Tag: ECCP

Categories
Blog

May the Controls Be With You: Compliance Lessons from Star Wars: Episode IV – A New Hope

Every May 4, the business world pauses, smiles, and says, “May the Fourth be with you.” For compliance professionals, that phrase carries more than nostalgia. It can also remind us that every organization faces a recurring struggle between power and accountability, command and control, culture and fear, risk and resilience.

Star Wars: Episode IV – A New Hope is not simply a space adventure. It is a story about governance failure, ethical courage, institutional blindness, weak controls, overconfidence, and the power of a small group committed to a mission larger than themselves. In other words, it is fertile ground for the modern compliance professional.

The Galactic Empire had scale, resources, technology, command authority, and a massive enforcement apparatus. What it lacked was ethics, accountability, transparency, and trust. The Rebel Alliance had far fewer resources, but it had purpose, shared values, disciplined intelligence, and a willingness to challenge a system that had become corrupt at its core.

That is the compliance lesson. Size is not strength if governance fails. Technology is not protection if culture is broken. Authority is not leadership if fear replaces trust. And no control environment is effective if the people inside the system are afraid to speak, unwilling to escalate, or conditioned to obey without question.

The Empire as a Case Study in Governance Failure

The Empire offers a powerful example of what happens when power operates without accountability. Its leadership model is command-driven, opaque, and fear-based. Decisions flow from the top, dissent is punished, and risk information is filtered through hierarchy rather than tested through independent challenge.

This is not a sustainable operating model for any corporation. It may produce short-term compliance with directives, but it does not produce ethical performance. Employees may follow orders, but they will not raise concerns. Managers may execute instructions, but they will not challenge flawed assumptions. Leaders may believe they are in control, but they are really operating inside an echo chamber.

That is a classic governance breakdown. Under the DOJ’s Evaluation of Corporate Compliance Programs (ECCP), prosecutors ask whether compliance has adequate authority, access, and resources. They also ask whether the company’s culture encourages ethical conduct and whether employees can report concerns without fear of retaliation. The Empire would fail that test before the first audit interview began. A culture of fear is not control. It is a risk multiplier.

The Death Star and the Danger of Overconfidence

The Death Star is the ultimate symbol of institutional overconfidence. It is massive, technologically advanced, expensive, and terrifying. It is also vulnerable because its designers and leaders failed to take a critical weakness in the system seriously.

For compliance professionals, this is a familiar issue. Organizations often build impressive frameworks: policies, systems, committees, dashboards, training platforms, risk registers, and reporting structures. Yet one untested assumption, one ignored warning, one undocumented exception, or one poorly monitored third party can create a vulnerability that undermines the entire program. The lesson is not that complexity is bad. The lesson is that complexity must be tested.

A compliance program cannot be judged solely by its architecture. It must be judged by whether it works in practice. Do controls operate as designed? Are exceptions reviewed? Are risk assessments updated? Are third-party red flags escalated? Are investigations tied to root cause analysis? Are lessons learned incorporated back into the program? The Death Star failed because its leadership confused scale with effectiveness. Compliance leaders should never make the same mistake.

Princess Leia and the Importance of Speak-Up Culture

Princess Leia is one of the great figures to speak up in popular culture. She sees the Empire’s reality clearly, acts with courage, preserves critical information, and refuses to be intimidated by power. In a corporate setting, she represents the employee, executive, or compliance professional who raises a concern when the organization would rather look the other way. She also reminds us that a speak-up culture is not built by having a hotline. It is built by protecting those who use it.

A company can have a hotline, a Code of Conduct, annual training, and posters in every break room. None of that matters if employees believe reporting will lead to retaliation, career damage, isolation, or indifference. The real measure of a speak-up culture is whether people trust the system enough to use it before a problem becomes a crisis. Leia’s courage mattered. But in a corporation, courage should not be the only control. The system itself must make reporting safe, trusted, and effective.

Obi-Wan Kenobi and the Role of Ethical Leadership

Obi-Wan Kenobi does not lead through fear. He leads through wisdom, restraint, discipline, and example. He understands risk. He understands history. He understands that values must be taught, modeled, and passed forward. That is the leadership lesson. Slogans do not create an ethical culture. It is transmitted through conduct. Employees watch what leaders reward, tolerate, ignore, and punish. They listen to speeches, but they believe in actions.

For boards and senior executives, this is a central compliance obligation. Tone at the top must be matched by conduct at the top. Middle management must reinforce the message. Incentives must align with ethical behavior. Discipline must be consistent. Performance pressure must not overwhelm controls. Obi-Wan understood that leadership is stewardship. Compliance leaders should view their work the same way.

Luke Skywalker and the Development of Compliance Judgment

Luke Skywalker begins as inexperienced, impatient, and uncertain. He does not yet understand the broader conflict, the risks, or his own role. Over time, he learns judgment. He listens, observes, trains, fails, and grows. That is how compliance capability develops inside a company. Employees don’t come to work knowing about conflicts of interest, third-party risk, gifts and hospitality, data governance, sanctions exposure, procurement controls, or escalation protocols. They must be trained, guided, and supported.

Effective compliance training is not a once-a-year exercise in legal coverage. It is a business process for building judgment. The goal is not simply to tell employees the rules. The goal is to help them recognize risk in real time, pause before acting, ask better questions, and escalate when necessary. Compliance is not merely knowledge. It is judgment under pressure.

Han Solo and the Third-Party Risk Lesson

Han Solo is charismatic, capable, and useful. He is also a third-party risk case study waiting to happen. He has unclear loyalties, questionable business relationships, financial pressure, and a complicated history with counterparties. Every compliance professional knows this profile. The company needs a third party because that party can get things done. The business sponsor trusts the relationship. The third party knows the market, has access

to it, and can move quickly. But the risk indicators are visible: opaque ownership, unusual payment terms, reluctance to provide documentation, government touchpoints, reputation concerns, or unexplained urgency.

The answer is not to avoid all third parties. The answer is to manage them. Due diligence must be risk-based. Contracts must include compliance obligations, audit rights, and termination rights. Payment controls must be disciplined. Services must be documented. Red flags must be resolved before onboarding and monitored after onboarding. Han Solo eventually becomes aligned with the mission. In corporate life, however, hope is not a third-party control. Documentation is.

The Rebel Alliance and the Power of Mission

The Rebel Alliance wins not because it is larger, better funded, or more technologically sophisticated. It wins because it has clarity of mission, trust, shared purpose, and the ability to turn intelligence into action. That is the best compliance program at work. They are not bureaucratic overlays. They are mission-aligned business systems. They help the organization grow the right way. They identify risk earlier. They protect trust. They support better decisions. They turn values into controls and controls into evidence.

A mature compliance program should operate like the best parts of the Rebel Alliance: focused, informed, agile, disciplined, and mission-driven. It should gather information from across the enterprise, analyze risk, escalate concerns, and act before the organization faces regulatory, reputational, or operational harm. Compliance is not the department of “no.” It is the discipline of sustainable performance.

Five Key Takeaways for Compliance Professionals

  1. Fear is not a compliance culture. It may produce silence, but it will not produce trust, transparency, or early reporting.
  2. Scale is not effective. A large compliance program must still prove that its controls work in practice.
  3. Speak-up systems must be trusted. Employees need safe channels, anti-retaliation protections, and confidence that concerns will be addressed.
  4. Third-party risk requires discipline. Useful intermediaries can also create serious exposure if diligence, contracts, payments, and monitoring are weak.
  5. Governance must challenge overconfidence. Boards and executives should ask hard questions about assumptions, vulnerabilities, escalation, and control testing.

Final Thought

On May 4, we can enjoy Star Wars Day. But for compliance professionals, A New Hope offers something more durable than a pop culture reference. It reminds us that ethics, accountability, controls, culture, and courage matter. The Empire had power. The Rebels had purpose. In compliance, purpose supported by controls is the real force multiplier.

May the Fourth be with you.

Categories
Blog

Isaac Newton and the Hidden Forces Behind Misconduct

Today, we conclude our exploration of Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields, including science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this concluding post, we consider Isaac Newton’s theorem that misconduct is rarely random.

If Francis Bacon taught us that a compliance program must be grounded in evidence, René Descartes taught us that evidence must be examined with rigor, John Locke taught us that the system must be legitimate, and Thomas Hobbes taught us that institutions need order, Isaac Newton brings this series to its final and perhaps most powerful insight: misconduct is rarely random. Forces drive it. Pressures. Incentives. Structural weaknesses. Repeated patterns. Hidden relationships. The most mature compliance programs understand that reality and act on it.

Newton is remembered as the great scientist of motion, force, and causation. He gave the world a way to understand that observable events are often the result of underlying principles that can be identified, studied, and predicted. His work was not simply about describing what happened. It was about explaining why it happened and how the same forces might operate again. For the compliance professional, that is a profoundly useful way to think. A hotline complaint, a bribery incident, a books-and-records failure, a retaliation claim, or a control breakdown should never be seen as a one-off event. The real question is Newtonian: what forces produced this result? In a best practices compliance program, that question is the bridge from reaction to prevention.

Why Newton Matters to Compliance

Newton helps compliance professionals move beyond event-based thinking. Too often, organizations respond to misconduct by focusing only on the visible incident. Someone violated policy. Someone approved a bad payment. Someone ignored a red flag. Someone retaliated against a whistleblower. Those facts matter, of course, but they are usually only the surface expression of deeper conditions. Newton would urge us to ask what was acting beneath the surface.

Was the employee under intense sales pressure? Were performance incentives designed in a way that rewarded output but ignored process? Was a business unit growing so quickly that controls were bypassed in the name of speed? Did management tolerate workarounds because the local market was too important to slow down? Was the company relying on outdated monitoring tools in a rapidly changing business model? Were risk signals present but scattered across functions with no one connecting them?

That is Newton’s great gift to compliance. He reminds us that forces shape behavior, and if you want to reduce misconduct, you must understand and address the forces that make misconduct more likely.

The DOJ Expects Companies to Understand Causes, Not Just Outcomes

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) reflects this Newtonian logic with remarkable consistency. The ECCP asks whether a company performs root cause analysis, adapts its program based on lessons learned, uses data to identify patterns, aligns incentives with ethical conduct, and can demonstrate that controls are responsive to emerging risks. These are not narrow enforcement questions. There are questions about causation.

