If you are a compliance professional looking at your company’s GenAI rollout and wondering when the grown-ups are finally going to arrive, I have good news. They just did.
COSO has now stepped directly into the GenAI conversation with its new paper, Achieving Effective Internal Control Over Generative AI, and that matters a great deal. For those of us in compliance, internal audit, risk, and governance, COSO is not a shiny new acronym trying to catch the latest tech train. COSO is the train schedule. It is the framework that boards, auditors, controllers, and compliance professionals already understand. And with this publication, COSO has done something very important: it has translated GenAI risk into the language of internal control. That is exactly what the market needed.
Because up until now, too much of the GenAI discussion has lived in one of two places. Either it sat in the innovation lab with people talking breathlessly about transformation, or it sat in the legal department where everyone worried, quite correctly, about hallucinations, privacy, and bias. What has often been missing is the operational bridge between aspiration and assurance. COSO gives us that bridge. It says, in effect, GenAI is not outside your control environment. It is now part of it. And if it is part of it, then it must be governed, tested, monitored, and documented like any other significant business capability.
GenAI Does Not Change the Need for Control. It Changes the Terrain
One of the most important points in the COSO paper is that GenAI does not upend the COSO Internal Control-Integrated Framework. Rather, it changes the environment in which those controls operate. The five familiar COSO components remain the same: control environment, risk assessment, control activities, information and communication, and monitoring activities. What changes is the nature of the underlying risk. GenAI introduces probabilistic outputs, model drift, prompt injection, opaque reasoning, rapid configuration changes, and shadow AI adoption outside normal approval channels. That is a very useful framing for compliance officers.
It means we should stop treating AI governance as some exotic side project. If GenAI is being used in operations, legal, finance, HR, procurement, investigations, or reporting, then it belongs inside your existing governance architecture. You do not need to invent a new religion. You need to apply the old disciplines to a new set of facts.
This is where compliance can and should lead. We understand what it means to build controls around fast-moving risk. We understand escalation, role clarity, training, monitoring, and accountability. COSO is effectively telling compliance professionals, “You already know more about governing GenAI than you think. Now apply that muscle memory with precision.”
A Capability-First Approach Is a Game Changer
Perhaps the most practically useful innovation in the COSO guidance is its capability-first taxonomy. Rather than organizing AI controls by vendor, product name, or technical buzzword, COSO looks at what the GenAI system actually does. It identifies eight capability types: data extraction and ingestion; data transformation and integration; automated transaction processing and reconciliation; workflow orchestration; judgment, forecasting, and insight generation; AI-powered monitoring and continuous review; knowledge retrieval and summarization; and human-AI collaboration. That is enormously helpful because it is how compliance people actually work.
We do not manage risk by admiring the label on the software box. We manage risk by understanding what a tool does in a process, what can go wrong, how fast it can go wrong, and how the error propagates downstream. A GenAI tool that summarizes policies creates one set of risks. A GenAI agent that routes approvals, posts transactions, or helps shape regulatory disclosures creates another. COSO gives organizations a common language for distinguishing among those use cases and calibrating controls accordingly. That is not just elegant. It is actionable.
The Five Foundational Truths Every CCO Should Memorize
COSO also offers five foundational characteristics for GenAI internal control, and each one should be printed out and taped to the wall of every compliance office.
First, GenAI is probabilistic, not deterministic. In plain English, it can sound authoritative and still be wrong. Therefore, outputs must be treated as claims requiring validation, not facts to be accepted by default. Second, GenAI is dynamic. Models, prompts, and retrieval data evolve quickly, so controls and monitoring must keep pace. Third, GenAI is easily scalable, which means it can scale both productivity and error. Fourth, it has a low barrier to entry, which is why shadow AI is such a real problem. Fifth, and perhaps most interestingly, GenAI can help govern GenAI through pattern detection, validation, and monitoring.
There is a lot packed into those five points. For compliance, the biggest takeaway is this: static governance will fail in a dynamic AI environment. Annual reviews will not cut it. A once-a-year policy refresh will not cut it. A single training session on acceptable use will not cut it. GenAI governance has to be living governance.
What COSO Says About the Control Environment
COSO starts where it should: tone, structure, and accountability. The paper says organizations need a GenAI acceptable use policy, clear ethical boundaries, oversight responsibility, named owners for each AI tool or platform, role-based training, and accountability mechanisms tied not only to adoption but to safety, compliance, and performance. Boards and cross-functional oversight groups need visibility into adoption, incidents, changes, and risk indicators.
That is a direct message to compliance leaders. If nobody owns the prompts, the retrieval connectors, the model configurations, the escalation path, or the approval structure, then nobody owns the risk. And in a regulatory environment moving steadily toward AI accountability, “nobody owned it” is not a defense. It is an indictment.
I particularly liked COSO’s emphasis that prompts, system prompts, and retrieval connectors should be treated as governed configurations. That is exactly right. Too many companies still treat prompting like an informal user habit rather than a control-relevant configuration choice. In a high-impact context, the prompt is not casual. It is part of the system.
Risk Assessment Must Get More Dynamic
COSO’s discussion of risk assessment is equally strong. It calls for use cases to have clearly defined objectives, acceptable and unacceptable boundaries, and success criteria. It also warns that organizations must first ask whether GenAI is even the right tool for the task. In some cases, traditional automation or deterministic systems may be safer and more reliable. The risk assessment should account for hallucinations, drift, provenance gaps, prompt injection, bias, third-party dependencies, and significant changes such as vendor updates, connector changes, or evolving regulations.
This is where compliance earns its keep. We are the ones who should be asking: What if the model changes quietly? What if the source data becomes stale? What if the retrieval layer excludes a critical policy update? What if the system routes something to the wrong approver? What if the tool is used in a context where a simpler and safer solution would do the job better?
COSO is right to emphasize scenario analysis and living risk registers. In the GenAI era, risk registers that only update annually are museum pieces.
Human-in-the-Loop Is Not Optional
When COSO turns to control activities, it gets very practical. It says GenAI outputs should be subject to human corroboration proportionate to risk, and in high-impact business, legal, or regulatory contexts, AI assistance should be segregated from authoritative decision-making. The paper also calls for version control, audit trails, access restrictions, change management, source citation requirements, segregation of duties, confidence thresholds, and documented approvals for configuration changes. That is the heart of responsible AI governance.
I was also struck by COSO’s discussion of reliance in an ICFR setting. The paper draws an important line between situations where management depends on AI output as evidence supporting control effectiveness and situations where a human independently re-performs the work. When true reliance exists, the evidentiary expectations rise: documented prompts, model versions, sampling rationale, exception resolution, and retained evidence.
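The two ideas above, prompts and retrieval connectors as governed configurations and reliance evidence that pins the exact configuration behind an output, can be made concrete in a small registry. The following is an added illustration, not text or code from COSO's paper; the registry, its field names, the owners and the use-case name are all constructed for this example. It refuses configuration changes that lack a documented approver or that the owner approves for themselves, records a before/after fingerprint for every change, and lets an auditor check whether retained evidence still describes the configuration that is running.

```python
"""Governed configuration registry for a GenAI use case, with approval-gated
changes, segregation of duties and reliance-evidence records.

Added illustration only: not text or code from COSO's paper. The registry,
field names, owners and use-case names are constructed for this example.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# The configuration elements the text treats as control-relevant.
GOVERNED_FIELDS = {"model_version", "system_prompt", "retrieval_connectors"}


def content_hash(obj) -> str:
    """SHA-256 over a canonical JSON encoding: a stable fingerprint for a
    prompt, a connector list or an evidence packet."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class GovernedConfig:
    name: str                      # use case, e.g. a policy summarizer
    owner: str                     # named accountable owner
    model_version: str
    system_prompt: str
    retrieval_connectors: List[str]
    version: int = 1
    approved_by: Optional[str] = None
    history: List[dict] = field(default_factory=list)

    def fingerprint(self) -> str:
        """Hash of the control-relevant configuration (prompt, model, connectors)."""
        return content_hash({f: getattr(self, f) for f in sorted(GOVERNED_FIELDS)})


class ApprovalRequired(Exception):
    """Raised when a change lacks the documented, independent approval it needs."""


class ConfigRegistry:
    def __init__(self):
        self._configs = {}

    def register(self, cfg: GovernedConfig, approved_by: str) -> None:
        self._check_approver(cfg, approved_by)
        cfg.approved_by = approved_by
        cfg.history.append(self._entry(cfg, approved_by, before=None,
                                       changed=sorted(GOVERNED_FIELDS)))
        self._configs[cfg.name] = cfg

    def change(self, name: str, approved_by: str, **updates) -> int:
        """Apply a change to governed fields. Refuses unapproved changes and
        approvals by the owner (segregation of duties). Returns the new version."""
        cfg = self._configs[name]
        self._check_approver(cfg, approved_by)
        unknown = set(updates) - GOVERNED_FIELDS
        if unknown:
            raise ValueError(f"not governed fields: {sorted(unknown)}")
        before = cfg.fingerprint()
        for key, value in updates.items():
            setattr(cfg, key, value)
        cfg.version += 1
        cfg.approved_by = approved_by
        cfg.history.append(self._entry(cfg, approved_by, before=before,
                                       changed=sorted(updates)))
        return cfg.version

    @staticmethod
    def _check_approver(cfg, approved_by):
        if not approved_by:
            raise ApprovalRequired(f"{cfg.name}: change needs a documented approver")
        if approved_by == cfg.owner:
            raise ApprovalRequired(f"{cfg.name}: approver must differ from owner")

    @staticmethod
    def _entry(cfg, approved_by, before, changed):
        # One audit-trail row per version: what changed, who approved, and both fingerprints.
        return {
            "version": cfg.version,
            "before": before,
            "after": cfg.fingerprint(),
            "changed": changed,
            "approved_by": approved_by,
            "at": datetime.now(timezone.utc).isoformat(),
        }


def reliance_evidence(cfg: GovernedConfig, prompt: str, output: str,
                      sampling_rationale: str, exceptions_resolved: int) -> dict:
    """Evidence packet retained when management relies on the output as
    control evidence: it pins the exact configuration that produced it."""
    return {
        "use_case": cfg.name,
        "config_version": cfg.version,
        "config_fingerprint": cfg.fingerprint(),
        "model_version": cfg.model_version,
        "prompt_hash": content_hash(prompt),
        "output_hash": content_hash(output),
        "sampling_rationale": sampling_rationale,
        "exceptions_resolved": exceptions_resolved,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }


def evidence_matches_current(cfg: GovernedConfig, evidence: dict) -> bool:
    """False when the configuration has changed since the evidence was taken,
    i.e. the retained evidence no longer describes what is running."""
    return evidence["config_fingerprint"] == cfg.fingerprint()
```

The fingerprint is the useful part for an auditor: when a vendor quietly bumps the model or someone edits the system prompt, `evidence_matches_current` returns false and the history row shows which governed field moved and who approved it.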
Even beyond financial reporting, that concept is vital for compliance. The moment your team starts relying on GenAI output for sanctions reviews, due diligence summaries, monitoring alerts, investigative chronology, or policy interpretation, you have to ask a simple question: What is our evidence that this output was reliable enough to trust?
Monitoring Is Where the Real Work Begins
COSO’s final major lesson is that monitoring GenAI is not a one-and-done exercise. Organizations need continuous metrics and periodic deep reviews. They need to track precision, recall, exception volumes, latency, fairness, drift, and the quality of outcomes. They need retraining triggers, rollback protocols, remediation logs, and playbooks for common AI control failures. COSO also makes the excellent point that in probabilistic systems, control failure may no longer be a simple pass-fail matter. Organizations may need multi-metric tolerance ranges across dimensions such as accuracy, bias, leakage, explainability, and change velocity.
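What multi-metric tolerance ranges with retraining and rollback triggers look like in practice is easier to see in code. The block below is an added illustration and not COSO's material; the metrics, the green/amber/red bands, the playbook rules and the five-day window of observations are all constructed for this example. It grades each metric against its own band, treats a single day over the leakage fail line as a rollback condition rather than averaging it away, and flags change velocity (a metric worsening day after day even while still inside tolerance).

```python
"""Multi-metric tolerance monitoring for a GenAI control, with retraining and
rollback triggers.

Added illustration only, not COSO's material. The metrics, tolerance bands,
playbook rules and daily observations are all constructed for this example.
"""
from statistics import mean
from typing import Dict, List

# metric -> (warn threshold, fail threshold, higher_is_better)
TOLERANCES = {
    "precision":     (0.90, 0.85, True),
    "recall":        (0.92, 0.88, True),
    "drift":         (0.10, 0.20, False),    # input-distribution shift score
    "leakage_rate":  (0.001, 0.005, False),  # share of outputs containing restricted data
    "latency_p95_s": (4.0, 8.0, False),
}

# Constructed five-day window for one use case (oldest first).
WINDOW: List[Dict[str, float]] = [
    {"precision": 0.93, "recall": 0.94, "drift": 0.05, "leakage_rate": 0.0, "latency_p95_s": 3.1},
    {"precision": 0.91, "recall": 0.93, "drift": 0.08, "leakage_rate": 0.0, "latency_p95_s": 3.4},
    {"precision": 0.89, "recall": 0.91, "drift": 0.12, "leakage_rate": 0.0, "latency_p95_s": 3.6},
    {"precision": 0.88, "recall": 0.90, "drift": 0.15, "leakage_rate": 0.0, "latency_p95_s": 3.9},
    {"precision": 0.87, "recall": 0.89, "drift": 0.19, "leakage_rate": 0.0, "latency_p95_s": 4.2},
]


def grade(metric: str, value: float) -> str:
    """Grade one observation against its tolerance band: green, amber or red."""
    warn, fail, higher_better = TOLERANCES[metric]
    ok = (value >= warn) if higher_better else (value <= warn)
    tolerable = (value >= fail) if higher_better else (value <= fail)
    return "green" if ok else "amber" if tolerable else "red"


def is_worsening(metric: str, values: List[float]) -> bool:
    """True when each observation is strictly worse than the previous one."""
    higher_better = TOLERANCES[metric][2]
    return len(values) >= 2 and all(
        (b < a) if higher_better else (b > a) for a, b in zip(values, values[1:])
    )


def evaluate(window: List[Dict[str, float]]) -> dict:
    """Grade the window and return the playbook actions it triggers."""
    averages = {m: mean(day[m] for day in window) for m in TOLERANCES}
    grades = {m: grade(m, v) for m, v in averages.items()}
    actions = []
    # A single day over the leakage fail line is enough to roll back; averaging would hide it.
    if any(grade("leakage_rate", day["leakage_rate"]) == "red" for day in window):
        actions.append("rollback")
    # Red on drift or on an accuracy metric over the window triggers a retraining review.
    if grades["drift"] == "red" or grades["precision"] == "red" or grades["recall"] == "red":
        actions.append("retraining_trigger")
    # Change velocity: a metric worsening on each of the last three days, even inside tolerance.
    trending = [m for m in TOLERANCES if is_worsening(m, [day[m] for day in window[-3:]])]
    if trending:
        actions.append("investigate_trend:" + ",".join(trending))
    if "rollback" in actions or "red" in grades.values():
        overall = "red"
    elif "amber" in grades.values():
        overall = "amber"
    else:
        overall = "green"
    return {"averages": averages, "grades": grades, "actions": actions, "overall": overall}


if __name__ == "__main__":
    result = evaluate(WINDOW)
    for metric, g in result["grades"].items():
        print(f"{metric:14s} {result['averages'][metric]:.3f} {g}")
    print("overall:", result["overall"], "actions:", result["actions"])
```

On the constructed window nothing is red, so a pass-fail control would report "passed"; the multi-metric view instead reports amber with four metrics trending the wrong way, which is exactly the signal a periodic deep review needs before a threshold is crossed.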
That is a sophisticated and realistic view. Compliance teams should take it seriously because it reflects the world we are moving into. AI control effectiveness will not be judged solely by whether a control exists on paper. It will be judged by whether the organization can show that it monitors performance, investigates deviations, remediates failures, and adapts as the technology changes.
The Bottom Line
The real genius of the COSO GenAI framework is that it takes AI out of the abstract and puts it where it belongs: inside the machinery of governance. It turns the conversation from “Do we have an AI policy?” to “Do we have effective internal control over AI use?” That is a far better question.
For compliance officers, the action items are clear. Inventory your GenAI use cases. Classify them by capability. Identify owners. Assess risk dynamically. Put human review where the stakes justify it. Govern prompts and configurations like controlled assets. Monitor continuously. And do not let your AI strategy outrun your control environment.
Because in the end, the organizations that benefit most from GenAI will not be the ones that moved fastest with the fewest guardrails. They will be the ones that figured out how to innovate with discipline. That is not bureaucracy. That is competitive advantage.