Tag: AI

Categories
AI Today in 5

AI Today in 5: February 23, 2026, The Bold But Balanced Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. How AI is transforming compliance in 2026. (FinTechGlobal)
  2. Asian banks are struggling to integrate AI into their compliance systems. (AsianBanking&Finance)
  3. A bold but balanced AI revolution. (CIO)
  4. Safely navigating chatbots and healthcare PII. (News-Medical)
  5. What is shaping AI governance? (ISEAS)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

5 Strategic Board Playbooks for AI Risk (and a Bootcamp)

Artificial intelligence is no longer a future-state technology risk. It is a current-state governance issue. If AI is being deployed inside governance, risk, and compliance functions, then it is already shaping how your company detects misconduct, prioritizes investigations, manages regulatory obligations, and measures program effectiveness. That makes AI risk a board agenda item, not a management footnote.

In an innovation-forward organization, the goal is not to slow AI adoption. The goal is to professionalize it. Board of Directors and Chief Compliance Officers (CCOs) should approach AI the way they approached cybersecurity a decade ago: move it from “interesting updates” to a structured reporting cadence with measurable controls, clear accountability, and director education that raises the collective literacy of the room.

Today, we consider 5 strategic playbooks designed for a Board of Directors and a CCO operating in an industry-agnostic environment, building AI in-house, without a model registry yet, and with a cross-functional AI governance committee chaired and owned by Compliance. The program must also work across multiple regulatory regimes, including the DOJ Evaluation of Corporate Compliance Programs (ECCP), the EU AI Act, and a growing patchwork of state laws. We end with a proposal for a Board of Directors Boot Camp on their responsibilities to oversee AI in their organization.

Playbook 1: Put AI Risk on the Calendar, Not on the Wish List

If AI risk is always “important,” it becomes perpetually postponed. The first play is procedural: create a standing quarterly agenda item with a consistent structure.

Quarterly board agenda structure (20–30 minutes):

  1. What changed since last quarter? Items such as new use cases, material model changes, new regulations, and major control exceptions.
  2. AI full Risk Dashboard, with 8–10 board KPIs, trends, and thresholds.
  3. Top risks and mitigations, including three headline risks with actions, owners, and dates.
  4. Assurance and testing, which would include internal audit coverage, red-teaming results, and remediation progress.
  5. Decisions required include policy approvals, risk appetite adjustments, and resourcing.

This cadence does two things. First, it forces repeatability. Second, it creates institutional memory. Boards govern better when they can compare quarter-over-quarter progress, not when they receive one-off deep dives that cannot be benchmarked.

Playbook 2: Build the AI Governance Operating Model Around Compliance Ownership

In your design, Compliance owns AI governance and its use throughout the organization, supported by a cross-functional AI governance committee. That is a strong model, but only if it is explicit about responsibilities.

Three lines of accountability:

  • Compliance (Owner): policy, risk framework, controls, training, and board reporting.
  • AI Governance Committee (Integrator): cross-functional prioritization, approvals, escalation, and issue resolution.
  • Build Teams (Operators): documentation, testing, change control, and implementation evidence.

Boards should ask one simple question each quarter: Who is accountable for AI governance, and how do we know it is working? If the answer is “everyone,” then the real answer is “no one.” Your model makes the answer clear: Compliance owns it, and the committee operationalizes it.

Playbook 3: Create the AI Registry Before You Argue About Controls

You have no model registry yet. That is the first operational gap to close, because you cannot govern what you cannot inventory. In a GRC context, this is not a “nice to have.” Without an inventory, you cannot prove coverage, you cannot scope an audit, you cannot define reporting, and you cannot explain to regulators how you know where AI is influencing decisions.

Minimum viable AI registry fields (start simple):

  • Use case name and business owner;
  • Purpose and decision impact (advisory vs. automated);
  • Data sources and data sensitivity classification;
  • Model type and version, with change log;
  • Key risks (bias, privacy, explainability, security, reliability);
  • Controls mapped to the risk (testing, monitoring, approvals);
  • Deployment status (pilot, production, retired); and
  • Incident history and open issues.

Boards do not need the registry details. They need the coverage metric and the assurance that the registry is complete enough to support governance.

Playbook 4: Align to the ECCP, EU AI Act, and State Laws Without Creating a Paper Program

Many organizations make a predictable mistake: they respond to multiple frameworks by producing multiple binders. That creates activity, not effectiveness. A better approach is to use a single control architecture to map to multiple requirements. The board should see one integrated story:

  • DOJ ECCP lens: effectiveness, testing, continuous improvement, accountability, and resourcing;
  • EU AI Act lens: risk classification, transparency, human oversight, quality management, and post-market monitoring; and
  • State law lens: privacy, consumer protection concepts, discrimination prohibitions, and notice requirements where applicable

This mapping becomes powerful when it ties back to the board dashboard. The board is not there to read statutes. The board is there to govern outcomes.

Playbook 5: Use a Board Dashboard That Measures Coverage, Control Health, and Outcomes

You asked for a combined dashboard and narrative with 8–10 KPIs. Here is a board-level set designed for AI in governance, risk, and compliance functions, with in-house build, internal audit, and red teaming for assurance.

Board AI Governance KPIs (8–10)

1. AI Inventory Coverage Rate

Percentage of AI use cases captured in the registry versus estimated footprint.

2. Risk Classification Completion Rate

Percentage of registered use cases risk-classified (EU AI Act style tiers or internal tiers).

3. Pre-Deployment Review Pass Rate

Percentage of deployments that cleared required testing and approvals on first submission.

4. Model Change Control Compliance

Percentage of model changes executed with documented approvals, testing evidence, and rollback plans.

5. Explainability and Documentation Score

Percentage of in-scope use cases with complete documentation, rationale, and user guidance.

6. Monitoring Coverage

Percentage of production use cases with active monitoring for drift, anomalies, and performance degradation.

7. Issue Closure Velocity

Median days to close AI governance issues, by severity.

8. Internal Audit Coverage and Findings Trend

Number of audits completed, rating distribution, repeat findings, and remediation status.

9. Red Team Findings and Remediation Rate

Number of material vulnerabilities identified and percentage remediated within the target time.

10. Escalations and Incident Rate

Number of AI-related incidents or escalations (including near-misses), with severity and lessons learned.

These KPIs do not require vendor controls and align with an in-house build model. They also support both board oversight and compliance management.

AI Director Boot Camp

Your board has a medium level of literacy and needs a boot camp. I agree. Directors do not need to become engineers. They need a common vocabulary and a governance frame. The recommended boot camp design is one-half day, making it highly practical. It should include the following.

  1. AI in the company’s operating model. This means where it touches decisions, risk, and compliance outcomes.
  2. AI risk taxonomy, such as bias, privacy, security, explainability, reliability, third-party, and later.
  3. Regulatory landscape overview, including a variety of laws and regulatory approaches, including the DOJ ECCP approach to effectiveness, the EU AI Act risk framing, and several state law themes approaches.
  4. Governance model walkthrough to ensure the BOD understands the registry, risk classification, controls, monitoring, and escalation.
  5. Tabletop exercises, such as an AI incident in a GRC context with false negatives in monitoring or biased triage.
  6. Board oversight duties. Teach the BOD how they can meet their obligations, including which questions to ask quarterly, which thresholds trigger escalation, and similar insights.

The deliverable from the boot camp should be a one-page “Director AI Oversight Guide” with the KPIs, escalation triggers, and the quarterly agenda structure.

The Bottom Line for Boards and CCOs

This is the moment to treat AI risk like a board-governed discipline. The organizations that get it right will not be the ones with the longest AI policy. They will be the ones with the clearest operating model, the most reliable reporting cadence, and the strongest evidence of control effectiveness.

If Compliance owns AI governance, then Compliance must also own the proof. That proof is delivered through a registry, a quarterly board agenda item, a balanced KPI dashboard, and assurance through internal audit and red teaming. Add a director boot camp to create shared understanding, and you have the beginnings of a program that is innovation-forward and regulator-ready.

That is the strategic playbook: not fear, not hype, but governance.

Categories
AI Today in 5

AI Today in 5: February 20, 2026, The Spinx Raises Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI compliance demands grow. (PlanAdviser)
  2. Compliance Monitoring: what works, what backfires. (UCToday)
  3. New AI governance tool. (PRNewsWire)
  4. The Spinx raises funds for new AI compliance agents. (FinTechGlobal)
  5. Boys will always be…just boys. (CNBC)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

Embedded Explainability: Turning Principles into Proof

Embedded explainability is the design choice to build “the why” directly into a system as it operates, rather than bolting on an explanation after the fact. In practical terms, it means the model or decision engine is instrumented to surface the key factors that drove a specific output as the output is delivered. In a compliance, risk, or fraud context, this can include reason codes tied to specific data features, a clear confidence score, the policy or control implicated, and a short narrative that translates technical drivers into business language. The point is not to turn every decision into a science project; the point is to make explanations an always-on product requirement, so investigators, managers, and auditors can quickly understand what the system saw, why it escalated, and what evidence supports the action.

Where this becomes powerful is in governance. Embedded explainability creates a durable audit trail and makes accountability real: you can test whether explanations are consistent over time, whether they drift, whether similarly situated cases are treated consistently, and whether the system is relying on inappropriate proxies. It also reduces the “black box” tax during exams and internal reviews because your documentation is generated continuously, decision by decision, rather than recreated under a deadline. Done well, embedded explainability supports model risk management, accelerates case resolution, and builds user trust because the system does not just tell you what to do. It shows its work in a way that is usable for first-line teams and defensible for second-line and regulators.

If you have been in a single AI governance meeting, you have heard the same reassuring words: transparency, fairness, accountability. They sound good. They also do not answer the one question your Audit Committee will ask you the minute something goes sideways: can you prove what happened, who approved it, and why the system did what it did?

That is the heart of embedded explainability for a GRC or compliance professional. It is not a debate about data science. It is about building a program that can withstand scrutiny. In a strong compliance program, “principles” are not controls. They are intentions. Regulators, prosecutors, and auditors do not award credit for intent. They want evidence of implementation and effectiveness. When you embed explainability, you are building evidence into the workflow itself, so the program produces audit-ready artifacts without heroics.

Think like an auditor, not like a vendor.

In many organizations, “explainability” is treated like a technical deliverable. Someone pulls a chart. Someone cites an algorithm. Everyone nods. Then, the internal audit asks a simple question: “Show me how this use case was approved, how risks were assessed, how testing was performed, and how you monitor it today.”

That is where compliance needs to reframe the conversation. For GRC, the most important explainability is process explainability:

  • Who approved the use case, and what decision impact does it have?
  • What risks were identified, and what mitigations were required?
  • What data and content sources were used, and how they are governed.
  • What testing was done, what thresholds were applied, and what failed.
  • Who monitors the system in production, and how issues get escalated.
  • How changes are controlled, logged, and reapproved

If you can answer those questions with documentation, you can pull on demand; you are not “talking about explainability.” You are demonstrating it.

The risk that hides in plain sight: language and cultural bias

Most compliance teams understand bias as a broad concept. The operational problem manifests in a narrower, more painful way: language and cultural bias within everyday compliance workflows. Consider the real-life places your organization may be using AI or analytics: hotline intake, investigations triage, monitoring and surveillance, third-party diligence, audit planning, policy interpretation, and case summarization. Now add the facts of corporate life: multilingual reporting, non-native English narratives, regional idioms, and different cultural communication styles.

Here is the compliance risk: the system may not be “biased” in a headline-grabbing way. It may be biased in a quiet, compounding way:

  • A hotline narrative written in non-native English is scored lower for credibility.
  • Regional phrasing triggers false positives in monitoring.
  • Direct communication styles are interpreted as “aggressive” or “retaliatory”;
  • Reports from certain geographies are deprioritized because of linguistic patterns; and
  • Summaries strip context from culturally specific descriptions of harm.

This is why embedded explainability matters. If the system cannot tell you why it scored and routed a case the way it did, you will not find these problems until someone outside the company points them out to you.

A compliance-led lifecycle that makes explainability real

The practical move is to treat embedded explainability as a lifecycle requirement, not a go-live checkbox. You want stage gates with documented approvals and an evidence pack that travels with the use case from intake to monitoring. Think of it as the same discipline you already apply to third parties, controls testing, and investigations: define, document, test, approve, monitor, and improve.

A simple compliance-led lifecycle looks like this:

  1. Intake and approval: What is the use case, what is the decision impact, and who is accountable?
  2. Data and language risk assessment: What data is used, what languages and regions are in scope, and what bias risks exist?
  3. Build with traceability: Document the logic, rules, prompts, and human review points.
  4. Testing: Prove the system can be reconstructed and does not degrade across language groups.
  5. Deployment readiness: Confirm monitoring, access controls, logging, and escalation are active.
  6. Ongoing monitoring: Report drift, exceptions, overrides, and bias findings; reapprove material changes.

This is the compliance function earning its keep; not by arguing about definitions, but by building a governance machine that produces defensible evidence.

The minimum evidence pack: what you should be able to pull on demand

If you want to operationalize embedded explainability, standardize the artifacts. Do not let every team reinvent documentation. Your minimum evidence pack should be consistent across machine learning models, rules-based analytics, LLM workflows, and decision engines.

At a minimum, you should be able to produce:

  • Use case charter: purpose, scope, decision impact, owner, risk tier, approvals;
  • Data and language risk assessment: sources, language coverage, cultural risk factors, mitigations;
  • System specification: what it is, how it works, where humans intervene;
  • Testing artifacts: bias test plan, scenario tests, results, remediation notes;
  • Explainability checklist: proof you can reconstruct inputs, steps, outputs, and rationale;
  • Deployment approval record: stage-gate sign-offs and dates;
  • Monitoring and drift reports: trends, exceptions, and escalation notes;
  • Incident and escalation log: root cause, corrective actions, closure dates, and
  • Change management log: what changed, materiality, retesting, reapproval.

If you have this, you have something most organizations still lack: a system of record for AI governance that internal and external auditors can actually test.

The Bottom Line

Embedded explainability is how you turn AI governance from a values statement into a control environment. It is how you protect innovation by making it defensible. If your program can reconstruct decisions, show approvals, demonstrate testing, and document monitoring, you are not hoping you are compliant. You are ready to prove it. 

Categories
AI Today in 5

AI Today in 5: February 18, 2026, The AI for Rural Healthcare Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI to transform fraud investigations. (PRNewswire)
  2. Better defensible AI oversight. (PRNewswire)
  3. What’s in your compliance gap? (Forbes)
  4. Is the AI moment here? (FRSF)
  5. Oz wants AI avatars for rural healthcare. (NPR)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Daily Compliance News

Daily Compliance News: February 17, 2026, The All FT Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • A KPMG partner was fined for using AI to cheat on a test about AI. (FT)
  • An Indian billionaire and his company’s missing billions. (FT)
  • Rethinking Board pay in the UK. (FT)
  • Measurable gains from using AI are now seen. (FT)
Categories
AI Today in 5

AI Today in 5: February 17, 2026, The Measurable Gains Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Measurable gains are now being achieved with AI. (FT)
  2. The hidden cost of poor compliance conciliation. (FinTechGlobal)
  3. AI at Kraken Compliance. (Kraken Blog)
  4. Is a memory chip crisis coming? (Bloomberg)
  5. AI worries erase $1tn from Big Tech values. (PYMNTS)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Innovation in Compliance

Innovation in Compliance: Navigating AI: Governance, Risk with some Culture Thrown in with Matt Kunkel

Innovation spans many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode,  host Tom Fox interviews Matt Kunkel, CEO and Co-Founder at LogicGate, about the company’s governance, risk, and compliance (GRC) platform and current market trends.

Matt recounts his path into regulatory risk and compliance work that led to founding LogicGate and launching its Risk Cloud platform in 2015. A major focus is AI governance. Tom and Matt explore how and why senior management is asking compliance teams to provide governance frameworks despite the absence of a single standard (e.g., NIST/ISO/SOC). Matt explains organizations need scalable processes to triage and route large volumes of AI usage requests, apply guardrails based on data sensitivity and criticality, and avoid becoming a bottleneck to innovation. He emphasizes training and culture to address employee misuse, highlighting risks of exposing proprietary data and the need to define what information is acceptable to input into AI models.

The discussion turns to LogicGate’s culture and how it has been sustained during rapid, organic growth (no acquisitions). Matt outlines LogicGate’s six values: Be as One, Embrace Your Curiosity, Empower Customers, Raise the Bar, Own It, and Do the Right Thing. For evaluating AI and modernizing compliance programs, he frames value in three outcomes: making money, reducing costs, or reducing risk, and describes LogicGate’s value realization framework that translates efficiency and ROI into business terms. He also describes Risk Cloud as an orchestration layer for compliance programs and anticipates more “intentional AI” and selective use of agentic capabilities rather than fully autonomous end-to-end program execution.

 

Key highlights:

  • From Consulting to GRC: Coding, Madoff Investigation, and Founding LogicGate
  • Why AI Is Supercharging the “G” in GRC
  • LogicGate’s Culture Playbook: Values That Scale with Hypergrowth
  • How to Evaluate AI Tools in Compliance: Proving Value, ROI, and “Intentional AI”
  • Cybersecurity in 2026: AI-Powered Social Engineering, Deepfakes, and Risk Mapping
  • What’s Next for GRC by 2030: Agents, Responsible AI, and Tech as the Glue

Resources:

Matt Kunkel on LinkedIn

LogicGate

Innovation in Compliance was recently ranked Number 4 in Risk Management by 1,000,000 Podcasts.

Categories
AI Today in 5

AI Today in 5: February 16, 2026, The Doom Loop Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Staying ahead of AI regs in housing. (HousingWire)
  2. UN sets up panel on AI impact. (YahooNews)
  3. KPMG examines PE and AI. (CrowdFundInsider)
  4. Continuous learning to scale healthcare. (FilMoGaz)
  5. Everything stock AI touches in ‘Doom Loop’? (Bloomberg)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
FCPA Compliance Report

FCPA Compliance Report – Navigating Compliance in 2026: Trends and Transformations

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, we replay a recent webinar Tom Fox participated in, hosted by EQS. The panel moderator was Steph Holmes, and the panelists were Tom Fox, Mary Shirley, and Matt Kelly.

The session focuses on six key 2026 trends for ethics and compliance programs:

(1) AI moving from experimentation to operational use, emphasizing deliberate scaling, human-in-the-loop oversight, governance frameworks, monitoring, and managing “shadow AI,” with practical use cases such as policy chatbots, gift/travel/entertainment reviews, and AI-enabled third-party risk lifecycle management;

(2) enforcement “volatility” and unpredictable regulatory signals, with emphasis on returning to fundamentals such as documenting program inputs and outcomes, and noting continued activity, including record FCA resolutions and a DOJ whistleblower program award leading to a rapid antitrust settlement;

(3) shifting employer–employee dynamics, including Gartner survey findings that 40% of employees would intentionally miss a compliance requirement to harm their organization, discussion of trust, employee sentiment, multi-generational communication differences, and the need to partner with HR while staying within organizational lanes;

(4) heightened third-party and supply chain risk expectations, including cybersecurity, tariffs/tariff evasion, export controls, and the need to unify siloed risk views into a holistic third-party risk assessment;

(5) anticipated increases in whistleblowing and investigation demands amid volatility, highlighting the importance of preventing retaliation, keeping reporters feeling heard through responsive communications, triage protocols, and anonymized case examples to build trust; and

(6) measuring program effectiveness through a shift from outputs to outcomes, including reviewing KPIs and key risk indicators, peer review of investigations, hotline “mystery shopping,” and gap analyses against the DOJ’s ECCP and compliance program hallmarks, with special emphasis on third-party documentation and ongoing monitoring.

Resources:

Mary Shirley on LinkedIn

Steph Holmes on LinkedIn

Matt Kelly at Radical Compliance

EQS

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Returning to Venezuela on Amazon.com