Author: Admin

Categories
AI Today in 5

AI Today in 5: June 4, 2026, The Circular Bet Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Why AI will reshape compliance. (FinTech Global)
  2. How compliance can unlock AI innovation. (TechRadar)
  3. WK expands AI offering for regulated industries. (WoltersKluwer)
  4. 6 top worries for AI in healthcare. (HealthExec)
  5. AI as a ‘circular bet’. (Bloomberg)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Daily Compliance News

Daily Compliance News: June 4, 2026, The Fighting Tariff Refunds Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • NBA player faces new gambling charges. (Bloomberg)
  • The Trump Administration fights tariff refunds. (NYT)
  • Indonesia arrests ex-head of nutrition for corruption. (AP News)
  • Gunvor claims it was defrauded; offices were raided. (FT)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Blog

From the Tower of Babel to the Boardroom: Part 4 – AI, Truth, and Corporate Trust

Employees trust that leadership will tell them the truth. Investors trust that disclosures are accurate. Customers trust that representations are reliable. Boards trust that management reporting is complete. Compliance officers trust that records, interviews, hotline reports, emails, chats, invoices, certifications, and audit findings reflect reality.

Artificial intelligence now challenges that foundation. AI can generate text, audio, images, video, records, summaries, identities, and narratives at speed and scale. It can help a compliance function become more effective. It can also make falsehood more convincing, fraud more sophisticated, and manipulation harder to detect.

In the first three posts in this series, we used Magnifica Humanitas to move from governance principle to compliance program design and then to internal controls for shadow AI. In this fourth post, we turn to one of the most important themes in the Encyclical Letter: truth. Pope Leo XIV says the digital transformation requires us to rediscover truth as a common good, protect the dignity of work, and safeguard freedom against dependence and commercialization (Magnifica Humanitas, ¶131). For boards and compliance leaders, that is a powerful governance lesson. Without truth, there is no trust. Without trust, there is no culture. Without culture, no compliance program can be effective.

Truth as a Common Good

Magnifica Humanitas warns that digital platforms and AI systems are transforming public and institutional communication. The Encyclical identifies a core risk: AI can construct distorted narratives, blur the boundary between truth and falsehood, mix facts with opinions, and manipulate content, images, and video (Magnifica Humanitas, ¶132). It also reminds us that truthful information requires verification, cross-checking of sources, responsible argument, and shared practices of trust (Magnifica Humanitas, ¶132).

For the compliance professional, this is not abstract philosophy. It is an operational reality. A corporation is built on records and representations. A company’s compliance program depends on accurate policies, reliable data, trustworthy reporting, credible investigations, authentic communications, and truthful escalation to leadership and the board. If AI weakens the company’s ability to know what is real, AI becomes a compliance risk.

The issue is not only misinformation in public discourse. It is misinformation inside the enterprise. AI-generated falsehood can appear in emails, invoices, employee complaints, due diligence materials, contracts, investigation files, synthetic images, training materials, board reports, and financial documentation. Truth is no longer only an ethical value. It is a control objective.

From Encyclical Principle to Corporate Trust Requirement

The corporate translation is direct. If truth is a common good, information integrity is a governance requirement. If AI can distort narratives and manipulate content, companies need verification controls. If truthful information depends on cross-checking and responsible argument, compliance cannot treat AI outputs as self-authenticating. If communication creates culture, as Magnifica Humanitas teaches, then AI-generated communications must be governed because they shape how employees, customers, investors, and directors understand the company (Magnifica Humanitas, ¶135).

The Encyclical also calls for an ecology of communication grounded in transparency, personal data protection, rigorous verification, and the proper use of digital tools (Magnifica Humanitas, ¶137). In corporate terms, that means controls over high-risk communications, rules for AI-generated content, validation of AI-assisted summaries, protection of the integrity of investigations, and reporting systems that enable the board to trust what it receives.

Synthetic Reality and Corporate Risk

We are entering the age of synthetic reality. Companies must assume that audio may be cloned, video may be fabricated, documents may be AI-generated, and digital identities may be false. This does not mean every communication is suspect. It means the company must build verification protocols for high-risk decisions.