The ECCP is not satisfied when a company says it found the bad actor and imposed discipline. Regulators want to know what the company learned. Why did the misconduct happen? Were there prior warning signs? Was the conduct enabled by poor oversight, flawed incentives, weak middle management, insufficient resources, or ineffective controls? Did the company identify those drivers and change the system? That is exactly the sort of inquiry Newton would have appreciated.

Root Cause Analysis Is Newton in Practice

If there is one place where Newton’s influence should be front and center, it is root cause analysis. In compliance, root cause analysis is the discipline of looking beyond the immediate violation to identify the pressures, structures, incentives, and system weaknesses that created the conditions for failure. This is where many companies still fall short.

A company uncovers improper payments and concludes that an employee acted dishonestly. Perhaps that is true. But Newton would ask what else was in motion. Was there a compensation model that encouraged aggressive behavior without corresponding control discipline? Were finance and compliance understaffed relative to expansion? Did business leadership send signals that revenue mattered more than process? Had similar concerns surfaced in audit findings or prior investigations? Was a third-party oversight process designed for a smaller and less risky operating model? A true root cause analysis keeps asking until the organization understands the forces at work.

Incentives Are Among the Strongest Forces in Any Organization

Newton’s framework is especially valuable when thinking about incentives. Every organization generates motion through what it rewards, measures, and celebrates. If those incentives are poorly designed, they can push employees and managers toward decisions that undermine the compliance program even when the formal policy language is sound. This is one of the most underappreciated truths in compliance.

A company may say all the right things about integrity, but if promotions, bonuses, and recognition go disproportionately to people who hit aggressive numbers regardless of how they achieved them, employees receive a different message. If managers are evaluated on speed and volume but not on control discipline, they will often treat process as friction. If local market leaders are given extraordinary flexibility without matching oversight, the organization may create precisely the pressures and blind spots that breed misconduct.

The ECCP has increasingly focused on compensation structures, clawbacks, and incentive alignment for precisely this reason. Regulators understand that culture is shaped not only by leadership’s words, but also by tangible rewards that guide daily conduct. Newton helps compliance professionals explain why this matters. Incentives are not background conditions. They are active forces inside the corporate system.

Analytics Help the Company See What the Eye Misses

A Newtonian compliance program also leverages analytics more effectively. Newton’s work showed that patterns in motion could be identified through disciplined observation and analysis. Modern compliance can do something similar. Data analytics, trend reviews, and integrated monitoring allow a company to detect patterns that an isolated human review might miss. That does not mean technology replaces judgment. It means technology can help reveal the forces and relationships that judgment must then interpret.

Consider a multinational company reviewing third-party spend, travel, and entertainment data, hotline trends, and investigation outcomes. Each data set alone may show only limited information. But when viewed together, patterns may emerge. A particular region may show above-average use of high-risk intermediaries, greater discounting, delayed documentation, and increased employee complaints about management pressure. No single data point proves misconduct. But together they may reveal a system under strain.

This is where Newton connects back to Bacon. Bacon tells us to gather evidence. Newton tells us to study how patterns and causes operate across the system. Together, they produce a compliance function that is empirical, analytical, and forward-looking.

Misconduct Is Often a Systems Failure, Not Merely an Individual Failure

One of the most valuable lessons Newton offers the compliance profession is that misconduct is frequently systemic. This does not excuse individual wrongdoing. Personal accountability remains essential. But if a company stops with personal accountability, it may miss the broader organizational truth.

An employee may make an improper payment, but the surrounding system may have made that outcome easier, more predictable, or more likely. A senior manager may retaliate against a reporter, but the broader culture may have conditioned leaders to treat bad news as disloyalty. A financial control breakdown may involve one approving official, but the deeper problem may be a long-standing tolerance for informal overrides. In each case, the misconduct event should prompt a systems review.

This is particularly important in fast-changing environments. Growth, acquisitions, digital transformation, remote work, AI deployment, and market stress all alter the forces acting on the organization. Controls designed for one operating model may not be sufficient for the next. A Newtonian compliance officer understands that governance must evolve as the system changes. The question is never just whether the policy still exists. The question is whether the underlying forces have shifted in ways the compliance program has not yet caught up to.

Newton and the Future of Compliance

Newton is particularly relevant today because the modern compliance landscape is increasingly defined by complexity. Third-party ecosystems are larger. Data flows are faster. Business models shift more quickly. AI and automated decision-making create new risks that can change over time through drift, scale, and changing use cases. In that world, static compliance is not enough. A company needs to understand how moving systems work.

This is where frameworks like NIST and ISO/IEC 42001 become useful companions to Newtonian thinking. They emphasize lifecycle governance, ongoing monitoring, documented accountability, testing, and adaptation. In the AI context, especially, the lesson is clear: a control that works on day one may not be enough on day two. Risks evolve—inputs change. Vendors change. User behavior changes. Governance must therefore be dynamic, evidence-based, and attentive to emerging forces.

The same is true across compliance more broadly. Companies cannot assume that yesterday’s control environment will manage tomorrow’s pressures. Newton teaches that motion continues unless acted upon, and in the corporate setting, that means risk patterns will continue to develop unless governance actively intervenes.

The Compliance Officer as Interpreter of Organizational Forces

If Bacon casts the compliance officer as an institutional scientist, Descartes as a guardian of clear thinking, Locke as a steward of legitimacy, and Hobbes as an architect of order, Newton casts the compliance officer as an interpreter of organizational forces. That is a sophisticated and necessary role.

The compliance officer must ask what is really driving conduct across the enterprise. Which incentives are shaping decisions? Which processes are creating blind spots? Which managers are transmitting pressure? Which data trends suggest a deeper problem? Which repeated “isolated incidents” are no longer isolated at all? Which changes in the business model have altered the risk environment without corresponding updates to governance?

Those are not merely compliance questions. They are strategic governance questions. That is why Newton is such a fitting conclusion to this series. He pulls together all that came before. Evidence matters. Rigor matters. Legitimacy matters. Order matters. But ultimately, the mature compliance program does something more. It understands how these elements interact inside a living system. It seems that misconduct does not fall from the sky. It emerges from forces that can be studied, anticipated, and changed. Isaac Newton would have understood that a well-governed institution learns to read its own motion.

Five Lessons Learned for the Modern Compliance Professional

First, misconduct is rarely random. It is usually the product of identifiable pressures, incentives, weaknesses, and structural conditions.

Second, root cause analysis must go beyond the visible event. The goal is to understand the forces that made the event more likely.

Third, incentives are among the strongest drivers of conduct. A company must align compensation, promotion, and recognition systems with ethical and compliant behavior.

Fourth, analytics and trend analysis are essential tools for seeing patterns across the system. They help the company detect pressure points before they become crises.

Fifth, the most mature compliance programs are systemic and preventive. They do not simply respond to incidents. They study the organization well enough to reduce the conditions that produce misconduct.

Closing It Out

This five-part journey through Bacon, Descartes, Locke, Hobbes, and Newton shows that the architecture of a modern compliance program is not merely legal or procedural. It is intellectual. Bacon teaches us to demand evidence. Descartes teaches us to examine it with discipline. Locke teaches us that the system must be legitimate. Hobbes teaches us that institutions require order. Newton teaches us to understand the forces that shape outcomes.

Together, they offer a powerful framework for the compliance professional, the board, internal audit, legal, and business leadership. A best practices compliance program is not simply a collection of policies. It is a way to see the organization clearly, govern it credibly, and continuously improve it. That is as true now as it would have been revolutionary in their own time.

 

Categories
Blog

Thomas Hobbes and Why Every Compliance Program Needs Order

We continue our exploration of Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields, including science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this post, we consider how Thomas Hobbes makes clear in his writings that no institution can function without order.

If Francis Bacon teaches that compliance must be grounded in evidence, René Descartes teaches that evidence must be examined rigorously, and John Locke teaches that a compliance system must be legitimate, Thomas Hobbes takes us to a different but equally important truth about structure.  That is where Hobbes becomes surprisingly relevant to the modern corporate compliance program.

That point can sound severe to modern ears, but compliance professionals understand it instinctively. Good intentions are not enough. Strong values are not enough. Even a trusted culture is not enough. A company also needs structure, clear rules, defined authority, escalation channels, and credible enforcement. Without them, pressure, ambiguity, and self-interest will fill the vacuum.

Hobbes is often remembered for his stark view of human nature and his argument that, in the absence of a strong governing authority, disorder follows. In his political philosophy, institutions exist in part to prevent chaos, conflict, and the breakdown of shared rules. While corporations are not states and employees are not citizens in the political sense, the organizational lesson is powerful. In any complex enterprise, when roles are unclear, rules are weak, exceptions become routine, and accountability is diffuse, people will default to local incentives, personal judgment, and short-term advantage. That is a dangerous environment for compliance.

Why Hobbes Matters to Compliance

Hobbes helps us understand something that compliance officers see every day: misconduct often flourishes not simply because individuals have bad intent, but because the system around them lacks structure. When approval processes are vague, when no one knows who owns a risk, when policies are written but not operationalized, when escalation lines are uncertain, or when managers believe standards are optional if performance is strong, disorder sets in. It may not look dramatic at first. It may look like improvisation, local flexibility, or entrepreneurial speed. But over time, that disorder becomes fertile ground for misconduct. Hobbes would not have been surprised.

His philosophy begins with the recognition that interests, fears, ambitions, and competing claims drive human beings. In the absence of a framework that organizes conduct, conflict, and opportunism follow. Translate that into corporate life, and the message becomes clear. Sales teams under pressure will rationalize shortcuts. Business sponsors will push third parties through onboarding if they believe control functions are merely advisory. Local managers will create informal workarounds if policies lack clear accountability. A company does not become more ethical by leaving such matters to improvisation. It becomes less governable. That is why compliance needs structure. Structure is what turns values into operations.

The DOJ Looks for Structure, Not Slogans

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) reflects this Hobbesian insight throughout. Prosecutors do not simply ask whether a company talks about ethics. They ask whether the compliance function has authority, stature, autonomy, and resources. They ask who owns specific risks, how decisions are made, whether controls are implemented consistently, whether investigations are escalated properly, and whether disciplinary systems are enforced. Those are all questions about institutional order.

