Categories
Trekking Through Compliance

Trekking Through Compliance: Episode 3 – Compliance Lessons from Where No Man Has Gone Before

In this episode of Trekking Through Compliance, we consider Where No Man Had Gone Before, which aired on September 22, 1966, Star Date 1312.4. In this episode of Trekking Through Compliance, we board the Enterprise as it breaches the edge of the galaxy and the boundaries of ethical power. When a mysterious force transforms navigator Gary Mitchell into a godlike being with unchecked telepathic powers, his rapid descent into tyranny serves as a sobering metaphor for the compliance professional. With rising powers come rising risks, and Kirk must choose between loyalty to a friend and duty to his crew. Today, we explore five key compliance takeaways from Where No Man Has Gone Before, showing how early-stage risks, power imbalances, and ethical hesitations can transform even trusted employees into existential threats to your organization.

Story

This is the first Star Trek episode produced (not counting the pilot episode, The Cage), although not the first to air. It differs from subsequent episodes in that there is no “Space, the final frontier” voice-over during the theme song at the beginning.

The Enterprise discovers a 200-year-old ship recorder from the SS Valiant near the galaxy’s edge. Shortly after, the Enterprise passes through an unknown phenomenon that causes major damage and knocks out navigators Gary Mitchell and Dr. Elizabeth Dehner (both of whom have high ESP ratings). When Gary recovers, he begins to acquire telepathic and telekinetic powers. Kirk, alarmed at the prospect of having his ship taken over by an increasingly powerful and tyrannical Mitchell, is convinced by Spock to maroon Mitchell at the lithium cracking plant of Delta Vega. Dr. Piper has no explanation for what is happening. Gary kills Lee Kelso and escapes from his imprisonment. Kirk follows him and can destroy him with the help of Dr. Dehner, who is also beginning to acquire the power but kills herself in the process.

Key highlights:

1. Emerging Risks – Early Signs Should Trigger Action, Not Complacency

🖖 Illustrated by: Gary Mitchell’s glowing eyes and ESP abilities appearing shortly after the Enterprise crosses the galactic barrier.

The moment Mitchell begins reading faster, manipulating objects, and demonstrating control over ship systems, it’s clear something’s wrong. But initial responses are muted—as in many corporate environments, where emerging risks are downplayed. Compliance teams must be trained to treat anomalies seriously, regardless of the individual’s charisma or seniority.

2. Leadership and Ethical Courage – Friendship vs Responsibility

🖖 Illustrated by: Kirk’s emotional struggle to deal with Mitchell, his long-time friend.

Kirk hesitates, understandably so, because of his relationship with Mitchell. But ultimately, he chooses duty over sentiment. Compliance officers are often put in a similar spot: when someone close to leadership violates ethical norms, will the organization act? Ethical courage means prioritizing institutional integrity over personal comfort.

3. Power Without Accountability – Why Guardrails Matter

🖖 Illustrated by: Mitchell’s growing powers and his assertion of superiority over the crew.

With no checks on his abilities, Mitchell quickly develops a god complex. This is a chilling representation of what happens when key employees—CFOs, procurement officers, or engineers—operate without oversight. Just because someone is brilliant or “indispensable” doesn’t mean they’re beyond the reach of your compliance program.

4. Escalation Protocols and the Role of Outside Advisers

🖖 Illustrated by: Spock’s insistence that Mitchell be isolated and marooned.

Spock serves as outside counsel—offering unemotional advice grounded in logic. Every company needs this voice. Internal politics often cloud judgment; a good compliance officer, like Spock, keeps the focus on what must be done to protect the enterprise. His advice to act decisively is what ultimately saves the crew.

5. Shared Risk and Collective Action – The Role of Allies in Enforcement

🖖 Illustrated by: Dr. Dehner’s decision to sacrifice herself to stop Mitchell.

Dehner, who initially defends Mitchell, comes to see the threat he poses and joins Kirk in neutralizing him. Her journey mirrors that of employees who shift from enabling bad behavior to becoming whistleblowers or allies in enforcement. Compliance success depends on empowering people like Dehner to act before it’s too late.

Final StarLog Reflections

Where No Man Has Gone Before gives us a blueprint for compliance at the edge of the unknown. It reminds us that rapid change, whether from new tech, new hires, or new business environments, demands rapid, courageous compliance responses. Waiting too long to act can mean the difference between course correction and catastrophe.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Fiona is an AI-generated voice

Categories
Blog

From the Tower of Babel to the Boardroom: Part 3 – Shadow AI and Internal Controls

Shadow AI is the internal-controls problem of the artificial-intelligence age.

It is not hard to understand why employees use AI tools without waiting for formal approval. These tools are fast, accessible, practical, and often embedded into platforms employees already use. A business development professional may use AI to draft a proposal. A lawyer may use it to summarize a contract. A finance employee may use it to analyze a spreadsheet. A compliance analyst may use it to review due diligence materials. A manager may use it to draft performance feedback. The use case may be productive. The intent may be benign. The risk may still be real.

