Tag: AI Governance

Categories
Blog

From the Tower of Babel to the Boardroom: Part 3 – Shadow AI and Internal Controls

Shadow AI is the internal controls problem of the artificial intelligence age.

It is not hard to understand why employees use AI tools without waiting for formal approval. These tools are fast, accessible, practical, and often embedded into platforms employees already use. A business development professional may use AI to draft a proposal. A lawyer may use it to summarize a contract. A finance employee may use it to analyze a spreadsheet. A compliance analyst may use it to review due diligence materials. A manager may use it to draft performance feedback. The use case may be productive. The intent may be benign. The risk may still be real.

That is the compliance challenge. Shadow AI is not simply unauthorized technology use. It is ungoverned decision support, unapproved data transfer, undocumented reliance, uncontrolled output, and untested automation. It creates risk in confidentiality, privilege, privacy, intellectual property, cybersecurity, employment decisions, books and records, third-party management, investigations, and board reporting. Most importantly, it creates a visibility gap. The company cannot govern what it cannot see.

In the first post in this series, we used Magnifica Humanitas to frame the choice between Babel and Nehemiah. In the second post, we moved from principle to program design and argued that AI governance belongs inside the compliance program. Now we turn to the first practical test: whether the company can convert hidden AI use into governed AI use.

The Magnifica Humanitas Lesson: Opaque Power Is a Governance Risk

Magnifica Humanitas warns that technology is never neutral in practice because it takes on the characteristics of those who devise, finance, regulate, and use it (Magnifica Humanitas, para. 9). For a corporate audience, that is the first lesson of shadow AI. When employees use AI outside approved channels, the company may not know what technology is being used, what data is being transferred, what outputs are being relied upon, or what assumptions are being embedded into business decisions.

The Encyclical also warns that control over platforms, infrastructure, data, and computing power can become concentrated, opaque, and difficult to oversee (Magnifica Humanitas, para. 95). Inside a company, shadow AI creates a similar problem on a smaller but very practical scale. Power moves away from approved systems, documented workflows, and accountable owners into individual employee practices that may be invisible to legal, compliance, privacy, cybersecurity, internal audit, and the board.

Pope Leo also identifies three risks in private AI use that map directly to employee behavior: the ease of getting results, the impression of objectivity, and the simulation of human communication. He warns that these features can encourage overreliance, ready-made answers, and weakened judgment (Magnifica Humanitas, para. 100). That is exactly why shadow AI matters. The risk is not only that employees use the wrong tool. The deeper risk is that employees begin to rely on AI outputs without understanding the assumptions, limitations, data sources, or error rates behind them.

From Encyclical Principle to Internal Control Requirement

The corporate translation is straightforward: if AI is never merely technical when it affects rights, opportunities, status, freedom, reputation, or work, then shadow AI cannot be treated as a minor IT exception (Magnifica Humanitas, para. 102). It is a governance issue. It is a controls issue. It is a compliance issue.

Magnifica Humanitas says responsibility must be clearly defined at every stage, including those who design, develop, use, and rely on AI for concrete decisions. Accountability requires the ability to identify who must account for decisions, justify them, monitor them, challenge them, and remedy harm (Magnifica Humanitas, para. 105). In corporate language, that means AI use cases need owners, approvals, controls, escalation paths, incident processes, documentation, and remediation.

The Encyclical also cautions that abstract ethics are not enough. Responsible AI requires rigorous evaluation, independent oversight, informed users, and safeguards capable of governing AI’s effects (Magnifica Humanitas, para. 106). For the CCO, that is the bridge from principle to controls. Shadow AI must be made visible, classified by risk, controlled at the data layer, reviewed by accountable humans, tested by independent functions, and reported to the board.

Shadow AI Is a Control Environment Issue

A company may have an AI policy and still have a shadow AI problem. A policy tells employees what is expected. A control tells the company whether the expectation is working.

This is where COSO becomes essential. COSO has warned that generative AI is moving into daily operations faster than traditional governance models anticipated and that internal control must be applied to risks such as uncontrolled adoption, opaque reasoning, prompt manipulation, model drift, cyber exposure, and configuration change. That is the heart of the matter. Shadow AI is not solved by a memo from legal. It is solved through the control environment.

The company needs leadership expectations, risk assessment, control activities, information and communication, and monitoring. Those are not technology terms. They are governance terms. The CCO should work with legal, IT, cybersecurity, privacy, HR, procurement, internal audit, and the business to create a practical AI control structure. The first line should own the business use case. The second line should set standards, review risk, and monitor compliance. The third line should test design and operating effectiveness. The board should receive reporting that shows whether the system is working.