This is important because many organizations still overestimate the power of tone. Tone at the top matters. Culture matters. Legitimacy matters. But none of those can substitute for structure. A CEO can deliver a compelling speech about integrity. However, if the company’s third-party onboarding process is fragmented, if financial approvals can be bypassed informally, or if no one knows when a matter must be escalated to legal or compliance, then the organization has created a system in which disorder is likely.

Hobbes helps compliance professionals make this point without apology. Rules are not a sign of distrust. Controls are not bureaucratic excess. Escalation pathways are not obstacles to business. They are the architecture that prevents pressure and self-interest from overwhelming principle. The COSO Internal Controls Framework makes much the same point in a different vocabulary. The control environment, control activities, information and communication, and monitoring all depend on defined roles, clear expectations, and operational discipline. The Federal Sentencing Guidelines likewise assume that compliance requires standards, oversight, training, auditing, reporting, and consistent response. Hobbes would recognize all of that as institutional design for preventing disorder.

Policies Must Be Operational, Not Aspirational

One of the most common failures in corporate compliance is the belief that policy issuance is itself control. It is not. A policy can express a standard, but unless the company translates that standard into decision rights, workflows, approvals, and accountability, the policy remains aspirational. This is where Hobbes is especially useful. He reminds us that order is created not by declarations, but by mechanisms.

Take a gifts, travel, and entertainment policy. On paper, the policy may clearly prohibit excessive or improperly documented expenses. But the real compliance question is whether the operating system around the policy supports that standard. Who approves the expense? Is there a threshold that triggers additional review? Are government-facing interactions flagged? Is supporting documentation required before reimbursement? Are there analytics to identify unusual patterns? Are exceptions tracked? Can someone ask a friendly manager to sign off without scrutiny? If the answers are weak, the policy is weak, no matter how polished its language.

Internal Controls Are the Language of Order

If one wanted to translate Hobbes into modern corporate practice, one would end up talking about internal controls. Controls are how an organization embeds order into decision-making. They define who can do what, under what conditions, with what approvals, and with what oversight. They reduce discretion where discretion creates unacceptable risk. They separate duties so that no single actor can move money, approve vendors, or override procedures without a second set of eyes. They create documentation so that actions can be reviewed later. They make authority visible.

For compliance professionals, this is a critical point. Compliance is not merely about training people to do the right thing. It is also about designing systems that make the right thing more likely and the wrong thing harder to do. Hobbes would say that the institution failed to create sufficient order to contain foreseeable human behavior.

Escalation Is a Form of Governance

Another Hobbesian lesson for compliance is the importance of escalation. In poorly governed companies, people often know something is wrong but do not know where the issue should go, who owns the decision, or what threshold requires higher review. That uncertainty is one of the most dangerous forms of disorder because it allows time, politics, and convenience to shape the response. A mature compliance program should therefore have clear escalation pathways.

When does a third-party red flag require a compliance sign-off? When must legal be brought into an internal investigation? At what point does a matter involving senior leadership move to the audit committee or board? Who can approve an exception to policy, and what documentation must support it? Who decides whether a substantiated misconduct issue triggers broader control remediation? These are not administrative details. They are the channels through which institutional order is maintained.

The ECCP pays close attention to this issue because escalation is one of the clearest indicators of whether compliance has real authority. If important matters can be contained, softened, or rerouted informally by management, then the program is fragile. Hobbes would have recognized the danger immediately. Where the lines of authority are unclear, competing interests will rush in.

Enforcement Gives Standards Their Weight

No discussion of order would be complete without enforcement. Hobbes understood that rules without consequences are invitations to defection. The same is true in corporate compliance. A company may have excellent policies, robust training, and well-designed procedures, but if employees believe violations will be ignored, minimized, or treated selectively, the system loses force. This is where consistent discipline matters so much. John Locke helped us see discipline as a question of legitimacy and fairness. Hobbes adds a different point. Discipline is also what gives the rule structure its operational credibility. It signals that standards are real, that no one is exempt, and that the organization is willing to defend the order it has established.

This does not mean punitive excess. It means predictability and seriousness. A company should be able to explain how disciplinary outcomes are determined, how similar cases are handled, and how managers are held accountable not only for their own conduct but for the environments they create. High performers cannot be given private exemptions. Senior executives cannot be allowed to negotiate around standards. Informal workarounds cannot become tolerated customs. Hobbes would have called that a dangerous condition.

The Compliance Officer as Architect of Order

If Bacon casts the compliance officer as an institutional scientist, Descartes as a guardian of clear thinking, and Locke as a steward of legitimacy, Hobbes casts the compliance officer as an architect of order. The compliance officer helps turn principle into process. The compliance officer asks where authority sits, where decisions are made, where controls can be bypassed, where exceptions accumulate, where roles are unclear, and where escalation can fail. That work is not separate from ethics. It is one of the main ways ethics becomes operational inside a large organization.

This is especially important during periods of growth, restructuring, acquisitions, digital transformation, or market stress. Disorder often enters through change. New business lines are launched before roles are clarified. AI tools are deployed before governance is assigned. Third parties are engaged before diligence and monitoring are fully operational. Incentives are revised without understanding how they affect conduct. Hobbes reminds us that institutional order is not self-sustaining. It must be built, maintained, and defended.

Thomas Hobbes may seem like an austere companion for the modern compliance professional, but his lesson is both practical and urgent. Institutions do not drift into integrity. They require order.

Five Lessons from Thomas Hobbes for the Modern Compliance Professional

First, culture and values are essential, but they cannot substitute for structure. A company needs clear rules, defined roles, and operating discipline.

Second, policies are not controls unless they are translated into workflows, approvals, documentation, and accountability.

Third, internal controls are the mechanisms by which institutional order is embedded in business operations. They make the right behavior more likely and the wrong behavior harder to execute.

Fourth, escalation pathways are critical. Employees and managers must know when and how risk moves upward for review and decision.

Fifth, enforcement gives standards their weight. Rules without consistent consequences will eventually be overtaken by convenience and local incentives.

Coming Next: Isaac Newton and the Hidden Forces Behind Misconduct

If Thomas Hobbes teaches us why every compliance program needs order, Isaac Newton will help us understand something even deeper: misconduct is rarely random. It is produced by forces, incentives, pressures, and patterns that can be studied and addressed. In Part 5, I will explore how Newton’s systems-based way of thinking offers a powerful framework for root cause analysis, incentive review, compliance analytics, and proactive prevention. A mature compliance program does not simply respond to failure. It learns to understand the forces that make failure more likely.

Categories
Blog

John Locke and the Legitimacy of Compliance Governance

We continue our exploration of Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields such as science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this post, we consider René Descartes and what he teaches as the next step beyond Bacon: evidence must be examined rigorously.

If Francis Bacon teaches us that compliance must be grounded in evidence, and René Descartes teaches us that evidence must be examined with rigor, John Locke brings us to the next great question: why should anyone trust the system itself? That question sits at the center of every modern compliance program. Employees are asked to report concerns, managers are expected to model ethical behavior, boards are charged with oversight, and companies routinely tell regulators that their compliance program is real, effective, and embedded in the business. But none of that works if the people inside the organization do not believe the system is fair, credible, and worthy of trust. That is why John Locke matters so much to the modern compliance professional.

Locke is often remembered as a philosopher of liberty, consent, rights, and accountable government. He argued that authority is legitimate only when it is exercised responsibly and for the benefit of those subject to it. Power, in Locke’s world, is not self-justifying. It must be bounded, accountable, and tied to obligations. That idea is highly relevant to corporate compliance. A compliance program is not legitimate simply because senior management approved it, or because the board receives quarterly updates, or because policies have been published on an intranet site. It is legitimate when employees experience it as fair, when reports are taken seriously, when retaliation is not tolerated, when discipline is consistent, and when leadership is seen to be accountable to the same standards as everyone else. That is not abstract philosophy. That is compliance governance.

Why Locke Matters to Compliance

Locke’s central insight is that authority derives its legitimacy from responsible exercise and reciprocal obligation. In a political context, that meant government existed to protect rights and serve the governed, not simply to command obedience. In the corporate context, the analogy is not exact, but the lesson is powerful. Employees will not trust a compliance program merely because it exists. They will trust it only if they believe it operates fairly, protects those who raise concerns, applies standards consistently, and treats power as accountable.

This is where Locke helps compliance professionals understand something many organizations still miss. Trust in a compliance system is not automatic. It has to be earned. An employee deciding whether to call a hotline is making a deeply practical judgment. Will anyone listen? Will the matter be reviewed fairly? Will the reporter be protected from retaliation? Will the senior executive who generated the concern be treated differently from everyone else? If the employee believes the answer to those questions is no, the reporting system has already failed, no matter how polished the company’s policy language may be.

The DOJ’s Compliance Expectations Are About Legitimacy

The Department of Justice does not use the language of social contract theory, but its Evaluation of Corporate Compliance Programs (ECCP) is filled with Locke’s concerns. The ECCP asks whether the program is well-designed, applied in good faith, and works in practice. It asks about tone at the top and tone in the middle. It asks whether reporting mechanisms are trusted, whether investigations are handled properly, whether discipline is applied consistently, and whether there is protection against retaliation. Those are all questions of legitimacy. A compliance program that employees do not trust cannot work in practice.

This point is critical because too many organizations still frame culture as something soft and secondary, a matter of messaging rather than system design. Locke would reject that categorically. In his framework, legitimacy is not a decoration added to authority. It is what makes authority durable and acceptable. In a company, that means culture and governance cannot be separated. Speak-up systems, fair treatment, board attention, transparent escalation, and consistent discipline are not peripheral to compliance. They are core structural elements of it.

Speak-Up Culture Is a Test of Governance

Few areas of compliance reveal Locke’s relevance more clearly than a speak-up culture. Every company says it wants employees to raise concerns. Every company says it prohibits retaliation. But the real issue is whether employees believe those statements are true in lived experience. That belief is shaped more by organizational behavior than by slogans.

