
AI Today in 5: June 3, 2026, The From No Control to Total Control Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you five stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI compliance needs risk management from day one. (FinTech Global)
  2. Driving AI-powered AML. (Finovate)
  3. Traditional KYC is no longer effective. (FinTech Global)
  4. Deskilling in healthcare. (Healthcare Dive)
  5. Trump wants AI companies to get government approval. (NYT)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.


Daily Compliance News: June 3, 2026, The Rubicon of Corruption is Crossed Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Trump crosses the Rubicon of corruption. (Newsweek)
  • Trump to hit Brazil with 25% tariffs. (NYT)
  • Short seller convicted of fraud. (WSJ)
  • Jared Kushner is under an ABC investigation in Albania. (FoxNews)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.


Compliance into the Weeds: Why the Compliance Job Market Feels Frozen

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss a recent slowdown in compliance and internal audit hiring, with more layoffs and fewer job openings over the last several months.

Kelly attributes the “frozen” market to broader economic uncertainty: tariffs, the war in Iran driving higher energy costs, and erratic regulatory enforcement, combined with executives’ indecision about AI’s costs and impact, all leading companies and employees to avoid change. They note structural competition at senior levels due to a larger, more experienced talent pool and the limited number of top roles, while acknowledging opportunities in compliance-adjacent paths such as HR, legal, governance, and integrity functions, depending on experience and credentials. Kelly suggests focusing on the interpersonal and cross-functional skills AI can’t replace, and highlights continued demand in trade compliance, whistleblower, and anti-fraud/False Claims Act work.

Key Highlights

  • Compliance Job Market Shift
  • Why Hiring Feels Frozen
  • AI and Executive Uncertainty
  • Talent Supply and Senior Roles
  • Career Moves and Branding
  • Where Hiring Still Happens

Resources

Matt in Radical Compliance

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as a Top 25 Regulatory Compliance Podcast, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, Communicator and w3 Award, all for podcast excellence.


Trekking Through Compliance – Episode 3: Compliance Lessons from Where No Man Has Gone Before

In this episode of Trekking Through Compliance, we consider Where No Man Has Gone Before, which aired on September 22, 1966, Star Date 1312.4. We board the Enterprise as it breaches the edge of the galaxy, and the boundaries of ethical power. When navigator Gary Mitchell is transformed by a mysterious force into a godlike being with unchecked telepathic abilities, his rapid descent into tyranny presents a sobering metaphor for the compliance professional. With rising powers come rising risks, and Kirk must choose between loyalty to a friend and duty to his crew. Today, we explore five key compliance takeaways from Where No Man Has Gone Before, showing how early-stage risk, power imbalances, and ethical hesitation can transform even trusted employees into existential threats for your organization.

Story

This is the first Star Trek episode made (not counting the pilot episode, The Cage), although not the first aired. It differs from subsequent episodes in that there is no “Space, the final frontier” voice-over during the theme song at the beginning.

The Enterprise discovers a 200-year-old ship recorder from the SS Valiant near the galaxy’s edge. Shortly after, the Enterprise passes through an unknown phenomenon that causes major damage and knocks out navigator Gary Mitchell and Dr. Elizabeth Dehner (both of whom have high ESP ratings). When Gary recovers, he begins to acquire telepathic and telekinetic powers. Kirk, alarmed at the prospect of having his ship taken over by an increasingly powerful and tyrannical Mitchell, is convinced by Spock to maroon Mitchell at the lithium cracking plant on Delta Vega. Dr. Piper has no explanation for what is happening. Gary kills Lee Kelso and escapes from his imprisonment. Kirk follows him and is able to destroy him with the help of Dr. Dehner, who is also beginning to acquire the power but kills herself in the process.

Key Highlights

1. Emerging Risks – Early Signs Should Trigger Action, Not Complacency
🖖 Illustrated by: Gary Mitchell’s glowing eyes and ESP abilities appearing shortly after the Enterprise crosses the galactic barrier.
The moment Mitchell begins reading faster, manipulating objects, and demonstrating control over ship systems, it’s clear something’s wrong. But initial responses are muted—like many corporate environments where emerging risks are downplayed. Compliance teams must be trained to treat anomalies seriously, no matter how charismatic or senior the individual.

2. Leadership and Ethical Courage – Friendship vs. Responsibility
🖖 Illustrated by: Kirk’s emotional struggle to deal with Mitchell, his long-time friend.
Kirk hesitates, understandably so, because of his relationship with Mitchell. But ultimately, he chooses duty over sentiment. Compliance officers are often put in a similar spot: when someone close to leadership violates ethical norms, will the organization act? Ethical courage means prioritizing institutional integrity over personal comfort.

3. Power Without Accountability – Why Guardrails Matter
🖖 Illustrated by: Mitchell’s growing powers and his assertion of superiority over the crew.
With no checks on his abilities, Mitchell quickly develops a god complex. This is a chilling representation of what happens when key employees—CFOs, procurement officers, or engineers—operate without oversight. Just because someone is brilliant or “indispensable” doesn’t mean they’re beyond the reach of your compliance program.

4. Escalation Protocols and the Role of Outside Advisers
🖖 Illustrated by: Spock’s insistence that Mitchell be isolated and marooned.
Spock plays the role of outside counsel—offering unemotional advice grounded in logic. Every company needs this voice. Internal politics often cloud judgment; a good compliance officer, like Spock, keeps the focus on what must be done to protect the enterprise. His advice to act decisively is what ultimately saves the crew.

5. Shared Risk and Collective Action – The Role of Allies in Enforcement
🖖 Illustrated by: Dr. Dehner’s decision to sacrifice herself to stop Mitchell.
Dehner, who initially defends Mitchell, comes to see the threat he poses and joins Kirk in neutralizing him. Her journey mirrors that of employees who shift from enabling bad behavior to becoming whistleblowers or allies in enforcement. Compliance success depends on empowering people like Dehner to act before it’s too late.

Final StarLog Reflections

Where No Man Has Gone Before gives us a blueprint for compliance at the edge of the unknown. It reminds us that rapid change, whether from new tech, new hires, or new business environments, demands rapid, courageous compliance responses. Waiting too long to act can mean the difference between course correction and catastrophe.

Resources

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Fiona is an AI-generated voice.


From the Tower of Babel to the Boardroom: Part 3 – Shadow AI and Internal Controls

Shadow AI is the internal controls problem of the artificial intelligence age.

It is not hard to understand why employees use AI tools without waiting for formal approval. These tools are fast, accessible, practical, and often embedded into platforms employees already use. A business development professional may use AI to draft a proposal. A lawyer may use it to summarize a contract. A finance employee may use it to analyze a spreadsheet. A compliance analyst may use it to review due diligence materials. A manager may use it to draft performance feedback. The use case may be productive. The intent may be benign. The risk may still be real.

That is the compliance challenge. Shadow AI is not simply unauthorized technology use. It is ungoverned decision support, unapproved data transfer, undocumented reliance, uncontrolled output, and untested automation. It creates risk in confidentiality, privilege, privacy, intellectual property, cybersecurity, employment decisions, books and records, third-party management, investigations, and board reporting. Most importantly, it creates a visibility gap. The company cannot govern what it cannot see.

In the first post in this series, we used Magnifica Humanitas to frame the choice between Babel and Nehemiah. In the second post, we moved from principle to program design and argued that AI governance belongs inside the compliance program. Now we turn to the first practical test: whether the company can convert hidden AI use into governed AI use.

The Magnifica Humanitas Lesson: Opaque Power Is a Governance Risk

Magnifica Humanitas warns that technology is never neutral in practice because it takes on the characteristics of those who devise, finance, regulate, and use it (Magnifica Humanitas, para. 9). For a corporate audience, that is the first lesson of shadow AI. When employees use AI outside approved channels, the company may not know what technology is being used, what data is being transferred, what outputs are being relied upon, or what assumptions are being embedded into business decisions.

The Encyclical also warns that control over platforms, infrastructure, data, and computing power can become concentrated, opaque, and difficult to oversee (Magnifica Humanitas, para. 95). Inside a company, shadow AI creates a similar problem on a smaller but very practical scale. Power moves away from approved systems, documented workflows, and accountable owners into individual employee practices that may be invisible to legal, compliance, privacy, cybersecurity, internal audit, and the board.