The DOJ ECCP Question

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) now asks how companies identify and manage emerging risks, including new technologies such as AI. It asks how companies govern AI in commercial operations and in the compliance program, how they monitor reliability and trustworthiness, how they limit AI to intended uses, how they preserve human decision-making, how accountability is assigned, and how employees are trained.

That logic tracks closely with Magnifica Humanitas. Pope Leo supplies the accountability mandate; the DOJ supplies the compliance program test. If responsibility must be defined and harm must be capable of challenge and remediation, then the company must be able to show that AI tools are known, approved, monitored, limited to intended uses, and subject to human oversight (Magnifica Humanitas, para. 105).

A company with uncontrolled shadow AI has a predictable compliance problem. It may not be able to show that it has identified AI risk. It may not be able to show that employees were trained effectively. It may not be able to show that AI tools are limited to intended uses. It may not be able to show that human review exists where consequential decisions are made. It may not be able to show that compliance has visibility into AI use. For the CCO, the question is direct: can we explain how AI is actually being used in the company, or only how we hope it is being used?

From Prohibition to Governed Use

The wrong response to shadow AI is a blanket prohibition that employees ignore. AI is here to stay. Employees will use it because it saves time and improves work product. The better response is governed adoption.

The company should begin with an AI use-case inventory. This should capture approved tools, embedded AI in existing platforms, vendor-provided AI, internally developed AI, pilot projects, and employee use of public tools. It should identify the business owner, purpose, data used, vendor involved, risk rating, approval status, required human review, and applicable controls.

Next, the company should create a clear classification model. Low-risk uses, such as drafting generic internal communications, may require basic training and disclosure. Medium-risk uses, such as summarizing non-sensitive business materials, may require approved tools and data restrictions. High-risk uses, such as employment decisions, customer eligibility, financial reporting, investigations, regulated communications, or third-party risk scoring, should require formal review, documented controls, human oversight, and periodic testing.

NIST’s AI Risk Management Framework provides useful architecture through its Govern, Map, Measure, and Manage functions. ISO/IEC 42001 provides the management-system approach, including policies, responsibilities, risk management, transparency, monitoring, performance evaluation, corrective action, and continual improvement. For shadow AI, these frameworks point to the same conclusion as the Encyclical: move from ad hoc use to structured accountability.

The Controls That Matter

A defensible shadow AI control program should include several core elements.

First, the company needs an approved tools list and a prohibited tools list. Employees should know what is permitted, what is restricted, and what is banned.

Second, the company needs data controls. Employees should not place confidential information, personal data, trade secrets, privileged information, customer data, source code, or sensitive business information into unapproved AI tools. Magnifica Humanitas warns that data and digital infrastructure can become new forms of power when control is concentrated and opaque (Magnifica Humanitas, paras. 108-109). Data governance is therefore not an administrative detail. It is the foundation of responsible AI controls.

Third, the company needs approval workflows for high-risk use cases. The higher the risk, the more formal the review should be.

Fourth, the company needs human review and recourse. AI should support judgment, not replace it. For consequential decisions, a person must remain accountable, and affected individuals should have a channel to challenge errors. This reflects the Encyclical’s insistence that decisions should be capable of being justified, monitored, challenged, and remedied (Magnifica Humanitas, para. 105).

Fifth, the company needs monitoring and testing. Internal audit should be able to test whether employees are following the policy, whether approved tools are operating within scope, and whether exceptions are remediated.

Finally, the company needs an AI incident process. Employees should know how to report accidental data disclosure, hallucinated output, inappropriate reliance, biased output, suspected vendor misuse, or unauthorized AI use. The goal should not be punishment first. The goal should be visibility, correction, and learning.

5 Lessons for the CCO
  1. Govern what employees actually use, not merely what policy permits. The first step is visibility. Create a process for employees and business units to disclose AI use without fear that every disclosure will trigger discipline.
  2. Control data before it leaves the enterprise. The most immediate shadow AI risk is often data leakage. Define prohibited data categories, approved tools for sensitive information, and vendor restrictions on model training or reuse.
  3. Assign accountability at every stage. Every material AI use case should have a business owner, risk owner, control owner, approval status, review cycle, and escalation path.
  4. Require human review and recourse for consequential uses. AI can assist, summarize, flag, and recommend. It should not replace accountable human judgment where rights, opportunities, employment, reputation, or legal obligations are involved.
  5. Test, remediate, and report evidence. AI governance must generate proof. Monitor usage, test controls, track incidents, remediate exceptions, and report meaningful metrics to the board.
Conclusion: Hidden Use Must Become Governed Use

Shadow AI is the modern Babel inside the corporation. It may look productive, efficient, and innovative. Yet if it operates without transparency, accountability, controls, or human judgment, it creates a structure the company does not understand and cannot govern.