That is the compliance challenge. Shadow AI is not simply unauthorized technology use. It is ungoverned decision support, unapproved data transfer, undocumented reliance, uncontrolled output, and untested automation. It poses risks to confidentiality, privilege, privacy, intellectual property, cybersecurity, employment decisions, books and records, third-party management, investigations, and board reporting. Most importantly, it creates a visibility gap. The company cannot govern what it cannot see.

In the first post in this series, we used Magnifica Humanitas to frame the choice between Babel and Nehemiah. In the second post, we moved from principle to program design and argued that AI governance should be embedded in the compliance program. Now we turn to the first practical test: whether the company can convert hidden AI use into governed AI use.

The Magnifica Humanitas Lesson: Opaque Power Is a Governance Risk

Magnifica Humanitas warns that technology is never neutral in practice because it takes on the characteristics of those who devise, finance, regulate, and use it (Magnifica Humanitas, para. 9). For a corporate audience, that is the first lesson of shadow AI. When employees use AI outside approved channels, the company may not know which technology is being used, what data is being transferred, what outputs are being relied on, or what assumptions are being embedded in business decisions.

The Encyclical also warns that control over platforms, infrastructure, data, and computing power can become concentrated, opaque, and difficult to oversee (Magnifica Humanitas, para. 95). Inside a company, shadow AI creates a similar problem on a smaller but very practical scale. Power shifts away from approved systems, documented workflows, and accountable owners toward individual employees’ practices that may be invisible to legal, compliance, privacy, cybersecurity, internal audit, and the board.

Pope Leo also identifies three risks in private AI use that map directly to employee behavior: the ease of getting results, the impression of objectivity, and the simulation of human communication. He warns that these features can encourage overreliance, ready-made answers, and weakened judgment (Magnifica Humanitas, para. 100). That is exactly why shadow AI matters. The risk is not only that employees use the wrong tool. The greater risk is that employees begin to rely on AI outputs without understanding the assumptions, limitations, data sources, or error rates that underpin them.

From Encyclical Principle to Internal Control Requirement

The corporate translation is straightforward: if AI is never merely technical when it affects rights, opportunities, status, freedom, reputation, or work, then shadow AI cannot be treated as a minor IT exception (Magnifica Humanitas, para. 102). It is a governance issue. It is a control issue. It is a compliance issue.

Magnifica Humanitas says responsibility must be clearly defined at every stage, including those who design, develop, use, and rely on AI for concrete decisions. Accountability requires the ability to identify who must account for decisions, justify them, monitor them, challenge them, and remedy harm (Magnifica Humanitas, para. 105). In corporate language, that means AI use cases need owners, approvals, controls, escalation paths, incident processes, documentation, and remediation.

The Encyclical also cautions that abstract ethics are not enough. Responsible AI requires rigorous evaluation, independent oversight, informed users, and safeguards capable of governing AI’s effects (Magnifica Humanitas, para. 106). For the CCO, that is the bridge between principles and controls. Shadow AI must be made visible, classified by risk, controlled at the data layer, reviewed by accountable humans, tested by independent functions, and reported to the board.

Shadow AI Is a Control Environment Issue

A company may have an AI policy and still have a shadow AI problem. A policy tells employees what is expected of them. A control tells the company whether the expectation is working.

This is where COSO becomes essential. COSO has warned that generative AI is moving into daily operations faster than traditional governance models anticipated and that internal control must be applied to risks such as uncontrolled adoption, opaque reasoning, prompt manipulation, model drift, cyber exposure, and configuration change. That is the heart of the matter. A memo from legal does not solve the shadow AI problem. It is solved through the control environment.

The company needs to define leadership expectations, conduct risk assessments, establish control activities, ensure information and communication, and implement monitoring. Those are not technology terms. They are governance terms. The CCO should work with legal, IT, cybersecurity, privacy, HR, procurement, internal audit, and the business to create a practical AI control structure. The first line should own the business use case. The second line should set standards, review risk, and monitor compliance. The third line should test design and operating effectiveness. The board should receive reports showing whether the system is working.

The DOJ ECCP Question

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) now asks how companies identify and manage emerging risks, including new technologies such as AI. It asks how companies govern AI in commercial operations and in the compliance program, how they monitor reliability and trustworthiness, how they limit AI to intended uses, how they preserve human decision-making, how accountability is assigned, and how employees are trained.

That logic tracks closely with Magnifica Humanitas. Pope Leo supplies the accountability mandate; the DOJ supplies the compliance program test. If responsibility must be defined and harm must be capable of challenge and remediation, then the company must be able to show that AI tools are known, approved, monitored, limited to intended uses, and subject to human oversight (Magnifica Humanitas, para. 105).