If employees see complaints buried, if they watch high performers protected despite repeated concerns, if they hear that reporting a problem is career-limiting, or if they conclude that management is more interested in identifying the reporter than addressing the underlying issue, the company has lost legitimacy. In Lockean terms, authority has ceased to be trustworthy because it is no longer being exercised for the benefit of those subject to it.

This is why non-retaliation is so important. It is not simply an employment-law consideration or a human-resources aspiration. It is a governance imperative. Retaliation tells employees that the system serves power rather than principle. Once that lesson is absorbed, reporting declines, silent resignation grows, and risk moves underground. A company may still claim to have a hotline, but it no longer has a functioning speak-up culture.

Fairness Is Not Soft. It Is a Control.

Locke also helps us understand the role of fairness in a compliance program. In many organizations, fairness is discussed as a value. It should be discussed as a control. Why? Because fairness shapes behavior. When employees believe standards will be applied consistently, they are more likely to follow them, more likely to report deviations, and more likely to trust the company’s response when issues arise. When employees believe discipline is arbitrary, selective, or influenced by rank and revenue generation, the opposite occurs. Cynicism spreads quickly. Policies become performative. Reporting drops. Informal norms replace formal standards.

That is why the ECCP pays so much attention to disciplinary consistency. Regulators understand that a compliance program loses credibility when senior leaders are treated differently from line employees. Locke would have recognized the point immediately. In any system of authority, legitimacy is undermined when rules are used to bind the weak but not the powerful.

Board Oversight and Accountable Authority

Locke’s philosophy is equally useful when thinking about board oversight. He believed that those entrusted with authority must remain accountable for how they exercise it. That is a principle every board member should understand in the context of compliance.

Board oversight is not merely about receiving information. It is about ensuring that authority inside the company is properly bounded, monitored, and answerable. The board does not run day-to-day compliance, but it is responsible for ensuring that management has created a system worthy of trust. That means asking whether reporting channels work, whether investigations are independent, whether non-retaliation protections are real, whether major risks are escalated, and whether compliance has stature and access.

This is particularly important because boards sometimes fall into the trap of treating compliance as a downstream operational matter. Locke would have viewed that as a category mistake. Governance is not something separate from legitimacy. Governance is how legitimacy is maintained.

For the modern board, that means compliance oversight must be substantive. Directors should ask not only for dashboards, but for explanations. How does management know employees trust reporting channels? What evidence supports claims of a strong culture? How is middle management assessed? What happens when senior leaders are implicated? What trends in reporting, substantiation, retaliation, and discipline should concern the board? Those questions move oversight from ceremonial to real.

In that sense, Locke also speaks directly to Caremark-era expectations. Directors have obligations not simply to exist, but to oversee. A board that does not ensure the company has credible systems of information and response is not exercising accountable authority. It is abdicating it.

Culture and the Middle Management Problem

No discussion of compliance legitimacy would be complete without examining middle management. The DOJ, in both the ECCP and the FCPA Resource Guide, 2nd edition, has long emphasized that “tone at the top” is not enough. Tone in the middle matters enormously, because employees experience the company most directly through their immediate supervisors.

This is another place where Locke offers real insight. In any system of authority, legitimacy rises or falls through those who exercise power closest to the governed. If middle managers pressure employees to ignore controls, discourage escalation, roll their eyes at compliance training, or quietly punish bad news, the company’s formal commitments will collapse in practice.

This is why companies must treat middle management behavior as a governance issue. Are managers trained not just on rules, but on their duty to support reporting and ethical decision-making? Are they evaluated on how they build culture? Do promotion and bonus structures reinforce ethical leadership, or only financial performance? Are there consequences when managers create pressure that undermines compliance expectations?

These are not marginal considerations. They are central to whether the compliance program is experienced as legitimate in daily operations. Locke reminds us that people judge institutions less by official declarations than by how authority is exercised.

The Compliance Officer as Steward of Institutional Legitimacy

Locke casts the compliance officer as a steward of institutional legitimacy. That is an important and underappreciated role. The compliance officer helps the company earn trust, not through public relations, but through structure, fairness, and accountability. The compliance officer helps ensure that when people speak up, they are heard; when misconduct occurs, it is handled consistently; when leaders exercise authority, they do so under standards that bind them as well. In this sense, compliance is not just about preventing legal violations. It is about making the institution worthy of confidence.

That is why legitimacy matters so much. A company with high trust in its compliance system detects issues earlier, responds more effectively, learns more quickly, and sustains a stronger ethical culture over time. A company without that trust becomes opaque to itself. Risk goes silent. Problems surface late. Governance becomes reactive. The institution loses one of its most important defenses: its own people’s willingness to tell it the truth.

Five Lessons Learned for the Modern Compliance Professional

First, a compliance program must be legitimate to be effective. Employees must believe the system is fair, credible, and trustworthy.

Second, speak-up culture is a governance test. Reporting mechanisms only work when employees believe concerns will be taken seriously and retaliation will not follow.

Third, fairness is a control. Consistent discipline, equal treatment across levels of seniority, and transparent standards strengthen compliance credibility.

Fourth, boards must exercise accountable oversight. They should test management’s claims about culture, reporting, and non-retaliation with real evidence.

Fifth, middle management is where legitimacy lives or dies. A company must align manager incentives, expectations, and accountability with its compliance values.

Coming Next: Thomas Hobbes and Why Every Compliance Program Needs Order

If John Locke teaches us that compliance governance must be legitimate, Thomas Hobbes will remind us that legitimacy alone is not enough. A company also needs structure, clear rules, assigned authority, escalation pathways, and credible enforcement. In Part 4, I will explore how Hobbes helps explain the roles of policies, procedures, internal controls, and operational discipline in a best-practices compliance program. Trust matters, but so does order.

Categories
Blog

René Descartes and the Discipline of Internal Investigation

This week, we are moving to Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields such as science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this post, we consider René Descartes and what he teaches as the next step beyond Bacon: that evidence must be rigorously examined.

If Francis Bacon taught us that a compliance program must be grounded in evidence, René Descartes teaches the next step: evidence must be examined with rigor. That is why Descartes is the natural second installment in this series on what Enlightenment thinkers can teach us about modern corporate compliance. Bacon gave us empiricism. Descartes gives us a method. Bacon tells us to look. Descartes tells us how to think about what we find.

For the compliance professional, that is no small matter. Modern compliance programs do not fail only because they lack information. They often fail because organizations do not ask the right questions, challenge convenient assumptions, or investigate troubling facts with sufficient discipline. A hotline report comes in, and management prematurely dismisses it. A financial anomaly is explained away because the business result looks attractive. A third-party red flag is rationalized because the market opportunity seems too important to slow down. In each case, the problem is not simply a lack of data. The problem is a lack of disciplined inquiry.

That is where Descartes has something important to say to the modern Chief Compliance Officer.

Why Descartes Matters to Compliance

René Descartes is best known for methodical doubt. He believed that if one wanted to arrive at reliable knowledge, one had to strip away weak assumptions and test what could be known. He did not advocate doubt for its own sake. He advocated doubt as a disciplined tool, a way to avoid error and reach sound conclusions. His method required breaking problems into parts, analyzing them carefully, proceeding in an orderly manner, and ensuring nothing important was overlooked. That is remarkably close to what an effective compliance investigation function should do.

The compliance professional cannot assume an allegation is false because it is inconvenient. Nor can one assume it is true because it is emotionally compelling. The task is to examine. What happened? Who knew what, and when? What documents exist? What controls should have operated? Where are the inconsistencies? What explanation fits the evidence, and what explanation merely sounds comforting? Descartes would have recognized this immediately. A sound conclusion requires method, not instinct.

In a corporate environment, that is especially important because organizations are full of narratives. Managers tell stories about performance. Employees tell stories about why something was necessary. Third parties tell stories about local customs or business necessities. The compliance function should listen, but it cannot stop there. It must test those stories against facts.

The DOJ Expects More Than a Quick Answer

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) does not use philosophical language, but its expectations align closely with Cartesian thinking. The ECCP asks whether investigations are properly scoped, whether the company has adequate resources to conduct them, whether the company preserves and analyzes relevant data, whether reporting structures support independence, and whether lessons learned are used to improve the compliance program. That is not a request for superficial closure. It is a demand for disciplined inquiry.

The ECCP is not interested in whether a company can produce a memo that says the matter has been reviewed. It wants to know whether the review was credible. Did the company ask hard questions? Did it follow the evidence even when the evidence was uncomfortable? Did it look at underlying causes or accept a narrow explanation that minimized institutional responsibility? These are Descartes’ questions as much as the DOJ’s.

Method Beats Reaction

One of the most important lessons Descartes offers is that method matters more than reaction. Too many organizations still respond to reports of misconduct in an ad hoc fashion. The identity of the reporter, the subject’s seniority, or the business sensitivity of the issue can distort the process from the outset. Some matters are overreacted to because they are visible. Others are under-investigated because they are politically awkward. That is not a system. That is improvisation. A mature compliance program requires a clear, repeatable investigative method.

That begins with triage. Allegations should be assessed based on risk, scope, subject matter, and potential impact. Matters involving senior leadership, financial controls, corruption risk, retaliation, or systemic process failures may require immediate escalation and greater independence. Low-risk issues may still require attention, but not every matter needs the same level of response. Cartesian thinking does not mean treating every problem identically. It means applying a coherent method to determine what level of inquiry is warranted.

From there, the matter should be broken down into manageable components. What is the allegation? What business process is implicated? What documents are likely relevant? Who are the key custodians? What data sources exist? What is the working timeline? What controls should have operated? What policy provisions may have been implicated? This is classic Descartes: divide complex problems into smaller parts so they can be understood.

Disciplined Skepticism Is a Compliance Strength

Compliance professionals sometimes worry that skepticism will be perceived as mistrust. But disciplined skepticism is not cynicism. It is not hostility. It is professional rigor. It is the recognition that people often explain events in self-protective ways, that organizations prefer neat stories to messy truths, and that important facts are often buried inside routine processes. Descartes would have understood that skepticism is a necessary safeguard against error.

Consider a common internal reporting scenario. A manager says that a questionable payment was simply an administrative oversight. Perhaps that is true. But a compliance professional guided by Descartes would ask several follow-up questions. Was it really isolated? Have similar payments occurred before? Were approval thresholds bypassed? Was the vendor properly vetted? Were invoice descriptions vague or coded? Did someone raise concerns earlier? Was the explanation consistent across all available records? None of those questions accuse. They clarify.

