From a watching brief to an agentic leap: NatWest Boxed's practical path to AI adoption

In the world of technology, there are few forces as simultaneously hyped and transformative as Artificial Intelligence. For a medium-sized tech-led business like NatWest Boxed, our approach to AI could not be one of speculative investment. It had to be thoughtful, practical, and grounded in value.

Our story isn’t about building a foundational model; it’s about pragmatic adoption, establishing robust governance and using existing assets to become an agile AI leader - a "fast-follower" that aims to leapfrog the competition.

Phase 1: The watchful, low-cost start

When the generative AI wave broke, my first instinct wasn't to dive headfirst into a multi-million-pound internal development project. It was to be watchful. Like many leaders, I was aware of the hype, the security risks, and the potential for runaway costs. As a bank, security and compliance are non-negotiable.

Our initial, low-cost strategy was simple: Leverage the accessible AI capabilities already embedded within our existing SaaS ecosystem.

This meant turning on features we already paid for: the summarisation tools in our communication suite, the code-completion features in our development environment, and the intelligent search in our knowledge management system. This was AI adoption through the 'front door' - a low-cost-of-entry strategy to familiarise our teams with the power and pitfalls of the technology in a controlled, vendor-governed environment. It led to immediate productivity gains within our Operations and Technology teams and also enabled us to test our governance process with manageable use cases.

Phase 2: Building the AI muscle

Low-cost access was merely the on-ramp. To scale, we had to face the reality of the technology’s limitations, particularly its potential for hallucination and the risks to our sensitive data. Our cloud-native platform, which integrates dozens of specialised services around our proprietary core ledger, demanded a tailored governance framework.

We quickly established a cross-functional AI Governance Council to test, vet, and roll out capabilities:

• Securing the platform: We created a 'Data Sandboxing' protocol, ensuring no proprietary data would interact with public LLMs unless it was anonymised, aggregated, or processed by a strictly isolated, auditable model.

• Defining 'Acceptable Use': Clear guidelines were distributed company-wide, focusing on factual verification and intellectual property rights. AI became a powerful co-pilot, not a solo driver.

• Vetting for trust: Before adopting any new AI-enabled tool or integration, it had to pass a security and compliance audit that measured its data handling practices against our most stringent SaaS provider requirements.

This period of tested governance was not a drag on momentum; it was the essential foundation that allowed us to move faster later. It instilled trust across the organisation, transforming AI from a security concern into a strategic asset.

Phase 3: Pragmatic Automation with AI

Having started with accessible AI and built a robust governance model, we are now ready for the next phase. Intelligently automating critical, time-consuming processes that reduces engineer toil, lowers operational risk, with quantifiable impact.

Leveraging our team's deep expertise in microservices and API-driven architecture, we are focussing on freeing up our engineers to remove the toil from their everyday to focus on build.

1. Vulnerability management: A real example of sophisticated automation roll out. Instead of our engineers having to monitor for and remediate new vulnerabilities, we have introduced an agent that takes care of the majority of this work with immediate and immediate saving in time and money.

2. Augmentation of code refactoring: For our engineers, agents are now being used not just to suggest the next line of code, they are being used to complete increasingly complex coding tasks. Such as, upgrading software libraries used across our platform utilising the library’s provided documentation and proposing the complete, tested code change for approval - a massive multiplier for our 300-person team.

We have dozens of more ideas to implement in engineering and that’s before we focus on operations and products teams. For the first time I have felt confident enough to accelerate and build in significant AI-led efficiencies into P&L next year.

Our goal is ambitious: to transform our cloud-native platform into an Agent-Native Platform. By having the foundational confidence to delegate complex, multi-step tasks to governed AI agents, we expect to achieve a leap forward in operational efficiency and velocity flexing the AI muscle we have built.

Boxed's journey demonstrates that AI leadership isn't just for the hyperscalers. It is accessible to medium-sized, focused companies that choose a path of pragmatic adoption, rigorous governance, and strategic ambition. We started watchful, became a fast-follower with low-cost integration, and are now positioned to leapfrog the competition by making the bold move into agentic autonomy.