Daily Compliance News

Daily Compliance News: February 25, 2026, The Reframing Business Risk Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • How the TI-CPI is reframing a business risk analysis. (WEF)
  • Senate opens inquiry into Binance over its transactions with Iran. (NYT)
  • Do you have to be a citizen to open a bank account? (WSJ)
  • Malaysian Minister wants the ABC commission investigated. (Bloomberg)

Great Women in Compliance

Great Women in Compliance: Proof, Patterns & Power: The Real Art of Workplace Investigations

In this roundtable episode, Sarah Hadden and Ellen M. Hunt explore the real art of workplace investigations with guests Lloydette Bai-Marrow and Onyinye Asala-Olojola through these three lenses:

  • Proof: What evidence do you need to support your finding that not only holds up in a court of law but also withstands scrutiny
  • Patterns: How to connect the dots so that the investigation tells a meaningful story that leads to action
  • Power: How to manage leaders so that the best resolution for the organization is the path forward


If you are looking for expert advice on how to increase the value of workplace investigations to your organization, tune in on your favorite podcast platform, on Corporate Compliance Insights, and on the Compliance Podcast Network.

#WorkplaceInvestigations #RootCause #CorrectiveMeasures #Retaliation #EthicalLeadership

Blog

The Starliner, Culture and Compliance: Leadership Lessons from a NASA Investigation Report

Corporate compliance professionals spend a lot of time talking about controls, training, third parties, and investigations. Yet the hard truth is that the most important control environment sits above all of that: leadership behavior and the culture it creates. That is why this NASA investigation report on the Boeing CST-100 Starliner Crewed Flight Test (CFT) is such a useful case study. It is a technical report, to be sure. But it is also a cultural, leadership, and governance report. NASA’s bottom line is unambiguous: technical excellence and safety require transparent communication and clear roles and responsibilities, not as slogans, but as operating requirements that must be institutionalized so safety is never compromised in pursuit of schedule or cost.

If you are a Chief Compliance Officer, General Counsel, or business leader, you should read this report the way you read an enforcement action. Not to gawk. Not to assign blame. But to harvest lessons for your own organization before you have your own high-visibility close call.

The incident(s) that led to the report

The CFT mission launched June 5, 2024, as a pivotal step toward certifying Starliner to transport astronauts to the International Space Station. It was planned as an 8-to-14-day mission but was extended to 93 days after significant propulsion system anomalies emerged. Ultimately, the Starliner capsule returned uncrewed, while astronauts Barry “Butch” Wilmore and Sunita “Suni” Williams returned aboard SpaceX’s Crew-9 Dragon in March 2025. In February 2025, NASA chartered a Program Investigation Team (PIT) to examine the technical, organizational, and cultural factors contributing to the anomalies.

The report describes four major hardware anomaly areas, including Service Module RCS thruster fail-offs that temporarily caused a loss of 6 Degrees of Freedom control during ISS rendezvous and required in-situ troubleshooting to recover enough capability to dock, a Crew Module thruster failure during descent that reduced fault tolerance, and helium manifold leaks where seven of eight Service Module helium manifolds leaked during the mission. The PIT further determined that the 6DOF loss during rendezvous met criteria for a Type A mishap (or at least a high-visibility close call), underscoring how close the program came to a very different ending.

That is the “what.” For compliance professionals, the “so what” is that NASA did not treat this as a purely engineering problem. It treated it as an integrated system failure, in which culture and leadership either reduce risk or magnify it.

Lesson 1: Decision authority is culture, not paperwork

One of the report’s clearest threads is that fragmented roles and responsibilities delayed decision-making and eroded confidence. In the compliance world, unclear decision rights become the breeding ground for “informal governance”: private conversations, end-runs around committees, and decisions that are never fully documented. Over time, that becomes a shadow-control environment that your policies cannot touch.

Compliance action steps

  • Define decision rights for the riskiest calls (high-risk third parties, market entry, major remediation, critical incidents).
  • Require a short, written record of: facts reviewed, options considered, dissent captured, decision made, and owner accountable.
  • Separate “recommendation authority” from “approval authority” so everyone knows where they sit.