The Arup deepfake fraud demonstrates the corporate risk. The Guardian reported that in 2024, public reporting stated that engineering firm Arup was victimized in a deepfake scam involving its Hong Kong office, where fraudsters reportedly used AI-generated video impersonations in a call that led to the transfer of approximately $25 million. That incident should be understood as more than a cyber story. It is a governance story, a finance controls story, a human factors story, and a compliance story.

A traditional approval process may fail when a trusted executive appears to be present on a video call. A fraud-prevention control may fail when an employee believes their identity has already been verified. A payment control may fail when urgency, authority, secrecy, and synthetic trust converge. The compliance lesson is clear: in an AI-enabled environment, trust must be verified when the risk is high.

AI and the Integrity of Corporate Information

Boards and CCOs should treat the integrity of corporate information as part of AI governance. This includes information created by AI, information summarized by AI, and information used to make AI-supported decisions.

Consider internal investigations. AI can help summarize documents, cluster communications, identify patterns, and organize timelines. But Magnifica Humanitas reminds us that AI lacks moral conscience, does not understand what it produces, and does not bear responsibility for its consequences (Magnifica Humanitas, ¶99). A compliance investigator cannot delegate credibility findings to a machine. AI can support the investigation record. It cannot become the investigation record.

Consider hotline reporting. AI may help triage allegations, identify themes, translate complaints, and route issues. But if the system misclassifies a serious allegation as low risk, strips away nuance, or fails to identify indicators of retaliation, the company may miss a critical signal. Consider board reporting. A polished AI-generated report may look authoritative while masking weak data, incomplete controls, or unsupported conclusions. In compliance, elegance is not evidence.

The DOJ ECCP and Trustworthy AI

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) now asks how companies identify and manage emerging technology risks, including AI. It asks how companies govern AI in commercial operations and in their compliance programs; whether controls monitor trustworthiness and reliability; whether AI is limited to intended uses; what human decision-making baseline is used; how accountability is enforced; and how employees are trained.

This is where the Encyclical’s moral mandate and the DOJ’s compliance test meet. Magnifica Humanitas says responsibility must be clearly defined at every stage and that accountability requires identifying who must account for decisions, justify them, monitor them, challenge them, and remedy harm (Magnifica Humanitas, ¶105). The ECCP asks whether a company has converted that accountability into governance, controls, training, monitoring, and evidence. For CCOs, the question is not whether AI can help compliance. It can. The question is whether compliance can explain how AI-supported information is validated, reviewed, escalated, corrected, and documented.

NIST, COSO, and the Control Language of Trust

NIST provides a practical vocabulary for this discussion. The NIST AI Risk Management Framework identifies trustworthy AI characteristics, including validity and reliability; safety, security, and resilience; accountability and transparency; explainability and interpretability; privacy enhancement; and fairness, with harmful bias managed. For this post, reliability and transparency matter most. Reliability asks whether an output can be trusted for the intended purpose. Transparency asks whether the company can understand, explain, and govern the system.

COSO also matters here. COSO’s internal control framework is designed to help organizations achieve operations, reporting, and compliance objectives, and COSO’s GenAI guidance translates that internal-control discipline into AI governance. In the AI context, companies need controls over the creation, use, review, approval, and communication of AI-generated or AI-assisted information. This is where CCOs, internal audit, finance, legal, and IT must work together. The company should identify where authenticity matters most and design controls accordingly.

Practical Controls for AI, Truth, and Trust

A practical compliance program should include controls for AI-enabled truth risk.

First, companies should adopt verification protocols for high-risk communications. Payment instructions, executive requests, wire transfers, confidential transactions, changes to vendor banking information, M&A activity, crisis communications, and sensitive employment decisions should require independent verification outside the original communication channel.

Second, companies should require labeling or disclosure where AI-generated content is used in official corporate communications and authenticity matters. Third, companies should protect investigations from unverified AI outputs. AI-generated summaries should be treated as work aids, not evidence. Investigators should validate source documents, preserve original records, and document human review.

Fourth, companies should train employees on synthetic fraud. Magnifica Humanitas warns that AI-enabled manipulation of images and videos can make exploitation and deception more insidious (Magnifica Humanitas, ¶141). Employees should learn the red flags: urgency, secrecy, unusual payment instructions, refusal to use normal channels, unexpected video calls, requests to bypass controls, and pressure from apparent senior leaders.

