This piece isn’t a formal academic paper so much as a documented narrative — an exploration of goal-based regulation from the perspective of someone who’s spent time on both sides of the assurance table. My work at NCC Group involves helping organisations translate regulatory expectations into defensible arguments and evidence across transport, energy, and other cyber-physical domains. As a former academic, engineer and now consultant, my experiences have shaped how I see regulation: not as a set of rules to follow, but as a conversation about what “safe enough” or “secure enough” really mean in practice.

What follows is an attempt to make sense of that conversation. Rather than claiming to settle the theory, I aim to unpack how goal-based regulation is being interpreted across sectors (maritime, automotive, aviation, rail, energy, and cyber) and what that tells us about the wider shift toward outcome-focused assurance. It’s part reflection, part synthesis: how assurance looks when it’s built from real systems and real audits, not just from policy intent. My hope is that by tracing how reasoning and evidence evolve in practice, this piece contributes to the larger question of how regulation can stay credible in a world that changes faster than its checklists.