Categories
Blog

Building a Compliance Playbook for AI: Board-Level Lessons in Cybersecurity Oversight

Artificial intelligence (AI) has been heralded as one of the most transformative technologies of our time. It promises efficiency, productivity, and entirely new business models. Yet, as with any tool of such power, AI is both a friend and a foe. For corporate directors, compliance officers, and risk professionals, AI presents a dual challenge: leveraging its defensive strengths while preparing for its potential weaponization by malicious actors.

The National Association of Corporate Directors (NACD), in partnership with the Internet Security Alliance (ISA), has released a special supplement to its Directors’ Handbook on Cyber-Risk Oversight devoted entirely to AI in cybersecurity. It is a timely publication. Adoption rates are soaring: 72% of companies were already using AI in 2024, and the risks are accelerating just as fast. For the compliance community, the report provides a roadmap for oversight, governance, and practical questions boards must ask management.

AI as Both Force Multiplier and Risk Multiplier

On one side of the ledger, AI enhances cybersecurity by automating threat detection, reducing false positives, identifying malware, and analyzing oceans of log data. Used wisely, AI allows companies to “get ahead of theft”. This includes identifying vulnerabilities before criminals exploit them. Generative AI and large language models (LLMs), in particular, can speed detection, enrich threat indicators, and even suggest remediation steps.

However, these same capabilities are available to cybercriminals. AI lowers the barrier of entry for less sophisticated hackers, turbocharges phishing and social engineering campaigns, and allows nation-states to refine cyberattacks at scale. This duality makes AI unique: it amplifies both opportunity and risk simultaneously.

Oversight Imperatives for Boards

The handbook identifies four key imperatives for boards responsible for overseeing AI and cybersecurity.

1. Director Education – Boards must commit to continuous learning about AI’s risks, benefits, and regulatory developments. Few leaders yet possess the technical grounding needed to appreciate AI’s implications.

2. Threat and Opportunity Awareness – Directors must understand not just the dangers but also the strategic benefits AI can bring.

3. Regulation and Disclosure – Boards must anticipate evolving rules and disclosure obligations. AI oversight will require the same level of rigor as financial and ESG reporting.

4. Board Readiness – Boards must ensure management builds governance structures, ethical use frameworks, and clear communication channels about AI’s role.

Compliance Lessons from the NACD AI in Cybersecurity Handbook

1. Third-Party and Supply Chain Risk Will Intensify

Boards are advised to scrutinize vendors’ AI tools and data sources. As the handbook emphasizes, AI models can be trained on data with questionable provenance, intellectual property, personally identifiable information, or even classified information. Using such models can expose organizations to liability. For compliance professionals, this means conducting enhanced due diligence on third-party AI systems. Ask vendors how they source training data, what models they use, and whether they have human oversight mechanisms in place to ensure quality. AI risk is now a key component of supply chain risk.

2. Transparency Is a Non-Negotiable

AI systems often function as “black boxes.” Their lack of explainability poses reputational and legal risks when decisions cannot be justified. Boards are urged to push for transparency in AI deployment, both internally and in customer-facing applications. For compliance professionals, this means incorporating explainability into your AI governance framework. Require documentation of training data, decision-making logic, and model limitations. If regulators ask, you must be able to demonstrate your homework.

3. Continuous Monitoring Is the New Standard

As highlighted in the AI Seven-Step Governance Program, AI oversight requires more than pre-deployment testing. Continuous monitoring, auditing, and retraining must occur throughout the lifecycle of AI tools to ensure their effective use. For the compliance professional, this means your program must move beyond “check-the-box” vendor certifications. Build ongoing monitoring and assurance processes. Think of AI oversight as dynamic, not static.

4. Regulation Will Come Fast and Furious

The NACD warns that while regulators often lag innovation by three to five years, the window for AI is already shortening. Boards relying on a “wait and see” approach will find themselves overwhelmed when rules arrive. Clearly, the compliance function must do more than wait for the regulators. Even if the US government were inclined to do so, the necessary political will would not exist to allow for an agreement. This means you should align your approach today with emerging frameworks, such as the EU AI Act, the NIST AI Risk Management Framework, and OECD principles. Position your company to demonstrate proactive governance.