A company with uncontrolled shadow AI has a predictable compliance problem. It may not be able to show that it has identified an AI risk. It may not be possible to demonstrate that employees were effectively trained. It may not be possible to show that AI tools are limited to intended uses. It may not be possible to demonstrate that human review is in place for consequential decisions. It may not be able to show that compliance has visibility into AI use. For the CCO, the question is direct: can we explain how AI is actually being used in the company or only how we hope it is?

From Prohibition to Governed Use

The wrong response to shadow AI is a blanket prohibition that employees ignore. AI is here to stay. Employees will use it because it saves time and improves work product. The better response is governed adoption.

The company should begin with an AI use-case inventory. This should capture approved tools, embedded AI in existing platforms, vendor-provided AI, internally developed AI, pilot projects, and employee use of public tools. It should identify the business owner, purpose, data used, vendor involved, risk rating, approval status, required human review, and applicable controls.

Next, the company should create a clear classification model. Low-risk uses, such as drafting generic internal communications, may require basic training and disclosure. Medium-risk uses, such as summarizing non-sensitive business materials, may require approved tools and data restrictions. High-risk uses, such as employment decisions, customer eligibility, financial reporting, investigations, regulated communications, or third-party risk scoring, should require formal review, documented controls, human oversight, and periodic testing.

NIST’s AI Risk Management Framework provides useful architecture through its Govern, Map, Measure, and Manage functions. ISO/IEC 42001 provides the management-system approach, including policies, responsibilities, risk management, transparency, monitoring, performance evaluation, corrective action, and continual improvement. For shadow AI, these frameworks point to the same conclusion as the Encyclical: move from ad hoc use to structured accountability.

The Controls That Matter

A defensible shadow AI control program should include several core elements.

First, the company needs an approved tools list and a prohibited tools list. Employees should know what is permitted, what is restricted, and what is banned.

Second, the company needs data controls. Employees should not place confidential information, personal data, trade secrets, privileged information, customer data, source code, or sensitive business information into unapproved AI tools. Magnifica Humanitas warns that data and digital infrastructure can become new forms of power when control is concentrated and opaque (Magnifica Humanitas, paras. 108-109). Data governance is therefore not an administrative detail. It is the foundation of responsible AI controls.

Third, the company needs approval workflows for high-risk use cases. The higher the risk, the more formal the review should be.

Fourth, the company needs human review and recourse. AI should support judgment, not replace it. For consequential decisions, a person must remain accountable, and affected individuals should have a channel to challenge errors. This reflects the Encyclical’s insistence that decisions should be capable of justification, monitoring, challenge, and remedy (Magnifica Humanitas, para. 105).

Fifth, the company needs to be monitored and tested. Internal audit should be able to test whether employees are following the policy, whether approved tools are operating within scope, and whether exceptions are remediated.

Finally, the company needs an AI incident process. Employees should know how to report accidental data disclosure, hallucinated output, inappropriate reliance, biased output, suspected vendor misuse, or unauthorized AI use. The goal should not be punishment first. The goal should be visibility, correction, and learning.

5 Lessons for the CCO
  1. Govern what employees actually use, not merely what policy permits. The first step is visibility. Create a process for employees and business units to disclose AI use without fear that each disclosure will trigger disciplinary action.
  2. Control data before it leaves the enterprise. The most immediate shadow AI risk is often data leakage. Define prohibited data categories, approved tools for sensitive information, and vendor restrictions on model training or reuse.
  3. Assign accountability at every stage. Every material AI use case should have a business owner, a risk owner, a control owner, an approval status, a review cycle, and an escalation path.
  4. Require human review and recourse for consequential uses. AI can assist, summarize, flag, and recommend. It should not replace accountable human judgment where rights, opportunities, employment, reputation, or legal obligations are involved.
  5. Test, remediate, and report evidence. AI governance must generate proof. Monitor usage, test controls, track incidents, remediate exceptions, and report meaningful metrics to the board.
Conclusion: Hidden Use Must Become Governed Use

Shadow AI is the modern Babel inside the corporation. It may look productive, efficient, and innovative. Yet if it operates without transparency, accountability, controls, or human judgment, it creates a structure the company does not understand and cannot govern.

Magnifica Humanitas reminds us that technology must remain at the service of the human person and not become a system of invisible control (Magnifica Humanitas, para. 171). That principle becomes real in the compliance program through internal controls. CCOs should help the company transition from hidden use to governed use.

In the next post, we will move from the hidden use of AI to the broader question of trust. We will examine AI, Truth, and Corporate Trust, and consider how synthetic content, misinformation, deepfakes, false documentation, and AI-generated narratives create a new compliance risk for boards, management, and the CCO.

Categories
Great Women in Compliance

Great Women in Compliance: Wildly Effective, 10 Years Later

Author and compliance professional Kristy Grant-Hart on the 10th anniversary of her book. 

