Categories
Innovation in Compliance

Innovation in Compliance: Data Defensibility: Enterprise Agentic AI: Governance, Auditability, and the AI Gateway Layer with Nikunj Bajaj

Innovation comes in many areas and compliance professionals need to not only be ready for it but embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with Nikunj Bajaj, co-founder and CEO of TrueFoundry, about enterprise agentic AI infrastructure, governance, and the hidden costs most organizations are not accounting for.

Bajaj describes TrueFoundry’s platform as a single control plane where enterprises can build, ship, and govern agentic AI applications, inspired by Meta’s internal ML stack, which he describes as about a decade ahead of the rest of the industry. He argues enterprises over-focus on model and tool selection when problem definition and effective use are the real constraints. On governance, he identifies two failure modes: avoiding meaningful use cases entirely to sidestep governance risk, or trying to solve all governance problems upfront and never reaching ROI. Successful teams implement application-specific controls iteratively, starting with a few high-value use cases rather than hundreds of low-value ones. He highlights that model inference accounts for only about 20% of total generative AI spend, with the majority concentrated in infrastructure, engineering, and debugging, creating cost allocation and budget control challenges for compliance teams. For auditability, he argues that an agent without full decision traces is “a liability with an API key,” and walks through how end-to-end tracing enables audit readiness, faster debugging, and proactive attack detection. He closes by advocating centralized control via a unified AI gateway while enabling federated development, and tailoring guardrails to whether your exposure surface is external or internal.
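The gateway pattern summarized above (every model and tool call passing through one control plane that records a decision trace, enforces surface-specific guardrails, and flags runs for review) can be sketched in code. The block below is an added illustration written for this page; it is not TrueFoundry's code and nothing in it comes from the episode. The policy values, the stub model, the two stub tools, the injected-instruction trigger and the e-mail redaction rule are all assumptions constructed for the demo.

```python
"""Minimal AI gateway: one choke point, full decision traces, guardrails by exposure surface.
Added example; stubs below stand in for a real model and real tools."""
from __future__ import annotations

import hashlib
import json
import re
import time
import uuid
from dataclasses import dataclass, field

# Assumed guardrail policy per exposure surface (values are illustrative, not from the page).
POLICY = {
    "external": {"allowed_tools": {"search_kb"}, "max_tool_calls": 3, "redact_pii": True},
    "internal": {"allowed_tools": {"search_kb", "query_hr_db"}, "max_tool_calls": 10, "redact_pii": False},
}
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def _digest(obj) -> str:
    """Short content hash: the trace binds to exact inputs/outputs without storing secrets in clear."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, default=str).encode()).hexdigest()[:16]


class GatewayDenied(Exception):
    """A guardrail blocked the call; the block itself is written to the trace before raising."""


@dataclass
class Trace:
    run_id: str
    surface: str
    principal: str
    events: list = field(default_factory=list)

    def record(self, kind: str, **data) -> None:
        self.events.append({"seq": len(self.events), "ts": time.time(), "kind": kind, **data})

    def kinds(self) -> list[str]:
        return [e["kind"] for e in self.events]


class AIGateway:
    """Every model call and tool call of every agent goes through this object."""

    def __init__(self, policy: dict = POLICY):
        self.policy = policy
        self.traces: dict[str, Trace] = {}

    def start_run(self, surface: str, principal: str) -> Trace:
        if surface not in self.policy:
            raise GatewayDenied(f"unknown exposure surface {surface!r}")
        trace = Trace(run_id=str(uuid.uuid4()), surface=surface, principal=principal)
        trace.record("run_start")
        self.traces[trace.run_id] = trace
        return trace

    def model_call(self, trace: Trace, prompt: str, model_fn) -> str:
        # The model's raw decision text is kept so an auditor can see why a tool was chosen.
        trace.record("model_call", prompt_hash=_digest(prompt))
        decision = model_fn(prompt)
        trace.record("model_decision", decision=decision, decision_hash=_digest(decision))
        return decision

    def tool_call(self, trace: Trace, tool: str, args: dict, tool_fn) -> str:
        rules = self.policy[trace.surface]
        prior = sum(1 for e in trace.events if e["kind"] == "tool_call")
        if tool not in rules["allowed_tools"]:
            trace.record("guardrail_block", reason="tool_not_allowed", tool=tool)
            raise GatewayDenied(f"{tool} not allowed on {trace.surface} surface")
        if prior >= rules["max_tool_calls"]:
            trace.record("guardrail_block", reason="tool_budget_exhausted", tool=tool)
            raise GatewayDenied("tool-call budget exhausted")
        trace.record("tool_call", tool=tool, args_hash=_digest(args))
        result = tool_fn(**args)
        if rules["redact_pii"]:
            result = _EMAIL.sub("[redacted-email]", result)
        trace.record("tool_result", tool=tool, result_hash=_digest(result))
        return result

    def suspicious_runs(self) -> list[str]:
        """Proactive detection: any run that tripped a guardrail is queued for review."""
        return [rid for rid, t in self.traces.items() if "guardrail_block" in t.kinds()]


# Constructed stubs (assumptions for the demo): a "model" that can be talked into an HR tool,
# and two tools, one of which leaks an e-mail address into its output.
def stub_model(prompt: str) -> str:
    return "CALL query_hr_db" if "ignore previous instructions" in prompt else "CALL search_kb"


TOOLS = {
    "search_kb": lambda q: f"KB hit for {q!r}: contact support@example.com",
    "query_hr_db": lambda employee: f"salary record for {employee}",
}


def run_agent(gw: AIGateway, surface: str, user_input: str) -> Trace:
    """One agent turn: ask the model what to do, then execute that tool through the gateway."""
    trace = gw.start_run(surface, principal=f"agent-{surface}")
    decision = gw.model_call(trace, user_input, stub_model)
    tool = decision.split()[-1]
    args = {"employee": "E123"} if tool == "query_hr_db" else {"q": user_input}
    try:
        gw.tool_call(trace, tool, args, TOOLS[tool])
    except GatewayDenied:
        trace.record("run_aborted")
    return trace
```

The same injected input is allowed to reach the HR tool on the internal surface and is blocked on the external one; in both cases the trace shows the prompt hash, the model's decision text and every guardrail decision in order, which is what makes the run auditable rather than "a liability with an API key".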

Key Highlights

  • Stop Chasing Tools
  • Governance vs Speed
  • Hidden AI Costs
  • Agent Auditability
  • Board Level Priorities

Resources

Connect with Nikunj Bajaj

Learn More About TrueFoundry

Categories
AI Today in 5

AI Today in 5: June 2, 2026 the Exposing Yourself Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, I will bring you five AI stories to start your day. Sit back, enjoy a cup of morning coffee and listen in to AI Today in 5. All, from the Compliance Podcast Network. Each day we consider five stories from the business world, compliance, ethics, risk management, leadership or general interest about AI.

  1. Compliance gap that can expose your AI systems. (FinTechGlobal)
  2. CT businesses face new AI law. (HBJ)
  3. Anthropic files to go public. (NYT)
  4. OpenAI sued by FL AG. (WSJ)
  5. Anthropic offers Mythos to the EU. (FT)

For more information on the use of AI in compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com. To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out my latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com

Categories
Daily Compliance News

Daily Compliance News: June 2, 2026 the KPMG Sinking Down Under Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership or general interest for the compliance professional.

  • Ex-Turks and Caicos PM sentenced to four years in prison for corruption. (AP)
  • Storytelling in compliance. (CCI)
  • Another former TD America employee pleads guilty to bribery and corruption. (WashingtonTimes)
  • KPMG Australia Directors agree to reopen investigation. (SMH)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out my latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com

Categories
Trekking Through Compliance

Trekking Through Compliance – Episode 2 – Leadership and Training Lessons from Charlie X

In this episode of Trekking Through Compliance for 2026, we consider leadership and training lessons from Charlie X, which aired on September 15, 1966, Stardate 1533.6.

Story

The USS Enterprise meets the merchant vessel Antares to take charge of Charlie Evans, the sole survivor of a transport ship that crashed on Thasus. For fourteen years, seventeen-year-old Charlie grew up alone, stranded in the wreckage, learning to communicate with the ship’s computer systems, which remained intact.

Despite his eagerness to please, Charlie becomes obnoxious since his lack of upbringing has left him with no knowledge of social norms or control of his emotions. He latches on to Captain Kirk as a father figure and develops an infatuation with Yeoman Janice Rand. He demonstrates extraordinary powers of telepathy and matter transmutation. When the Antares is nearly out of sensor range, it transmits a message to the Enterprise. The message is cut off before it can convey a warning. Scanners show that Antares has been reduced to debris.

Realizing Charlie’s powers are too great to be controlled, Kirk opts to divert from Alpha V to at least keep Charlie away from a civilized world where he would wreak havoc. Charlie discovers Kirk’s plans and takes control of the Enterprise.

A Thasian ship approaches and restores the Enterprise and its crew to their proper forms. The Thasian commander says that his race gave Charlie his powers so he could survive in their world, but these powers (which they can’t remove from him) make him too dangerous to live among humans. Charlie begs Kirk not to let the aliens have him since the Thasians lack any physical form or capacity for love. However, the Thasians reject Kirk’s argument that Charlie belongs with his own kind, and Charlie is taken away with a final echoing wail of “I wanna stay!”

Commentary

The episode explores the story of Charlie Evans, a young man with dangerous telekinetic powers, and draws parallels to modern compliance and mental health issues. Tom discusses the responsibilities that come with power, the importance of training and supervision, handling unpredictable behavior, clear communication, crisis management, and addressing misconduct. He also reflects on recent real-world events, such as the Uvalde school shooting and the challenges of addressing mental health in compliance programs.

Key highlights:

1. The Responsibilities of Power—Strength Without Structure

🖖 Illustrated by: Charlie turning crew members into nothingness when they anger him.

Charlie is gifted with tremendous abilities but lacks any ethical framework or boundaries. This is a vivid metaphor for what happens when individuals inside an organization gain influence or access without training or accountability. Think of an unmonitored executive with access to financial controls or an engineer with override access but no compliance training—a ticking time bomb.

2. Training and Supervision—It’s Not Optional, It’s Essential

🖖 Illustrated by: Kirk’s attempt to guide Charlie and his later regret at not recognizing the full scope of the risk.

Charlie’s guardianship was left to chance. No proper onboarding, no safety protocols. Sound familiar? In corporate compliance, onboarding isn’t just about day one—it’s about culture shaping. Organizations must ensure that individuals with a higher risk potential receive both guidance and oversight from the outset.

3. Unpredictable Behavior and Ethical Culture—From Red Flag to Alarm Bell

🖖 Illustrated by: Charlie’s mood swings and escalating aggression, which are repeatedly ignored until it’s too late.

The crew notices early signs—jealousy, possessiveness, emotional outbursts—but tolerates them. This reflects the real-world danger of brushing off early signs of a toxic culture. A strong compliance function identifies behavioral red flags before they escalate into corporate crises.

4. Communication and Escalation Protocols—Say Something, Do Something

🖖 Illustrated by: Janice Rand’s discomfort and unease around Charlie, which she initially tries to manage on her own.

Rand’s growing fear underscores the difficulty of speaking up, especially when someone powerful appears to be protected. Her reluctance reminds us that a speak-up culture is not automatic. Companies must establish genuine channels for complaints, empower employees to utilize them, and respond promptly and transparently.

5. Crisis Management—Too Late is Still Too Late

🖖 Illustrated by: The crew’s loss of control over the Enterprise, forcing alien intervention to remove Charlie.

The crew fails to contain the situation internally. It takes external, godlike beings to restore order—a cautionary tale for compliance leaders. If a company waits until the crisis has gone public or regulatory bodies step in, internal credibility is lost. Crisis planning and early intervention are crucial in protecting the organization before outside authorities are required to intervene.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Categories
Blog

From the Tower of Babel to the Boardroom: Part 2 – AI Governance Is a Compliance Issue

In the first post in this series, we used Magnifica Humanitas to frame the choice facing every board and compliance leader in the age of artificial intelligence. Companies can build a new Tower of Babel, driven by speed, scale, efficiency and power without adequate governance. Or they can follow the path of Nehemiah, rebuilding with discipline, shared responsibility, accountability and the human person at the center. That choice now moves from principle to program design.

AI governance cannot remain in the innovation lab, the IT department or the digital transformation office. It belongs inside the compliance program. Not because compliance should own every AI decision, and not because the CCO should become the chief technologist. AI governance belongs in compliance because AI creates the very risks compliance programs are designed to manage: legal risk, ethical risk, data risk, third-party risk, culture risk, internal controls risk, reporting risk, investigation risk and board oversight risk.

Magnifica Humanitas makes this point in moral language. Pope Leo writes that the use of AI is never a purely technical matter when it enters processes that affect people’s lives, rights, opportunities, status and freedom (Magnifica Humanitas, ¶102). For the modern compliance professional, that is familiar terrain. These are the risks an effective compliance program must identify, assess, control, monitor and remediate.

AI Is Not an Adjacent Risk

The first mistake companies make is treating AI as an adjacent risk. The business says AI is a productivity tool. IT says AI is a systems issue. Legal says AI is a regulatory issue. Privacy says AI is a data issue. Cybersecurity says AI is an access issue. HR says AI is a workforce issue. Internal audit says AI is a controls issue. Procurement says AI is a vendor issue. They are all correct.

That is precisely why AI governance must be cross-functional, risk-based and integrated into the compliance program. AI does not respect organizational charts. It moves through data, workflows, vendors, platforms, communications, decisions and employee behavior. It may be embedded inside software already used by the company. It may be adopted by employees without formal approval. It may be deployed by vendors before procurement or legal fully understands how the tool works. It may be used by compliance itself for monitoring, investigations, hotline triage, third-party due diligence, sanctions screening or training.

The DOJ Has Already Put AI on the Compliance Agenda

The Department of Justice has made clear that AI is now part of compliance program evaluation. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether a company has a process for identifying and managing emerging risks, including risks related to new technologies such as AI. It asks how the company assesses the impact of AI on compliance with criminal laws, whether AI risk is integrated into enterprise risk management, how the company governs AI in commercial operations and in the compliance program, whether controls monitor trustworthiness and reliability, whether AI is limited to intended uses, what human decision-making baseline is used, how accountability is enforced and how employees are trained.

This is where the Encyclical and the ECCP align. Pope Leo calls for responsibility to be clearly defined at every stage, from those who design and develop AI systems to those who use them and rely on them for concrete decisions (Magnifica Humanitas, ¶105). The DOJ asks whether the company has translated that responsibility into risk assessment, controls, testing, training and accountability.

For CCOs, the message is direct. AI governance should be reflected in the risk assessment, policies and procedures, training, third-party risk management, internal controls, monitoring, investigations, discipline, incentives and board reporting. A company that cannot explain how it governs AI will struggle to explain how its compliance program is keeping pace with the business.

The CCO’s Role in AI Governance

The CCO does not need to own AI. The CCO does need a seat at the table. Compliance should help design the company’s AI governance model. That model should include a cross-functional AI governance committee with representation from compliance, legal, privacy, cybersecurity, IT, HR, internal audit, procurement, finance and the business. It should define approval rights for high-risk use cases. It should establish documentation standards. It should require risk classification. It should identify prohibited uses. It should provide escalation channels for AI incidents and concerns.

This is the corporate version of Nehemiah’s wall. Pope Leo writes that everyone is given a section of the wall and that shared responsibility across disciplines and communities is the way to build for the common good (Magnifica Humanitas, ¶13). AI governance works the same way. Legal cannot do it alone. IT cannot do it alone. Compliance cannot do it alone. The governance model must assign roles so the whole enterprise can rebuild with discipline.

The CCO should also insist on an AI use-case inventory. This is the foundational control. The company cannot govern what it cannot see. The inventory should include the business owner, tool name, vendor, purpose, data categories, decision impact, risk rating, applicable policies, human review requirements, testing history, approval date, renewal date and control owner.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. The Encyclical does not give companies an AI procedure manual. It gives them governing principles. The compliance task is to translate those principles into requirements that can be owned, tested, evidenced and improved. Pope Leo is explicit that digital processes should not be imposed from above in opaque or unilateral ways, but should be directed toward the common good with transparency, accountability, meaningful participation, independent checks, algorithmic transparency, equitable access to data and avenues for recourse (Magnifica Humanitas, ¶71).

Human dignity becomes human impact assessment and human review. The common good becomes enterprise risk governance and stakeholder impact. Subsidiarity becomes cross-functional participation, with decisions made close enough to the risk to be informed and accountable. Solidarity becomes attention to affected employees, customers, communities and vulnerable populations. Social justice becomes bias testing, access, recourse and a refusal to let opaque systems create hidden exclusion.

NIST AI RMF and ISO/IEC 42001 as Practical Architecture

Two frameworks can help compliance leaders translate AI principles into program structure. They give operational force to Pope Leo’s warning that it is not enough to invoke ethics in the abstract. He calls instead for robust frameworks, independent oversight, informed users and institutions capable of governing AI’s effects (Magnifica Humanitas, ¶106). That is precisely the move compliance must make, from AI principles to an AI management system.

The NIST AI Risk Management Framework organizes AI risk management around four functions: Govern, Map, Measure and Manage. For compliance leaders, that is highly practical. Govern means the company has assigned authority, accountability, policies and risk appetite. Map means the company understands the context, purpose, users, affected stakeholders and potential impact of each AI use case. Measure means the company evaluates performance, reliability, bias, data quality, security and control effectiveness. Manage means the company prioritizes risks, implements controls, monitors outcomes, remediates problems and documents decisions.

ISO/IEC 42001 provides a management-system model. It focuses on establishing, implementing, maintaining and continually improving an AI management system. For a compliance program, that supplies the discipline of policy, objectives, roles, processes, risk assessment, controls, monitoring, performance evaluation, corrective action and continual improvement.

From Policy to Controls

A policy is necessary, but it is not sufficient. A company can have a well-written AI policy and still have a weak AI governance program. The issue is whether the policy has operational effect.

Pope Leo explains why. Technology is never neutral because it takes on the characteristics of those who devise, finance, regulate and use it (Magnifica Humanitas, ¶9). He later adds that every technical tool embodies choices and priorities through what it measures, ignores, optimizes and how it classifies people and situations (Magnifica Humanitas, ¶104). For compliance, that means the control environment must reach design, data, use, monitoring, output and remediation.

COSO has warned that generative AI creates risks from cyber exposure, prompt manipulation, opaque reasoning, model drift and frequent configuration changes that can affect operations, reporting and compliance if not addressed with robust internal controls. That is the compliance challenge. AI governance must become control activity.

Compliance Can Use AI Responsibly

Compliance should not stand outside the AI transformation. AI can help compliance become more effective. It can identify patterns in transactional data. It can assist with third-party risk scoring. It can support sanctions screening. It can help analyze hotline trends. It can improve training design. It can help prioritize monitoring. It can summarize large document sets in investigations. It can support control testing.

Magnifica Humanitas is direct on this point. AI may imitate functions of human intelligence, but it does not possess conscience, experience, responsibility or the capacity to judge good and evil (Magnifica Humanitas, ¶99). It can also create excessive reliance, the impression of objectivity and a weakening of personal judgment (Magnifica Humanitas, ¶100). Compliance professionals should use AI, but they should never surrender professional judgment to it. Human primacy remains the central control.

5 Lessons for the CCO

  1. Treat AI as a human dignity and compliance risk. AI is now part of legal, ethical, operational, data, third-party and culture risk. The Encyclical reminds us that AI touches rights, opportunities, status and freedom when it enters consequential decisions (Magnifica Humanitas, ¶102).
  2. Build and maintain an AI inventory because governance begins with visibility. Every AI use case should have an owner, purpose, risk rating, data classification, control set, approval status and review cycle.
  3. Govern compliance’s own AI use because accountability starts at home. Compliance should use AI, but it must document purpose, controls, human review, validation and accountability.
  4. Move from policy to controls because technology is never neutral. AI governance requires approval workflows, data restrictions, testing, monitoring, escalation, remediation and auditability (Magnifica Humanitas, ¶9, ¶104).
  5. Report evidence to the board because accountability requires more than aspiration. Boards need dashboards and documentation showing where AI is used, what risks exist, what controls apply, who is accountable and whether the governance program is effective (Magnifica Humanitas, ¶105).

Conclusion: From Governance Principle to Control Discipline

Magnifica Humanitas challenges us to place the human person at the center of technological transformation. For compliance leaders, that means AI must be governed through risk assessment, controls, accountability, transparency, human oversight and evidence. The DOJ ECCP makes clear that prosecutors will ask how companies govern AI in the business and in compliance. NIST AI RMF and ISO/IEC 42001 provide practical architecture for doing so. COSO gives the internal controls discipline.

The compliance profession should embrace AI. It can make compliance more effective, more data-driven and more responsive. But embracing AI does not mean surrendering judgment to it. The right model is not fear. The right model is governed adoption.

In the next post, we will move from formal AI governance to the most immediate AI control challenge inside many companies: Shadow AI and Internal Controls. Employees are already using AI tools because they are fast, useful and accessible. The compliance question is whether the company can turn hidden use into governed use before shadow AI becomes the next major control failure.

Categories
Blog

Charlie X: Power Without Boundaries – A Compliance Nightmare

Today, we explore the explosive volatility of Charlie X—a story about unchecked power, emotional instability, and the dire consequences of failing to enforce rules and structure. Charlie Evans, a teenage orphan raised by aliens, is taken aboard the Enterprise, possessing extraordinary telekinetic abilities but lacking social training, emotional discipline, and accountability. That combination proves disastrous. We consider how Charlie’s descent into violence mirrors risks faced by compliance professionals when misconduct is ignored, misbehavior is tolerated, and power is given without oversight. In today’s corporate world, “Charlie X” is less about space and more about leadership responsibility, psychological safety, and early intervention.

Key Highlights and Star Trek Case Studies:

1. The Responsibilities of Power—Strength Without Structure

This is illustrated by Charlie turning crew members into nothingness when they anger him.

Charlie is gifted with tremendous abilities but lacks any ethical framework or boundaries. This is a vivid metaphor for what happens when individuals inside an organization gain influence or access without training or accountability. Think of an unmonitored executive with access to financial controls or an engineer with override access but no compliance training—a ticking time bomb.

2. Training and Supervision—It’s Not Optional, It’s Essential

This is illustrated by Kirk’s attempt to guide Charlie and his later regret at not recognizing the full scope of the risk.

Charlie’s guardianship was left to chance, with no proper onboarding and no safety protocols in place. Sound familiar? In corporate compliance, onboarding isn’t just about day one—it’s about culture shaping. Organizations must ensure that individuals with a higher risk potential receive both guidance and oversight from the outset.

3. Unpredictable Behavior and Ethical Culture—From Red Flag to Alarm Bell

This is illustrated by Charlie’s mood swings and escalating aggression, which are repeatedly ignored until it’s too late.

The crew notices early signs, such as jealousy and possessiveness, but tolerates them. This reflects the real-world danger of brushing off early signs of a toxic culture. A strong compliance function identifies behavioral red flags before they escalate into corporate crises.

4. Communication and Escalation Protocols—Say Something, Do Something

This is illustrated by Janice Rand’s discomfort and unease around Charlie, which she initially tries to manage on her own.

Rand’s growing fear underscores the difficulty of speaking up, especially when someone powerful appears to be protected. Her reluctance reminds us that a speak-up culture is not automatic. Companies must establish genuine channels for complaints, empower employees to utilize them, and respond promptly and transparently.

5. Crisis Management—Too Late is Still Too Late

This is illustrated by the crew’s loss of control over the Enterprise, forcing alien intervention to remove Charlie.

The crew fails to contain the situation internally. It takes external, godlike beings to restore order—a cautionary tale for compliance leaders. If a company waits until the crisis has gone public or regulatory bodies step in, internal credibility is lost. Crisis planning and early intervention are crucial in protecting the organization before outside authorities are required to intervene.

Final ComplianceLog Reflections

Charlie X reminds us that power without oversight is perilous, that emotional and psychological health must be part of our compliance focus, and that red flags must not be ignored simply because they come wrapped in charm or vulnerability. Compliance is not simply about policies, procedures, or even rules but rather readiness, responsiveness, and respect for the human element.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha