How Forge Holiday Group Turned AI Ambition into Governed AI Adoption at Scale

How a fast-moving, PE-backed travel technology group gained the operational confidence to turn its AI ambitions into a reality

90%: Deployment across Forge Holiday Group
Endpoint + API Coverage: Coverage across endpoints and AI platforms
Quantified AI Risk: In terms of inherent versus residual risk

Company Background

Forge Holiday Group is a high-growth, private equity-backed travel technology company operating a portfolio of holiday letting brands across the UK. Sitting at the intersection of e-commerce, digital product, and customer experience, the company has embraced AI as a strategic operating principle rather than a narrow productivity tool.

That direction was set early by Forge’s leadership team, particularly CEO Graham Donoghue, whose background in digital transformation and online travel shaped the company’s conviction that AI represented a foundational shift, similar to the rise of the internet itself.

Today, AI agents and AI-enabled workflows are embedded across Forge’s technology ecosystem, powering everything from internal development workflows to operational automation and customer-facing initiatives.

But as AI adoption accelerated, Forge faced a challenge few organizations were prepared for:

How to govern, quantify, and operationalize AI agent risk following a deliberate and fast pace of adoption, led from the top and embedded across every function.

What our chief executive has demonstrated is the potential of AI for us as a business. He has articulated the narrative around AI adoption in a way that has embedded it into the culture. It is what everybody is thinking about and talking about here all the time.

The Challenge

When Jon Mattey joined Forge from the oil and gas sector, he brought with him a highly structured approach to cyber risk management and risk quantification. At Forge, he encountered a fast-moving, innovation-first culture aggressively pursuing AI adoption across the business.

Initially, Jon focused heavily on public-facing AI risks that involved customer-facing AI experiences and external AI exposure, like booking assistants and chat interfaces.

But after deploying Geordie, his understanding of AI risk fundamentally changed.

What Geordie helped him realize was that the real acceleration of risk was happening elsewhere: in endpoint-resident AI agents, developer tooling, unsanctioned workflows, and rapidly proliferating AI-enabled operational processes.

For Jon, this became the foundational challenge.

Before Geordie, I was thinking about the risks around us making a public-facing AI-enabled chat capability. When we deployed Geordie, what it actually showed me was I need to be thinking more about some of the stuff that’s emerging in the agentic space on the devices and with the workflows that are starting to crop up.

One area I really struggled to quantify was the risk associated with AI adoption itself. There’s massive upside, but there’s also downside risk. The challenge was understanding and quantifying both.

Requirements

Visibility across every agent surface

Visibility into AI agents operating across endpoints, developer tools, and cloud platforms

Shadow Agent Discovery

Unsanctioned agents emerging organically across the business

Agent Posture and Access

Understanding of what tools, data, and permissions each agent had access to

Quantified AI Risk

A way to quantify AI risk in financial terms consistent with board-level reporting

Governance at the speed of agent adoption

Keep pace with rapid AI adoption without blocking innovation

Unified endpoint and API coverage

Consistent visibility and governance in a single platform

A partner that evolves with the ecosystem

A trusted strategic partner capable of evolving alongside the rapidly changing agentic AI landscape

Why Geordie

Forge evaluated multiple emerging vendors in the AI agent security space, but Geordie stood apart for three reasons:

  1. The platform’s ability to surface tangible, actionable risk
  2. The speed and responsiveness of the Geordie team
  3. A genuinely bilateral partnership model

Quantifiable and Actionable Risk

What differentiated Geordie was not just visibility; it was the ability to operationalize and quantify AI risk in a way that aligned with how Forge already thought about cyber risk at the executive level.

Jon already reported security posture internally using financial models based on inherent versus residual risk exposure.

Geordie became the missing layer that allowed Forge to finally apply that framework to the company’s AI adoption.

That concept, “return of control,” became central to Forge’s AI governance model.

Rather than simply identifying AI usage, Geordie enabled Jon to demonstrate how governance and oversight materially reduced downside exposure, while preserving the upside opportunity of AI adoption.

Geordie Changed How Forge Thought About AI Risk

One of the most important aspects of the relationship was that Geordie expanded Forge’s understanding of where AI risk actually lived.

Initially, Jon focused primarily on curated, public-facing AI deployments.

But Geordie surfaced an entirely different category of exposure: desktop agents, AI-enabled development tooling, endpoint-resident assistants, and ad hoc workflows being built outside centralized AI governance processes.

That visibility fundamentally reshaped Forge’s approach to AI security and governance.

Speed of Execution and Responsiveness

Forge also valued how rapidly Geordie responded to emerging concerns and new attack surfaces.

At one stage, Jon became concerned about AI-enabled workflows inside Microsoft Power Automate, what he described as “pseudo-agentic workflows.”

Within weeks, the Geordie team built a dedicated Power Automate connector to provide visibility into those AI-driven workflows.

“That was the moment I knew these were the right people to work with.”