Magnifica Humanitas reminds us that technology must remain at the service of the human person and not become a system of invisible control (Magnifica Humanitas, para. 171). That principle becomes real in the compliance program through internal controls. CCOs should help the company turn hidden use into governed use.

In the next post, we will move from hidden AI use to the broader question of trust. We will examine AI, Truth, and Corporate Trust, and consider how synthetic content, misinformation, deepfakes, false documentation, and AI-generated narratives create a new compliance risk for boards, management, and the CCO.

Categories
Innovation in Compliance

Innovation in Compliance: Data Defensibility: Enterprise Agentic AI: Governance, Auditability, and the AI Gateway Layer with Nikunj Bajaj

Innovation occurs across many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with Nikunj Bajaj, Co-founder & CEO at TrueFoundry, about enterprise agentic AI infrastructure, governance, and hidden costs most organizations are not accounting for.

Nikunj describes TrueFoundry’s platform as a single control plane for enterprises to build, ship, and govern agentic AI applications, inspired by Meta’s internal ML stack, which he says is about a decade ahead of the rest of the industry. He argues enterprises over-focus on model and tool selection when problem definition and effective use are the real constraints. On governance, he identifies two failure modes: avoiding meaningful use cases entirely to sidestep governance risk, or trying to solve all governance problems up front and never reaching ROI. Successful teams implement application-specific controls iteratively, starting with a few high-value use cases rather than hundreds of low-value ones. He highlights that model inference accounts for only about 20% of total generative AI spend, with the majority of spend concentrated in infrastructure, engineering, and debugging, creating cost-allocation and budget-control challenges for compliance teams. For auditability, he argues that an agent without full decision traces is “a liability with an API key,” and walks through how end-to-end tracing enables audit readiness, faster debugging, and proactive attack detection. He closes by advocating centralized control via a unified AI gateway while enabling federated development and tailoring guardrails to whether your exposure surface is external or internal.

Key highlights:

  • Stop Chasing Tools
  • Governance vs Speed
  • Hidden AI Costs
  • Agent Auditability
  • Board Level Priorities

Resources:

Connect with Nikunj Bajaj

Learn More About TrueFoundry

Categories
Blog

From the Tower of Babel to the Boardroom: Part 2 – AI Governance Is a Compliance Issue

In the first post in this series, we used Magnifica Humanitas to frame the choice facing every board and compliance leader in the age of artificial intelligence. Companies can build a new Tower of Babel, driven by speed, scale, efficiency and power without adequate governance. Or they can follow the path of Nehemiah, rebuilding with discipline, shared responsibility, accountability and the human person at the center. That choice now moves from principle to program design.

AI governance cannot remain in the innovation lab, the IT department or the digital transformation office. It belongs inside the compliance program. Not because compliance should own every AI decision, and not because the CCO should become the chief technologist. AI governance belongs in compliance because AI creates the very risks compliance programs are designed to manage: legal risk, ethical risk, data risk, third-party risk, culture risk, internal controls risk, reporting risk, investigation risk and board oversight risk.

Magnifica Humanitas makes this point in moral language. Pope Leo writes that the use of AI is never a purely technical matter when it enters processes that affect people’s lives, rights, opportunities, status and freedom (Magnifica Humanitas, ¶102). For the modern compliance professional, that is familiar terrain. These are the risks an effective compliance program must identify, assess, control, monitor and remediate.

AI Is Not an Adjacent Risk

The first mistake companies make is treating AI as an adjacent risk. The business says AI is a productivity tool. IT says AI is a systems issue. Legal says AI is a regulatory issue. Privacy says AI is a data issue. Cybersecurity says AI is an access issue. HR says AI is a workforce issue. Internal audit says AI is a control issue. Procurement says AI is a vendor issue. They are all correct.