Fifth, companies should create an incident response process for AI-enabled deception. A deepfake attempt, a synthetic invoice, a cloned executive voice, a fake employee profile, or an AI-generated document should be reportable, investigated, tracked, and remediated.

Board Oversight and Corporate Trust

For boards, AI and truth raise a serious oversight issue. Directors rely on management reporting to fulfill their duties. If AI affects the integrity of that reporting, boards need to understand the control environment.

The Caremark lesson is not that directors must become forensic AI experts. Directors must make a good-faith effort to ensure that reasonable information and reporting systems are in place for central compliance risks. In Marchand v. Barnhill (Bluebell Ice Cream), the Delaware Supreme Court emphasized the importance of board-level monitoring and reporting systems for mission-critical compliance risks.

Magnifica Humanitas gives this oversight obligation a deeper accountability mandate. It says AI governance requires defined responsibility, justification of decisions, monitoring, challenge, and remediation (Magnifica Humanitas, ¶105). The board’s obligation is not technical mastery. It is a reporting and monitoring system that shows management can authenticate what matters, identify AI-enabled truth risks, escalate concerns, and remediate failures.

5 Lessons for the CCO
  1. Treat truth as a compliance control. Accurate records, authentic communications, validated reports, and reliable investigation files are essential to the effectiveness of compliance programs. Truth must be designed into the control environment.
  2. Build verification into high-risk processes. Payment approvals, executive instructions, vendor bank changes, crisis communications, and sensitive decisions should require independent verification.
  3. Govern AI-assisted evidence. AI can support investigations and reporting, but human review, source validation, preservation of original records, and documentation must remain mandatory.
  4. Train employees to challenge synthetic reality. Deepfakes, cloned voices, fake identities, and AI-generated documents should be part of fraud, cyber, finance, and compliance training.
  5. Report information integrity risk to the board. Boards need evidence that management has identified AI-enabled truth risks and designed controls to prevent, detect, respond to, and remediate them.
Conclusion: Corporate Trust Must Be Protected

Magnifica Humanitas reminds us that truth is a common good. That is a moral principle, but it is also a compliance principle. A company cannot govern itself if it cannot trust its information. A board cannot oversee what management cannot verify. A CCO cannot certify program effectiveness if the underlying records, reports, and communications are unreliable.

Compliance professionals should embrace AI. It can improve risk detection, strengthen monitoring, support investigations, and expand analytical capacity. But AI also requires vigilance, responsibility, transparency, governance, and human primacy. In the age of synthetic reality, compliance must help the company protect truth as part of the control environment.

In the next and final post in this five-part series, we will broaden the lens again. We will examine the Human Supply Chain of AI: Workforce Transformation, Third-Party Risk, and Modern Slavery. That post will tie together the human impact of AI, the dignity of work, vendor risk, data governance, and the compliance responsibility to look beyond the visible interface to the people, suppliers, and systems that make AI possible.

Categories
Beyond the Label

Beyond the Label Podcast: Flood Response and Resilience: Hill Country’s Crisis Counseling Program (CCP) with Sarah Stricker

Hosts Kelsi Wilmot and Tyler Townsend welcome guest Sarah Stricker, Director of Crisis Counseling Program at Hill Country MHDD Centers to the Beyond the Label podcast to share community updates from Mental Health Month, including proclamations in all 19 counties and clinic events, and then shift to the 2025 flood response and recent severe storms.

Sarah describes her background (military corpsman, nursing, neurofeedback, residential trauma treatment) and her current work leading the Crisis Counseling Program (CCP), which provides non-traditional, community-based support by showing up at events, connecting people to resources, and coordinating local help. The group discusses storm-related triggers, grounding and validation techniques, and how people can be affected even without direct losses (survivor’s remorse, secondary and vicarious trauma). They share coping strategies; music, guitar and songwriting, being outdoors, and sports all and invite community topic suggestions via Hill Country MHDD’s Facebook and YouTube.

