features can scale risk just as fast as they scale value. You need visibility and governance to keep both in check.

Practical actions:

  • Use native controls like IAM, DLP, and logging in AWS, GCP, or Azure.
  • Review access privileges regularly—especially after staff or contractor changes.
  • Don’t assume your default setup is safe—check it.

4. Regulatory Risk and Data Sovereignty

If you’re collecting personal or regulated data—think clinical trial results, biospecimens, or identifiable research participant data—you’re accountable under privacy laws. And regulators won’t accept “we’re a startup” as an excuse.

Practical actions:

  • Store regulated data in compliance with local data laws.
  • Map where your data lives and who can access it.
  • Delete data you no longer need—less data, less risk.

You Don’t Need an Army—You Just Need a Plan

Information security and data protection doesn’t have to be expensive or complicated. You just need to know what matters most—and build guardrails that suit your size and stage.

That’s why frameworks like SMB1001 exist. Designed for small, R&D-heavy businesses, it gives you a clear path to understanding what’s critical, setting sensible access controls, and documenting how you manage risk—all in a way that supports growth, not bureaucracy.

You don’t need ISO 27001 on day one. But you do need to show investors and partners that your IP and data aren’t flying blind through a tangle of automations and unvetted tools.

The 3 SMB Risk Management frameworks you need to protect your business

Final Thoughts: AI Is Fuel for Growth—If You Protect the Engine

AI is your multiplier. It helps small teams outperform larger competitors, serve customers faster, and bring complex products to market on a startup budget.

But if your trade secrets leak or research data ends up in the wrong hands, that advantage disappears overnight. Worse, you might not even know it’s happened until it costs you a deal, a grant, or a key staff member.

So if you’re using AI—and I know you are—take these three steps now:

  1. Map where your IP and sensitive data live.
  2. Review how they flow through AI and automation tools.
  3. Use a framework like SMB1001 to set practical controls that grow with you.

The best part? Once you’ve got this in place, you’re not just secure—you’re investable, credible, and ready to scale.

Further Reading

  1. ENISA (2023). Threat Landscape Report 2023 – Supply Chain Threats on SMBs
  2. Forbes (2023). Samsung Engineers Leak Confidential Data to ChatGPT
  3. Curwell, P. (2024). Protecting Innovation: The Spectre of Trade Secrets Theft in Biotech
  4. Curwell, P. (2025). The 3 SMB Risk Management frameworks you need to protect your business
  5. Curwell, P. (2025). The Rising Threat of Cyber-Enabled Economic Espionage: What Business Leaders Need to Know
  6. Curwell, P. (2025). Protecting Your R&D When Outsourcing Rapid Prototyping

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Developing a Service Catalogue for fraud, security and integrity teams

Posted on by

Author: Paul Curwell

What is a Service Catalogue and why is it important?

Service Catalogues are receiving increased attention from Chief Operating Officers and business managers as organisations continue the digital transformation journey for internally-facing shared services teams. A Service Catalogue comprises the list of the service offerings (the ‘services menu’) for a functional team, making it easy for internal customers (stakeholders) to understand and access the team’s services.

Service Catalogues also create boundaries that define what a functional team will and will not do, particularly when developed in consultation with, and approved by, senior management. Optional or ‘nice to have’ services may simply not be feasible or affordable at a point in time – the service catalogue process provides a mechanism to agree these offerings and then align them with performance scorecards, resource availability, corporate strategy and internal policies.

Illustrative Service Catalogue
Illustrative Service Catalogue (Curwell, 2003)

How do you build one?