That is precisely why AI governance must be cross-functional, risk-based and integrated into the compliance program. AI does not respect organizational charts. It moves through data, workflows, vendors, platforms, communications, decisions and employee behavior. It may be embedded inside software already used by the company. Employees may adopt it without formal approval. Vendors may deploy it before procurement or legal fully understands how the tool works. It may be used by compliance itself for monitoring, investigations, hotline triage, third-party due diligence, sanctions screening or training.

The DOJ Has Already Put AI on the Compliance Agenda

The Department of Justice has made clear that AI is now part of compliance program evaluation. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether a company has a process for identifying and managing emerging risks, including risks related to new technologies such as AI. It asks how the company assesses the impact of AI on compliance with criminal laws, whether AI risk is integrated into enterprise risk management, how the company governs AI in commercial operations and in the compliance program, whether controls monitor trustworthiness and reliability, whether AI is limited to intended uses, what human decision-making baseline is used, how accountability is enforced and how employees are trained.

This is where the Encyclical and the ECCP align. Pope Leo calls for responsibility to be clearly defined at every stage, from those who design and develop AI systems to those who use them and rely on them for concrete decisions (Magnifica Humanitas, ¶105). The DOJ asks whether the company has translated that responsibility into risk assessment, controls, testing, training and accountability.

For CCOs, the message is direct. AI governance should be reflected in the risk assessment, policies and procedures, training, third-party risk management, internal controls, monitoring, investigations, discipline, incentives and board reporting. A company that cannot explain how it governs AI will struggle to demonstrate how its compliance program keeps pace with the business.

The CCO’s Role in AI Governance

The CCO does not need to own AI. The CCO does need a seat at the table. Compliance should inform the design of the company’s AI governance model. That model should include a cross-functional AI governance committee with representation from compliance, legal, privacy, cybersecurity, IT, HR, internal audit, procurement, finance and the business. It should define approval rights for high-risk use cases. It should establish documentation standards. It should require risk classification. It should identify prohibited uses. It should provide escalation channels for AI incidents and concerns.

This is the corporate version of Nehemiah’s wall. Pope Leo writes that everyone is given a section of the wall and that shared responsibility across disciplines and communities is the way to build for the common good (Magnifica Humanitas, ¶13). AI governance works the same way. Legal cannot do it alone. IT cannot do it alone. Compliance cannot do it alone. The governance model must assign roles so the whole enterprise can rebuild with discipline.

The CCO should also insist on an inventory of AI use cases. This is the foundational control. The company cannot govern what it cannot see. The inventory should include the business owner, tool name, vendor, purpose, data categories, decision impact, risk rating, applicable policies, human review requirements, testing history, approval date, renewal date and control owner.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. The Encyclical does not give companies an AI procedure manual. It gives them governing principles. The compliance task is to translate those principles into requirements that can be owned, tested, evidenced and improved. Pope Leo is explicit that digital processes should not be imposed from above in opaque or unilateral ways, but should be directed toward the common good with transparency, accountability, meaningful participation, independent checks, algorithmic transparency, equitable access to data and avenues for recourse (Magnifica Humanitas, ¶71).

Human dignity becomes human impact assessment and human review. The common good becomes enterprise risk governance and stakeholder impact. Subsidiarity becomes cross-functional participation, with decisions made close enough to the risk to be informed and accountable. Solidarity becomes attention to affected employees, customers, communities and vulnerable populations. Social justice becomes bias testing, access, recourse and a refusal to let opaque systems create hidden exclusion.

NIST AI RMF and ISO/IEC 42001 as Practical Architecture

Two frameworks can help compliance leaders translate AI principles into program structure. They give operational force to Pope Leo’s warning that it is not enough to invoke ethics in the abstract. He instead calls for robust frameworks, independent oversight, informed users, and institutions capable of governing AI’s effects (Magnifica Humanitas, ¶106). That is precisely the move compliance must make, from AI principles to an AI management system.

The NIST AI Risk Management Framework organizes AI risk management around four functions: Govern, Map, Measure and Manage. For compliance leaders, that is highly practical. Govern means the company has assigned authority, accountability, policies and risk appetite. Map means the company understands the context, purpose, users, affected stakeholders and potential impact of each AI use case. Measure means the company evaluates performance, reliability, bias, data quality, security and control effectiveness. Manage means the company prioritizes risks, implements controls, monitors outcomes, remediates problems and documents decisions.

ISO/IEC 42001 provides a management system model. It focuses on establishing, implementing, maintaining and continually improving an AI management system. For a compliance program that supplies the discipline of policy, objectives, roles, processes, risk assessment, controls, monitoring, performance evaluation, corrective action and continual improvement.

