Categories
Daily Compliance News

Daily Compliance News: March 17, 2026, Is the DOJ Corrupt? Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Cyber hacks and Iran. (WSJ)
  • Madagascar’s ABC chief appointed PM. (DM.COM)
  • BoA settles Epstein victims’ lawsuit. (FT)
  • Was there corruption involved in the Live Nation settlement? (BIG)
Categories
Innovation in Compliance

Innovation in Compliance: Venezuela’s Energy Reopening with Loren Steffy

Innovation comes in many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox visits with energy journalist/publisher Loren Steffy to discuss whether a Trump administration announcement regarding Venezuela is meaningful for oil markets, concluding that it mainly increases uncertainty and is unlikely to drive major U.S. oil-company investment.

They note West Texas shale generally needs about $60 oil to break even, making $50 oil politically and economically problematic. They explain that Venezuela’s heavy crude requires specialized extraction technology and extensive, aging infrastructure upgrades to reach the market, potentially costing billions and taking decades, with some estimates placing Venezuela’s break-even price at $80 or higher. They emphasize governance, corruption, degraded PDVSA human capital, contract enforceability, and unresolved debts (including reported $12B owed to ConocoPhillips) as key barriers, making Venezuela “uninvestible” for most majors and suggesting only high-risk players might consider entry amid unclear U.S. strategy.

Key highlights:

  • Venezuela Heavy Crude Basics
  • Infrastructure Rebuild Challenge
  • Human Capital and Governance
  • Old Debts and Legal Risk
  • Government Plan or Subsidies

Resources:

Loren Steffy on LinkedIn

Stoney Creek Publishing 

Innovation in Compliance was recently ranked Number 4 in Risk Management by 1,000,000 Podcasts.

Categories
The PfBCon Podcast

The PFBCon Podcast: Legal Must-Knows for Business Podcasters: Protect Your Brand, Content & Reputation with Gordon Firemark

Entertainment and media attorney Gordon Firemark (“the podcast lawyer”) delivers a session on essential legal principles for podcasters using shows as a business or within a business.

Gordon explains that publishing a podcast makes you responsible like a professional media company and outlines key areas to manage risk and build long-term value: forming a legal entity to separate personal and business liability; documenting ownership with written agreements (including “work made for hire” language) for co-hosts, contractors, and contributors; using a “podcast prenup” to define control, revenue, expenses, and exit scenarios; protecting intellectual property through copyright registration and trademark selection/registration (including searching the USPTO and avoiding generic titles), illustrated by a case where waiting to file caused years of trademark conflict; avoiding copyright problems by licensing/using royalty-free content and not relying on fair use as a “get out of jail free” claim; requiring guest release agreements to prevent takedown demands and disputes, including clauses covering editing, repurposing, and AI use; structuring sponsorship and brand deals with clear payment terms and deliverables; complying with FTC disclosure rules for endorsements, affiliate relationships, gifts, and paid interviews; and reducing defamation/privacy risk through fact-checking, respecting NDAs, and using disclaimers for legal/health/financial advice. He closes with resources and where to find him online, including his sites and podcaster community.

Key highlights:

  • Why Podcasters Need Legal Thinking
  • Gordon’s Podcasting Origin Story
  • The Three Pillars of Protection
  • Entities and Ownership Basics
  • Co-Hosts and Podcast Prenup
  • Copyright and Fair Use Myths
  • Trademarks and Naming Your Show
  • Guest Releases and Control
  • Sponsorships and FTC Disclosures
  • Defamation, Privacy, and Disclaimers 

Resources:

Follow Gordon Firemark on:

Entertainment Law Offices of Gordon P. Firemark

LinkedIn

Website

YouTube

Facebook

Instagram

Categories
Blog

COSO Meets GenAI: The Internal Controls Playbook for Compliance

If you are a compliance professional looking at your company’s GenAI rollout and wondering when the grown-ups will finally arrive, I have good news. They just did.

COSO has now stepped directly into the GenAI conversation with its new paper, Achieving Effective Internal Control Over Generative AI, and that matters a great deal. For those of us in compliance, internal audit, risk, and governance, COSO is not a shiny new acronym trying to catch the latest tech train. COSO is the train schedule. It is the framework that boards, auditors, controllers, and compliance professionals already understand. And with this publication, COSO has done something very important: it has translated GenAI risk into the language of internal control. That is exactly what the market needed.

Because up until now, too much of the GenAI discussion has lived in one of two places. Either it sat in the innovation lab with people talking breathlessly about transformation, or it sat in the legal department where everyone worried, quite correctly, about hallucinations, privacy, and bias. What has often been missing is the operational bridge between aspiration and assurance. COSO gives us that bridge. It says, in effect, GenAI is not outside your control environment. It is now part of it. And if it is part of it, then it must be governed, tested, monitored, and documented like any other significant business capability.

GenAI Does Not Change the Need for Control. It Changes the Terrain

One of the most important points in the COSO paper is that GenAI does not upend the COSO Internal Control-Integrated Framework. Rather, it changes the environment in which those controls operate. The five familiar COSO components remain the same: control environment, risk assessment, control activities, information and communication, and monitoring activities. What changes is the nature of the underlying risk. GenAI introduces probabilistic outputs, model drift, prompt injection, opaque reasoning, rapid configuration changes, and the adoption of shadow AI outside normal approval channels. That is a very useful framing for compliance officers.

It means we should stop treating AI governance as some exotic side project. If GenAI is used in operations, legal, finance, HR, procurement, investigations, or reporting, it belongs within your existing governance architecture. You do not need to invent a new religion. You need to apply the old disciplines to a new set of facts.

This is where compliance can and should lead. We understand what it means to build controls around fast-moving risk. We understand escalation, role clarity, training, monitoring, and accountability. COSO is effectively telling compliance professionals, “You already know more about governing GenAI than you think. Now apply that muscle memory with precision.”

A Capability-First Approach Is a Game Changer

The most practically useful innovation in the COSO guidance is its capability-first taxonomy. Rather than organizing AI controls by vendor, product name, or technical buzzwords, COSO focuses on what the GenAI system actually does. It identifies eight capability types: data extraction and ingestion; data transformation and integration; automated transaction processing and reconciliation; workflow orchestration; judgment, forecasting, and insight generation; AI-powered monitoring and continuous review; knowledge retrieval and summarization; and human-AI collaboration. That is enormously helpful because it is how compliance people actually work.

We do not manage risk by admiring the label on the software box. We manage risk by understanding what a tool does in a process, what can go wrong, how fast it can go wrong, and how the error propagates downstream. A GenAI tool that summarizes policies creates one set of risks. A GenAI agent that routes approvals, posts transactions, or helps shape regulatory disclosures creates another. COSO provides organizations with a common language for distinguishing among use cases and calibrating controls accordingly. That is not just elegant. It is actionable.

The Five Foundational Truths Every CCO Should Memorize

COSO also offers five foundational characteristics for GenAI internal control, and each should be printed and posted on the wall of every compliance office.

First, GenAI is probabilistic, not deterministic. In plain English, it can sound authoritative and still be wrong. Therefore, outputs must be treated as claims requiring validation, not facts to be accepted by default. Second, GenAI is dynamic. Models, prompts, and retrieval data evolve quickly, so controls and monitoring must keep pace. Third, GenAI is easily scalable, meaning it can scale both productivity and error rates. Fourth, it has a low barrier to entry, which is why shadow AI is such a real problem. Fifth, and perhaps most interestingly, GenAI can help govern GenAI through pattern detection, validation, and monitoring.

There is a lot packed into those five points. For compliance, the biggest takeaway is this: static governance will fail in a dynamic AI environment. Annual reviews will not cut it. A once-a-year policy refresh will not cut it. A single training session on acceptable use will not cut it. GenAI governance has to be living governance.

What COSO Says About the Control Environment

COSO starts where it should: tone, structure, and accountability. The paper says organizations need a GenAI acceptable use policy, clear ethical boundaries, oversight and accountability responsibilities, named owners for each AI tool or platform, role-based training, and accountability mechanisms tied not only to adoption but also to safety, compliance, and performance. Boards and cross-functional oversight groups need visibility into adoption, incidents, changes, and risk indicators.

That is a direct message to compliance leaders. If nobody owns the prompts, the retrieval connectors, the model configurations, the escalation path, or the approval structure, then nobody owns the risk. And in a regulatory environment moving steadily toward AI accountability, “nobody owned it” is not a defense. It is an indictment.

I particularly liked COSO’s emphasis that prompts, system prompts, and retrieval connectors should be treated as governed configurations. That is exactly right. Too many companies still treat prompting like an informal user habit rather than a control-relevant configuration choice. In a high-impact context, the prompt is not casual. It is part of the system.

Risk Assessment Must Get More Dynamic

COSO’s discussion of risk assessment is equally strong. It calls for use cases to have clearly defined objectives, acceptable and unacceptable boundaries, and success criteria. It also warns that organizations must first ask whether GenAI is even the right tool for the task. In some cases, traditional automation or deterministic systems may be safer and more reliable. The risk assessment should account for hallucinations, drift, provenance gaps, prompt injection, bias, third-party dependencies, and significant changes such as vendor updates, connector changes, or evolving regulations.

This is where compliance earns its keep. We are the ones who should be asking: What if the model changes quietly? What if the source data becomes stale? What if the retrieval layer excludes a critical policy update? What if the system routes something to the wrong approver? What if the tool is used in a context where a simpler and safer solution would do the job better?

COSO is right to emphasize scenario analysis and living risk registers. In the GenAI era, risk registers that only update annually are museum pieces.

Human-in-the-Loop Is Not Optional

When COSO turns to control activities, it gets very practical. It says GenAI outputs should be subject to human corroboration proportionate to risk, and in high-impact business, legal, or regulatory contexts, AI assistance should be segregated from authoritative decision-making. The paper also calls for version control, audit trails, access restrictions, change management, source citation requirements, segregation of duties, confidence thresholds, and documented approvals for configuration changes. That is the heart of responsible AI governance.

I was also struck by COSO’s discussion of reliance in an ICFR setting. The paper draws an important distinction between situations in which management relies on AI output as evidence of control effectiveness and situations in which a human independently re-performs the work. When true reliance exists, the evidentiary expectations rise: documented prompts, model versions, sampling rationale, exception resolution, and retained evidence.

Even beyond financial reporting, that concept is vital for compliance. The moment your team starts relying on GenAI output for sanctions reviews, due diligence summaries, monitoring alerts, investigative chronology, or policy interpretation, you have to ask a simple question: What is our evidence that this output was reliable enough to trust?
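Two of the points above, that prompts, system prompts and retrieval connectors are governed configurations, and that reliance on GenAI output requires retained evidence of the prompt and model version actually in use, both come down to the same control: a fingerprinted manifest of the approved configuration that the deployed system is checked against. The block below is an added illustration, not code from the COSO paper or from this site; the configuration values, the assistant and the vendor are hypothetical, and the check reports exactly which governed item drifted so the change can be routed to the documented approval process.

```python
import copy
import hashlib
import json

# Constructed, hypothetical governed configuration for a policy Q&A assistant.
# The system prompt, the model pin and the retrieval connector are the
# control-relevant settings, so each gets its own fingerprint.
APPROVED_CONFIG = {
    "model": {"provider": "example-vendor", "name": "example-llm", "version": "2026-02-01"},
    "system_prompt": "You are a policy assistant. Cite the policy section for every answer.",
    "retrieval": {"index": "policies-prod", "top_k": 5, "min_score": 0.75},
    "temperature": 0.0,
}

# The same configuration after two unapproved edits (constructed): a user
# "tuned" the prompt and the vendor rolled the model version forward.
DEPLOYED_CONFIG = copy.deepcopy(APPROVED_CONFIG)
DEPLOYED_CONFIG["system_prompt"] = "You are a helpful assistant. Answer briefly."
DEPLOYED_CONFIG["model"]["version"] = "2026-03-10"


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so equal configs hash equal regardless of key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def fingerprint(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()


def build_manifest(config: dict) -> dict:
    """Per-item hashes plus a root hash; the manifest is what gets approved and retained
    as evidence of which prompt, model and connector were in force."""
    items = {name: fingerprint(value) for name, value in config.items()}
    return {"items": items, "root": fingerprint(items)}


def check_deployment(approved_config: dict, deployed_config: dict) -> dict:
    """Compare the deployed configuration with the approved manifest and name
    every governed item whose content differs."""
    approved = build_manifest(approved_config)
    deployed = build_manifest(deployed_config)
    if approved["root"] == deployed["root"]:
        changed = []
    else:
        names = set(approved["items"]) | set(deployed["items"])
        changed = sorted(
            n for n in names if approved["items"].get(n) != deployed["items"].get(n)
        )
    return {"approved": not changed, "changed": changed, "deployed_root": deployed["root"]}


if __name__ == "__main__":
    # Expected: approved=False, changed=["model", "system_prompt"]
    print(json.dumps(check_deployment(APPROVED_CONFIG, DEPLOYED_CONFIG), indent=2))
```

Run at deployment time and on a schedule, the manifest root hash is the value to record in the audit trail alongside each batch of outputs that management relies on; a mismatch is a change-management event, not a user preference.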

Monitoring Is Where the Real Work Begins

COSO’s final major lesson is that monitoring GenAI is not a one-and-done exercise. Organizations need continuous metrics and periodic deep reviews. They need to track precision, recall, exception volumes, latency, fairness, drift, and outcome quality. They need retraining triggers, rollback protocols, remediation logs, and playbooks for common AI control failures. COSO also makes the excellent point that in probabilistic systems, control failure may no longer be a simple pass-fail matter. Organizations may need multi-metric tolerance ranges across dimensions such as accuracy, bias, leakage, explainability, and change velocity.
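What a multi-metric tolerance range looks like in practice is easier to see than to describe. The block below is an added illustration, not from the COSO paper or this site: it scores one reviewed batch of outputs from a hypothetical GenAI alert-triage assistant on precision, recall and a leakage rate, compares each against a warn band and a rollback band, and reports the worst status as the decision. The tolerances, the sample batch and the sensitive-token pattern are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tolerance:
    """Tolerance band for one metric: crossing 'warn' triggers review,
    crossing 'rollback' triggers the rollback protocol."""
    warn: float
    rollback: float
    higher_is_better: bool


# Hypothetical tolerance ranges for the triage assistant (constructed).
TOLERANCES = {
    "precision": Tolerance(warn=0.85, rollback=0.75, higher_is_better=True),
    "recall": Tolerance(warn=0.90, rollback=0.80, higher_is_better=True),
    "leakage": Tolerance(warn=0.00, rollback=0.05, higher_is_better=False),
}

# Constructed stand-in for a sensitive identifier (US-SSN-shaped token).
SENSITIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed reviewed batch: (assistant flagged it, reviewer confirmed it).
# 14 true positives, 2 false positives, 3 misses, 11 correct dismissals.
REVIEWED = [(True, True)] * 14 + [(True, False)] * 2 + [(False, True)] * 3 + [(False, False)] * 11

# Constructed output texts for the same batch; one of them echoes an identifier.
OUTPUTS = ["Alert: vendor matched a watchlist entry; escalate to analyst."] * 29 + [
    "Alert: reviewer note references 123-45-6789; escalate to analyst."
]

SEVERITY = {"pass": 0, "warn": 1, "rollback": 2}


def precision_recall(reviewed):
    tp = sum(1 for flagged, confirmed in reviewed if flagged and confirmed)
    fp = sum(1 for flagged, confirmed in reviewed if flagged and not confirmed)
    fn = sum(1 for flagged, confirmed in reviewed if not flagged and confirmed)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def leakage_rate(outputs):
    """Fraction of outputs that carry a sensitive token."""
    return sum(1 for text in outputs if SENSITIVE.search(text)) / len(outputs)


def status(value, tol):
    """Place a metric value inside its tolerance band."""
    def worse_than(edge):
        return value < edge if tol.higher_is_better else value > edge
    if worse_than(tol.rollback):
        return "rollback"
    if worse_than(tol.warn):
        return "warn"
    return "pass"


def evaluate(reviewed, outputs, tolerances=TOLERANCES):
    """Score the batch on every dimension; the decision is the worst single status."""
    precision, recall = precision_recall(reviewed)
    metrics = {"precision": precision, "recall": recall, "leakage": leakage_rate(outputs)}
    statuses = {name: status(value, tolerances[name]) for name, value in metrics.items()}
    decision = max(statuses.values(), key=SEVERITY.__getitem__)
    return {"metrics": metrics, "statuses": statuses, "decision": decision}


if __name__ == "__main__":
    # Expected: precision passes, recall and leakage warn, decision "warn".
    print(evaluate(REVIEWED, OUTPUTS))
```

Precision here is 0.875 and passes, while recall (about 0.82) and leakage (one output in thirty) each land in the warn band, so the batch is neither a clean pass nor a rollback; it is a remediation-log entry with a named dimension to investigate. Any single leak warns because the leakage warn edge is zero, and 5% of outputs leaking would trigger rollback regardless of how good precision and recall look.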

That is a sophisticated and realistic view. Compliance teams should take it seriously because it reflects the world we are moving into. AI control effectiveness will not be judged solely by whether a control exists on paper. It will be judged by whether the organization can show that it monitors performance, investigates deviations, remediates failures, and adapts as the technology changes.

The Bottom Line

The real genius of the COSO GenAI framework is that it takes AI out of the abstract and puts it where it belongs: inside the machinery of governance. It turns the conversation from “Do we have an AI policy?” to “Do we have effective internal control over AI use?” That is a far better question.

For compliance officers, the action items are clear. Inventory your GenAI use cases. Classify them by capability. Identify owners. Assess risk dynamically. Put human review where the stakes justify it. Govern prompts and configurations as controlled assets. Monitor continuously. And do not let your AI strategy outrun your control environment.

Because in the end, the organizations that benefit most from GenAI will not be the ones that moved fastest with the fewest guardrails. They will be the ones who figured out how to innovate with discipline. That is not bureaucracy. That is a competitive advantage.

Categories
Daily Compliance News

Daily Compliance News: March 16, 2026, The Fighting Corruption ‘Not Worth It’ Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Rapper who fought corruption set to become Nepal’s PM. (CNN)
  • EDNY says fighting the appeal of the FIFA corruption case is not worth the resources. (Reuters)
  • UBS settles long-running whistleblower case. (Reuters)
  • Judge questions DOJ’s decision to drop Halkbank AML case. (Bloomberg)
Categories
FCPA Compliance Report

FCPA Compliance Report: SDNY’s New Policy on Declinations

In this episode, Tom Fox welcomes back Hughes Hubbard partner Mike DeBernardis to discuss the Southern District of New York’s new corporate enforcement voluntary self-disclosure program for financial crimes and why SDNY leadership, including Jay Clayton, likely issued it: to encourage self-disclosure that saves enforcement resources and supports DOJ’s focus on individual accountability.

They compare the policy to DOJ’s (former) Corporate Enforcement Policy, highlighting notable distinctions such as SDNY’s narrower scope (financial/market integrity offenses) and a revised approach to aggravating factors that excludes common CEP considerations like seriousness, pervasiveness, and senior management involvement, while carving out categories including foreign bribery and sanctions evasion, potentially reducing forum shopping. They also examine the policy’s “conditional declination,” available within two to three weeks, its implications for investigation speed and timeliness, and the added pressure from whistleblower programs and compressed internal triage timelines.

Key highlights:

  • Why SDNY Issued It
  • SDNY Significance
  • Aggravating Factors Shift
  • Does It Move the Needle
  • Conditional Declination Speed
  • Whistleblowers and Pressure

Resources:

Hughes Hubbard & Reed

Mike DeBernardis on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
AI Today in 5

AI Today in 5: March 16, 2026, The Who Owns the Decision Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5. All from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI boosts brainstorming. (Earth.com)
  2. The AI Imperative. (Wolters Kluwer)
  3. Who owns compliance decisions? (FinTech Global)
  4. AI opens a new front in the hospitals v. insurers battle. (Reuters)
  5. Embodied AI for manufacturing. (FinanceMagnates)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

The GenAI Playbook for Compliance

There is a question I continue to hear from compliance professionals, boards, and senior executives alike: “When will generative AI finally be good enough for us to trust it?” As Bharat Anand and Andy Wu argue in their recent Harvard Business Review article, The GenAI Playbook for Organizations, this is the wrong question.

The better question, and the one every Chief Compliance Officer should be asking right now, is this: “Where can we use GenAI effectively today, with the right controls, to make our compliance program more efficient, more resilient, and more business relevant?” This is their core insight, and they argue that leaders should stop obsessing over whether GenAI is perfect and instead focus on where it can create value now and how strategy, not speed alone, wins.

For the compliance profession, that insight lands with particular force. We are not in the business of chasing shiny objects. We are in the business of managing risk, enabling growth, and preserving trust. GenAI is not a parlor trick. It is becoming an operating reality. The question is no longer whether compliance should engage. The question is whether compliance will lead with discipline or lag while the business adopts AI without it.

Stop Asking Whether AI Is Smart. Start Asking Where Errors Matter.

One of the most useful contributions of the article is its simple yet powerful framework: evaluating GenAI use cases through two lenses. First, what is the cost of error? Second, does the task rely primarily on explicit data or on tacit human judgment? That is gold for compliance.

Too many organizations still evaluate AI in sweeping, binary terms. Either they think it is magical or too dangerous to touch. Neither position is helpful. Compliance officers need a more operational lens. We need to break work into tasks and then ask where automation is appropriate, where human oversight is essential, and where human judgment must remain firmly in control. That is exactly how mature compliance programs should approach GenAI. Not with ideology. With risk assessment.

The “No Regrets” Zone for Compliance

The article identifies a “no regrets” zone: low cost of error, explicit knowledge, and high potential for immediate deployment. Examples include summarizing documents, screening resumes, or handling routine inquiries. In compliance, many early wins live here.

Think about policy summarization, training-content adaptation, meeting-note extraction, initial hotline trend coding, third-party questionnaire triage, basic control documentation, and first-draft responses to routine business questions. None of these tasks should be delegated blindly. But many can be accelerated responsibly.

For instance, a compliance team buried under requests from procurement, HR, sales, and legal can use GenAI to produce first-pass summaries of policies, draft FAQs, organize issue logs, and identify recurring themes from employee questions. That does not replace the compliance professional. It frees that professional to focus on what matters most: judgment, influence, escalation, and strategic problem-solving.

This is where many compliance teams have been and continue to be too timid. They have waited for perfection in a space where perfection was never the benchmark. The benchmark should be whether the tool improves speed, lowers administrative friction, and allows compliance personnel to move up the value chain.

The “Quality Control” Zone Is the Compliance Sweet Spot

The article also identifies a “quality control” zone, where the knowledge is explicit but the cost of error is high. In those cases, GenAI can do substantial work, but humans must verify, review, and retain accountability. The authors cite legal drafting, software development, and financial due diligence as examples. That is the very heartland of compliance.

Consider sanctions screening narratives, third-party due diligence memos, internal investigation chronologies, risk assessment documentation, compliance testing workpapers, and board reporting drafts. These are exactly the kinds of tasks where GenAI can accelerate the heavy lifting, but should never be the final word.

This is also where compliance can bring discipline to the rest of the enterprise. The business may want speed. Compliance must insist on verified speed. A practical model is straightforward:

GenAI drafts → humans review → controls document → leaders own.

That is not anti-innovation. That is responsible innovation. It is also consistent with what regulators increasingly expect: not the absence of AI, but governance around its use. Whether one looks to the DOJ’s emphasis on effective controls and continuous improvement in the Evaluation of Corporate Compliance Programs, the NIST AI Risk Management Framework, or the growing global focus on AI governance, the message is the same: effective AI governance requires continuous improvement. If your company uses AI in a consequential process, you had better know where it is being used, who is checking it, what data feeds it, and how errors are caught.

The “Human-First” Zone Must Stay Human

The article is particularly strong in its warning about tasks that require tacit knowledge and carry a high cost of error: strategy, sensitive personnel decisions, crisis leadership, and other matters where judgment, ethics, and context are central. In those cases, GenAI may support, but it should not decide. Compliance professionals should print that out and tape it to the wall.

Some activities must remain human-led. Decisions about discipline, executive accountability, remediation after a serious investigation, disclosure strategy, culture assessment, or whether a business relationship “feels wrong” despite facially acceptable paperwork are not suitable for AI-driven decision-making. They require experience, intuition, moral clarity, and often courage.

That does not mean AI has no role. It can assemble facts, surface patterns, propose draft communications, and model possible outcomes. But it cannot own the judgment. In a compliance function, the more consequential the decision, the more important it is that a human being stands behind it. That is not nostalgia. That is governance.

Broad Access Without Chaos

One of the article’s more provocative arguments is that organizations should mandate broad access to GenAI tools because value creation begins when employees can experiment and discover useful applications. At the same time, the authors warn of bottlenecks that trap innovation in slow approval processes. I agree with the spirit of that point, but from a compliance perspective, there must be an important qualifier: broad access does not mean unmanaged access. This is where the compliance function can truly be a business enabler. Compliance should not be the department of “no AI.” It should be the department of “safe AI at scale.” That means several things.

  1. Build a risk-based use policy for GenAI. Employees need clear guidance on prohibited uses, approved tools, escalation triggers, and data-handling requirements.
  2. Classify use cases. Not every AI use case deserves the same scrutiny. A tool for drafting a training outline is not the same as a tool for assessing third-party bribery risk.
  3. Establish review protocols. High-risk outputs require human validation, documented sign-off, and, in some cases, legal or compliance approval.
  4. Train broadly and repeatedly. AI governance cannot live in a PDF on an intranet site. It has to be operationalized through real examples and practical scenarios.
  5. Monitor and improve. If GenAI is being used across the enterprise, compliance should have visibility into where, how, and with what effect.

That is what a mature AI governance program looks like. It is also the same risk management protocol that every compliance professional uses daily.

Data Is the Real Compliance Story

Another important insight from the article is that competitive advantage will come not merely from adopting GenAI but from pairing it with proprietary data, redesigned workflows, and complementary organizational assets. The authors emphasize centralizing data, identifying what data is not yet being collected, and redesigning the organization around AI-enabled learning loops. For compliance, this should be a wake-up call.

Most compliance functions are sitting on a treasure trove of underused data: hotline reports, training metrics, policy attestations, third-party files, gifts and entertainment data, investigation outcomes, audit findings, HR trends, distributor analytics, and culture survey results. Yet in many companies, that information remains fragmented across systems and functions.

If compliance wants to be strategic in the AI era, it has to take data architecture seriously, not simply for reporting, but for insight. The future compliance advantage will go to organizations that can connect signals across functions and convert them into earlier detection, smarter resource allocation, and more tailored interventions. In other words, the future of compliance is not just controls. It is controls plus intelligence.

Three Questions Every CCO Should Ask This Week

So, where does this leave the compliance officer trying to lead in real time? I suggest three immediate questions. First, which compliance tasks are in the “no regrets” zone and should be piloted now? Second, which tasks sit in the “quality control” zone and require a formal human-in-the-loop process? Third, which decisions are so consequential, contextual, or values-laden that they must remain unmistakably human-first?

If you cannot answer those questions, your company does not yet have a GenAI compliance strategy. It has experimentation without governance or caution without direction. Neither is sustainable.

The GenAI era will not reward the fastest organization. It will reward the organization that best aligns technology, governance, data, and human judgment. That is the compliance challenge. It is also a compliance opportunity. Compliance has always been about more than preventing misconduct. At its best, it helps a company make better decisions, allocate trust wisely, and compete with integrity. GenAI does not change that mission. It sharpens it. The playbook is here. The real question is whether compliance will run it.

Categories
Sunday Book Review

Sunday Book Review: March 15, 2026, The Great Books in March Edition

In the Sunday Book Review, Tom Fox considers books that would interest compliance professionals, business executives, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest Tom. In this episode, we look at 4 top books released in March as reported by the New York Times.

  1. Stay Alive by Ian Buruma
  2. How Flowers Made Our World by David George Haskell
  3. Salt Lakes by Caroline Tracey
  4. A Scandal in Konigsberg by Christopher Clark

Resources:

27 New Books to Read in March

Categories
AI Today in 5

AI Today in 5: March 13, 2026, The KYA Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5. All from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. From KYC to Know Your Agent. (PYMNTS)
  2. Big Tech’s entire AI operations under EU scrutiny. (Bloomberg)
  3. Using Napier AI in transaction monitoring. (FinTechGlobal)
  4. Retail banks are putting AI to use. (BCG)
  5. Embodied AI for manufacturing. (Automate)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.