Sarah Hadden sits down with Kristy Grant Hart to discuss the 10th anniversary edition of her influential book, How to Be a Wildly Effective Compliance Officer. They explore how the compliance profession has evolved over the past decade — from a rules-and-regulations mindset toward a more human-centered approach grounded in influence, resilience, storytelling, and leadership.

They also dig into some of the book’s more debated ideas, including personal branding, visibility, networking, and whether being “wildly effective” requires becoming an influencer.

Along the way, they tackle burnout, resilience, AI’s rapidly expanding role and why human judgment remains irreplaceable. This is a candid and energizing conversation about what it really takes to thrive in compliance today — and why the future of the profession is bright.

Categories
Blog

Where No Man Has Gone Before: Power, Ego, and the Ethics of Control

In this episode of Trekking Through Compliance, we consider Where No Man Had Gone Before, which aired on September 22, 1966, Star Date 1312.4. We board the Enterprise as it breaches the edge of the galaxy and the boundaries of ethical power. When a mysterious force transforms navigator Gary Mitchell into a godlike being with unchecked telepathic abilities, his rapid descent into tyranny presents a sobering metaphor for the compliance professional. With rising powers come rising risks, and Kirk must choose between loyalty to a friend and duty to his crew. Today, we explore five key compliance takeaways from Where No Man Has Gone Before, showing how early-stage risk, power imbalances, and ethical hesitation can transform even trusted employees into existential threats for your organization.

Story

This is the first Star Trek episode made (not counting the pilot episode, The Cage), although not the first aired. It differs from subsequent episodes in that there is no “Space, the final frontier” voice-over during the theme song at the beginning.

The Enterprise discovers a 200-year-old ship recorder from the SS Valiant near the galaxy’s edge. Shortly after, the Enterprise passes through an unknown phenomenon that causes major damage and knocks out navigators Gary Mitchell and Dr. Elizabeth Dehner (both of whom have high ESP ratings). When Gary recovers, he begins to acquire telepathic and telekinetic powers. Kirk, alarmed at the prospect of having his ship taken over by an increasingly powerful and tyrannical Mitchell, is convinced by Spock to maroon Mitchell at the lithium cracking plant of Delta Vega. Dr. Piper has no explanation for what is happening. Gary kills Lee Kelso and escapes from his imprisonment. Kirk follows him and can destroy him with the help of Dr. Dehner, who is also beginning to acquire the power but kills herself in the process.

Key highlights:

1. Emerging Risks – Early Signs Should Trigger Action, Not Complacency

🖖 Illustrated by: Gary Mitchell’s glowing eyes and ESP abilities appearing shortly after the Enterprise crosses the galactic barrier.

The moment Mitchell begins reading faster, manipulating objects, and demonstrating control over ship systems, it’s clear something’s wrong. But initial responses are muted—like many corporate environments where emerging risks are downplayed. Compliance teams must be trained to treat anomalies seriously, regardless of the individual’s charisma or seniority.

2. Leadership and Ethical Courage – Friendship vs Responsibility

🖖 Illustrated by: Kirk’s emotional struggle to deal with Mitchell, his long-time friend.

Kirk hesitates—understandably so—because of his relationship with Mitchell. But ultimately, he chooses duty over sentiment. Compliance officers are often put in a similar spot: when someone close to leadership violates ethical norms, will the organization act? Ethical courage means prioritizing institutional integrity over personal comfort.

3. Power Without Accountability – Why Guardrails Matter

🖖 Illustrated by: Mitchell’s growing powers and his assertion of superiority over the crew.

With no checks on his abilities, Mitchell quickly develops a god complex. This is a chilling representation of what happens when key employees—CFOs, procurement officers, or engineers—operate without oversight. Just because someone is brilliant or “indispensable” doesn’t mean they’re beyond the reach of your compliance program.

4. Escalation Protocols and the Role of Outside Advisers

🖖 Illustrated by: Spock’s insistence that Mitchell be isolated and marooned.

Spock serves as outside counsel—offering unemotional advice grounded in logic. Every company needs this voice. Internal politics often cloud judgment; a good compliance officer, like Spock, keeps the focus on what must be done to protect the enterprise. His advice to act decisively is what ultimately saves the crew.

5. Shared Risk and Collective Action – The Role of Allies in Enforcement

🖖 Illustrated by: Dr. Dehner’s decision to sacrifice herself to stop Mitchell.

Dehner, who initially defends Mitchell, comes to see the threat he poses and joins Kirk in neutralizing him. Her journey mirrors that of employees who shift from enabling bad behavior to becoming whistleblowers or allies in enforcement. Compliance success depends on empowering people like Dehner to act before it’s too late.

Final StarLog Reflections

Where No Man Has Gone Before gives us a blueprint for compliance at the edge of the unknown. It reminds us that rapid change, whether from new tech, new hires, or new business environments, demands rapid, courageous compliance responses. Waiting too long to act can mean the difference between course correction and catastrophe.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Categories
Innovation in Compliance

Innovation in Compliance: Data Defensibility: Enterprise Agentic AI: Governance, Auditability, and the AI Gateway Layer with Nikunj Bajaj

Innovation occurs across many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with Nikunj Bajaj, Co-founder & CEO at TrueFoundry, about enterprise agentic AI infrastructure, governance, and hidden costs most organizations are not accounting for.

