Can you build AI without leaving the Microsoft stack you already pay for?

Yes. Logi Trans builds its automations and agents inside the Microsoft package it already licenses and is certified on, which keeps everything within an audited security boundary and avoids paying for a separate AI platform.

Why would a logistics company get ISO 27001 certified?

Because large oil-industry tenders increasingly demand proof of how you store and secure data. Certifying as an IT company (Logi Trans is certified by DNV) turns building AI inside that boundary into a routine task rather than a risk.

What is the hardest part of adopting AI in a traditional business?

Adoption, not the technology. The real work is training people to use the tools correctly and safely, rolling them out to the willing first, and designing interfaces clean enough that reluctant users actually open them.

Building AI inside the Microsoft stack you already own

Logi Trans moves freight along the Norwegian coast: oil-industry routes between the supply bases, weight intervals fine-tuned by the kilo, police escorts for the loads too big to move quietly. It is also certified to ISO 27001 as if it were a software company. I wanted to understand why a haulier had made that particular choice.

Logi Trans worked this out themselves, with one in-house developer and a clear idea of what they wanted. I went to see Cathrine Ogne, who directs the Logi Trans group, and Ragnar Olsen, their commercial director, because the companies quietly getting this right are far more interesting to me than the ones talking about it. They have been at it for three or four years, most of recorded history in AI terms, and have stood up at the Offshore Norge innovation conference to talk about it.

What struck me is what they didn't do. They didn't hand their data to a startup. They didn't sign a six-figure annual licence for a bespoke "AI platform." They looked at the Microsoft stack they were already paying for, already certified on, already running the entire business in, and decided that was where the building would happen.

A red Logi Trans electric Volvo truck and flatbed trailer parked on tarmac.

Why would a haulage company certify to ISO 27001?

On paper it makes little sense. ISO 27001 is the information-security standard you associate with cloud providers, not with a company whose core product is a lorry arriving on time. Logi Trans is one of the few in its industry to hold it, certified by DNV alongside the more expected 9001, 14001 and 45001 for quality, environment and working conditions.

The logic is commercial. When you bid for the big oil-industry tenders, the paperwork now asks hard questions: how you handle data, who can access what, how systems are logged. Ragnar's reasoning was blunt: they certified as an IT company because that is what serious IT innovation in a regulated supply chain increasingly requires. Clean-desk policies, layered authorisation, logging portals, having to log deeper into a system to reach its sensitive parts.

That certification turns out to be the thing that makes everything else possible. Once your security architecture is audited and signed off, building AI inside it stops being a risk conversation. The fence is already there. You are adding tools behind it.

What they actually built

Strip away the strategy talk and there are concrete systems doing concrete work. The centre of gravity is their transport management system, TMS X. It is their operating system, their booking portal and their invoicing portal at once. Orders, transports, pickups, deliveries, the invoice at the end: it all runs there.

The first real win was removing the typing. A customer places an order through their own ERP system; the transport booking lands directly in TMS X over an API or EDI flow, which sets the whole job in motion. From there Logi Trans pulls the files straight to the drivers and subcontractors who do the moving, and the customer is updated automatically, through their API if they have one, or through Logi Trans's own booking portal if they don't. No email. Nobody re-keying an order from one screen into another.

That sounds modest. It isn't. The old way was a person reading each incoming order and entering it into the next system by hand, all day, every day. Cathrine described the before state simply as "a lot of manual registration." Taking it away gave them capacity back: more throughput from the same team, people freed to talk to customers and drivers instead of acting as a relay between two databases.

Build inside the stack you already own

This is the part I keep returning to, because it is the most repeatable. Logi Trans's working rule is simple: as long as it stays inside the Microsoft package they already license, it works. Same security, same certification, already paid for. Stay inside that boundary and a new automation stops being a procurement project and becomes an afternoon's work.

They hired one developer last year to sit with exactly these tasks. They have started building small Power Apps to automate workflows. They use external trainers for the upskilling rather than pretending to do everything in-house. And they are waiting on a new, Microsoft-based version of their TMS platform, due in about a year, that will let them run agents on top of it in parallel.

I put it to Ragnar that this is the right strategy for more or less any medium-sized-and-up business: build within the security architecture you already have, inside the stack you already run. Whether that stack is Microsoft's or Google's matters less than the discipline of staying inside it. In Norway it happens to be Microsoft nearly everywhere; the principle holds either way. This is really the build-versus-buy question, answered by reading the licence you already signed. Working out what you genuinely own, and what actually needs buying, is a conversation we have constantly.

Why is adoption harder than the technology?

Here is the uncomfortable truth every honest version of this story reaches: the technology was never the hard part. Getting people to use it well was.

Cathrine has been deliberate about not forcing it. They have not pushed Copilot onto people with no interest in it, partly because of the per-seat cost, mostly because forced tools get used badly or not at all. They started at leadership level with the genuinely curious, then made it "half-forced" for the middle managers, who have to start using it before it reaches everyone else. The curious teach themselves. The rest, in her words, sit and wait until it gets pulled down over their heads.

The guardrails matter as much as the rollout. Her first priority is training people not to treat ChatGPT as an encyclopedia, but to use it only for what they can verify themselves, and never to paste sensitive information into a tool that might remember it. She made the point with a domestic example: her kids come home repeating things they read on ChatGPT as if they were the evening news. That instinct, uncorrected, is the last thing you want loose inside a company handling commercial data.

Then there is design, which Ragnar lit up about. They run dashboards for delivery precision and tracking, and he is adamant that the first screen has to be clean and intuitive or people simply won't use it. He has been shown solutions that, in his words, "look like the 80s": heavy, ugly, dead on arrival. Make it as advanced as you like underneath; the surface has to be easy. We spend most of our build work on exactly this gap, between "technically works" and "people actually use it." It is the difference between a system people adopt and a licence nobody opens.

What comes next: tender and pricing agents

The roadmap is where it gets interesting for anyone in a bid-heavy industry. Ragnar walked through three agents they have weighed up. A tender agent to read the enormous, technical tender documents the oil industry produces. A pricing agent you feed the matrices and tariffs, and get a number back quickly. An auto-response agent for the steady trickle of customers who just want a fast answer without going through a person.

The tender one is the most compelling. Oil-and-gas tenders are vast, and the cruel joke is that a small operator receives exactly the same hundred-page monster as a multinational. Most of the effort is reading and understanding before you can even begin to answer. That is ideal work for a ring-fenced, local agent with access to the right internal information: the sort that drafts maybe ninety per cent of a response and leaves a human the last ten, plus the final read. Pricing is similar but messier: their matrices cover the whole Norwegian coast with a European tariff layered on top, much of it repetitive, the difference often just weight intervals. The hard cases stay human. Is the load out of gauge? Is it big enough to need a police escort, which never comes with a fixed price?

Model trucks on a hand-drawn map of routes, illustrating a coast-wide transport network.

None of it is live yet. They haven't needed it. But Ragnar's read matched mine: it is coming, and when the need is real they will build it, inside the same fence as everything else.

The quiet version of an AI strategy

What stayed with me, driving away, was how undramatic the whole thing is. No moonshot. No rip-and-replace. A coast-long haulage business got itself properly certified, hired one builder, trained the willing, and started making the tools it needed out of the software already sitting on every desk.

They didn't buy an AI strategy. They noticed they already owned one.