Key highlights:

  • Podcast Mission and May Events
  • Storms and Flood Response Focus
  • What the Crisis Counseling Program Does
  • Community Outreach and Destigmatizing
  • Coping With Storm Anxiety
  • Survivor Guilt and Secondary Trauma
  • Autopilot Brain and Resilience Tricks
  • Favorite Coping Strategies Roundtable 

Resources: 

Hill Country MHDD

Categories
AI Today in 5

AI Today in 5: June 3, 2026, The From No Control to Total Control Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI compliance needs risk management from day one. (FinTech Global)
  2. Driving AI-powered AML. (Finovate)
  3. Traditional KYC is no longer effective. (FinTech Global)
  4. Deskilling in healthcare. (Healthcare Dive)
  5. Trump wants AI companies to get government approval. (NYT)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Daily Compliance News

Daily Compliance News: June 3, 2026, The Rubicon of Corruption is Crossed Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Trump crosses the Rubicon of corruption.  (Newsweek)
  • Trump to hit Brazil with 25% tariffs. (NYT)
  • Short seller convicted of fraud. (WSJ)
  • Jared Kushner is under an ABC investigation in Albania. (FoxNews)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Why the Compliance Job Market Feels Frozen

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it in greater depth. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss a recent slowdown in compliance and internal audit hiring, with more layoffs and fewer job openings over the last several months.

Matt attributes the “frozen” market to broader economic uncertainty, tariffs, the war in Iran, which is driving higher energy costs, and erratic regulatory enforcement, all of which, combined with executives’ indecision about AI’s costs and impact, lead companies and employees to avoid change. They note structural competition at senior levels due to a larger, more experienced talent pool and the limited number of top roles, while acknowledging opportunities in compliance-adjacent paths such as HR, legal, governance, and integrity functions, depending on experience and credentials. Matt suggests focusing on interpersonal and cross-functional skills AI can’t replace and highlights continued demand in trade compliance, whistleblowers, and anti-fraud/False Claims Act work.

Key highlights:

  • Compliance Job Market Shift
  • Why Hiring Feels Frozen
  • AI and Executive Uncertainty
  • Talent Supply and Senior Roles
  • Career Moves and Branding
  • Where Hiring Still Happens

Resources:

Matt in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
Trekking Through Compliance

Trekking Through Compliance: Episode 3 – Compliance Lessons from Where No Man Has Gone Before

In this episode of Trekking Through Compliance, we consider Where No Man Had Gone Before, which aired on September 22, 1966, Star Date 1312.4. In this episode of Trekking Through Compliance, we board the Enterprise as it breaches the edge of the galaxy and the boundaries of ethical power. When a mysterious force transforms navigator Gary Mitchell into a godlike being with unchecked telepathic powers, his rapid descent into tyranny serves as a sobering metaphor for the compliance professional. With rising powers come rising risks, and Kirk must choose between loyalty to a friend and duty to his crew. Today, we explore five key compliance takeaways from Where No Man Has Gone Before, showing how early-stage risks, power imbalances, and ethical hesitations can transform even trusted employees into existential threats to your organization.

Story

This is the first Star Trek episode produced (not counting the pilot episode, The Cage), although not the first to air. It differs from subsequent episodes in that there is no “Space, the final frontier” voice-over during the theme song at the beginning.

The Enterprise discovers a 200-year-old ship recorder from the SS Valiant near the galaxy’s edge. Shortly after, the Enterprise passes through an unknown phenomenon that causes major damage and knocks out navigators Gary Mitchell and Dr. Elizabeth Dehner (both of whom have high ESP ratings). When Gary recovers, he begins to acquire telepathic and telekinetic powers. Kirk, alarmed at the prospect of having his ship taken over by an increasingly powerful and tyrannical Mitchell, is convinced by Spock to maroon Mitchell at the lithium cracking plant of Delta Vega. Dr. Piper has no explanation for what is happening. Gary kills Lee Kelso and escapes from his imprisonment. Kirk follows him and can destroy him with the help of Dr. Dehner, who is also beginning to acquire the power but kills herself in the process.

Key highlights:

1. Emerging Risks – Early Signs Should Trigger Action, Not Complacency

🖖 Illustrated by: Gary Mitchell’s glowing eyes and ESP abilities appearing shortly after the Enterprise crosses the galactic barrier.

The moment Mitchell begins reading faster, manipulating objects, and demonstrating control over ship systems, it’s clear something’s wrong. But initial responses are muted—as in many corporate environments, where emerging risks are downplayed. Compliance teams must be trained to treat anomalies seriously, regardless of the individual’s charisma or seniority.