Documentation Turns Inquiry Into Credibility

Another Cartesian lesson for compliance is the importance of orderly reasoning. An investigation cannot simply be sound in substance. It must also be documented in a way that shows how the conclusion was reached. This is essential for institutional memory, for regulatory defensibility, and for credibility with boards and senior management.

A well-documented investigation answers basic but vital questions. What was alleged? Who handled the matter? What evidence was reviewed? Which witnesses were interviewed? What facts were established? What policy or control failures were identified? What conclusion was reached, and why? What remediation followed? This kind of documentation is not bureaucratic excess. It is proof of intellectual discipline.

Without it, the company cannot show that it acted reasonably. It cannot identify patterns across matters. It cannot demonstrate consistency. It cannot revisit earlier decisions when new facts emerge. Most importantly, it cannot turn an individual case into organizational learning. Descartes’ method was about structured thinking. In corporate compliance, documentation is how structured thinking becomes durable.

Independence Matters When the Facts Get Uncomfortable

No discussion of investigations would be complete without addressing independence. The most elegant methodology in the world will not help if investigators are pressured to protect favored executives, minimize business disruption, or avoid awkward findings. Cartesian rigor requires a willingness to follow the facts wherever they lead. That, in turn, requires real autonomy.

The ECCP addresses this directly through its focus on stature, authority, resources, and access. Can the compliance function investigate senior personnel? Can it escalate concerns to the board or audit committee when necessary? Is it empowered to challenge management narratives? These are not secondary governance questions. They are central to whether the investigation process can produce reliable conclusions.

There is a reason so many compliance failures involve not merely misconduct, but management interference with the review of misconduct. When power shapes the investigation, facts become negotiable. Descartes would have seen that as a fundamental corruption of method.

Investigations Must Lead to Remediation

A Cartesian compliance program does not end with a finding. It asks what the finding means for the system. That is why investigations must connect to remediation and root cause analysis. If an allegation is substantiated, the question is not simply who violated what rule. The question is what enabled the failure.

Was the training insufficient? Were incentives pushing employees toward bad decisions? Was a manager creating pressure that undermined ethical judgment? Did the approval process invite shortcuts? Was the policy too vague to guide real-world conduct? These questions push the company from conclusion to improvement.

This is where Descartes connects back to Bacon. Bacon teaches that we need evidence. Descartes teaches that we must reason carefully from the evidence. Together, they create a powerful model for compliance effectiveness. The company observes, investigates, documents, learns, and improves.

The Compliance Officer as a Guardian of Clear Thinking

If Bacon cast the compliance officer as an institutional scientist, Descartes casts the compliance officer as a guardian of clear thinking. In a corporation full of pressure, narrative, hierarchy, and urgency, that role is vital. Someone must insist that facts be tested, that assumptions be challenged, that conclusions be explained, and that the process remain disciplined when the easier path is to settle for a quick answer.

That is not merely an investigative skill. It is a governance function. It protects employee fairness, the board’s credibility, and the company’s defensibility. It also builds trust over time, because people learn that reports are taken seriously, that outcomes are reasoned rather than political, and that the system values truth over convenience.

René Descartes may seem an unlikely guide for corporate compliance. Yet his method of doubt, order, and careful reasoning belongs squarely within the modern best-practices compliance program. In an era where companies are judged not simply on whether they responded, but on how they responded, Descartes offers an enduring lesson: clear thinking is a control.

Five Lessons Learned for the Modern Compliance Professional

First, allegations should trigger a method, not a reaction. A repeatable investigative framework reduces bias and improves consistency.

Second, disciplined skepticism is a professional obligation. Compliance must test explanations against facts rather than accept convenient narratives.

Third, complex matters should be broken into parts. Scoping, evidence review, interviews, control mapping, and timeline construction all improve rigor.

Fourth, documentation is essential. It is how the company proves that its inquiry was credible and how it preserves institutional learning.

Fifth, an investigation is not complete until it informs remediation. Findings should lead to enhancements in control, policy changes, training updates, or broader governance improvements.

Coming Next: John Locke and the Legitimacy of Compliance Governance

If Francis Bacon teaches us to gather evidence and René Descartes teaches us to examine it rigorously, John Locke asks an equally important question: why should anyone trust the system in the first place? In Part 3, I will explore how Locke’s ideas about legitimacy, rights, and accountable authority provide a powerful framework for speak-up culture, non-retaliation, fairness, and board oversight. In the world of compliance, authority alone is never enough. It must also be credible.

Categories
Blog

The 30-Day Shadow-AI Amnesty: Turning Hidden Risk into Governance

There is a hard truth that every Chief Compliance Officer and compliance professional needs to confront right now: artificial intelligence is already inside your organization, whether it arrived through formal approval channels or not.

Employees are testing tools independently. Business teams are adopting AI-enabled workflows without waiting for a governance committee to approve them. Vendors are embedding AI into products and services faster than many companies can update their policies. Somewhere inside that mix, decisions are being influenced by systems that may not be documented, reviewed, or governed in any meaningful way. That is the world of Shadow-AI.

It is not necessarily malicious. In many cases, it is simply the predictable result of innovation outpacing governance. But from a compliance perspective, that does not make it any less risky. Under the Department of Justice’s Evaluation of Corporate Compliance Programs, the question is not whether management intended to allow uncontrolled use of AI. The question is whether the company can identify emerging risks, implement controls that address them, encourage internal reporting, and demonstrate that the program works in practice.

That is why the 30-day Shadow-AI Amnesty matters. Properly designed, it is not an admission of failure. It is proof of governance. It is a practical mechanism for surfacing hidden risk, reinforcing a speak-up culture, and creating the operational baseline needed to govern AI over the long term.

You Cannot Govern What You Cannot See

The first challenge with Shadow-AI is visibility. Too many organizations still assume that AI risk begins with approved enterprise systems. That assumption is already outdated. The real risk universe is broader. It includes employees using public generative AI tools for drafts or analysis. It includes business units creating internal automations that affect workflows. It includes third-party applications with embedded AI functionality that have not been separately assessed. It includes pilots that started small and quietly became part of day-to-day decision-making.

This is exactly the sort of problem the ECCP is built to address. The DOJ asks whether a company’s risk assessment is dynamic and updated in light of lessons learned and changing business realities. Shadow-AI embodies the changing business reality. If your risk assessment fails to account for hidden AI use, your compliance program is lagging behind the business.

A 30-day amnesty closes that gap by creating a controlled mechanism to identify what is already happening. It allows the company to convert unknown risk into known risk and known risk into governable risk. In other words, it turns hidden risk into a governance advantage.

Why Amnesty Works Better Than Enforcement at the Start

One of the smartest features of a Shadow-AI Amnesty is that it begins with disclosure rather than punishment. If you want employees to report unapproved AI use, you need to give them a credible reason to come forward. If the first signal from compliance is that disclosure will trigger blame, discipline, or reputational harm, employees will remain silent. The result will be exactly the opposite of what the compliance function needs. This is where the amnesty becomes a culture-and-speak-up control.

The ECCP places significant emphasis on culture, internal reporting, and non-retaliation. Prosecutors are instructed to evaluate whether employees feel comfortable raising concerns and whether the company responds appropriately when they do. A well-structured amnesty aligns directly with those expectations because it tells employees that transparency is valued, that reporting is encouraged, and that remediation matters more than finger-pointing.

That does not mean there are no consequences for reckless or prohibited conduct. It means the organization recognizes that the first step toward control is visibility. The safe-harbor period exists to gather information, assess risk, and bring informal AI activity into a formal governance structure. That is not a weakness. That is smart compliance design.

Designing the Amnesty for Participation

The success of a Shadow-AI Amnesty depends heavily on its design. If the process is burdensome, legalistic, or overly technical, participation will be limited. The design principle should be simple: lower the barrier to disclosure while collecting enough information to support triage.

A short intake process is essential. Employees should be able to disclose a tool, workflow, or use case quickly. The company needs basic information: what the tool is, who owns it, where it is used, what data it touches, what decisions it may influence, and whether any controls already exist. This is not the stage for a full investigation. It is the stage for building inventory and context.

That approach is fully consistent with good governance practice. The NIST AI Risk Management Framework emphasizes understanding context, mapping use cases, and establishing governance for the actual use of AI. ISO/IEC 42001 similarly reflects the principle that effective AI management begins with a defined scope, documented processes, and clear responsibility. You cannot apply either framework if you do not know what systems or uses exist in the first place. The amnesty, then, is not a side exercise. It is the front door to a credible AI governance program.

Triage Is Where Governance Becomes Real

Once disclosures start coming in, the company must shift from intake to triage. This is where design and control become critical. Not every disclosed use of AI presents the same level of risk. Some uses may be low-risk productivity aids. Others may influence hiring, investigations, financial reporting, customer-facing communications, or core operational decisions. The compliance function needs a disciplined way to distinguish between them.

A risk-based triage model should ask a few straightforward questions. Does the AI influence a decision that affects employees, customers, or regulated outcomes? Does it involve sensitive or confidential data? Is there human review, or is the output used automatically? Is the use visible externally? Is it part of a business-critical workflow? What controls exist today?

These are compliance questions. They are also ECCP questions because they go directly to risk assessment, resource allocation, and whether controls are tailored to the realities of the business. This is also where culture and control begin to work together. A company that invites disclosure but fails to triage intelligently will lose credibility. Employees need to see that reporting leads to measured, thoughtful governance, not chaos. The point is not to shut everything down. The point is to classify, prioritize, and respond appropriately.

Culture as a Control

One of the most important themes in the modern compliance conversation is that culture is not soft. Culture is a control. That is especially true with Shadow-AI. In many organizations, the first people to know that a workflow has drifted outside approved channels are the employees using it every day. The first people to spot unreviewed prompts, risky data inputs, or overreliance on AI-generated outputs are often not senior executives or formal governance committees. They are line employees, managers, analysts, and business operators.

