Day: March 17, 2026

Categories
AI Today in 5

AI Today in 5: March 17, 2026, The $1tn in Value Wipe-Out Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Open Claw exposes Agentic AI risk. (GovInfoSecurity)
  2. Using AI for comms compliance. (FinTechGlobal)
  3. AI with integrity in FinCrime compliance. (Forbes)
  4. AI in life insurance. (InsuranceNewsNet)
  5. Amazon leads the $1tn wipeout in AI value. (CNBC)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Daily Compliance News

Daily Compliance News: March 17, 2026, Is the DOJ Corrupt? Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Cyber hacks and Iran. (WSJ)
  • Madagascar’s ABC chief appointed PM. (DM.COM)
  • BoA settles Epstein victims’ lawsuit. (FT)
  • Was there corruption involved in the Live Nation settlement? (BIG)
Categories
Innovation in Compliance

Innovation in Compliance: Venezuela’s Energy Reopening with Loren Steffy

Innovation comes in many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox visits with energy journalist/publisher Loren Steffy to discuss whether a Trump administration announcement regarding Venezuela is meaningful for oil markets, concluding that it mainly increases uncertainty and is unlikely to drive major U.S. oil-company investment.

They note West Texas shale generally needs about $60 oil to break even, making $50 oil politically and economically problematic. They explain that Venezuela’s heavy crude requires specialized extraction technology and extensive, aging infrastructure upgrades to reach the market, potentially costing billions and taking decades, with some estimates placing Venezuela’s break-even price at $80 or higher. They emphasize governance, corruption, degraded PDVSA human capital, contract enforceability, and unresolved debts (including reported $12B owed to ConocoPhillips) as key barriers, making Venezuela “uninvestible” for most majors and suggesting only high-risk players might consider entry amid unclear U.S. strategy.

Key highlights:

  • Venezuela Heavy Crude Basics
  • Infrastructure Rebuild Challenge
  • Human Capital and Governance
  • Old Debts and Legal Risk
  • Government Plan or Subsidies

Resources:

Loren Steffy on LinkedIn

Stoney Creek Publishing 

Innovation in Compliance was recently ranked Number 4 in Risk Management by 1,000,000 Podcasts.

Categories
The PfBCon Podcast

The PFBCon Podcast: Legal Must-Knows for Business Podcasters: Protect Your Brand, Content & Reputation with Gordon Firemark

Entertainment and media attorney Gordon Firemark (“the podcast lawyer”) delivers a session on essential legal principles for podcasters using shows as a business or within a business.

Gordon explains that publishing a podcast makes you responsible like a professional media company and outlines key areas to manage risk and build long-term value: forming a legal entity to separate personal and business liability; documenting ownership with written agreements (including “work made for hire” language) for co-hosts, contractors, and contributors; using a “podcast prenup” to define control, revenue, expenses, and exit scenarios; protecting intellectual property through copyright registration and trademark selection/registration (including searching the USPTO and avoiding generic titles), illustrated by a case where waiting to file caused years of trademark conflict; avoiding copyright problems by licensing/using royalty-free content and not relying on fair use as a “get out of jail free” claim; requiring guest release agreements to prevent takedown demands and disputes, including clauses covering editing, repurposing, and AI use; structuring sponsorship and brand deals with clear payment terms and deliverables; complying with FTC disclosure rules for endorsements, affiliate relationships, gifts, and paid interviews; and reducing defamation/privacy risk through fact-checking, respecting NDAs, and using disclaimers for legal/health/financial advice. He closes with resources and where to find him online, including his sites and podcaster community.

Key highlights:

  • Why Podcasters Need Legal Thinking
  • Gordon’s Podcasting Origin Story
  • The Three Pillars of Protection
  • Entities and Ownership Basics
  • Co-Hosts and Podcast Prenup
  • Copyright and Fair Use Myths
  • Trademarks and Naming Your Show
  • Guest Releases and Control
  • Sponsorships and FTC Disclosures
  • Defamation, Privacy, and Disclaimers 

Resources:

Follow Gordon Firemark on:

Entertainment Law Offices of Gordon P. Firemark

LinkedIn

Website

YouTube

Facebook

Instagram

Categories
Blog

COSO Meets GenAI: The Internal Controls Playbook for Compliance

If you are a compliance professional looking at your company’s GenAI rollout and wondering when the grown-ups will finally arrive, I have good news. They just did.