2. Leadership and Ethical Courage – Friendship vs Responsibility

🖖 Illustrated by: Kirk’s emotional struggle to deal with Mitchell, his long-time friend.

Kirk hesitates, understandably so, because of his relationship with Mitchell. But ultimately, he chooses duty over sentiment. Compliance officers are often put in a similar spot: when someone close to leadership violates ethical norms, will the organization act? Ethical courage means prioritizing institutional integrity over personal comfort.

3. Power Without Accountability – Why Guardrails Matter

🖖 Illustrated by: Mitchell’s growing powers and his assertion of superiority over the crew.

With no checks on his abilities, Mitchell quickly develops a god complex. This is a chilling representation of what happens when key employees—CFOs, procurement officers, or engineers—operate without oversight. Just because someone is brilliant or “indispensable” doesn’t mean they’re beyond the reach of your compliance program.

4. Escalation Protocols and the Role of Outside Advisers

🖖 Illustrated by: Spock’s insistence that Mitchell be isolated and marooned.

Spock serves as outside counsel—offering unemotional advice grounded in logic. Every company needs this voice. Internal politics often cloud judgment; a good compliance officer, like Spock, keeps the focus on what must be done to protect the enterprise. His advice to act decisively is what ultimately saves the crew.

5. Shared Risk and Collective Action – The Role of Allies in Enforcement

🖖 Illustrated by: Dr. Dehner’s decision to sacrifice herself to stop Mitchell.

Dehner, who initially defends Mitchell, comes to see the threat he poses and joins Kirk in neutralizing him. Her journey mirrors that of employees who shift from enabling bad behavior to becoming whistleblowers or allies in enforcement. Compliance success depends on empowering people like Dehner to act before it’s too late.

Final StarLog Reflections

Where No Man Has Gone Before gives us a blueprint for compliance at the edge of the unknown. It reminds us that rapid change, whether from new tech, new hires, or new business environments, demands rapid, courageous compliance responses. Waiting too long to act can mean the difference between course correction and catastrophe.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Fiona is an AI-generated voice

Categories
Blog

From the Tower of Babel to the Boardroom: Part 3 – Shadow AI and Internal Controls

Shadow AI is the internal-controls problem of the artificial-intelligence age.

It is not hard to understand why employees use AI tools without waiting for formal approval. These tools are fast, accessible, practical, and often embedded into platforms employees already use. A business development professional may use AI to draft a proposal. A lawyer may use it to summarize a contract. A finance employee may use it to analyze a spreadsheet. A compliance analyst may use it to review due diligence materials. A manager may use it to draft performance feedback. The use case may be productive. The intent may be benign. The risk may still be real.

That is the compliance challenge. Shadow AI is not simply unauthorized technology use. It is ungoverned decision support, unapproved data transfer, undocumented reliance, uncontrolled output, and untested automation. It poses risks to confidentiality, privilege, privacy, intellectual property, cybersecurity, employment decisions, books and records, third-party management, investigations, and board reporting. Most importantly, it creates a visibility gap. The company cannot govern what it cannot see.

In the first post in this series, we used Magnifica Humanitas to frame the choice between Babel and Nehemiah. In the second post, we moved from principle to program design and argued that AI governance should be embedded in the compliance program. Now we turn to the first practical test: whether the company can convert hidden AI use into governed AI use.

The Magnifica Humanitas Lesson: Opaque Power Is a Governance Risk

Magnifica Humanitas warns that technology is never neutral in practice because it takes on the characteristics of those who devise, finance, regulate, and use it (Magnifica Humanitas, para. 9). For a corporate audience, that is the first lesson of shadow AI. When employees use AI outside approved channels, the company may not know which technology is being used, what data is being transferred, what outputs are being relied on, or what assumptions are being embedded in business decisions.

The Encyclical also warns that control over platforms, infrastructure, data, and computing power can become concentrated, opaque, and difficult to oversee (Magnifica Humanitas, para. 95). Inside a company, shadow AI creates a similar problem on a smaller but very practical scale. Power shifts away from approved systems, documented workflows, and accountable owners toward individual employees’ practices that may be invisible to legal, compliance, privacy, cybersecurity, internal audit, and the board.