Pope Leo also identifies three risks in private AI use that map directly to employee behavior: the ease of getting results, the impression of objectivity, and the simulation of human communication. He warns that these features can encourage overreliance, ready-made answers, and weakened judgment (Magnifica Humanitas, para. 100). That is exactly why shadow AI matters. The risk is not only that employees use the wrong tool. The deeper risk is that employees begin to rely on AI outputs without understanding the assumptions, limitations, data sources, or error rates behind them.

From Encyclical Principle to Internal Control Requirement

The corporate translation is straightforward: if AI is never merely technical when it affects rights, opportunities, status, freedom, reputation, or work, then shadow AI cannot be treated as a minor IT exception (Magnifica Humanitas, para. 102). It is a governance issue. It is a controls issue. It is a compliance issue.

Magnifica Humanitas says responsibility must be clearly defined at every stage, including those who design, develop, use, and rely on AI for concrete decisions. Accountability requires the ability to identify who must account for decisions, justify them, monitor them, challenge them, and remedy harm (Magnifica Humanitas, para. 105). In corporate language, that means AI use cases need owners, approvals, controls, escalation paths, incident processes, documentation, and remediation.

The Encyclical also cautions that abstract ethics are not enough. Responsible AI requires rigorous evaluation, independent oversight, informed users, and safeguards capable of governing AI’s effects (Magnifica Humanitas, para. 106). For the CCO, that is the bridge from principle to controls. Shadow AI must be made visible, classified by risk, controlled at the data layer, reviewed by accountable humans, tested by independent functions, and reported to the board.

Shadow AI Is a Control Environment Issue

A company may have an AI policy and still have a shadow AI problem. A policy tells employees what is expected. A control tells the company whether the expectation is working.

This is where COSO becomes essential. COSO has warned that generative AI is moving into daily operations faster than traditional governance models anticipated and that internal control must be applied to risks such as uncontrolled adoption, opaque reasoning, prompt manipulation, model drift, cyber exposure, and configuration change. That is the heart of the matter. Shadow AI is not solved by a memo from legal. It is solved through the control environment.

The company needs leadership expectations, risk assessment, control activities, information and communication, and monitoring. Those are not technology terms. They are governance terms. The CCO should work with legal, IT, cybersecurity, privacy, HR, procurement, internal audit, and the business to create a practical AI control structure. The first line should own the business use case. The second line should set standards, review risk, and monitor compliance. The third line should test design and operating effectiveness. The board should receive reporting that shows whether the system is working.

The DOJ ECCP Question

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) now asks how companies identify and manage emerging risks, including new technologies such as AI. It asks how companies govern AI in commercial operations and in the compliance program, how they monitor reliability and trustworthiness, how they limit AI to intended uses, how they preserve human decision-making, how accountability is assigned, and how employees are trained.

That logic tracks closely with Magnifica Humanitas. Pope Leo supplies the accountability mandate; the DOJ supplies the compliance program test. If responsibility must be defined and harm must be capable of challenge and remediation, then the company must be able to show that AI tools are known, approved, monitored, limited to intended uses, and subject to human oversight (Magnifica Humanitas, para. 105).

A company with uncontrolled shadow AI has a predictable compliance problem. It may not be able to show that it has identified AI risk. It may not be able to show that employees were trained effectively. It may not be able to show that AI tools are limited to intended uses. It may not be able to show that human review exists where consequential decisions are made. It may not be able to show that compliance has visibility into AI use. For the CCO, the question is direct: can we explain how AI is actually being used in the company, or only how we hope it is being used?

From Prohibition to Governed Use

The wrong response to shadow AI is a blanket prohibition that employees ignore. AI is here to stay. Employees will use it because it saves time and improves work product. The better response is governed adoption.

The company should begin with an AI use-case inventory. This should capture approved tools, embedded AI in existing platforms, vendor-provided AI, internally developed AI, pilot projects, and employee use of public tools. It should identify the business owner, purpose, data used, vendor involved, risk rating, approval status, required human review, and applicable controls.

Next, the company should create a clear classification model. Low-risk uses, such as drafting generic internal communications, may require basic training and disclosure. Medium-risk uses, such as summarizing non-sensitive business materials, may require approved tools and data restrictions. High-risk uses, such as employment decisions, customer eligibility, financial reporting, investigations, regulated communications, or third-party risk scoring, should require formal review, documented controls, human oversight, and periodic testing.