5. Disclosure Expectations Will Rise

AI adoption carries disclosure obligations across transparency, risk assessment, and incident reporting. Boards must assume that regulators and investors alike will demand clear, timely disclosure of AI-related incidents and governance practices. Compliance must lead the way in your corporation to build AI into your disclosure controls and procedures now. Ensure incidents involving AI failures are reported with the same rigor as material cybersecurity breaches.

6. The Board Must Get Educated—and Fast

The handbook emphasizes director education. Boards that lack AI fluency will struggle to provide proper oversight. Worse, they may overestimate management’s ability to mitigate AI risks. You should encourage board training through NACD, Carnegie Mellon’s CERT program, or trusted third-party advisors. Education is no longer optional; it may well become a fiduciary duty.

7. Governance Structures Must Evolve

Some companies are considering dedicated AI committees, while others integrate AI oversight into existing audit or risk committees. Either way, boards need clear lines of accountability. The questions boards should be asking management are listed extensively in the handbook, including:

  • How are competitors using AI?
  • Do we need a Chief AI Officer?
  • What is our exposure if adversaries use AI against us?
  • Have we segregated training data to know its provenance?
  • Are our policies aligned with the EU AI Act’s risk classifications?

Start these conversations today. Board agendas must include AI oversight as a recurring topic.

Building a Compliance Playbook for AI

Compliance professionals can translate the NACD’s recommendations into a practical playbook for their own programs, built on the following key concepts.

  • Embed AI governance early – Don’t bolt compliance onto AI projects after the fact. Integrate governance into design and procurement stages.
  • Adopt a human-centered AI approach – Ensure AI is aligned with corporate values and ethical principles, not just efficiency goals.
  • Use risk quantification – Treat AI risk like any other enterprise risk: quantify, compare, and integrate into ERM frameworks.
  • Demand accountability – Require clear responsibility for AI oversight, whether it sits with the Chief Compliance Officer, CIO, or a new Chief AI Officer role.
  • Engage regulators early – Use disclosure and transparency as tools to build trust with regulators and stakeholders.

The Handbook makes clear that AI in cybersecurity is not just a technology issue. It is an enterprise risk, a boardroom issue, and a compliance mandate. For compliance professionals, this means you must step into the AI oversight conversation.

As with the FCPA decades ago, regulators and stakeholders will expect companies to transition from a reactive to a proactive approach. The time to build frameworks, train directors, and embed oversight is now. AI, like every disruptive technology before it, will reward the prepared and punish the complacent. Compliance professionals are uniquely positioned to bridge the technical and governance divide. By applying lessons from the NACD handbook, we can ensure that AI becomes not just a tool for criminals but a force multiplier for integrity, trust, and resilience in the digital age.

Categories
Great Women in Compliance

Great Women in Compliance – Compliance as a Product Differentiator with Susan Cooper

In today’s episode, Lisa Fine speaks with Susan Cooper, Vice President of Regulatory Compliance Programs and Global Data Protection Officer at Meta, discussing her approach to compliance in the technology sector. Susan discusses the path that led her to her current role, which is unique as her team is embedded within Meta’s product organization.

Being part of the product development team allows compliance to work hand-in-hand with product development through their risk review process, which assesses privacy, security, content safety, and financial risks in a centralized process for over 1,400 products per month. It is part of their processes.

Susan also discusses how Meta utilizes “privacy-aware infrastructure,” embedding compliance requirements into standardized, reusable code components that can be used throughout the organization. She also provides some advice for compliance professionals, particularly those who are interested in technology companies, including:

  • Learn to speak “tech” if you want to work in tech compliance;
  • Get to know your stakeholders and their concerns;
  • Keep a growth mindset – be willing to ask questions and learn constantly; and
  • Embrace AI and automation tools to scale your work, and keep learning about these tools.

Categories
Upping Your Game

Upping Your Game – Leveraging Behavioral Analytics in Compliance: A Proactive Approach

In February, the Trump Administration suspended investigations under and enforcement of the FCPA. Many compliance professionals have since wondered what this will mean for corporate compliance programs going forward. Hui Chen challenged compliance professionals with the statement, “It’s time to up your game.”