Pope Leo also identifies three risks in private AI use that map directly to employee behavior: the ease of getting results, the impression of objectivity, and the simulation of human communication. He warns that these features can encourage overreliance, ready-made answers, and weakened judgment (Magnifica Humanitas, para. 100). That is exactly why shadow AI matters. The risk is not only that employees use the wrong tool. The greater risk is that employees begin to rely on AI outputs without understanding the assumptions, limitations, data sources, or error rates that underpin them.

From Encyclical Principle to Internal Control Requirement

The corporate translation is straightforward: if AI is never merely technical when it affects rights, opportunities, status, freedom, reputation, or work, then shadow AI cannot be treated as a minor IT exception (Magnifica Humanitas, para. 102). It is a governance issue. It is a control issue. It is a compliance issue.

Magnifica Humanitas says responsibility must be clearly defined at every stage, including those who design, develop, use, and rely on AI for concrete decisions. Accountability requires the ability to identify who must account for decisions, justify them, monitor them, challenge them, and remedy harm (Magnifica Humanitas, para. 105). In corporate language, that means AI use cases need owners, approvals, controls, escalation paths, incident processes, documentation, and remediation.

The Encyclical also cautions that abstract ethics are not enough. Responsible AI requires rigorous evaluation, independent oversight, informed users, and safeguards capable of governing AI’s effects (Magnifica Humanitas, para. 106). For the CCO, that is the bridge between principles and controls. Shadow AI must be made visible, classified by risk, controlled at the data layer, reviewed by accountable humans, tested by independent functions, and reported to the board.

Shadow AI Is a Control Environment Issue

A company may have an AI policy and still have a shadow AI problem. A policy tells employees what is expected of them. A control tells the company whether the expectation is working.

This is where COSO becomes essential. COSO has warned that generative AI is moving into daily operations faster than traditional governance models anticipated and that internal control must be applied to risks such as uncontrolled adoption, opaque reasoning, prompt manipulation, model drift, cyber exposure, and configuration change. That is the heart of the matter. A memo from legal does not solve the shadow AI problem. It is solved through the control environment.

The company needs to define leadership expectations, conduct risk assessments, establish control activities, ensure information and communication, and implement monitoring. Those are not technology terms. They are governance terms. The CCO should work with legal, IT, cybersecurity, privacy, HR, procurement, internal audit, and the business to create a practical AI control structure. The first line should own the business use case. The second line should set standards, review risk, and monitor compliance. The third line should test design and operating effectiveness. The board should receive reports showing whether the system is working.

The DOJ ECCP Question

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) now asks how companies identify and manage emerging risks, including new technologies such as AI. It asks how companies govern AI in commercial operations and in the compliance program, how they monitor reliability and trustworthiness, how they limit AI to intended uses, how they preserve human decision-making, how accountability is assigned, and how employees are trained.

That logic tracks closely with Magnifica Humanitas. Pope Leo supplies the accountability mandate; the DOJ supplies the compliance program test. If responsibility must be defined and harm must be capable of challenge and remediation, then the company must be able to show that AI tools are known, approved, monitored, limited to intended uses, and subject to human oversight (Magnifica Humanitas, para. 105).

A company with uncontrolled shadow AI has a predictable compliance problem. It may not be able to show that it has identified an AI risk. It may not be possible to demonstrate that employees were effectively trained. It may not be possible to show that AI tools are limited to intended uses. It may not be possible to demonstrate that human review is in place for consequential decisions. It may not be able to show that compliance has visibility into AI use. For the CCO, the question is direct: can we explain how AI is actually being used in the company or only how we hope it is?

From Prohibition to Governed Use

The wrong response to shadow AI is a blanket prohibition that employees ignore. AI is here to stay. Employees will use it because it saves time and improves work product. The better response is governed adoption.

The company should begin with an AI use-case inventory. This should capture approved tools, embedded AI in existing platforms, vendor-provided AI, internally developed AI, pilot projects, and employee use of public tools. It should identify the business owner, purpose, data used, vendor involved, risk rating, approval status, required human review, and applicable controls.

Next, the company should create a clear classification model. Low-risk uses, such as drafting generic internal communications, may require basic training and disclosure. Medium-risk uses, such as summarizing non-sensitive business materials, may require approved tools and data restrictions. High-risk uses, such as employment decisions, customer eligibility, financial reporting, investigations, regulated communications, or third-party risk scoring, should require formal review, documented controls, human oversight, and periodic testing.