Lesson 2: Transparency is a control, and selective data sharing destroys trust

The report explicitly flags that the lack of data access fueled concerns about selective information sharing. Interviewees described frustration that information could be filtered, selectively chosen, or sanitized, which eroded confidence in the process and people. It also notes reports of questions being labeled “too detailed” or “out of scope” without mechanisms to ensure concerns were addressed. That is the compliance danger zone. When teams believe the narrative matters more than the data, they stop escalating early. They start documenting defensively. They seek safety in silence.

Compliance action steps

  • Build “open data” expectations into your incident response and investigative protocols.
  • Create a defined pathway for technical or subject-matter dissent to be logged, reviewed, and dispositioned.
  • Treat meeting notes and decisions as governed records, not optional artifacts.

Lesson 3: Risk acceptance without rigor becomes “unexplained anomaly tolerance”

NASA calls out “anomaly resolution discipline” and warns that repeated acceptance of unexplained anomalies without root cause can lead to recurrence. That single lesson belongs on a poster in every compliance office. In corporate terms, “unexplained anomalies” are recurring control exceptions, repeat hotline themes, repeated third-party red flags, and audit findings that are “managed” rather than fixed. If leadership normalizes that pattern, it teaches the organization that closure is more important than correction.

Compliance action steps

  • Require root cause analysis for repeat issues, not just incident closure.
  • Set escalation thresholds for “repeat with no root cause” findings.
  • Audit remediation quality, not only remediation completion.

Lesson 4: Partnerships fail when “shared accountability” is not operationalized

The report emphasizes that shared accountability in the commercial model was inconsistently understood and applied. It also notes that historical relationships and private conversations outside formal forums created perceptions of blurred boundaries, favoritism, and lack of objectivity, whether or not those perceptions were accurate. Compliance teams have seen this movie. Think distributors, joint ventures, outsourced compliance support, and major technology partners. If accountability is shared in theory but siloed in practice, something will fall through the cracks. Usually, it falls right into your lap when regulators arrive.

Compliance action steps

  • Define “shared accountability” in contracts, governance charters, and escalation protocols.
  • Ensure independence and objectivity are protected by design, not by personality.
  • Create joint forums where data is shared broadly, dissent is recorded, and decisions are made openly.

Lesson 5: Burnout is a risk factor, and meeting chaos is a governance failure

The report’s recommendations recognize the operational reality: high-pressure environments can degrade decision quality. It calls for “pulse checks,” rotation of high-pressure responsibilities, contingency staffing, and time protection for deep work to proactively address burnout and improve decision-making under mission conditions. Compliance professionals should take that to heart. Crisis cadence is sometimes unavoidable. Permanent crisis cadence is a leadership choice. And it carries predictable consequences: shortcuts, missed details, weakened documentation, and poor judgment.

Compliance action steps

  • Build surge staffing plans for investigations and incident response.
  • Rotate incident commander roles when events extend beyond days.
  • Protect time for analysis, not just meetings and status updates.

Lesson 6: Accountability must be visible, not performative

NASA does not bury the human dimension. The report contains leadership recommendations to speak openly with the joint team about leadership accountability, including concurrence with the report and reclassification as a mishap, and to hold a leadership-led stand-down day focused on reflection, accountability concerns, and rebuilding trust. For corporate leaders, this is where trust is won or lost after a crisis. Employees can tolerate a hard outcome. They struggle to tolerate spin. If your organization communicates externally with confidence but internally with vagueness, your culture learns the wrong lesson: optics first, truth second.

Compliance action steps

  • After a major incident, publish an internal accountability and remediation plan with owners and timelines.
  • Provide regular updates on what has been completed, what is delayed, and why.
  • Make it safe for the workforce to ask questions in interactive forums, as NASA recommends.

Lesson 7: Trust repair requires a plan, not a pep talk

One of the most useful artifacts in the report is a sample Organizational Trust Plan. It sets a goal to rebuild trust by establishing clear expectations, open accountability, and shared commitment to safety and mission success. It includes objectives around transparent communication, acknowledging past challenges, reinforcing shared values, and structured engagement. It then lays out action steps: leadership engagement, facilitated sessions, outward expressions of accountability, teamwide rollout, training and coaching, and communication through a written plan and regular updates.

That is exactly the kind of operational discipline compliance leaders should bring to culture work. Culture does not change because someone gives a speech. Culture changes when the organization changes how it makes decisions, treats dissent, and follows through.