NIST’s AI Risk Management Framework provides useful architecture through its Govern, Map, Measure, and Manage functions. ISO/IEC 42001 provides the management-system approach, including policies, responsibilities, risk management, transparency, monitoring, performance evaluation, corrective action, and continual improvement. For shadow AI, these frameworks point to the same conclusion as the Encyclical: move from ad hoc use to structured accountability.

The Controls That Matter

A defensible shadow AI control program should include several core elements.

First, the company needs an approved tools list and a prohibited tools list. Employees should know what is permitted, what is restricted, and what is banned.

Second, the company needs data controls. Employees should not place confidential information, personal data, trade secrets, privileged information, customer data, source code, or sensitive business information into unapproved AI tools. Magnifica Humanitas warns that data and digital infrastructure can become new forms of power when control is concentrated and opaque (Magnifica Humanitas, paras. 108-109). Data governance is therefore not an administrative detail. It is the foundation of responsible AI controls.

Third, the company needs approval workflows for high-risk use cases. The higher the risk, the more formal the review should be.

Fourth, the company needs human review and recourse. AI should support judgment, not replace it. For consequential decisions, a person must remain accountable, and affected individuals should have a channel to challenge errors. This reflects the Encyclical’s insistence that decisions should be capable of being justified, monitored, challenged, and remedied (Magnifica Humanitas, para. 105).

Fifth, the company needs monitoring and testing. Internal audit should be able to test whether employees are following the policy, whether approved tools are operating within scope, and whether exceptions are remediated.

Finally, the company needs an AI incident process. Employees should know how to report accidental data disclosure, hallucinated output, inappropriate reliance, biased output, suspected vendor misuse, or unauthorized AI use. The goal should not be punishment first. The goal should be visibility, correction, and learning.

5 Lessons for the CCO

  1. Govern what employees actually use, not merely what policy permits. The first step is visibility. Create a process for employees and business units to disclose AI use without fear that every disclosure will trigger discipline.
  2. Control data before it leaves the enterprise. The most immediate shadow AI risk is often data leakage. Define prohibited data categories, approved tools for sensitive information, and vendor restrictions on model training or reuse.
  3. Assign accountability at every stage. Every material AI use case should have a business owner, risk owner, control owner, approval status, review cycle, and escalation path.
  4. Require human review and recourse for consequential uses. AI can assist, summarize, flag, and recommend. It should not replace accountable human judgment where rights, opportunities, employment, reputation, or legal obligations are involved.
  5. Test, remediate, and report evidence. AI governance must generate proof. Monitor usage, test controls, track incidents, remediate exceptions, and report meaningful metrics to the board.

Conclusion: Hidden Use Must Become Governed Use

Shadow AI is the modern Babel inside the corporation. It may look productive, efficient, and innovative. Yet if it operates without transparency, accountability, controls, or human judgment, it creates a structure the company does not understand and cannot govern.

Magnifica Humanitas reminds us that technology must remain at the service of the human person and not become a system of invisible control (Magnifica Humanitas, para. 171). That principle becomes real in the compliance program through internal controls. CCOs should help the company turn hidden use into governed use.

In the next post, we will move from hidden AI use to the broader question of trust. We will examine AI, Truth, and Corporate Trust, and consider how synthetic content, misinformation, deepfakes, false documentation, and AI-generated narratives create a new compliance risk for boards, management, and the CCO.


Great Women in Compliance: Wildly Effective, 10 Years Later

Author and compliance professional Kristy Grant-Hart on the 10th anniversary of her book.

Sarah Hadden sits down with Kristy Grant-Hart to discuss the 10th anniversary edition of her influential book, How to Be a Wildly Effective Compliance Officer. They explore how the compliance profession has evolved over the past decade — from a rules-and-regulations mindset toward a more human-centered approach grounded in influence, resilience, storytelling, and leadership.

They also dig into some of the book’s more debated ideas, including personal branding, visibility, networking, and whether being “wildly effective” requires becoming an influencer.

Along the way, they tackle burnout, resilience, AI’s rapidly expanding role, and why human judgment remains irreplaceable. This is a candid and energizing conversation about what it really takes to thrive in compliance today — and why the future of the profession is bright.