From Policy to Controls

A policy is necessary, but it is not sufficient. A company can have a well-written AI policy and still have a weak AI governance program. The issue is whether the policy has an operational effect.

Pope Leo explains why. Technology is never neutral because it takes on the characteristics of those who devise, finance, regulate and use it (Magnifica Humanitas, ¶9). He later adds that every technical tool embodies choices and priorities through what it measures, what it ignores, what it optimises, and how it classifies people and situations (Magnifica Humanitas, ¶104). For compliance, this means the control environment must cover design, data, use, monitoring, output, and remediation.

COSO has warned that generative AI poses risks of cyber exposure, prompt manipulation, opaque reasoning, model drift, and frequent configuration changes that can affect operations, reporting, and compliance if not addressed with robust internal controls. That is the compliance challenge. AI governance must become a control activity.

Compliance Can Use AI Responsibly

Compliance should not stand outside the AI transformation. AI can help compliance become more effective. It can identify patterns in transactional data. It can assist with third-party risk scoring. It can support sanctions screening. It can help analyze hotline trends. It can improve training design. It can help prioritize monitoring. It can summarize large document sets in investigations. It can support control testing.

Magnifica Humanitas is direct on this point. AI may imitate functions of human intelligence, but it does not possess conscience, experience, responsibility or the capacity to judge good and evil (Magnifica Humanitas, ¶99). It can also create excessive reliance, the impression of objectivity and a weakening of personal judgment (Magnifica Humanitas, ¶100). Compliance professionals should use AI, but they should never surrender professional judgment to it. Human primacy remains the central control.

5 Lessons for the CCO
  1. Treat AI as a human dignity and compliance risk. AI is now part of legal, ethical, operational, data, third-party and cultural risk. The Encyclical reminds us that AI affects rights, opportunities, status, and freedom when it enters into consequential decisions (Magnifica Humanitas, ¶102).
  2. Build and maintain an AI inventory because governance begins with visibility. Every AI use case should have an owner, a purpose, a risk rating, a data classification, a control set, an approval status, and a review cycle.
  3. Govern compliance’s own use of AI because accountability starts at home. Compliance should use AI, but it must document purpose, controls, human review, validation and accountability.
  4. Move from policy to controls because technology is never neutral. AI governance requires approval workflows, data restrictions, testing, monitoring, escalation, remediation and auditability (Magnifica Humanitas, ¶9, ¶104).
  5. Report evidence to the board because accountability requires more than aspiration. Boards need dashboards and documentation showing where AI is used, what risks exist, what controls apply, who is accountable and whether the governance program is effective (Magnifica Humanitas, ¶105).
Conclusion: From Governance Principle to Control Discipline

Magnifica Humanitas challenges us to place the human person at the center of technological transformation. For compliance leaders, that means AI must be governed through risk assessment, controls, accountability, transparency, human oversight and evidence. The DOJ ECCP makes clear that prosecutors will ask how companies govern AI in the business and in compliance. NIST AI RMF and ISO/IEC 42001 provide practical architecture for doing so. COSO gives the internal controls discipline.

The compliance profession should embrace AI. It can make compliance more effective, more data-driven and more responsive. But embracing AI does not mean surrendering judgment to it. The right model is not fear. The right model is governed by adoption.

In the next post, we will move from formal AI governance to the most immediate AI control challenge inside many companies: Shadow AI and Internal Controls. Employees are already using AI tools because they are fast, useful and accessible. The compliance question is whether the company can turn hidden use into governed use before shadow AI becomes the next major control failure.

Categories
AI Today in 5

AI Today in 5: June 1, 2026, The AI is Infrastructure Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Compliance is becoming infrastructure. (FinTech Global)
  2. AI: What CFOs need to know for fintech. (Tech Funnel)
  3. AI models consistently break EU AI law. (Tech Republic)
  4. AI outpacing governance frameworks. (Insurance Business Mag)
  5. China issues ethical guidelines for AI use. (IAPP)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
AI Today in 5

AI Today in 5: May 12, 2026, The RegTech as Infrastructure Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Innovation in Compliance

Innovation in Compliance: Data Defensibility: The Compliance Foundation for AI Governance with George Tziahanas

Innovation occurs across many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with George Tziahanas, VP of Compliance and Associate General Counsel at Archive360.

Tom interviews George Tziahanas on why organizations must move beyond data storage to providing data integrity, lineage, and accountability as a foundation for AI readiness. George defines “data defensibility” as the ability to defend how AI systems were trained and operate when AI decisions are not easily explainable, such as in rules-based automation, emphasizing upstream data provenance, monitoring, and audit trails. They discuss increasing regulator and stakeholder focus on authority and accountability and how litigation can shape compliance, citing early e-discovery practices influenced by the Zubulake v. UBS Warburg decision and enforcement context involving former New York AG Elliot Spitzer. George uses the Mercor breach to show supply-chain and confidentiality risks in AI training data and notes that regulators and plaintiffs may rely on existing laws. He highlights risks from weak data governance, dark data, and legacy archives. He recommends asset/data inventories, migrating data off insecure legacy systems, risk-tiering AI use cases, extending ISO/NIST frameworks, and building observability to enable faster, responsible AI adoption.

Key highlights:

  • What Data Defensibility Means
  • Litigation Shapes Compliance
  • Weak Data Governance Risks
  • Managing Legacy Archive Data
  • Governance Accelerates AI
  • Dark Data Explained
  • What Success Looks Like

Resources:

George Tziahanas on LinkedIn

Archive360

Articles by George Tziahanas

Beyond Retention: Why AI Governance in 2026 is a Defensibility Problem

Keeping Data in Check: The Importance of Data Defensibility

Categories
FCPA Compliance Report

FCPA Compliance Report: Report from Compliance Week 2026 on AI Sessions

In this episode, Tom Fox takes a solo turn behind the mic to report on the AI tracks from the recently concluded Compliance Week 2026 conference.

He highlights two AI tracks: practical “creative” uses, including live demonstrations by Hemma Lomax creating PowerPoint content and Roxanne Petraeus creating video content, and the more critical compliance focus on AI governance, oversight, and accountability amid limited federal direction and a growing patchwork of state laws, with the EU AI Act positioned as a global benchmark. Tom emphasizes applying standard compliance risk management to AI (identify, manage, train, implement, monitor, improve), addressing shadow AI, internal/external/vendor risks, and building AI “in” rather than bolting it on. He notes scaling challenges, ROI questions, auditor expectations, risk registers, fraudsters’ use of AI, and ongoing discussions with Matt Kelly.

Key highlights:

  • AI Everywhere at CW
  • Creative AI Demos
  • AI Risk Framework
  • Shadow AI and Risks
  • ROI and Use Cases
  • Scaling and Oversight
  • Governance Takeaways

Resources:

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com: https://a.co/d/00XNoelh.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com: https://a.co/d/05NTW4zz.

Categories
Blog

Compliance Week 2026: AI Governance Highlights

The 21st Annual Compliance Week Conference made one point unmistakably clear: AI is no longer a technology issue sitting outside the compliance function. It is now a governance, risk, controls, culture, and accountability issue. Across the conference, AI appeared in nearly every discussion, from practical tools for compliance teams to regulatory uncertainty, shadow AI, third-party risk, and board oversight. The central message for compliance professionals was clear: AI must be governed with the same discipline, documentation, monitoring, and continuous improvement as any other enterprise risk.

That should not surprise any Chief Compliance Officer. The DOJ’s Evaluation of Corporate Compliance Programs (2024 ECCP) has long asked whether a compliance program is well-designed, adequately resourced, empowered to function effectively, and working in practice. Those same questions now apply to AI. The issue is not whether an organization is using AI. It almost certainly is. The issue is whether the company knows where AI is being used, who approved it, the risks it creates, the controls that apply, and whether those controls are being monitored.

AI Is Now a Compliance Governance Issue

The first major theme from Compliance Week 2026 was governance. AI may be exciting, efficient, and creative, but without governance, it can quickly become a source of unmanaged enterprise risk. That governance challenge begins with oversight. Who owns AI risk? Who approves AI use cases? Who determines whether a tool is appropriate for use with company data? Who has the authority to stop an AI project that is not meeting its stated purpose? These are not theoretical questions. They are the basic operating questions of an effective compliance program.

A company should not treat AI as a series of disconnected experiments. It should treat AI as part of the enterprise control environment. That means clear governance structures, documented approvals, defined risk owners, escalation protocols, monitoring, testing, and board reporting. The board does not need to become a group of AI engineers. But directors do need to understand whether management has created a defensible AI governance framework. They should ask how AI risks are identified, how high-risk use cases are reviewed, how third-party AI vendors are assessed, and how the company detects unauthorized AI use.