This podcast series, sponsored by Ethico and co-hosted with Ethico co-CEO Nick Gallo, hopes to meet Hui Chen’s challenge. We will discuss how compliance professionals can ‘Up Their Game’ by utilizing currently existing Generative AI (GenAI) tools to enhance their compliance programs significantly. As compliance professionals, it is crucial to recognize that this moment is not merely about incremental improvements but about elevating our profession to an entirely new level of effectiveness, efficiency, and organizational value.

Tom Fox and Nick Gallo explore the role of behavioral analytics in transforming cultural assessments and compliance programs. They discuss how AI and data analytics can help compliance officers transition from a reactive to a proactive approach, thereby enhancing decision-making and promoting positive behavior within organizations. The conversation covers the importance of continuously assessing culture, the challenges of measuring it, and the necessity of thinking in bets—much like a skilled poker player. Tune in to learn how to make smarter, more agile decisions in the compliance realm, and stay ahead of potential issues before they escalate.

Key highlights:

  • Behavioral Analytics in Compliance
  • The Importance of Measuring Culture
  • Evolution of Data Analytics in Compliance
  • Strategies for Gathering Behavioral Data

Resources:

Upping Your Game: How Compliance and Risk Management Move to 2030 and Beyond on Amazon.com

Nick Gallo on LinkedIn

Ethico

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Innovation in Compliance

Innovation in Compliance: Brad Stevens: Part 1 – Transforming Outsource Perceptions

Innovation comes in many areas, and compliance professionals need to not only be ready for it but also embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox begins a two-part series with Brad Stevens, Founder and CEO of Outsource Access, to discuss the transformative power of culture in outsourcing.

Brad shares his journey from a product disaster to building a thriving business with over 500 employees in the Philippines. Discover how focusing on culture before scaling people has led to Outsource Access’s success and changed perceptions of offshoring.

Key takeaways:

– 🌍 Changing perceptions of outsourcing from sweatshops to growth opportunities.

– 🤝 The importance of treating employees well to foster loyalty and growth.

– 🌟 Building a people-centric business that prioritizes culture.

– 📈 The impact of culture on business growth and client satisfaction.

– 🏆 The ten pillars of culture that drive Outsource Access’s success.

Key highlights:

  • Changing Perceptions of Outsourcing
  • The Journey of Outsource Access
  • Building a People-Centric Business
  • The Ten Pillars of Culture
  • Commitment to Community and Employee Well-Being

Connect with us:

🔸 Outsource Access on LinkedIn

🔸 Outsource Access Website

🔸 Brad Stevens on LinkedIn

Check out my latest book, Upping Your Game: How Compliance and Risk Management Move to 2023 and Beyond, available from Amazon.com.

Categories
Everything Compliance - Shout Outs and Rants

Everything Compliance: Shout Outs & Rants: Episode 160, The What Next Edition

Welcome to this Edition of award-winning Everything Compliance. In this episode, we have the sextet of Matt Kelly, Jonathan Marks, Jonathan Armstrong, Karen Woody, and Karen Moore, with Tom Fox, the Compliance Evangelist, sitting in as host.

  1. Matt Kelly shouts out to Boston Mayoral candidate Josh Kraft, who bowed out of the race.
  2. Jonathan Marks shouts out to Sheinelle Jones, all those who lost loved ones to cancer, and cancer victim caregivers.
  3. Jonathan Armstrong shouts out to the Grand Ole Opry.
  4. Karen Moore rants about ABC and Disney’s decision to suspend Jimmy Kimmel.
  5. Karen Woody shouts out to the Netflix show Adolescence, which swept the Emmys.
  6. Tom Fox shouts out the Community Foundation of the Hill Country, which took in over $100MM in donations for victims of the July 4 flood in 30 days.

The members of Everything Compliance are:

The host, producer, and sometime panelist of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. The award-winning Everything Compliance is a part of the Compliance Podcast Network.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – The Culture Audit

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week, we have a 5-part series on audits adjacent to compliance. In Part 2, we consider the Culture Audit.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.

Categories
Daily Compliance News

Daily Compliance News: September 23, 2025, The Shuttering Offices Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, including compliance, ethics, risk management, leadership, or general interest, relevant to the compliance professional.