For Forge, the responsiveness itself became proof that Geordie understood the velocity and unpredictability of the agentic AI ecosystem.

A True Bilateral Partnership

The relationship between Forge and Geordie created a collaborative feedback loop where Forge helped shape the platform and Geordie helped shape Forge’s understanding of AI risk.

“We chose Geordie because of the relationship. We built a trusted, consistent, bilateral relationship from the outset.”

Jon describes Geordie not as a vendor, but as a genuine strategic partner.

I’m a huge advocate for risk quantification. The top-line metric I report into the executive team is based around inherent and residual risk in financial terms. Geordie helps me articulate the return of control and the reduction of risk that comes with our AI adoption.

I’d be lying if I said I was the one informing Geordie where agentic AI was going. They challenged some of my misconceptions and helped me understand where the risk was actually emerging.

Every vendor wants to call themselves a partner. Very few actually achieve that. In the case of Geordie, it genuinely has.

The Implementation

Geordie’s deployment at Forge followed a dual-pronged architecture, reflecting how agentic AI risk distributes across modern enterprises.

The first layer focused on the endpoint environments, though initially, Jon questioned whether endpoint visibility was truly necessary, assuming most meaningful activity would occur cloud-side.

Geordie challenged that assumption and demonstrated the importance of endpoint telemetry in understanding local AI behavior, unsanctioned workflows and AI-enabled actions occurring outside centralized systems.

The second deployment layer focused on API-level integrations across the broader AI ecosystem. 

Between the endpoint and API deployments, Geordie is now in use across more than 90% of Forge’s technology ecosystem.

We’ve got Geordie deployed across at least 90% of our tech ecosystem now, and the visibility it gives me helps me articulate the return of control, the reduction of risk, and how well we’re managing AI adoption.

The Results

90%

Coverage across 90%+ of Forge's tech ecosystem

Full agent inventory

Visibility into agents running on endpoints that had not previously been inventoried

Agent Risk Framework

Quantified risk reduction for executive leadership

The clearest result from the Geordie deployment was a shift in what Jon was able to see, understand, and communicate to leadership about AI agent risk across the business.

Before Geordie, his attention had been largely focused on the public-facing AI risk. The deployment revealed a more complex and distributed agent landscape than anticipated, covering endpoint-resident agents, task-oriented workflow agents, and everything in between. That visibility changed the risk conversation fundamentally.

Geordie also enabled Jon to move from assertions about risk to quantified, documented evidence. Using a financial risk quantification model consistent with how Forge reports security performance to its executive team, the platform allowed Jon to articulate risk in monetary terms for AI agent adoption specifically, a capability that had not existed before.

Practically, the deployment delivered:
- Coverage across 90%+ of Forge's tech ecosystem within the deployment window
- Visibility into agents running on endpoints that had not previously been inventoried
- A connector built and delivered within weeks of the request
- The ability to articulate a quantified return of control and risk reduction to executive leadership
- Confidence to continue and accelerate AI adoption rather than constrain it

The Future

Forge's ambition is to continue building on the partnership with Geordie as both the platform and the AI agent ecosystem evolve. The immediate priority is deeper operational integration into the security operations workflow.

Jon sees the relationship with Geordie continuing as a partnership. For example, a recent visit to the Geordie team brought together Forge's CISO, CTO, and Chief Product Officer to understand not just what Geordie had built, but how the company itself was operating its own AI-enabled operating model. 

Forge also sees Geordie as the foundation for staying ahead of the regulatory curve. When the Five Eyes released AI agentic adoption guidance, Jon's assessment was clear: as a result of the Geordie partnership, Forge was already well ahead of where most businesses will find themselves when they read that guidance for the first time.

"As a result of the partnership with Geordie, we are so much further ahead than I think a lot of businesses will feel when they read that guidance."

I would love to continue working with Geordie as not just a solution, but as a partner that can help keep us abreast of this emergent space. Everything is changing and keeping up with it as a CISO is a lot of work. Having that partnership to evolve around not just the solution but the support that comes with it is something I think is extremely valuable.

Summary of Benefits

Forge Holiday Group is one of the UK’s most ambitious adopters of agentic AI, and Geordie has become the governance and security foundation enabling that strategy.

Across a deployment footprint spanning more than 90% of Forge’s technology ecosystem, Geordie helped Forge:

  • Discover emerging AI risk exposure
  • Quantify AI risk in financial terms
  • Operationalize governance
  • Articulate measurable “return of control”
  • Continue deploying AI aggressively without compromising security

But perhaps most importantly, the relationship fundamentally changed how Forge understood AI risk itself.

What Geordie ultimately provided was a new operating model for understanding, quantifying, and governing AI agents at enterprise scale.

For security leaders navigating the same pressure, Forge’s experience demonstrates that AI agent security is not what slows AI adoption.

It is what makes it possible.

Geordie makes me successful in my role by helping me practice what I preach in making the business go faster safely. It enables us to be a first mover and to adopt agentic AI in a way that is safe for the business.