Nikunj describes TrueFoundry’s platform as a single control plane for enterprises to build, ship, and govern agentic AI applications, inspired by Meta’s internal ML stack, which he says is about a decade ahead of the rest of the industry. He argues enterprises over-focus on model and tool selection when problem definition and effective use are the real constraints. On governance, he identifies two failure modes: avoiding meaningful use cases entirely to sidestep governance risk, or trying to solve all governance problems up front and never reaching ROI. Successful teams implement application-specific controls iteratively, starting with a few high-value use cases rather than hundreds of low-value ones. He highlights that model inference accounts for only about 20% of total generative AI spend, with the majority of spend concentrated in infrastructure, engineering, and debugging, creating cost-allocation and budget-control challenges for compliance teams. For auditability, he argues that an agent without full decision traces is “a liability with an API key,” and walks through how end-to-end tracing enables audit readiness, faster debugging, and proactive attack detection. He closes by advocating centralized control via a unified AI gateway while enabling federated development and tailoring guardrails to whether your exposure surface is external or internal.

Key highlights:

  • Stop Chasing Tools
  • Governance vs Speed
  • Hidden AI Costs
  • Agent Auditability
  • Board Level Priorities

Resources:

Connect with Nikunj Bajaj

Learn More About TrueFoundry

Categories
AI Today in 5

AI Today in 5: June 2, 2026, The Exposing Yourself Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. A compliance gap that can expose your AI systems. (FinTech Global)
  2. CT businesses face new AI law. (HBJ)
  3. Anthropic files to go public. (NYT)
  4. OpenAI sued by FL AG. (WSJ)
  5. Anthropic offers Mythos to the EU. (FT)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Daily Compliance News

Daily Compliance News: June 2, 2026, The Big Trouble Down Under Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • The former Turks and Caicos PM was sentenced to 4 years in prison for corruption. (AP)
  • Storytelling in compliance. (CCI)
  • Another former TD America employee pleads guilty to bribery and corruption. (Washington Times)
  • KPMG Australia Directors agree to reopen the investigation. (SMH)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Trekking Through Compliance

Trekking Through Compliance: Episode 2 – Leadership and Training Lessons from Charlie X

In this episode of Trekking Through Compliance for 2026, we consider leadership and training lessons from Charlie X, which aired on September 15, 1966, Star Date 1533.6.

Story

The USS Enterprise meets the merchant vessel Antares to take charge of Charlie Evans, the sole survivor of a transport ship that crashed on Thasus. For fourteen years, seventeen-year-old Charlie grew up alone, stranded in the wreckage, learning to communicate with the ship’s computer systems, which remained intact.

Despite his eagerness to please, Charlie becomes obnoxious because his lack of upbringing has left him without knowledge of social norms or control over his emotions. He latches on to Captain Kirk as a father figure and develops an infatuation with Yeoman Janice Rand. He demonstrates extraordinary telepathic and matter-transmutation powers. When the Antares is nearly out of sensor range, it transmits a message to the Enterprise. The message is cut off before it can convey a warning. Scanners show that Antares has been reduced to debris.

Realizing Charlie’s powers are too great to be controlled, Kirk opts to divert from Alpha V to at least keep Charlie away from a civilized world where he would wreak havoc. Charlie discovers Kirk’s plans and takes control of the Enterprise.

A Thasian ship approaches and restores the Enterprise and its crew to their proper forms. The Thasian commander says that his race gave Charlie his powers so he could survive in their world, but these powers (which they can’t remove from him) make him too dangerous to live among humans. Charlie begs Kirk not to let the aliens have him since the Thasians lack any physical form or capacity for love. However, the Thasians reject Kirk’s argument that Charlie belongs with his kind, with a final echoing wail of “I wanna stay!

Commentary

The episode explores the story of Charlie Evans, a young man with dangerous telekinetic powers, and draws parallels to modern compliance and mental health issues. Tom discusses the responsibilities that come with power, the importance of training and supervision, handling unpredictable behavior, clear communication, crisis management, and addressing misconduct. He also reflects on recent real-world events, such as the Uvalde school shooting and the challenges of addressing mental health in compliance programs.

Key highlights:

1. The Responsibilities of Power—Strength Without Structure

🖖 Illustrated by: Charlie turning crew members into nothingness when they anger him.

Charlie is gifted with tremendous abilities but lacks any ethical framework or boundaries. This is a vivid metaphor for what happens when individuals inside an organization gain influence or access without training or accountability. Think of an unmonitored executive with access to financial controls or an engineer with override access but no compliance training—a ticking time bomb.