Top stories include:

  • DOJ shuts down bribery investigation of Homan. (HuffPost)
  • 2 former Haitian officials were designated for bribery. (DOJ Press Release)
  • Singapore execs found guilty in Wirecard fraud. (FT)
  • K&L Gates is shutting down its China offices. (Reuters)

Categories
AI Today in 5

AI Today in 5: September 23, 2025, The $100bn Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI, so start your day, sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest related to AI.

Top AI stories include:

  • Nvidia invests $100 billion in OpenAI. (NYT)
  • What is ‘human agency’? (FT)
  • AI investment as the new diplomacy. (Bloomberg)
  • UN wants Red Lines around AI. (NBC News)
  • Compliance in the age of AI. (Forbes)

For more information on the use of AI in compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Categories
Word of the Week

Word of the Week with Kenneth O’Neal – The Importance of Standard in Leadership and Daily Life

Each week, Kenneth O’Neal discusses a word that describes a principle or value of the Qualities of Success. We suggest that you incorporate the Word of the Week into your thoughts, deeds, and actions. You might currently possess the quality and desire to develop it to a higher level. You could replace a bad habit with a good habit. Write an action step and use it daily to develop the Quality in your life. In this episode, Kenneth discusses the word – Standard.

Kenneth O’Neal and Rick Phipps explore the word’s origins and how it evolved from a military term to a measure of quality and principle. Kenneth emphasizes the role of standards in reflecting integrity, discipline, and commitment to excellence. He showcases historical examples, such as Joan of Arc, Martin Luther King Jr., and George Washington, as standard bearers. Kenneth also discusses the importance of trust as a fundamental standard and highlights how it is exemplified by first responders, local business owners, the military, and healthcare professionals. He concludes with a personal anecdote about setting standards in childhood and encourages businesses to call for a free assessment to enhance their own standards.

Key highlights:

  • Word of the Week: Standard
  • Historical Context of ‘Standard’
  • Characteristics of a Standard Bearer
  • Trust as the Ultimate Standard

Resources:

KRONEAL Consulting

Categories
Blog

Third Parties, Timing, and Trials: Compliance Lessons from the Zaglin FCPA Conviction

Despite the Trump Administration, the Foreign Corrupt Practices Act (FCPA) has again demonstrated its reach and staying power. An article in Law360 reported that this month, a federal jury in Miami convicted Carl Alan Zaglin, a Georgia businessman and the former CEO of military clothing supplier Atlanco, on all counts of FCPA and money laundering charges. The case centered on a scheme to bribe Honduran officials in exchange for lucrative contracts with the Honduran National Police, worth over $10 million.

For the compliance professional, the Zaglin case serves as a stark reminder: the risks of bribery and corruption remain high, particularly in international contracting involving law enforcement and defense agencies. But it also provides clear compliance lessons that organizations can implement today. Finally, the lessons from this case would make a great presentation to the Board of Directors.

The Case in Brief

Zaglin, as majority owner and CEO of Atlanco, worked with Tactical Products Group and intermediaries to secure uniform contracts with the Honduran government. Prosecutors demonstrated that beginning in 2015, Atlanco executives entered into sham “brokerage agreements” with a Florida-based intermediary, Aldo Nestor Marchena. Marchena then routed more than $2 million in illicit payments through offshore accounts in Belize and the U.S., as well as direct cash payments, to Honduran officials.

Although Zaglin argued that the contracts were awarded before the payments were made, the jury rejected this defense. The DOJ’s position was clear: the payments were designed to ensure favorable treatment and sustain Atlanco’s business advantage. Acting Assistant Attorney General Matthew R. Galetto underscored the broader message: bribing officials undermines the rule of law and distorts competitive markets.

The outcome? A guilty verdict on conspiracy to violate the FCPA, substantive FCPA violations, and conspiracy to commit money laundering. Zaglin now faces sentencing in December 2025. His co-conspirators, including Marchena and two former Honduran officials, pleaded guilty earlier this year.