COSO has now stepped directly into the GenAI conversation with its new paper, Achieving Effective Internal Control Over Generative AI, and that matters a great deal. For those of us in compliance, internal audit, risk, and governance, COSO is not a shiny new acronym trying to catch the latest tech train. COSO is the train schedule. It is the framework that boards, auditors, controllers, and compliance professionals already understand. And with this publication, COSO has done something very important: it has translated GenAI risk into the language of internal control. That is exactly what the market needed.

Because up until now, too much of the GenAI discussion has lived in one of two places. Either it sat in the innovation lab with people talking breathlessly about transformation, or it sat in the legal department where everyone worried, quite correctly, about hallucinations, privacy, and bias. What has often been missing is the operational bridge between aspiration and assurance. COSO gives us that bridge. It says, in effect, GenAI is not outside your control environment. It is now part of it. And if it is part of it, then it must be governed, tested, monitored, and documented like any other significant business capability.

GenAI Does Not Change the Need for Control. It Changes the Terrain

One of the most important points in the COSO paper is that GenAI does not upend the COSO Internal Control-Integrated Framework. Rather, it changes the environment in which those controls operate. The five familiar COSO components remain the same: control environment, risk assessment, control activities, information and communication, and monitoring activities. What changes is the nature of the underlying risk. GenAI introduces probabilistic outputs, model drift, prompt injection, opaque reasoning, rapid configuration changes, and the adoption of shadow AI outside normal approval channels. That is a very useful framing for compliance officers.

It means we should stop treating AI governance as some exotic side project. If GenAI is used in operations, legal, finance, HR, procurement, investigations, or reporting, it belongs within your existing governance architecture. You do not need to invent a new religion. You need to apply the old disciplines to a new set of facts.

This is where compliance can and should lead. We understand what it means to build controls around fast-moving risk. We understand escalation, role clarity, training, monitoring, and accountability. COSO is effectively telling compliance professionals, “You already know more about governing GenAI than you think. Now apply that muscle memory with precision.”

A Capability-First Approach Is a Game Changer

The most practically useful innovation in the COSO guidance is its capability-first taxonomy. Rather than organizing AI controls by vendor, product name, or technical buzzwords, COSO focuses on what the GenAI system actually does. It identifies eight capability types: data extraction and ingestion; data transformation and integration; automated transaction processing and reconciliation; workflow orchestration; judgment, forecasting, and insight generation; AI-powered monitoring and continuous review; knowledge retrieval and summarization; and human-AI collaboration. That is enormously helpful because it is how compliance people actually work.

We do not manage risk by admiring the label on the software box. We manage risk by understanding what a tool does in a process, what can go wrong, how fast it can go wrong, and how the error propagates downstream. A GenAI tool that summarizes policies creates one set of risks. A GenAI agent that routes approvals, posts transactions, or helps shape regulatory disclosures creates another. COSO provides organizations with a common language for distinguishing among use cases and calibrating controls accordingly. That is not just elegant. It is actionable.

The Five Foundational Truths Every CCO Should Memorize

COSO also offers five foundational characteristics for GenAI internal control, and each should be printed and posted on the wall of every compliance office.

First, GenAI is probabilistic, not deterministic. In plain English, it can sound authoritative and still be wrong. Therefore, outputs must be treated as claims requiring validation, not facts to be accepted by default. Second, GenAI is dynamic. Models, prompts, and retrieval data evolve quickly, so controls and monitoring must keep pace. Third, GenAI is easily scalable, meaning it can scale both productivity and error rates. Fourth, it has a low barrier to entry, which is why shadow AI is such a real problem. Fifth, and perhaps most interestingly, GenAI can help govern GenAI through pattern detection, validation, and monitoring.

There is a lot packed into those five points. For compliance, the biggest takeaway is this: static governance will fail in a dynamic AI environment. Annual reviews will not cut it. A once-a-year policy refresh will not cut it. A single training session on acceptable use will not cut it. GenAI governance has to be living governance.