Five key takeaways for the compliance professional

  1. Clarify decision rights before the crisis. Ambiguity becomes politics under pressure.
  2. Make transparency non-negotiable. Perceived filtering of data destroys credibility.
  3. Do not normalize unexplained anomalies. Repeat issues without a root cause are future failures.
  4. Operationalize shared accountability with partners. Otherwise, it is a slogan.
  5. Rebuild trust with a written plan and visible accountability. Trust repair is a managed process.

In the end, the Starliner lesson for compliance is simple: controls matter, but culture decides whether controls work when it counts. If leadership cannot run disagreements well, cannot share data broadly, and cannot demonstrate accountability after the fact, the best-written compliance program in the world will fail the moment the pressure rises.

AI Today in 5

AI Today in 5: February 24, 2026, The AI in Pharma Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI-powered pharma compliance. (FastCompany)
  2. Shadow AI in healthcare. (AHCJ)
  3. Stronger compliance is needed to mitigate AI liability. (CW)
  4. AI in banking. (TheFinancialBrand)
  5. Anthropic accuses China of hacking Claude. (WSJ)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Innovation in Compliance

Innovation in Compliance: From Banking to AI: Tim Khamzin on Transforming Compliance

Innovation comes in many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes Tim Khamzin, Founder & CEO of Vivox AI, to discuss building explainable, trusted AI agents for financial crime compliance teams.

Tim describes his background in banking operations automation, including large-scale digital transformation and the development of compliance products, and explains how large language models since 2023–2024 enable the automation of unstructured compliance work without extensive model training. He outlines key challenges in AML/KYC operations: 15% of bank headcount tied to compliance, heavy manual repetitive investigations across multiple systems, and cultural resistance to adopting technology.

Tim emphasizes “explainability” through consistent, repeatable investigations with audit logs and screenshots that mirror human workflows, and “trust” through transparency, compliant vendor choices, and clear communication of limitations. Tim introduces Vivox compliance analyst, “Rachel,” a platform of collaborating agents that supports onboarding, customer due diligence, and false-positive reduction, improved via structured human feedback (thumbs up/down) to learn firm-specific standards.

He explains how Vivox stays aligned with evolving regulations by engaging with bodies such as the UK FCA and tracking frameworks such as the EU AI Act and Singapore guidance, with a focus on auditability and explainability. Tim predicts most compliance work will shift to AI agents, with humans handling complex cases and a new role of “compliance engineer” emerging to configure and evaluate agents, alongside industry consolidation and operating-system-style vendor platforms.

Key highlights:

  • From Banking Automation to Founding Vivox AI: The Opportunity in LLMs
  • What’s Broken Today: Manual Investigations, Backlogs, and Culture Gaps
  • Explainable + Trusted AI: Audit Trails, Screenshots, and Transparency
  • Regulators’ Top AI Concerns: Black Box, Bias, and 99% Accuracy
  • Inside ‘Rachel’: The AI Compliance Analyst & Human-in-the-Loop Feedback
  • The Future: Compliance Engineers, Agent “Operating Systems,” and Consolidation

Resources:

Tim Khamzin on LinkedIn

Vivox AI

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts.

Daily Compliance News

Daily Compliance News: February 24, 2026, The $1.7bn from Binance to China Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Binance sent $1.7bn in crypto to Iran. (NYT)
  • Anthropic accuses China of hacking Claude. (WSJ)
  • ECB fines Agricole. (Bloomberg)
  • Jail time for fraud in the global aviation supply chain. (FT)

The PfBCon Podcast

The PfBCon Podcast: Unlocking the Power of Podcast Networks with John Largent

In this episode of the PfBCon Podcast, John Largent, Founder and CEO of Largent Media, dives deep into the world of podcast networks.

John discusses the advantages of joining a network, how to elevate your podcast’s reach, and the importance of consistency and collaboration within networks. John also touches on potential challenges, including meeting benchmarks and maintaining quality standards. With practical examples and insights from his extensive experience, this episode is a must-listen for anyone looking to take their podcast to the next level.

Key highlights:

  • Understanding Podcast Networks
  • The Power of Joining a Network
  • Monetization and Cross-Promotional Power
  • Discovery Advantage and Real-Life Examples
  • What Networks Look for in Podcasters
  • Consistency and Engagement in Networks
  • Challenges and Considerations in Joining a Network

Resources:

Follow John Largent on Instagram and LinkedIn.