Shadow AI Is the Risk Hiding in Plain Sight

One of the strongest compliance lessons from the conference was the danger of shadow AI. Employees are already using AI tools, often because they are efficient, accessible, and easy to deploy. The problem is that ease of use can defeat governance. If employees are using ChatGPT, Claude, Gemini, Copilot, or other tools without authorization, training, or data restrictions, the company has a control gap. Confidential business information, financial data, personal information, customer information, or regulated data can move into systems the company does not control. That creates legal, privacy, cybersecurity, contractual, and reputational risk.

The answer is not simply to prohibit AI. That approach is unlikely to work. The better answer is to identify the tools being used, classify them by risk, authorize appropriate use cases, train employees, monitor usage, and make clear what data can and cannot be entered into an AI system. A strong AI governance program should include an AI use register. It should identify approved tools, owners, business purposes, data categories, risk ratings, controls, monitoring obligations, and renewal or reassessment dates. Without that inventory, a company cannot credibly claim to govern AI risk.

The Compliance Risk Management Model Already Works

One of the most important insights from the conference was that compliance professionals already have the right risk management framework. AI risk does not require abandoning the compliance discipline. It requires applying it.

The framework is familiar. Identify the risk. Develop a risk management strategy. Train employees. Implement the strategy. Monitor performance. Use data to improve your strategy continuously. That is the compliance operating model. It is also the right model for AI governance.

The 2024 ECCP emphasized risk-based compliance, data access, continuous improvement, and the effectiveness of controls in practice. Those expectations fit naturally into AI governance. A company should ask whether its AI controls are designed around actual risks, whether compliance has access to AI-related data, whether employees understand acceptable use, and whether the company can prove that its controls operate effectively. The lesson is straightforward. Do not build AI governance as a technology policy alone. Build it as a compliance program.

AI Risk Has Three Core Dimensions

The conference also highlighted the need to separate AI risk into practical categories. For compliance officers, three risk areas deserve immediate attention.

First, internal risk. This includes employee use of AI, shadow AI, unauthorized tools, misuse of confidential information, lack of training, and gaps in approval processes.

Second, external risk. This involves AI systems that affect customers, patients, consumers, investors, or other external stakeholders. These tools may raise issues involving fairness, privacy, transparency, discrimination, consumer protection, and regulatory obligations.

Third, third-party risk. Vendors, consultants, service providers, and sales agents may introduce AI into the company’s operations. A third-party vendor using AI in screening, analytics, customer service, data processing, or decision support can pose a risk to the company, even when the company did not build the tool.

This is where compliance must bring discipline. Third-party AI risk should be part of due diligence, contracting, audit rights, monitoring, and renewal. Companies should ask vendors what AI tools they use, what data those tools process, whether subcontractors are involved, how outputs are validated, and whether the company has audit rights over AI-related controls.

ROI Must Begin With the Business Purpose

AI projects should begin with a simple question: what problem are we trying to solve? Too many AI initiatives begin with pressure to “use AI” rather than a clear business case. That is not governance. That is technology enthusiasm without control or discipline. A compliance-minded AI review should ask whether the proposed tool has a defined use case, measurable business value, appropriate controls, and a clear owner. It should also ask whether the project is drifting from its original purpose. Mission creep is a real AI risk. A tool approved for one purpose can quickly be used for another. That creates new risks and may invalidate the original approval.

The more regulated the use case, the more important this analysis becomes. AI used in healthcare, employment, finance, consumer decisions, investigations, sanctions screening, or third-party risk management demands heightened scrutiny. ROI may not always appear as a direct financial return. Sometimes the business value is avoiding regulatory exposure, improving consistency, strengthening documentation, or reducing unmanaged risk.

Training Is No Longer Optional

AI training must move beyond general awareness. Employees need practical, role-based instruction. They need to know which tools are approved. They need to know what data is prohibited. They need to understand when human review is required. They need to know how to report AI concerns, errors, bias, hallucinations, or misuse. They also need to understand that AI output is not a substitute for professional judgment.

For compliance teams, training should include investigators, auditors, third-party managers, procurement, legal, finance, HR, IT, and business leaders. The message should be clear: AI can support the work, but it does not remove accountability.

Build AI In, Do Not Bolt It On

One of the most practical insights from the conference was that AI should be built into business processes, not bolted on afterward. That distinction matters. Bolted-on AI becomes a tool without governance. Built-in AI becomes part of the control environment.