What COSO Says About the Control Environment

COSO starts where it should: tone, structure, and accountability. The paper says organizations need a GenAI acceptable use policy, clear ethical boundaries, oversight and accountability responsibilities, named owners for each AI tool or platform, role-based training, and accountability mechanisms tied not only to adoption but also to safety, compliance, and performance. Boards and cross-functional oversight groups need visibility into adoption, incidents, changes, and risk indicators.

That is a direct message to compliance leaders. If nobody owns the prompts, the retrieval connectors, the model configurations, the escalation path, or the approval structure, then nobody owns the risk. And in a regulatory environment moving steadily toward AI accountability, “nobody owned it” is not a defense. It is an indictment.

I particularly liked COSO’s emphasis that prompts, system prompts, and retrieval connectors should be treated as governed configurations. That is exactly right. Too many companies still treat prompting like an informal user habit rather than a control-relevant configuration choice. In a high-impact context, the prompt is not casual. It is part of the system.

Risk Assessment Must Get More Dynamic

COSO’s discussion of risk assessment is equally strong. It calls for use cases to have clearly defined objectives, acceptable and unacceptable boundaries, and success criteria. It also warns that organizations must first ask whether GenAI is even the right tool for the task. In some cases, traditional automation or deterministic systems may be safer and more reliable. The risk assessment should account for hallucinations, drift, provenance gaps, prompt injection, bias, third-party dependencies, and significant changes such as vendor updates, connector changes, or evolving regulations.

This is where compliance earns its keep. We are the ones who should be asking: What if the model changes quietly? What if the source data becomes stale? What if the retrieval layer excludes a critical policy update? What if the system routes something to the wrong approver? What if the tool is used in a context where a simpler and safer solution would do the job better?

COSO is right to emphasize scenario analysis and living risk registers. In the GenAI era, risk registers that only update annually are museum pieces.

Human-in-the-Loop Is Not Optional

When COSO turns to control activities, it gets very practical. It says GenAI outputs should be subject to human corroboration proportionate to risk, and in high-impact business, legal, or regulatory contexts, AI assistance should be segregated from authoritative decision-making. The paper also calls for version control, audit trails, access restrictions, change management, source citation requirements, segregation of duties, confidence thresholds, and documented approvals for configuration changes. That is the heart of responsible AI governance.

I was also struck by COSO’s discussion of reliance in an ICFR setting. The paper draws an important distinction between situations in which management relies on AI output as evidence of control effectiveness and situations in which a human independently re-performs the work. When true reliance exists, the evidentiary expectations rise: documented prompts, model versions, sampling rationale, exception resolution, and retained evidence.

Even beyond financial reporting, that concept is vital for compliance. The moment your team starts relying on GenAI output for sanctions reviews, due diligence summaries, monitoring alerts, investigative chronology, or policy interpretation, you have to ask a simple question: What is our evidence that this output was reliable enough to trust?

Monitoring Is Where the Real Work Begins

COSO’s final major lesson is that monitoring GenAI is not a one-and-done exercise. Organizations need continuous metrics and periodic deep reviews. They need to track precision, recall, exception volumes, latency, fairness, drift, and outcome quality. They need retraining triggers, rollback protocols, remediation logs, and playbooks for common AI control failures. COSO also makes the excellent point that in probabilistic systems, control failure may no longer be a simple pass-fail matter. Organizations may need multi-metric tolerance ranges across dimensions such as accuracy, bias, leakage, explainability, and change velocity.

That is a sophisticated and realistic view. Compliance teams should take it seriously because it reflects the world we are moving into. AI control effectiveness will not be judged solely by whether a control exists on paper. It will be judged by whether the organization can show that it monitors performance, investigates deviations, remediates failures, and adapts as the technology changes.

The Bottom Line

The real genius of the COSO GenAI framework is that it takes AI out of the abstract and puts it where it belongs: inside the machinery of governance. It turns the conversation from “Do we have an AI policy?” to “Do we have effective internal control over AI use?” That is a far better question.

For compliance officers, the action items are clear. Inventory your GenAI use cases. Classify them by capability. Identify owners. Assess risk dynamically. Put human review where the stakes justify it. Govern prompts and configurations, such as controlled assets. Monitor continuously. And do not let your AI strategy outrun your control environment.

Because in the end, the organizations that benefit most from GenAI will not be the ones that moved fastest with the fewest guardrails. They will be the ones who figured out how to innovate with discipline. That is not bureaucracy. That is a competitive advantage.