2. Training and Supervision—It’s Not Optional, It’s Essential

🖖 Illustrated by: Kirk’s attempt to guide Charlie and his later regret at not recognizing the full scope of the risk.

Charlie’s guardianship was left to chance: no proper onboarding, no safety protocols. Sound familiar? In corporate compliance, onboarding isn’t just about day one—it’s about culture shaping. Organizations must ensure that individuals with a higher risk potential receive both guidance and oversight from the outset.

3. Unpredictable Behavior and Ethical Culture—From Red Flag to Alarm Bell

🖖 Illustrated by: Charlie’s mood swings and escalating aggression, which are repeatedly ignored until it’s too late.

The crew notices early signs—jealousy, possessiveness, emotional outbursts—but tolerates them. This reflects the real-world danger of brushing off early signs of a toxic culture. A strong compliance function identifies behavioral red flags before they escalate into corporate crises.

4. Communication and Escalation Protocols—Say Something, Do Something

🖖 Illustrated by: Janice Rand’s discomfort and unease around Charlie, which she initially tries to manage on her own.

Rand’s growing fear underscores the difficulty of speaking up, especially when someone powerful appears to be protected. Her reluctance reminds us that a speak-up culture is not automatic. Companies must establish genuine channels for complaints, empower employees to utilize them, and respond promptly and transparently.

5. Crisis Management—Too Late is Still Too Late

🖖 Illustrated by: The crew’s loss of control over the Enterprise, forcing alien intervention to remove Charlie.

The crew fails to contain the situation internally. It takes external, godlike beings to restore order—a cautionary tale for compliance leaders. If a company waits until the crisis has gone public or regulatory bodies step in, internal credibility is lost. Crisis planning and early intervention are crucial in protecting the organization before outside authorities are required to intervene.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Categories
Blog

From the Tower of Babel to the Boardroom: Part 2 – AI Governance Is a Compliance Issue

In the first post in this series, we used Magnifica Humanitas to frame the choice facing every board and compliance leader in the age of artificial intelligence. Companies can build a new Tower of Babel, driven by speed, scale, efficiency and power without adequate governance. Or they can follow the path of Nehemiah, rebuilding with discipline, shared responsibility, accountability and the human person at the center. That choice now moves from principle to program design.

AI governance cannot remain in the innovation lab, the IT department or the digital transformation office. It belongs inside the compliance program. Not because compliance should own every AI decision, and not because the CCO should become the chief technologist. AI governance belongs in compliance because AI creates the very risks compliance programs are designed to manage: legal risk, ethical risk, data risk, third-party risk, culture risk, internal controls risk, reporting risk, investigation risk and board oversight risk.

Magnifica Humanitas makes this point in moral language. Pope Leo writes that the use of AI is never a purely technical matter when it enters processes that affect people’s lives, rights, opportunities, status and freedom (Magnifica Humanitas, ¶102). For the modern compliance professional, that is familiar terrain. These are the risks an effective compliance program must identify, assess, control, monitor and remediate.

AI Is Not an Adjacent Risk

The first mistake companies make is treating AI as an adjacent risk. The business says AI is a productivity tool. IT says AI is a systems issue. Legal says AI is a regulatory issue. Privacy says AI is a data issue. Cybersecurity says AI is an access issue. HR says AI is a workforce issue. Internal audit says AI is a control issue. Procurement says AI is a vendor issue. They are all correct.

That is precisely why AI governance must be cross-functional, risk-based and integrated into the compliance program. AI does not respect organizational charts. It moves through data, workflows, vendors, platforms, communications, decisions and employee behavior. It may be embedded inside software already used by the company. Employees may adopt it without formal approval. Vendors may deploy it before procurement or legal fully understands how the tool works. It may be used by compliance itself for monitoring, investigations, hotline triage, third-party due diligence, sanctions screening or training.

The DOJ Has Already Put AI on the Compliance Agenda

The Department of Justice has made clear that AI is now part of compliance program evaluation. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether a company has a process for identifying and managing emerging risks, including risks related to new technologies such as AI. It asks how the company assesses the impact of AI on compliance with criminal laws, whether AI risk is integrated into enterprise risk management, how the company governs AI in commercial operations and in the compliance program, whether controls monitor trustworthiness and reliability, whether AI is limited to intended uses, what human decision-making baseline is used, how accountability is enforced and how employees are trained.

This is where the Encyclical and the ECCP align. Pope Leo calls for responsibility to be clearly defined at every stage, from those who design and develop AI systems to those who use them and rely on them for concrete decisions (Magnifica Humanitas, ¶105). The DOJ asks whether the company has translated that responsibility into risk assessment, controls, testing, training and accountability.

For CCOs, the message is direct. AI governance should be reflected in the risk assessment, policies and procedures, training, third-party risk management, internal controls, monitoring, investigations, discipline, incentives and board reporting. A company that cannot explain how it governs AI will struggle to demonstrate how its compliance program keeps pace with the business.