If those people do not believe they can report what they see without retaliation or embarrassment, then the organization loses one of its most effective early warning systems. A Shadow-AI Amnesty sends a powerful signal. It says the company would rather know than remain in the dark. It says that governance begins with honesty. It says that disclosure is part of doing the right thing.

Under the ECCP, that matters. A culture that encourages internal reporting and constructive remediation is a hallmark of an effective compliance program. In the AI context, it may be one of the few ways to surface emerging risks before they become control failures, regulatory issues, or public problems.

From Amnesty to Operating Model

The amnesty itself is only the beginning. Its true value lies in what follows. Once the company has a baseline inventory of disclosed AI uses, it should not let that information sit in a spreadsheet and die. The next step is to convert the amnesty into a long-term governance operating model.

That means maintaining a living registry of AI use cases. It means embedding disclosure and review into normal business processes. It means defining approval pathways for higher-risk uses. It means establishing ongoing monitoring to detect performance changes, data drift, and control effectiveness. It means updating policies, training, and communications based on what the company has actually learned from the amnesty.

This is where the governance frameworks become especially useful. NIST AI RMF helps organizations move from mapping and understanding AI uses to governing, measuring, and managing them. ISO/IEC 42001 provides the management-system discipline needed to assign responsibility, document controls, review performance, and drive continual improvement.

In other words, the amnesty is not the solution by itself. It is the catalyst that allows a real operating model to emerge.

Proof of Governance Under the ECCP

Why does this matter so much from an enforcement perspective? Because the amnesty produces evidence. If regulators ask how the company identified AI uses, there is a process. If they ask how risks were assessed, there is a methodology for it. If they ask what was done with high-risk cases, there are records of triage and remediation. If they ask what role culture played, there is a concrete speak-up initiative tied to internal reporting and governance design.

This is exactly what the ECCP is looking for. Not slogans. Not a glossy AI principles deck. Evidence that the company identified a risk, created a mechanism to surface it, encouraged reporting, evaluated what it found, and built controls that match the risk. That is why the 30-day Shadow-AI Amnesty is so important. It transforms governance from assertion into proof.

The Practical Bottom Line

The compliance function does not need to wait for a perfect enterprise AI strategy before acting. In fact, waiting may be the biggest mistake. Shadow-AI is already there. The question is whether your organization is prepared to see it, hear about it, and govern it.

A 30-day amnesty is one of the most practical tools available because it combines two things strong compliance programs need: better visibility and a stronger culture. It surfaces risk while reinforcing speak-up. It creates documentation while improving control design. It gives the company a starting point for long-term governance without pretending the problem can be solved in one month.

In the end, that is what good compliance has always done. It does not deny business reality. It creates the structure that allows the business to move forward with integrity, accountability, and confidence.

Categories
Blog

Trust Is Not a Control: The Drop-In AI Audit

There is a hard truth at the center of modern AI governance that every compliance professional needs to confront: trust is not a control. For too long, organizations have approached AI oversight with a familiar but outdated mindset. They collect a vendor certification. They review a policy statement. They ask whether a third party is “aligned” with a recognized framework. Then they move on, assuming the governance box has been checked. In today’s enforcement and risk environment, that approach is no longer good enough.

The Department of Justice has repeatedly made this point in its Evaluation of Corporate Compliance Programs. The DOJ does not ask whether a company has a policy on paper. It asks whether the program is well designed, whether it is applied earnestly and in good faith, and, most importantly, whether it works in practice. That final phrase matters. Works in practice. It is the dividing line between performative governance and effective governance.

That is why every compliance program now needs a drop-in AI audit. It is not simply another diligence exercise. It is a mechanism for proving that governance is real. It is a practical third-party risk tool. And it is one of the clearest ways to operationalize the ECCP in the age of artificial intelligence.

The Problem: Third-Party AI Risk Is Moving Faster Than Oversight

Most companies do not build every AI capability internally. They rely on vendors, service providers, cloud platforms, embedded applications, analytics partners, and other third parties whose tools increasingly shape business processes and compliance outcomes. In many organizations, these third parties now influence investigations, due diligence, monitoring, onboarding, reporting, customer interactions, and internal decision-making. That creates a new class of third-party risk.

The problem is not only whether a vendor has responsible AI language in its contract or whether it can point to a certification. The problem is whether your organization can verify that the relevant controls are functioning as represented in the real-world use case affecting your business. That is where too many compliance programs still fall short.

Under the ECCP, the DOJ asks whether a company’s risk assessment is updated and informed by lessons learned. It asks whether the company has a process for managing risks presented by third parties. It asks whether controls have been tested, whether data is available to compliance personnel, and whether the company can demonstrate continuous improvement. These are not abstract questions. They go directly to how you oversee AI-enabled third parties. If your third-party AI governance begins and ends with a questionnaire and a PDF certification, you do not have evidence of governance. You have evidence of intake.

What a Drop-In Audit Really Does

A drop-in AI audit changes the question from “What does the third party say?” to “What can the third party prove?” That is a profound shift.

The value of the drop-in audit is that it brings compliance discipline directly into third-party AI oversight. Instead of accepting broad claims about safety, control, and alignment, you examine operational evidence. Instead of relying solely on design statements, you test for performance in practice. Instead of treating governance as a one-time approval event, treat it as a repeatable audit process. In that sense, the drop-in audit becomes proof of governance.

It also becomes a far more mature third-party risk tool. You are no longer merely assessing whether a vendor appears sophisticated. You are assessing whether a third party can withstand scrutiny on the questions that matter most: scope, controls, traceability, escalation, and evidence.

And from an ECCP perspective, that is precisely the point. The DOJ has emphasized that compliance programs must move beyond paper design into operational reality. A drop-in audit is one of the few mechanisms that let you do that in a disciplined, documentable way.

From Vendor Oversight to Third-Party Governance

This discipline should not be limited only to classic vendors. The better view is to expand the concept across all third parties that provide, influence, host, or materially shape AI-enabled services. That includes software providers, outsourced service partners, embedded AI functionality in enterprise tools, cloud-based analytics environments, compliance technology vendors, and any external party whose systems affect business-critical decisions or regulated processes.

Risk does not care about the label on the contract. If the third party’s AI affects your organization’s screening, monitoring, investigations, decision support, or disclosures, the compliance risk is real. Your governance process must be equally real. This is why “trust but verify” is no longer just a slogan. It is a design principle for third-party oversight of AI.

The Core Elements of the Drop-In Audit

A strong drop-in audit has three features: sampling, contradiction testing, and escalation.

1. Sampling: Evidence of Operation, Not Merely Design

Sampling is where governance becomes tangible. A company requests specific artifacts tied to actual use cases and actual control operations. This may include scope documents, Statements of Applicability, system documentation, training data summaries, access controls, incident records, runtime logs, or evidence of human review. The point is simple: operational evidence is what matters.

This is where a compliance function moves from hearing about controls to seeing them in action. It is also where internal audit can add real value by testing whether the evidence supports the stated control environment.

2. Contradiction Testing: Where Real Risk Emerges

This is one of the most important and underused concepts in third-party AI oversight. Inconsistencies between claims and reality are where governance failures emerge. If a third party says its certification covers a given service, does the scope document confirm it? If it claims strong incident response, does the record back it up? If it represents strong human oversight, do the runtime traces show meaningful intervention or only theoretical review points?

Contradiction testing is powerful because it goes to credibility. It tests whether the governance narrative matches the operating reality. Under the ECCP, that is exactly the kind of inquiry prosecutors and regulators will care about. It speaks to effectiveness, honesty, and control discipline.

3. Escalation: Governance in Action

Governance without consequences is not governance. A drop-in audit must include clear escalation triggers. Missing evidence, mismatched certification scope, unexplained gaps, unresolved incidents, or inconsistent remediation should not be noted in isolation. They should trigger action.

That action may include enhanced diligence, contractual remediation, independent validation, temporary use restrictions, or deeper audit review. The important point is that the program responds. This is where the drop-in audit becomes operationalizing the ECCP. It demonstrates that the company not only identifies risk but also acts on it.

How the Drop-In Audit Maps to the ECCP

The drop-in audit aligns tightly with the DOJ’s framework for an effective compliance program. Risk assessment is addressed because the audit focuses attention on where AI-enabled third parties create actual operational and control exposure. Policies and procedures are tested because the company does not merely accept them at face value. It assesses whether the stated controls are supported by evidence. Third-party management is strengthened by making oversight continuous, risk-based, and verifiable. Testing and continuous improvement are built into the audit process, which identifies gaps, contradictions, and corrective actions. Investigation and remediation principles are reinforced by documenting, escalating, and using findings to improve the control environment.

Most importantly, the audit answers the ECCP’s central practical question: Does the program work in practice?

How the Drop-In Audit Maps to NIST AI RMF

The NIST AI Risk Management Framework provides a highly useful structure for the drop-in audit, especially through its Govern, Map, Measure, and Manage functions.

  1. Governance is reflected in defined ownership, accountability, and escalation when issues are identified.
  2. A map is reflected in understanding the third party’s actual AI use case, scope, dependencies, and business impact.
  3. The measure is reflected in the use of evidence, runtime observations, contradiction testing, and performance assessment.
  4. Management is reflected in remediation, ongoing oversight, and updates to controls based on audit findings.

In this way, the drop-in audit becomes a practical tool for taking the NIST AI RMF from concept to execution.

How the Drop-In Audit Maps to ISO/IEC 42001

ISO/IEC 42001 adds the management-system discipline that compliance programs need. Its value lies in documented scope, role clarity, control applicability, monitoring, corrective action, and continual improvement. A drop-in audit fits naturally into that structure because it tests whether those elements are visible in operation, not merely stated in documentation.

The Statement of Applicability becomes meaningful when the company verifies that the controls identified there actually correspond to the deployed service. Monitoring becomes meaningful when evidence is examined. Corrective action becomes meaningful when gaps trigger follow-up. Continual improvement becomes meaningful when findings are fed back into governance. That is why the documentation you generate should serve your board, regulators, and internal stakeholders without additional work. Producing evidence that travel is one of the most strategic benefits of this approach.

