How Forge Holiday Group Turned AI Ambition Into Governed AI Adoption at Scale
How a fast-moving, PE-backed travel technology group gained the operational confidence to turn its AI ambitions into a reality
- 90%: Deployment across Forge Holiday Group
- Endpoint + API Coverage: Coverage across endpoints and AI platforms
- Quantified AI Risk: In terms of inherent versus residual risk
Company Background
Forge Holiday Group is a high-growth, private equity-backed travel technology company operating a portfolio of holiday letting brands across the UK. Sitting at the intersection of e-commerce, digital product, and customer experience, the company has embraced AI as a strategic operating principle rather than a narrow productivity tool.
That direction was set early by Forge's leadership team, particularly CEO Graham Donoghue, whose background in digital transformation and online travel shaped the company's conviction that AI represented a foundational shift, similar to the rise of the internet itself.
Today, AI agents and AI-enabled workflows are embedded across Forge's technology ecosystem, powering everything from internal development workflows to operational automation and customer-facing initiatives.
But as AI adoption accelerated, Forge faced a challenge few organizations were prepared for: how to govern, quantify, and operationalize AI agent risk following a deliberate and fast pace of adoption, led from the top and embedded across every function.
The Challenge
When Jon Mattey joined Forge from the oil and gas sector, he brought with him a highly structured approach to cyber risk management and risk quantification. At Forge, he encountered a fast-moving, innovation-first culture aggressively pursuing AI adoption across the business.
Initially, Jon focused heavily on public-facing AI risks that involved customer-facing AI experiences and external AI exposure, like booking assistants and chat interfaces.
But after deploying Geordie, his understanding of AI risk fundamentally changed.
What Geordie helped him realize was that the real acceleration of risk was happening elsewhere: in endpoint-resident AI agents, developer tooling, unsanctioned workflows, and rapidly proliferating AI-enabled operational processes.
For Jon, this became the foundational challenge.
Requirements
- Visibility across every agent surface: Visibility into AI agents operating across endpoints, developer tools, and cloud platforms
- Shadow Agent Discovery: Unsanctioned agents emerging organically across the business
- Agent Posture and Access: Understanding of what tools, data, and permissions each agent had access to
- Quantified AI Risk: A way to quantify AI risk in financial terms consistent with board-level reporting
- Governance at the speed of agent adoption: Keep pace with rapid AI adoption without blocking innovation
- Unified endpoint and API coverage: Consistent visibility and governance in a single platform
- A partner that evolves with the ecosystem: A trusted strategic partner capable of evolving alongside the rapidly changing agentic AI landscape
Why Geordie
Forge evaluated multiple emerging vendors in the AI agent security space, but Geordie stood apart for three reasons: the platform's ability to surface tangible, actionable risk, the speed and responsiveness of the Geordie team, and a genuinely bilateral partnership model.
Quantifiable and Actionable Risk
What differentiated Geordie was not just visibility; it was the ability to operationalize and quantify AI risk in a way that aligned with how Forge already thought about cyber risk at the executive level.
Jon already reported security posture internally using financial models based on inherent versus residual risk exposure.
Geordie became the missing layer that allowed Forge to finally apply that framework to the company's AI adoption.
That concept, "return of control," became central to Forge's AI governance model.
Rather than simply identifying AI usage, Geordie enabled Jon to demonstrate how governance and oversight materially reduced downside exposure, while preserving the upside opportunity of AI adoption.
Geordie Changed How Forge Thought About AI Risk
One of the most important aspects of the relationship was that Geordie expanded Forge's understanding of where AI risk actually lived.
Initially, Jon focused primarily on curated, public-facing AI deployments.
But Geordie surfaced an entirely different category of exposure: desktop agents, AI-enabled development tooling, endpoint-resident assistants, and ad hoc workflows being built outside centralized AI governance processes.
That visibility fundamentally reshaped Forge's approach to AI security and governance.
Speed of Execution and Responsiveness
Forge also valued how rapidly Geordie responded to emerging concerns and new attack surfaces.
At one stage, Jon became concerned about AI-enabled workflows inside Microsoft Power Automate, which he described as "pseudo-agentic workflows."
Within weeks, the Geordie team built a dedicated Power Automate connector to provide visibility into those AI-driven workflows.
For Forge, the responsiveness itself became proof that Geordie understood the velocity and unpredictability of the agentic AI ecosystem.
A True Bilateral Partnership
The relationship between Forge and Geordie created a collaborative feedback loop where Forge helped shape the platform and Geordie helped shape Forge's understanding of AI risk.
Jon describes Geordie not as a vendor, but as a genuine strategic partner.
The Implementation
Geordie's deployment at Forge followed a dual-pronged architecture, reflecting how agentic AI risk distributes across modern enterprises.
The first layer focused on the endpoint environments. Initially, Jon questioned whether endpoint visibility was truly necessary, assuming most meaningful activity would occur cloud-side.
Geordie challenged that assumption and demonstrated the importance of endpoint telemetry in understanding local AI behavior, unsanctioned workflows, and AI-enabled actions occurring outside centralized systems.
The second deployment layer focused on API-level integrations across the broader AI ecosystem.
Between the endpoint and API deployments, Geordie is now in use across more than 90% of Forge's technology ecosystem.
The Results
- 90%+: Coverage across Forge's tech ecosystem within the deployment window
- Full agent inventory: Visibility into agents running on endpoints that had not previously been inventoried
- Weeks: From feature request to delivered Power Automate connector
The clearest result from the Geordie deployment was a shift in what Jon was able to see, understand, and communicate to leadership about AI agent risk across the business.
Before Geordie, his attention had been largely focused on the public-facing AI risk. The deployment revealed a more complex and distributed agent landscape than anticipated, covering endpoint-resident agents, task-oriented workflow agents, and everything in between. That visibility changed the risk conversation fundamentally.
Geordie also enabled Jon to move from assertions about risk to quantified, documented evidence. Using a financial risk quantification model consistent with how Forge reports security performance to its executive team, the platform allowed Jon to articulate risk in monetary terms for AI agent adoption specifically, a capability that had not existed before.
The Future
Forge's ambition is to continue building on the partnership with Geordie as both the platform and the AI agent ecosystem evolve. The immediate priority is deeper operational integration into the security operations workflow.
Jon sees the relationship with Geordie continuing as a partnership. For example, a recent visit to the Geordie team brought together Forge's CISO, CTO, and Chief Product Officer to understand not just what Geordie had built, but how the company itself was running its own AI-enabled operating model.
Forge also sees Geordie as the foundation for staying ahead of the regulatory curve. When the Five Eyes released AI agentic adoption guidance, Jon's assessment was clear: as a result of the Geordie partnership, Forge was already well ahead of where most businesses will find themselves when they read that guidance for the first time.
Summary of Benefits
Forge Holiday Group is one of the UK's most ambitious adopters of agentic AI, and Geordie has become the governance and security foundation enabling that strategy.
Across a deployment footprint spanning more than 90% of Forge's technology ecosystem, Geordie helped Forge discover emerging AI risk exposure, quantify AI risk in financial terms, operationalize governance, articulate measurable "return of control," and continue deploying AI aggressively without compromising security.
But perhaps most importantly, the relationship fundamentally changed how Forge understood AI risk itself.
What Geordie ultimately provided was a new operating model for understanding, quantifying, and governing AI agents at enterprise scale.
For security leaders navigating the same pressure, Forge's experience demonstrates that AI agent security is not what slows AI adoption. It is what makes it possible.