Building a Service Catalogue is a relatively straight forward process involving data collection and interviews or workshops. I typically use Microsoft Excel as my tool of choice for building the initial service catalogue. Once built, I may move this to Microsoft Sharepoint, JIRA or other solutions (see below) depending on the client’s strategy. There are six main steps involved in building a Service Catalogue:

  • Step 1 – Review the organisational chart and position descriptions: Organisational charts usually show the functions within a Business Unit (BU) or team which typically align to the main categories of service offering.
  • Step 2 – identify the main service offerings within each service category: this typically involves interviews or workshops with people in the respective team. The aim here is to understand everything team members do on a day to day basis, and to try and categorise these into distinct services.
  • Step 3 – populate the Service Catalogue template: based on responses gathered from Step 2.
  • Step 4 – remove duplications and deconflict services: sometimes there is a tendancy for team members to view a service as being completely distinct, when it is actually a variation of another service. Ideally, variation should be avoided where possible as this generates waste and errors (in lean six sigma language). If variations are required,
  • Step 5 – process map each service and prepare SOPs: Once each service has been identified, the business process should be mapped and any opportunities to streamline or increase process efficiency implemented. Standard Operating Procedures (SOPs) should be prepared for each service offering which align to the process map.
  • Step 6 – align the Service Catalogue with performance metrics, team resourcing and HR position profiles: Once developed, it is important to assign performance metrics to the team, such as the turnaround time (SLA) which an internal customer has to wait for a process to be completed (e.g. building passes for new hires will be issued within 24 business hours of lodging a request form). Team metrics, tracked through tools like Kanban boards, allow team leaders to implement daily standups with their team to focus effort on the highest priority tasks and remediate delayed or overdue tasks.
An example of a Service Catalogue template
An example of a Service Catalogue template (Curwell, 2023)

As illustrated by the six step methodology above, building a Service Catalogue is a relatively straightforward process that helps focus the attention of internal teams on core business.

A basis for improving governance, performance and team resourcing

Service Catalogues contribute to better governance and performance outcomes, enabling functional team leaders to clearly define what they do, how they do it, and the value it contributes to the business. Non-customer facing support functions are always under cost and resource pressure in any business: Service Catalogues should also align with performance scorecards to track service delivery against agreed KPIs.

white shirt sitting behind counter under television
Photo by PhotoMIX Company on Pexels.com

Employee position descriptions should align with the Service Catalogue, ensuring staff holding those roles are able to effectively perform the required functions without being over or under qualified. Capturing service delivery performance metrics, including time taken to execute each service and the number of requests for that service over a defined period of time also provides the data required to ‘right size’ the team headcount to suit business requirements, required service levels, and risk appetite.

Service Catalogues – an enabler of digital transformation

Every manager knows that resources are always limited – there is always more you should, could, or would like to be doing but time, cost and quality is a handbrake. Digital transformation is increasingly being adopted by internally facing services teams such as security, fraud, HR, finance, legal and others. The adoption of digital transformation tools, such as case management solutions, workflow management tools and process automation offers the chance to minimise manual handling and allow users to self-service, reducing demands on support staff.

lens display business market
Photo by RODNAE Productions on Pexels.com

Having done a few of these activities before, I often find that the Office of the CIO has procured an IT Service Management tool which can be easily adapted and redeployed for other non-IT Service Management tasks with an incremental increase in spend (typically licensing and configuration). Once developed, Service Catalogues are increasingly being implemented in online tools such as:

  • Atlassian JIRA – extremely popular and easy to use, Australian company Atlassian’s web-based JIRA solution makes it easy to track tasks and integrate workflows and decisioning for service requests.
  • ServiceNow IT Service Management – An increasingly popular and common option, ServiceNow is being rolled out as part of enterprise implementations to transform internal operations.
  • Microsoft SharePoint – One of the more enduring and common corporate intranet solutions, SharePoint can help streamline processes and workflows using a combination of SharePoint lists and tools such as Power Automate and Power Apps from a web browser.

These solutions provide simple opportunities to streamline and enhance service delivery and performance of internal services teams, and can form the basis for digital transformation across all shared services teams in any business. In a future article, I will provide a guide on implementing your Service Catalogue in JIRA.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.