NIST’s AI Risk Management Framework provides useful architecture through its Govern, Map, Measure, and Manage functions. ISO/IEC 42001 provides the management-system approach, including policies, responsibilities, risk management, transparency, monitoring, performance evaluation, corrective action, and continual improvement. For shadow AI, these frameworks point to the same conclusion as the Encyclical: move from ad hoc use to structured accountability.

The Controls That Matter

A defensible shadow AI control program should include several core elements.

First, the company needs an approved tools list and a prohibited tools list. Employees should know what is permitted, what is restricted, and what is banned.

Second, the company needs data controls. Employees should not place confidential information, personal data, trade secrets, privileged information, customer data, source code, or sensitive business information into unapproved AI tools. Magnifica Humanitas warns that data and digital infrastructure can become new forms of power when control is concentrated and opaque (Magnifica Humanitas, paras. 108-109). Data governance is therefore not an administrative detail. It is the foundation of responsible AI controls.

Third, the company needs approval workflows for high-risk use cases. The higher the risk, the more formal the review should be.

Fourth, the company needs human review and recourse. AI should support judgment, not replace it. For consequential decisions, a person must remain accountable, and affected individuals should have a channel to challenge errors. This reflects the Encyclical’s insistence that decisions should be capable of justification, monitoring, challenge, and remedy (Magnifica Humanitas, para. 105).

Fifth, the company needs to be monitored and tested. Internal audit should be able to test whether employees are following the policy, whether approved tools are operating within scope, and whether exceptions are remediated.

Finally, the company needs an AI incident process. Employees should know how to report accidental data disclosure, hallucinated output, inappropriate reliance, biased output, suspected vendor misuse, or unauthorized AI use. The goal should not be punishment first. The goal should be visibility, correction, and learning.

5 Lessons for the CCO
  1. Govern what employees actually use, not merely what policy permits. The first step is visibility. Create a process for employees and business units to disclose AI use without fear that each disclosure will trigger disciplinary action.
  2. Control data before it leaves the enterprise. The most immediate shadow AI risk is often data leakage. Define prohibited data categories, approved tools for sensitive information, and vendor restrictions on model training or reuse.
  3. Assign accountability at every stage. Every material AI use case should have a business owner, a risk owner, a control owner, an approval status, a review cycle, and an escalation path.
  4. Require human review and recourse for consequential uses. AI can assist, summarize, flag, and recommend. It should not replace accountable human judgment where rights, opportunities, employment, reputation, or legal obligations are involved.
  5. Test, remediate, and report evidence. AI governance must generate proof. Monitor usage, test controls, track incidents, remediate exceptions, and report meaningful metrics to the board.
Conclusion: Hidden Use Must Become Governed Use

Shadow AI is the modern Babel inside the corporation. It may look productive, efficient, and innovative. Yet if it operates without transparency, accountability, controls, or human judgment, it creates a structure the company does not understand and cannot govern.

Magnifica Humanitas reminds us that technology must remain at the service of the human person and not become a system of invisible control (Magnifica Humanitas, para. 171). That principle becomes real in the compliance program through internal controls. CCOs should help the company transition from hidden use to governed use.

In the next post, we will move from the hidden use of AI to the broader question of trust. We will examine AI, Truth, and Corporate Trust, and consider how synthetic content, misinformation, deepfakes, false documentation, and AI-generated narratives create a new compliance risk for boards, management, and the CCO.

Categories
Great Women in Compliance

Great Women in Compliance: Wildly Effective, 10 Years Later

Author and compliance professional Kristy Grant-Hart on the 10th anniversary of her book. 

Sarah Hadden sits down with Kristy Grant Hart to discuss the 10th anniversary edition of her influential book, How to Be a Wildly Effective Compliance Officer. They explore how the compliance profession has evolved over the past decade — from a rules-and-regulations mindset toward a more human-centered approach grounded in influence, resilience, storytelling, and leadership.

They also dig into some of the book’s more debated ideas, including personal branding, visibility, networking, and whether being “wildly effective” requires becoming an influencer.

Along the way, they tackle burnout, resilience, AI’s rapidly expanding role and why human judgment remains irreplaceable. This is a candid and energizing conversation about what it really takes to thrive in compliance today — and why the future of the profession is bright.