For example, in third-party risk management, AI can help analyze due diligence responses, identify red flags, monitor adverse media, track contract obligations, and support ongoing risk scoring. But it must be embedded into a process with human oversight, escalation protocols, audit trails, and testing. The same applies to investigations, hotline analytics, policy management, training, and monitoring. AI should strengthen compliance processes, not bypass them.

The CCO Must Have a Seat at the AI Table

The compliance function should not wait to be invited into AI governance. It should claim its role. The CCO brings the language of risk, controls, accountability, documentation, monitoring, and culture. Those are precisely the disciplines AI governance requires. Compliance should help design AI approval workflows, risk assessments, training, third-party reviews, monitoring plans, and board reporting.

This does not mean compliance owns every AI decision. It means compliance must be part of the governance architecture. AI governance should be cross-functional, with legal, compliance, IT, privacy, cybersecurity, internal audit, procurement, HR, and the business working together. But compliance must ensure that the program is not simply innovative. It must be defensible.

Practical Takeaways for Compliance Professionals

  1. Create an AI inventory. Know what tools are being used, by whom, for what purpose, and with what data.
  2. Establish an AI governance committee. Include compliance, legal, IT, privacy, cybersecurity, internal audit, procurement, and business leadership.
  3. Build a risk-based approval process. High-risk AI use cases should require enhanced review, documentation, testing, and escalation.
  4. Address shadow AI directly. Do not assume employees are waiting for policy guidance. Identify actual use and bring it into governance.
  5. Train by role and risk. General AI awareness is not enough. Employees need practical rules for approved tools, prohibited data, human review, and reporting.
  6. Extend third-party risk management to AI. Vendor diligence, contracts, audit rights, monitoring, and renewal reviews should include AI-specific questions.
  7. Monitor and improve. AI governance is not a one-time policy exercise. It requires testing, metrics, incident review, and continuous improvement.

Board Questions

  1. Do we have an inventory of AI tools currently used across the enterprise?
  2. Who approves AI use cases, and how are high-risk uses escalated?
  3. How do we detect and manage shadow AI?
  4. What data is prohibited from being entered into AI tools?
  5. How are third-party AI vendors reviewed, contracted, monitored, and audited?
  6. What AI metrics does management provide to the board?
  7. Who has the authority to pause or terminate an AI project that creates unacceptable risk?

CCO Questions

  1. Is compliance involved before AI tools are deployed?
  2. Do our policies distinguish between approved, restricted, and prohibited uses of AI?
  3. Can we prove employees have been trained on AI risks?
  4. Do we have a documented AI risk assessment process?
  5. Are AI controls tested by internal audit or another independent function?
  6. Are AI incidents, errors, and misuse captured through speak-up and escalation systems?
  7. Can we show regulators that our AI governance works in practice?

Conclusion

Compliance Week 2026 confirmed that AI has crossed the threshold from emerging technology to core compliance risk. The companies that succeed will not be those that chase every new tool. They will be the companies that govern AI with discipline. For the modern CCO, this is the moment to step forward. AI governance belongs squarely within the compliance conversation because it involves risk, accountability, culture, controls, third parties, monitoring, and board oversight. Those are the foundations of effective compliance.

AI may change the tools. It does not change the obligation. Governance still matters. Controls still matter. Culture still matters. Accountability still matters. And compliance must help lead the way.

Categories
Sunday Book Review

Sunday Book Review: May 10, 2026, The Top Books on AI Governance Edition

In the Sunday Book Review, Tom Fox considers books that would interest compliance professionals, business executives, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest Tom. In this episode, we look at 4 top books on AI governance.

  • AI Governance: Secure, Privacy-preserving, Ethical Systems by Engin Bozdag & Stefano Bennati (2026) 
  • Governing the Machine: How to Navigate the Risks of AI and Unlock Its True Potential by Ray Eitel-Porter, Paul Dongha, & Miriam Vogel (2025) 
  • A Short & Happy Guide to AI Governance and Regulation by Kashyap Kompella & James Cooper (2025) 
  • Mastering AI Governance: A Guide to Building Trustworthy and Transparent AI Systems by Rajendra Gangavarapu (2025)
Categories
AI Today in 5

AI Today in 5: April 29, 2026, The (AI) Trial of the Century Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Musk v. Altman-AI Trial of the Century. (WSJ)
  2. A RegTech solution vs. an internal bespoke solution. (FinTech Global)
  3. AI governance in practice. (bankinfo security)
  4. AI in a skilled nursing facility. (McKnights)
  5. US v. states—the battle for AI governance. (Vorys)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.