Visit Largent Media on its website, Facebook, YouTube, and LinkedIn.

AI Today in 5

AI Today in 5: February 23, 2026, The Bold But Balanced Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. How AI is transforming compliance in 2026. (FinTechGlobal)
  2. Asian banks are struggling to integrate AI into their compliance systems. (AsianBanking&Finance)
  3. A bold but balanced AI revolution. (CIO)
  4. Safely navigating chatbots and healthcare PII. (News-Medical)
  5. What is shaping AI governance? (ISEAS)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Daily Compliance News

Daily Compliance News: February 23, 2026, The Compensation from Cuba Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Sweden’s FSA to investigate Swedbank for AML violations. (Reuters)
  • Trump tells Netflix to fire BOD member. (NYT)
  • Hunting the Shadow Fleet. (WSJ)
  • Supreme Court to review whether Cuba owes Exxon compensation. (Reuters)

Blog

5 Strategic Board Playbooks for AI Risk (and a Bootcamp)

Artificial intelligence is no longer a future-state technology risk. It is a current-state governance issue. If AI is being deployed inside governance, risk, and compliance functions, then it is already shaping how your company detects misconduct, prioritizes investigations, manages regulatory obligations, and measures program effectiveness. That makes AI risk a board agenda item, not a management footnote.

In an innovation-forward organization, the goal is not to slow AI adoption. The goal is to professionalize it. Boards of Directors and Chief Compliance Officers (CCOs) should approach AI the way they approached cybersecurity a decade ago: move it from “interesting updates” to a structured reporting cadence with measurable controls, clear accountability, and director education that raises the collective literacy of the room.

Today, we consider 5 strategic playbooks designed for a Board of Directors and a CCO operating in an industry-agnostic environment, building AI in-house, without a model registry yet, and with a cross-functional AI governance committee chaired and owned by Compliance. The program must also work across multiple regulatory regimes, including the DOJ Evaluation of Corporate Compliance Programs (ECCP), the EU AI Act, and a growing patchwork of state laws. We end with a proposal for a Board of Directors Boot Camp on their responsibilities to oversee AI in their organization.

Playbook 1: Put AI Risk on the Calendar, Not on the Wish List

If AI risk is always “important,” it becomes perpetually postponed. The first play is procedural: create a standing quarterly agenda item with a consistent structure.

Quarterly board agenda structure (20–30 minutes):

  1. What changed since last quarter? Items such as new use cases, material model changes, new regulations, and major control exceptions.
  2. Full AI risk dashboard, with 8–10 board KPIs, trends, and thresholds.
  3. Top risks and mitigations, including three headline risks with actions, owners, and dates.
  4. Assurance and testing, which would include internal audit coverage, red-teaming results, and remediation progress.
  5. Decisions required include policy approvals, risk appetite adjustments, and resourcing.

This cadence does two things. First, it forces repeatability. Second, it creates institutional memory. Boards govern better when they can compare quarter-over-quarter progress, not when they receive one-off deep dives that cannot be benchmarked.

Playbook 2: Build the AI Governance Operating Model Around Compliance Ownership

In your design, Compliance owns AI governance and its use throughout the organization, supported by a cross-functional AI governance committee. That is a strong model, but only if it is explicit about responsibilities.

Three lines of accountability:

  • Compliance (Owner): policy, risk framework, controls, training, and board reporting.
  • AI Governance Committee (Integrator): cross-functional prioritization, approvals, escalation, and issue resolution.
  • Build Teams (Operators): documentation, testing, change control, and implementation evidence.

Boards should ask one simple question each quarter: Who is accountable for AI governance, and how do we know it is working? If the answer is “everyone,” then the real answer is “no one.” Your model makes the answer clear: Compliance owns it, and the committee operationalizes it.

Playbook 3: Create the AI Registry Before You Argue About Controls

You have no model registry yet. That is the first operational gap to close, because you cannot govern what you cannot inventory. In a GRC context, this is not a “nice to have.” Without an inventory, you cannot prove coverage, you cannot scope an audit, you cannot define reporting, and you cannot explain to regulators how you know where AI is influencing decisions.

Minimum viable AI registry fields (start simple):

  • Use case name and business owner;
  • Purpose and decision impact (advisory vs. automated);
  • Data sources and data sensitivity classification;
  • Model type and version, with change log;
  • Key risks (bias, privacy, explainability, security, reliability);
  • Controls mapped to the risk (testing, monitoring, approvals);
  • Deployment status (pilot, production, retired); and
  • Incident history and open issues.

Boards do not need the registry details. They need the coverage metric and the assurance that the registry is complete enough to support governance.

Playbook 4: Align to the ECCP, EU AI Act, and State Laws Without Creating a Paper Program

Many organizations make a predictable mistake: they respond to multiple frameworks by producing multiple binders. That creates activity, not effectiveness. A better approach is to use a single control architecture to map to multiple requirements. The board should see one integrated story:

  • DOJ ECCP lens: effectiveness, testing, continuous improvement, accountability, and resourcing;
  • EU AI Act lens: risk classification, transparency, human oversight, quality management, and post-market monitoring; and
  • State law lens: privacy, consumer protection concepts, discrimination prohibitions, and notice requirements where applicable.

This mapping becomes powerful when it ties back to the board dashboard. The board is not there to read statutes. The board is there to govern outcomes.

Playbook 5: Use a Board Dashboard That Measures Coverage, Control Health, and Outcomes

For the combined dashboard and narrative with 8–10 KPIs, here is a board-level set designed for AI in governance, risk, and compliance functions, with in-house build, internal audit, and red teaming for assurance.

Board AI Governance KPIs (8–10)

  1. AI Inventory Coverage Rate: percentage of AI use cases captured in the registry versus estimated footprint.
  2. Risk Classification Completion Rate: percentage of registered use cases risk-classified (EU AI Act style tiers or internal tiers).
  3. Pre-Deployment Review Pass Rate: percentage of deployments that cleared required testing and approvals on first submission.
  4. Model Change Control Compliance: percentage of model changes executed with documented approvals, testing evidence, and rollback plans.
  5. Explainability and Documentation Score: percentage of in-scope use cases with complete documentation, rationale, and user guidance.
  6. Monitoring Coverage: percentage of production use cases with active monitoring for drift, anomalies, and performance degradation.
  7. Issue Closure Velocity: median days to close AI governance issues, by severity.
  8. Internal Audit Coverage and Findings Trend: number of audits completed, rating distribution, repeat findings, and remediation status.
  9. Red Team Findings and Remediation Rate: number of material vulnerabilities identified and percentage remediated within the target time.
  10. Escalations and Incident Rate: number of AI-related incidents or escalations (including near-misses), with severity and lessons learned.

These KPIs do not require vendor controls and align with an in-house build model. They also support both board oversight and compliance management.

AI Director Boot Camp

Your board has a medium level of literacy and needs a boot camp. I agree. Directors do not need to become engineers. They need a common vocabulary and a governance frame. The recommended boot camp design is one-half day, making it highly practical. It should include the following.

  1. AI in the company’s operating model. This means where it touches decisions, risk, and compliance outcomes.
  2. AI risk taxonomy, such as bias, privacy, security, explainability, reliability, third-party, and the like.
  3. Regulatory landscape overview, covering the DOJ ECCP approach to effectiveness, the EU AI Act risk framing, and recurring state law themes.
  4. Governance model walkthrough to ensure the BOD understands the registry, risk classification, controls, monitoring, and escalation.
  5. Tabletop exercises, such as an AI incident in a GRC context with false negatives in monitoring or biased triage.
  6. Board oversight duties. Teach the BOD how they can meet their obligations, including which questions to ask quarterly, which thresholds trigger escalation, and similar insights.

The deliverable from the boot camp should be a one-page “Director AI Oversight Guide” with the KPIs, escalation triggers, and the quarterly agenda structure.

The Bottom Line for Boards and CCOs

This is the moment to treat AI risk like a board-governed discipline. The organizations that get it right will not be the ones with the longest AI policy. They will be the ones with the clearest operating model, the most reliable reporting cadence, and the strongest evidence of control effectiveness.

If Compliance owns AI governance, then Compliance must also own the proof. That proof is delivered through a registry, a quarterly board agenda item, a balanced KPI dashboard, and assurance through internal audit and red teaming. Add a director boot camp to create shared understanding, and you have the beginnings of a program that is innovation-forward and regulator-ready.

That is the strategic playbook: not fear, not hype, but governance.