The CCO’s Role in AI Governance

The CCO does not need to own AI. The CCO does need a seat at the table. Compliance should inform the design of the company’s AI governance model. That model should include a cross-functional AI governance committee with representation from compliance, legal, privacy, cybersecurity, IT, HR, internal audit, procurement, finance and the business. It should define approval rights for high-risk use cases. It should establish documentation standards. It should require risk classification. It should identify prohibited uses. It should provide escalation channels for AI incidents and concerns.

This is the corporate version of Nehemiah’s wall. Pope Leo writes that everyone is given a section of the wall and that shared responsibility across disciplines and communities is the way to build for the common good (Magnifica Humanitas, ¶13). AI governance works the same way. Legal cannot do it alone. IT cannot do it alone. Compliance cannot do it alone. The governance model must assign roles so the whole enterprise can rebuild with discipline.

The CCO should also insist on an inventory of AI use cases. This is the foundational control. The company cannot govern what it cannot see. The inventory should include the business owner, tool name, vendor, purpose, data categories, decision impact, risk rating, applicable policies, human review requirements, testing history, approval date, renewal date and control owner.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. The Encyclical does not give companies an AI procedure manual. It gives them governing principles. The compliance task is to translate those principles into requirements that can be owned, tested, evidenced and improved. Pope Leo is explicit that digital processes should not be imposed from above in opaque or unilateral ways, but should be directed toward the common good with transparency, accountability, meaningful participation, independent checks, algorithmic transparency, equitable access to data and avenues for recourse (Magnifica Humanitas, ¶71).

Human dignity becomes human impact assessment and human review. The common good becomes enterprise risk governance and stakeholder impact. Subsidiarity becomes cross-functional participation, with decisions made close enough to the risk to be informed and accountable. Solidarity becomes attention to affected employees, customers, communities and vulnerable populations. Social justice becomes bias testing, access, recourse and a refusal to let opaque systems create hidden exclusion.

NIST AI RMF and ISO/IEC 42001 as Practical Architecture

Two frameworks can help compliance leaders translate AI principles into program structure. They give operational force to Pope Leo’s warning that it is not enough to invoke ethics in the abstract. He instead calls for robust frameworks, independent oversight, informed users, and institutions capable of governing AI’s effects (Magnifica Humanitas, ¶106). That is precisely the move compliance must make, from AI principles to an AI management system.

The NIST AI Risk Management Framework organizes AI risk management around four functions: Govern, Map, Measure and Manage. For compliance leaders, that is highly practical. Govern means the company has assigned authority, accountability, policies and risk appetite. Map means the company understands the context, purpose, users, affected stakeholders and potential impact of each AI use case. Measure means the company evaluates performance, reliability, bias, data quality, security and control effectiveness. Manage means the company prioritizes risks, implements controls, monitors outcomes, remediates problems and documents decisions.

ISO/IEC 42001 provides a management system model. It focuses on establishing, implementing, maintaining and continually improving an AI management system. For a compliance program that supplies the discipline of policy, objectives, roles, processes, risk assessment, controls, monitoring, performance evaluation, corrective action and continual improvement.

From Policy to Controls

A policy is necessary, but it is not sufficient. A company can have a well-written AI policy and still have a weak AI governance program. The issue is whether the policy has an operational effect.

Pope Leo explains why. Technology is never neutral because it takes on the characteristics of those who devise, finance, regulate and use it (Magnifica Humanitas, ¶9). He later adds that every technical tool embodies choices and priorities through what it measures, what it ignores, what it optimises, and how it classifies people and situations (Magnifica Humanitas, ¶104). For compliance, this means the control environment must cover design, data, use, monitoring, output, and remediation.

COSO has warned that generative AI poses risks of cyber exposure, prompt manipulation, opaque reasoning, model drift, and frequent configuration changes that can affect operations, reporting, and compliance if not addressed with robust internal controls. That is the compliance challenge. AI governance must become a control activity.

Compliance Can Use AI Responsibly

Compliance should not stand outside the AI transformation. AI can help compliance become more effective. It can identify patterns in transactional data. It can assist with third-party risk scoring. It can support sanctions screening. It can help analyze hotline trends. It can improve training design. It can help prioritize monitoring. It can summarize large document sets in investigations. It can support control testing.

Magnifica Humanitas is direct on this point. AI may imitate functions of human intelligence, but it does not possess conscience, experience, responsibility or the capacity to judge good and evil (Magnifica Humanitas, ¶99). It can also create excessive reliance, the impression of objectivity and a weakening of personal judgment (Magnifica Humanitas, ¶100). Compliance professionals should use AI, but they should never surrender professional judgment to it. Human primacy remains the central control.