Why This Case Matters

On the surface, the Zaglin conviction is yet another entry in the DOJ’s FCPA enforcement docket. Of course, this case was brought under the prior Biden Administration, but the Trump Administration did allow it to move forward. But peel back the layers, and we find enduring themes that no company can ignore:

  • The role of third-party intermediaries. Once again, the FCPA violation flowed through a so-called “agent” who submitted fake invoices.
  • The false comfort of after-the-fact rationalizations. Zaglin’s defense—that contracts were awarded before the payments—shows the lengths to which executives will stretch logic to justify bribes.
  • The focus on high-risk sectors. Defense, law enforcement, and government procurement remain top-tier corruption risks.

This case could have been prevented with a stronger compliance program, rigorous third-party due diligence, and an empowered compliance function. Or perhaps even a CEO who was committed to doing business ethically and in compliance with the FCPA.

Five Compliance Lessons from the Zaglin Conviction

1. Third Parties Are Still the Achilles’ Heel

The Atlanco scheme revolved around Marchena, the intermediary who served as the conduit for illicit payments. Atlanco executives papered the arrangement with sham brokerage agreements—classic red flags. Fake invoices, offshore transfers, and large unexplained payments are textbook hallmarks of corruption risk.

Lesson for compliance professionals: Never take third-party relationships at face value. Conduct rigorous due diligence, both at onboarding and throughout the relationship. Look for the red flags: lack of a clear value proposition, offshore accounts, and vague consulting services. Ensure your contracts include audit rights, anti-corruption certifications, and termination provisions that are enforceable and legally binding.

2. Timing Does Not Erase Intent

Zaglin’s defense hinged on timing: that the contracts were awarded before the bribes were paid. However, FCPA enforcement is not solely about timing; it is about corrupt intent. Payments made to reward past contracts or to secure future business still fall squarely within the statute. For compliance professionals, the lesson is clear. You must train executives and sales teams to understand that bribes are not limited to pre-award influence. “Thank-you” payments, facilitation to speed up processes, or post-award cash still qualify as corrupt payments. While domestically the US Supreme Court allows such gratuities, they remain illegal under the FCPA.

3. Money Laundering Is Often the Companion Charge

Prosecutors alleged that over $2 million in bribes were laundered through accounts in Belize and the United States. The money laundering charge not only increases potential penalties but also expands the jurisdiction and investigative tools available to prosecutors.

For compliance professionals, the lesson is clear. Compliance cannot be siloed. Anti-corruption compliance must integrate with anti-money laundering (AML) monitoring. Cross-functional teams, including compliance, finance, and legal, should collaborate to identify unusual payments, offshore transfers, or the use of cash. A payment flagged by AML teams may also be a corruption risk.

4. High-Risk Industries Demand Higher Controls

This case involved contracts with a foreign national police force. Defense, security, and law enforcement procurement are notoriously high-risk sectors, given their reliance on government contracts, large transaction values, and political sensitivities. For compliance professionals, the lesson is clear. Never forget that sector risk matters. Indeed, it was one of the risks identified in the FCPA Resource Guide, 1st edition, and brought forward into the 2nd edition. A compliance program in high-risk industries must include enhanced controls—more detailed due diligence, additional documentation, and heightened oversight. One-size-fits-all compliance will not work. The higher the risk, the higher the controls must be.

5. DOJ Will Pursue Trials, Not Just Settlements

It is worth noting that Zaglin was the only defendant to go to trial; his co-conspirators pled guilty. The DOJ secured convictions on every count. The case sends a clear message: the government will not shy away from trials, even in complex international bribery cases. For compliance professionals, the lesson is clear. Even under this Administration, the enforcement risk is real. Companies cannot gamble on the odds of non-detection. The reputational damage, financial costs, and operational disruption of an FCPA trial can devastate a business.

Final Thoughts

The conviction of Carl Alan Zaglin underscores the DOJ’s continuing focus on international corruption. For compliance professionals, it serves as yet another reminder that the fundamentals — third-party management, AML integration, sector-specific risk controls, and empowered compliance — remain non-negotiable. They are essential.

As Acting Assistant Attorney General Galetto put it: bribery undermines the rule of law and distorts markets. Compliance professionals must be the guardians against that distortion. By learning from cases like this, organizations can not only avoid costly enforcement actions but also compete on a level playing field where integrity, not bribery, wins the contract.