Why Every Compliance Program Needs This Now

The strategic payoff is straightforward. Strong AI governance is not a drag on innovation. It is what allows innovation to scale with trust. A drop-in audit gives compliance and internal audit a mechanism to test what matters, document their findings, and create evidence that withstands scrutiny. It moves governance from assertion to proof. It transforms third-party diligence into a repeatable, auditable process. It helps ensure that when regulators, boards, or business leaders ask how the company knows its third-party AI governance is working, there is a real answer.

Because, in the end, evidence of governance matters. Not narratives. Not slide decks. Evidence. President Reagan was right in the 1980s, and he is still right today: “Trust but verify.”

Categories
Blog

AI Disclosures, Controls, and D&O Coverage: Closing the Governance Gap Around Artificial Intelligence

A new governance gap is emerging around artificial intelligence, and it is one that Chief Compliance Officers, compliance professionals, and boards need to confront now. It sits at the intersection of three areas that too many companies still treat separately: public disclosures, internal controls, and insurance coverage. That siloed approach is no longer sustainable.

As companies speak more confidently about their AI strategies, insurers are becoming more cautious about the risks those strategies create. That tension matters. It signals that the market is beginning to see something many organizations have not yet fully addressed: when a company’s statements about AI outpace its actual governance, the exposure is not merely operational or reputational. It can become a disclosure issue, a board oversight issue, and ultimately a proof-of-governance issue under the Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP).

For the compliance professional, this is not simply an insurance story. It is a compliance integration story. The question is whether the company can align its statements about AI, the controls it has in place, and the protections it believes it has in place if something goes wrong.

The New Governance Gap

Many organizations are eager to describe AI as a source of innovation, efficiency, better decision-making, or competitive advantage. Those messages increasingly appear in earnings calls, investor decks, public filings, marketing materials, and board presentations. Yet the underlying governance structures often remain immature. That disconnect is the governance gap.

It appears when management speaks broadly about responsible AI but has not built a complete inventory of AI use cases. It appears when companies discuss oversight but cannot show testing, documentation, or monitoring. It appears that boards assume that insurance will respond to AI-related claims without understanding how new policy language may narrow coverage.

This is where D&O coverage becomes so important. It is not the center of the story, but it is a revealing signal. If insurers are revisiting policy language and introducing exclusions or limitations tied to AI-related conduct, it suggests the market sees governance risk. In other words, the insurance market is sending a message: AI-related claims are no longer hypothetical, and companies that cannot demonstrate disciplined oversight may find that risk transfer is less available than they assumed.

Why the ECCP Should Be the Primary Lens

The DOJ’s ECCP remains the most useful framework for analyzing this issue because it asks exactly the right questions.

Has the company conducted a risk assessment that accounts for emerging risks? Are policies and procedures aligned with actual business practice? Are controls working in practice? Is there proper oversight, accountability, and continuous improvement? Can the company demonstrate all of this with evidence? Those are compliance questions, but they are also the right AI governance questions.

If a company makes public statements about AI capability, oversight, or reliability, the ECCP lens requires more than aspiration. It requires substantiation. Can the company show who owns the AI risk? Can it demonstrate how models or systems are tested? Can it show escalation procedures when problems arise? Can it document how AI-related decisions are monitored, reviewed, and improved over time?

If the answer is no, then the issue is not simply that the company may have overpromised. The issue is that its compliance program may not be adequately addressing a material emerging risk. That is why CCOs should view AI as a cross-functional challenge requiring integration across legal, compliance, technology, risk, audit, investor relations, and the board.

AI Disclosure Must Be Evidence-Based

One of the most practical steps a compliance function can take is to push for an evidence-based disclosure process around AI. This means that public statements about AI should not be driven solely by enthusiasm, market pressure, or executive optimism. They should be grounded in underlying documentation. If the company says it uses AI responsibly, where is the governance framework? If it claims AI improves decision-making, what testing supports that assertion? If it says it has safeguards, where are the control descriptions, monitoring results, and escalation records?

This is not about suppressing innovation. It is about ensuring that disclosure discipline keeps pace with technological ambition. For boards, this means asking harder questions before approving or relying on public AI narratives. For compliance officers, it means helping management build the evidentiary record that turns broad statements into defensible representations.

Controls Must Catch Up to Strategy

This is where the “how-to” work begins. Compliance professionals should begin by creating a structured inventory of AI use cases across the enterprise. That inventory should identify where AI is being used, what decisions it informs, what data it relies on, who owns it, and what risks it entails.

Once that inventory exists, risk tiering should follow. Not every AI use case carries the same compliance significance. A low-risk productivity tool does not need the same oversight as a system that affects investigations, third-party due diligence, customer interactions, financial reporting, or core operational decisions.

From there, the company can design controls proportionate to risk. High-impact uses of AI should have documented governance, human review where appropriate, testing protocols, escalation triggers, and monitoring requirements. The compliance team should be able to answer a simple question: where are the controls, and how do we know they work? That is the heart of the ECCP inquiry.

Where NIST AI RMF and ISO/IEC 42001 Fit

This is also where the NIST AI Risk Management Framework and ISO/IEC 42001 become highly practical tools. NIST AI RMF helps organizations govern, map, measure, and manage AI risks. For compliance professionals, this provides a disciplined structure for identifying AI use cases, understanding impacts, assessing reliability, and managing response. It is especially useful in linking abstract AI risk to operational decision-making.

ISO/IEC 42001 brings management system discipline to AI governance. It focuses on defined roles, documented processes, control implementation, monitoring, internal review, and continual improvement. That makes it an excellent bridge between policy and execution. Together, these frameworks help operationalize the ECCP. The ECCP tells you what an effective compliance program should be able to demonstrate. NIST AI RMF helps structure the risk analysis. ISO 42001 helps embed those requirements into a repeatable governance process.

For CCOs, the practical lesson is clear: use these frameworks not as academic overlays, but as working tools to build ownership, documentation, testing, and accountability.

Insurance Is a Governance Input

Companies also need to stop treating insurance as an afterthought. D&O coverage should be considered a governance input, not merely a downstream purchase. If policy language is narrowing around AI-related claims, boards and compliance leaders need to understand what that means. What scenarios might raise disclosure-related allegations? Where is ambiguity in coverage? What assumptions has management made about protection that may no longer hold?

Compliance does not need to become an insurance specialist. But it does need to ensure that disclosure, governance, and risk transfer are aligned. If the company is making strong public claims about AI while carrying unexamined governance weaknesses and uncertain coverage, that is precisely the kind of mismatch that can trigger a crisis.

Closing the Gap Before It Becomes a Failure

The larger lesson is straightforward. AI governance is not simply about technology controls. It is about integration. It is about ensuring that what the company says, what it does, and what it can prove all line up. That is why the governance gap matters so much. It is the space where strategy outruns structure, where disclosure outruns evidence, and where confidence outruns control. For boards and compliance professionals, the task is to close that gap before it becomes a failure.

The companies that do this well will not necessarily be the ones moving the fastest. They will be the ones building documented, tested, monitored, and governed AI programs that stand up to regulatory scrutiny, investor pressure, and real-world disruption. That is not bureaucracy. That is the price of sustainable innovation.

Categories
Blog

AI as a Force Multiplier for Compliance: From Efficiency Tool to Program Effectiveness

There is a temptation in every wave of new technology to focus first on speed. How much faster can we do the work? How many hours can we save? How many tasks can we automate? Yet for the compliance professional, those are not the right first questions. The right first question is always: does this make our compliance program more effective?

That is why the recent Moody’s discussion of GenAI is so interesting when viewed through a compliance lens. The article describes AI not simply as a productivity engine, but as a tool that changes how professionals interact with information, generate insights, and support decision-making. It emphasizes workflow transformation, role-based support, auditability, data quality, and the need for governance and human oversight . For compliance officers, that is the real story. AI can indeed make work faster. But its true promise is that it can make compliance more targeted, more consistent, more responsive, and more operationally embedded.

The Department of Justice has been telling us for years, through the Evaluation of Corporate Compliance Programs (ECCP), that effectiveness is the standard. The questions are not whether a company has a policy on the shelf or a training module in the system. The questions are whether the company has access to data, whether it uses that data, whether controls are tested, whether issues are triaged appropriately, whether lessons learned are fed back into the program, and whether the program evolves as risks change. AI, properly governed, can help answer yes to each of those questions.

AI and the Compliance Program of the Future

The Moody’s paper notes that GenAI is moving from passive, knowledge-based support toward more action-oriented solutions that can assist with complex, multi-step workflows . That observation should resonate with every Chief Compliance Officer. The future is not an AI toy that drafts emails. The future is an AI-enabled compliance architecture that helps the function move from reactive to proactive.

Consider third-party due diligence. Most compliance teams still struggle with volume, fragmentation, and prioritization. Information sits in onboarding questionnaires, sanctions screens, beneficial ownership reports, payment histories, audit findings, hotline allegations, and open-source media. The challenge is not merely gathering that information. The challenge is turning it into risk-based action. AI can help synthesize disparate information sources, surface red flags, identify missing documentation, and create a more coherent risk picture. Under the ECCP, that supports a more thoughtful, risk-based approach to third-party management.

Take investigations triage. Every mature speak-up program faces the same problem: how to distinguish between the urgent, the important, and the routine. AI can help sort allegations by subject matter, geography, potential legal exposure, prior related issues, implicated business units, and urgency indicators. That does not mean AI decides guilt, materiality, or discipline. It means AI helps compliance direct scarce investigative resources where they matter most. In ECCP terms, it strengthens case handling, responsiveness, consistency, and root-cause readiness.

Now think about risk assessment. The best compliance risk assessments are dynamic, not annual rituals. AI can assist in identifying patterns across reports, controls failures, investigation outcomes, gifts and entertainment data, third-party activity, and regulatory developments. It can help compliance professionals see concentrations of risk earlier and with greater context. In a program built around continuous improvement, that is a force multiplier.

Effectiveness, Not Mere Automation

One of the most important lessons from the Moody’s article is that the value of AI lies in supporting higher-value analytical work, not just reducing routine effort. That is exactly how compliance leaders should approach deployment.

Transaction monitoring is a good example. Many organizations already use rules-based systems, but these often produce high volumes of noise. AI can support better prioritization, pattern recognition, and anomaly detection. It can help identify clusters of conduct that might otherwise remain hidden across vendors, employees, geographies, or payment channels. But the point is not simply to clear alerts faster. The point is to make the monitoring program smarter, more risk-based, and more defensible.

The same is true in training and communications. Too much compliance training remains generic, static, and detached from actual risk. AI opens the door to role-based, scenario-based, and even timing-based communications. A sales team in a high-risk market should not receive the same examples as procurement professionals dealing with third parties. A manager with hotline escalation responsibilities should not receive the same training as a new hire. AI can help tailor content, refresh scenarios, and improve accessibility. Under the ECCP, that supports effectiveness in training design, communications, and accessibility of guidance.

Speak-up and case management also stand to benefit. AI can help identify repeat issue patterns, detect retaliation indicators, cluster similar allegations, and flag unresolved themes across regions or functions. Done correctly, it can help compliance move from case closure to issue intelligence. That is where a hotline becomes not just a reporting channel but an early warning system.

Governance Is the Price of Admission

Here is where the compliance professional earns his or her stripes. The Moody’s piece is explicit that none of this works without robust governance, trustworthy data, transparency, documentation, validation, and human expertise remaining central to critical decisions . That is the bridge to both the NIST AI Risk Management Framework (NIST AI RMF) and ISO/IEC 42001.

NIST AI RMF gives compliance teams a practical way to think about governance, mapping, measurement, and management. ISO/IEC 42001 provides a management-system structure for implementing AI governance in an enterprise setting. Together with the ECCP, they provide a powerful architecture. The ECCP asks whether your compliance program works. NIST AI RMF helps define and manage AI risk. ISO/IEC 42001 helps operationalize governance and accountability.

What does that mean on the ground for  your compliance regime?

It means every AI use case in compliance should have a defined business purpose, an identified owner, approved data sources, documented limitations, escalation criteria, testing protocols, and monitoring for drift or unintended consequences. It means AI outputs should be reviewable. It means prompt logs, source provenance, and validation results should be retained where appropriate. It means employees should know when they are permitted to rely on AI and when human review is mandatory. It means there must be clear boundaries around privacy, privilege, confidentiality, bias, and record retention.

Most of all, it means compliance should resist the easy sales pitch that AI is a substitute for professional judgment. It is not. It is a force multiplier for judgment.

The Board and Senior Management Imperative

Boards and senior leaders should be asking a straightforward question: are we using AI to make compliance more effective, or are we simply using it to do old tasks faster? Those are not the same thing. A mature answer would include at least five elements. First, a risk-based inventory of compliance AI use cases. Second, governance over data quality and model performance. Third, defined human-review thresholds for consequential decisions. Fourth, ongoing monitoring and periodic validation. Fifth, a feedback loop so lessons from investigations, audits, and operations improve the system over time.

That is very much in line with both the ECCP and the Moody’s article’s emphasis on verifiable data, decision auditability, and governance at scale.

Five Lessons Learned

  1. Start with effectiveness, not efficiency. If AI only helps you do low-value tasks faster, you have not transformed compliance. Use it where it improves risk identification, triage, analysis, and action.
  2. Build around the ECCP. The DOJ already gave compliance professionals the framework. Use AI to strengthen risk assessment, third-party management, investigations, training, and continuous improvement.
  3. Govern the data before you celebrate the tool. Bad data, undocumented prompts, or unvalidated outputs will undermine trust. Governance over data provenance and output review is essential.
  4. Keep humans in the loop where it matters. AI can assist with pattern recognition, drafting, prioritization, and synthesis. It should not replace judgment on materiality, discipline, escalation, privilege, or remediation.
  5. Treat AI as part of your compliance operating model. This is not an innovation side project. It should be documented, tested, monitored, and improved like any other core compliance process.

The bottom line is this: AI offers compliance functions a genuine opportunity to become more effective, more focused, and more business relevant. But that opportunity only becomes real when it is grounded in governance, disciplined by the ECCP, and supported by frameworks like NIST AI RMF and ISO/IEC 42001. Done right, AI will not diminish the role of the compliance professional. It will elevate it.

Categories
Blog

When AI Becomes Evidence of Bad Governance: What CCOs and Boards Can Learn from Fortis Advisors

The Delaware Court of Chancery has handed compliance leaders and boards a timely lesson: generative AI is not a substitute for judgment, legal discipline, or governance. When leaders use AI to validate a predetermined objective, the technology does not reduce risk. It can become powerful evidence of intent, bad faith, and control failure.

A Cautionary Tale for Corporate Leaders

The recent Delaware Court of Chancery decision in Fortis Advisors, LLC v. Krafton, Inc. should be read by every Chief Compliance Officer (CCO), board member, general counsel, and corporate deal professional. The article describing the decision recounts a dispute in which a buyer, apparently unhappy with a substantial earnout obligation, turned to ChatGPT for advice on how to escape the economic consequences of the deal. According to the court’s account, the buyer then executed an AI-generated strategy designed to renegotiate the arrangement or take control from the seller management team. The court ultimately found that the buyer had wrongfully terminated key employees, improperly seized operational control, reinstated the seller’s CEO, and extended the earnout window to restore a genuine opportunity to achieve the payout.

The Real Compliance Lesson

For compliance professionals, the most important lesson is not that AI is dangerous. The lesson is that leadership can use AI in dangerous ways when governance is absent. That is a far more important point.

Too many organizations still approach AI governance as a technology problem. They focus on model performance, cybersecurity, or procurement review. Those are important issues, but this case reminds us that AI governance begins with human purpose. What question was asked? What objective was embedded in the prompt? What controls existed before action was taken? Who challenged the proposed course of conduct? Who documented the legal and ethical analysis? Those are compliance questions. Those are board questions.

Viewing the Case Through the DOJ ECCP Lens

This is also where the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) provides a useful lens. The ECCP asks whether a company’s program is well designed, adequately resourced, empowered to function effectively, and actually works in practice. Put that framework over this fact pattern, and the governance gaps become painfully clear. Was there a control around the use of generative AI in strategic or legal decision-making? Was there escalation to legal, compliance, or the board when a significant earnout exposure was at stake? Was there any meaningful challenge function, or did leadership use AI as a convenient amplifier for a business objective it had already chosen?

The case suggests the latter. That should concern every board. Generative AI can be useful in brainstorming, summarizing, and scenario testing. But when executives use it to reinforce a desired outcome, particularly one touching contractual obligations, employment decisions, or post-closing governance rights, the tool can become a mechanism for rationalizing misconduct.

When AI Chats Become Discoverable Evidence

Worse, it creates a record. The Court notes that the AI chats were not privileged, were discoverable, and vividly underscored the buyer’s efforts to avoid its legal obligations. That point alone should stop corporate leaders in their tracks.

Many executives still treat AI chats as an informal thinking space, almost like talking to themselves. That is a serious mistake. Prompt histories, outputs, internal forwarding, and downstream use can all become evidence. If employees use public or enterprise AI tools to explore termination strategies, dispute positions, or ways around contractual commitments, they may be creating exactly the documentary record that plaintiffs, regulators, and judges will later find most compelling. In other words, the issue is not simply data leakage. It is discoverability, privilege erosion, and self-generated evidence of intent.

That is why CCOs and boards need to move beyond generic AI-use policies and build governance around high-risk use cases. The question should not be, “Do we allow ChatGPT?” The question should be, “Under what circumstances can generative AI be used in decisions involving legal rights, employee discipline, regulatory exposure, strategic transactions, or board-level matters?” If the answer is unclear, the company has work to do.

The M&A and Earnout Governance Lesson

The dealmaking lesson here is equally important. Earnouts are already fertile ground for post-closing disputes because they sit at the intersection of incentives, control, and timing. Buyers often want flexibility. Sellers want protection from interference. This case illustrates what can happen when a buyer attempts to manipulate operations in a way that affects the achievement of the earnout. The court not only found wrongful interference but also equitably extended the earnout period by 258 days and preserved a further contractual right to extend, thereby materially altering the deal’s economic landscape.

That is a governance lesson hiding inside an M&A lesson. Once a company acquires a business with earnout rights and operational covenants, post-closing conduct is no longer just integration management. It is compliance management. Interference with operational control, pretextual terminations, or actions designed to suppress performance metrics can lead to litigation, destroy value, and trigger judicial remedies that boards did not expect. CCOs should therefore insist that M&A integration playbooks include compliance review of earnout governance, decision rights, escalation protocols, and documentation standards.

Five Lessons for Boards and CCOs

What should boards and compliance officers do now? Here are five lessons.

  1. Govern the objective before you govern the tool. AI is only as sound as the purpose for which it is deployed. If leadership starts with a bad objective, AI can scale the problem. Boards should require management to define prohibited uses of AI in areas such as contract avoidance, pretextual employee actions, retaliation, and legal strategy without oversight by counsel.
  2. Treat high-risk AI prompts and outputs as governed business records. If a prompt relates to litigation, terminations, regulatory response, deal rights, or board matters, it should fall within clear policies on retention, review, and escalation. Employees need to understand that AI interactions may be discoverable and may not be privileged.
  3. Embed legal and compliance into consequential AI use cases. The ECCP emphasizes whether compliance has stature, access, and authority. That principle applies directly here. Strategic uses of AI that touch contractual rights, employment decisions, or fiduciary issues should not proceed without legal and compliance review.
  4. Build AI governance into M&A and post-closing integration. Earnout structures, operational covenants, and seller management rights are precisely the areas where incentives can distort behavior. Boards should ask whether integration teams have controls preventing actions that could be viewed as interference, manipulation, or bad-faith conduct.
  5. Document challenge, not just action. A single final decision does not prove good governance. It is proved by the process surrounding it. Was there dissent? Was there an analysis? Was there an escalation memo? Was there a documented rationale grounded in law, contract, and fiduciary duty? If not, the company may be left with a record that tells the wrong story.

Governance Must Come Before AI

In the end, this case is not really about a video game company. It is about a governance failure dressed in modern technology. Leaders appear to have used AI not to improve judgment, but to reinforce a course of conduct they already wanted to pursue. That is the compliance lesson. AI does not remove the need for fiduciary discipline, legal oversight, or ethical restraint. It makes those requirements more urgent.

For boards and CCOs, the mandate is clear. Governance must come first. Because when AI is used without guardrails, it does not merely create risk; it creates it. It can become the evidence.