5 Lessons for the CCO
  1. Treat AI as a human dignity and compliance risk. AI is now part of legal, ethical, operational, data, third-party and cultural risk. The Encyclical reminds us that AI affects rights, opportunities, status, and freedom when it enters into consequential decisions (Magnifica Humanitas, ¶102).
  2. Build and maintain an AI inventory because governance begins with visibility. Every AI use case should have an owner, a purpose, a risk rating, a data classification, a control set, an approval status, and a review cycle.
  3. Govern compliance’s own use of AI because accountability starts at home. Compliance should use AI, but it must document purpose, controls, human review, validation and accountability.
  4. Move from policy to controls because technology is never neutral. AI governance requires approval workflows, data restrictions, testing, monitoring, escalation, remediation and auditability (Magnifica Humanitas, ¶9, ¶104).
  5. Report evidence to the board because accountability requires more than aspiration. Boards need dashboards and documentation showing where AI is used, what risks exist, what controls apply, who is accountable and whether the governance program is effective (Magnifica Humanitas, ¶105).
Conclusion: From Governance Principle to Control Discipline

Magnifica Humanitas challenges us to place the human person at the center of technological transformation. For compliance leaders, that means AI must be governed through risk assessment, controls, accountability, transparency, human oversight and evidence. The DOJ ECCP makes clear that prosecutors will ask how companies govern AI in the business and in compliance. NIST AI RMF and ISO/IEC 42001 provide practical architecture for doing so. COSO gives the internal controls discipline.

The compliance profession should embrace AI. It can make compliance more effective, more data-driven and more responsive. But embracing AI does not mean surrendering judgment to it. The right model is not fear. The right model is governed by adoption.

In the next post, we will move from formal AI governance to the most immediate AI control challenge inside many companies: Shadow AI and Internal Controls. Employees are already using AI tools because they are fast, useful and accessible. The compliance question is whether the company can turn hidden use into governed use before shadow AI becomes the next major control failure.

Categories
Blog

Charlie X: Power Without Boundaries – A Compliance Nightmare

Today, we explore the explosive volatility of Charlie X—a story about unchecked power, emotional instability, and the dire consequences of failing to enforce rules and structure. Charlie Evans, a teenage orphan raised by aliens, is taken aboard the Enterprise, possessing extraordinary telekinetic abilities but lacking social training, emotional discipline, and accountability. That combination proves disastrous. We consider how Charlie’s descent into violence mirrors risks faced by compliance professionals when misconduct is ignored, misbehavior is tolerated, and power is given without oversight. In today’s corporate world, “Charlie X” is less about space and more about leadership responsibility, psychological safety, and early intervention.

Key Highlights and Star Trek Case Studies:

1. The Responsibilities of Power—Strength Without Structure

This is illustrated by Charlie turning crew members into nothingness when they anger him.

Charlie is gifted with tremendous abilities but lacks any ethical framework or boundaries. This is a vivid metaphor for what happens when individuals inside an organization gain influence or access without training or accountability. Think of an unmonitored executive with access to financial controls or an engineer with override access but no compliance training—a ticking time bomb.

2. Training and Supervision—It’s Not Optional, It’s Essential

This is illustrated by Kirk’s attempt to guide Charlie and his later regret at not recognizing the full scope of the risk.

Charlie’s guardianship was left to chance, with no proper onboarding and no safety protocols. Sound familiar? In corporate compliance, onboarding isn’t just about day one—it’s about culture shaping. Organizations must ensure that individuals with a higher risk potential receive both guidance and oversight from the outset.

3. Unpredictable Behavior and Ethical Culture—From Red Flag to Alarm Bell

This is illustrated by Charlie’s mood swings and escalating aggression, which are repeatedly ignored until it’s too late.

The crew notices early signs, such as jealousy and possessiveness, but tolerates them. This reflects the real-world danger of brushing off early signs of a toxic culture. A strong compliance function identifies behavioral red flags before they escalate into corporate crises.

4. Communication and Escalation Protocols—Say Something, Do Something

This is illustrated by Janice Rand’s discomfort and unease around Charlie, which she initially tries to manage on her own.

Rand’s growing fear underscores the difficulty of speaking up, especially when someone powerful appears to be protected. Her reluctance reminds us that a speak-up culture is not automatic. Companies must establish genuine channels for complaints, empower employees to utilize them, and respond promptly and transparently.

5. Crisis Management—Too Late is Still Too Late

This is illustrated by the crew’s loss of control of the Enterprise, which forced alien intervention to remove Charlie.

The crew fails to contain the situation internally. It takes external, godlike beings to restore order—a cautionary tale for compliance leaders. If a company waits until the crisis has gone public or regulatory bodies step in, internal credibility is lost. Crisis planning and early intervention are crucial in protecting the organization before outside authorities are required to intervene.

Final ComplianceLog Reflections

Charlie X reminds us that power without oversight is perilous, that emotional and psychological health must be part of our compliance focus, and that red flags must not be ignored simply because they come wrapped in charm or vulnerability. Compliance is not simply about policies, procedures, or even rules but rather readiness, responsiveness, and respect for the human element.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha