Tag: ISO

Categories
Blog

From the Tower of Babel to the Boardroom: Part 2 – AI Governance Is a Compliance Issue

In the first post in this series, we used Magnifica Humanitas to frame the choice facing every board and compliance leader in the age of artificial intelligence. Companies can build a new Tower of Babel, driven by speed, scale, efficiency and power without adequate governance. Or they can follow the path of Nehemiah, rebuilding with discipline, shared responsibility, accountability and the human person at the center. That choice now moves from principle to program design.

AI governance cannot remain in the innovation lab, the IT department or the digital transformation office. It belongs inside the compliance program. Not because compliance should own every AI decision, and not because the CCO should become the chief technologist. AI governance belongs in compliance because AI creates the very risks compliance programs are designed to manage: legal risk, ethical risk, data risk, third-party risk, culture risk, internal controls risk, reporting risk, investigation risk and board oversight risk.

Magnifica Humanitas makes this point in moral language. Pope Leo writes that the use of AI is never a purely technical matter when it enters processes that affect people’s lives, rights, opportunities, status and freedom (Magnifica Humanitas, ¶102). For the modern compliance professional, that is familiar terrain. These are the risks an effective compliance program must identify, assess, control, monitor and remediate.

AI Is Not an Adjacent Risk

The first mistake companies make is treating AI as an adjacent risk. The business says AI is a productivity tool. IT says AI is a systems issue. Legal says AI is a regulatory issue. Privacy says AI is a data issue. Cybersecurity says AI is an access issue. HR says AI is a workforce issue. Internal audit says AI is a controls issue. Procurement says AI is a vendor issue. They are all correct.

That is precisely why AI governance must be cross-functional, risk-based and integrated into the compliance program. AI does not respect organizational charts. It moves through data, workflows, vendors, platforms, communications, decisions and employee behavior. It may be embedded inside software already used by the company. It may be adopted by employees without formal approval. It may be deployed by vendors before procurement or legal fully understands how the tool works. It may be used by compliance itself for monitoring, investigations, hotline triage, third-party due diligence, sanctions screening or training.

The DOJ Has Already Put AI on the Compliance Agenda

The Department of Justice has made clear that AI is now part of compliance program evaluation. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether a company has a process for identifying and managing emerging risks, including risks related to new technologies such as AI. It asks how the company assesses the impact of AI on compliance with criminal laws, whether AI risk is integrated into enterprise risk management, how the company governs AI in commercial operations and in the compliance program, whether controls monitor trustworthiness and reliability, whether AI is limited to intended uses, what human decision-making baseline is used, how accountability is enforced and how employees are trained.

This is where the Encyclical and the ECCP align. Pope Leo calls for responsibility to be clearly defined at every stage, from those who design and develop AI systems to those who use them and rely on them for concrete decisions (Magnifica Humanitas, ¶105). The DOJ asks whether the company has translated that responsibility into risk assessment, controls, testing, training and accountability.

For CCOs, the message is direct. AI governance should be reflected in the risk assessment, policies and procedures, training, third-party risk management, internal controls, monitoring, investigations, discipline, incentives and board reporting. A company that cannot explain how it governs AI will struggle to explain how its compliance program is keeping pace with the business.

The CCO’s Role in AI Governance

The CCO does not need to own AI. The CCO does need a seat at the table. Compliance should help design the company’s AI governance model. That model should include a cross-functional AI governance committee with representation from compliance, legal, privacy, cybersecurity, IT, HR, internal audit, procurement, finance and the business. It should define approval rights for high-risk use cases. It should establish documentation standards. It should require risk classification. It should identify prohibited uses. It should provide escalation channels for AI incidents and concerns.

This is the corporate version of Nehemiah’s wall. Pope Leo writes that everyone is given a section of the wall and that shared responsibility across disciplines and communities is the way to build for the common good (Magnifica Humanitas, ¶13). AI governance works the same way. Legal cannot do it alone. IT cannot do it alone. Compliance cannot do it alone. The governance model must assign roles so the whole enterprise can rebuild with discipline.

The CCO should also insist on an AI use-case inventory. This is the foundational control. The company cannot govern what it cannot see. The inventory should include the business owner, tool name, vendor, purpose, data categories, decision impact, risk rating, applicable policies, human review requirements, testing history, approval date, renewal date and control owner.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. The Encyclical does not give companies an AI procedure manual. It gives them governing principles. The compliance task is to translate those principles into requirements that can be owned, tested, evidenced and improved. Pope Leo is explicit that digital processes should not be imposed from above in opaque or unilateral ways, but should be directed toward the common good with transparency, accountability, meaningful participation, independent checks, algorithmic transparency, equitable access to data and avenues for recourse (Magnifica Humanitas, ¶71).

Human dignity becomes human impact assessment and human review. The common good becomes enterprise risk governance and stakeholder impact. Subsidiarity becomes cross-functional participation, with decisions made close enough to the risk to be informed and accountable. Solidarity becomes attention to affected employees, customers, communities and vulnerable populations. Social justice becomes bias testing, access, recourse and a refusal to let opaque systems create hidden exclusion.

NIST AI RMF and ISO/IEC 42001 as Practical Architecture

Two frameworks can help compliance leaders translate AI principles into program structure. They give operational force to Pope Leo’s warning that it is not enough to invoke ethics in the abstract. He calls instead for robust frameworks, independent oversight, informed users and institutions capable of governing AI’s effects (Magnifica Humanitas, ¶106). That is precisely the move compliance must make, from AI principles to an AI management system.

The NIST AI Risk Management Framework organizes AI risk management around four functions: Govern, Map, Measure and Manage. For compliance leaders, that is highly practical. Govern means the company has assigned authority, accountability, policies and risk appetite. Map means the company understands the context, purpose, users, affected stakeholders and potential impact of each AI use case. Measure means the company evaluates performance, reliability, bias, data quality, security and control effectiveness. Manage means the company prioritizes risks, implements controls, monitors outcomes, remediates problems and documents decisions.

ISO/IEC 42001 provides a management-system model. It focuses on establishing, implementing, maintaining and continually improving an AI management system. For a compliance program, that supplies the discipline of policy, objectives, roles, processes, risk assessment, controls, monitoring, performance evaluation, corrective action and continual improvement.

From Policy to Controls

A policy is necessary, but it is not sufficient. A company can have a well-written AI policy and still have a weak AI governance program. The issue is whether the policy has operational effect.

Pope Leo explains why. Technology is never neutral because it takes on the characteristics of those who devise, finance, regulate and use it (Magnifica Humanitas, ¶9). He later adds that every technical tool embodies choices and priorities through what it measures, ignores, optimizes and how it classifies people and situations (Magnifica Humanitas, ¶104). For compliance, that means the control environment must reach design, data, use, monitoring, output and remediation.

COSO has warned that generative AI creates risks from cyber exposure, prompt manipulation, opaque reasoning, model drift and frequent configuration changes that can affect operations, reporting and compliance if not addressed with robust internal controls. That is the compliance challenge. AI governance must become control activity.

Compliance Can Use AI Responsibly

Compliance should not stand outside the AI transformation. AI can help compliance become more effective. It can identify patterns in transactional data. It can assist with third-party risk scoring. It can support sanctions screening. It can help analyze hotline trends. It can improve training design. It can help prioritize monitoring. It can summarize large document sets in investigations. It can support control testing.

Magnifica Humanitas is direct on this point. AI may imitate functions of human intelligence, but it does not possess conscience, experience, responsibility or the capacity to judge good and evil (Magnifica Humanitas, ¶99). It can also create excessive reliance, the impression of objectivity and a weakening of personal judgment (Magnifica Humanitas, ¶100). Compliance professionals should use AI, but they should never surrender professional judgment to it. Human primacy remains the central control.

5 Lessons for the CCO
  1. Treat AI as a human dignity and compliance risk. AI is now part of legal, ethical, operational, data, third-party and culture risk. The Encyclical reminds us that AI touches rights, opportunities, status and freedom when it enters consequential decisions (Magnifica Humanitas, ¶102).
  2. Build and maintain an AI inventory because governance begins with visibility. Every AI use case should have an owner, purpose, risk rating, data classification, control set, approval status and review cycle.
  3. Govern compliance’s own AI use because accountability starts at home. Compliance should use AI, but it must document purpose, controls, human review, validation and accountability.
  4. Move from policy to controls because technology is never neutral. AI governance requires approval workflows, data restrictions, testing, monitoring, escalation, remediation and auditability (Magnifica Humanitas, ¶9, ¶104).
  5. Report evidence to the board because accountability requires more than aspiration. Boards need dashboards and documentation showing where AI is used, what risks exist, what controls apply, who is accountable and whether the governance program is effective (Magnifica Humanitas, ¶105).
Conclusion: From Governance Principle to Control Discipline

Magnifica Humanitas challenges us to place the human person at the center of technological transformation. For compliance leaders, that means AI must be governed through risk assessment, controls, accountability, transparency, human oversight and evidence. The DOJ ECCP makes clear that prosecutors will ask how companies govern AI in the business and in compliance. NIST AI RMF and ISO/IEC 42001 provide practical architecture for doing so. COSO gives the internal controls discipline.

The compliance profession should embrace AI. It can make compliance more effective, more data-driven and more responsive. But embracing AI does not mean surrendering judgment to it. The right model is not fear. The right model is governed adoption.

In the next post, we will move from formal AI governance to the most immediate AI control challenge inside many companies: Shadow AI and Internal Controls. Employees are already using AI tools because they are fast, useful and accessible. The compliance question is whether the company can turn hidden use into governed use before shadow AI becomes the next major control failure.

Categories
Blog

Ongoing Monitoring: Why AI Governance Begins After Launch

In this blog post, we turn to the fourth major governance challenge in AI: ongoing monitoring. This is one of the most persistent weaknesses in AI governance. Organizations may build an intake process. They may create an approval committee. They may conduct risk reviews, privacy assessments, and validation testing before launch. All of that is important. But it is not enough.

AI risk does not freeze at the moment of approval. It changes over time. Use cases evolve. Employees adapt tools in unexpected ways. Vendors modify models. Controls weaken in practice. Regulatory expectations shift. What looked reasonable at launch may become inadequate six weeks later.

That is why ongoing monitoring is not an optional enhancement to AI governance. It is a core governance requirement. For boards and CCOs, the central question is not simply whether the company approved AI responsibly. It is whether the company has the discipline to govern it continuously once it is in the wild.

Approval Is Not Governance

One of the great temptations in AI governance is to confuse approval with control. A business unit proposes a use case, a committee reviews it, guardrails are listed, and the tool goes live. At that point, many organizations behave as though the governance work is largely complete. It is not.

Approval is a moment. Governance is a process. The problem is that companies often put their best people, clearest thinking, and highest scrutiny into the approval stage, then shift immediately into operational mode without building the same discipline around post-launch oversight. That leaves management blind to how the system actually performs under real-world conditions.

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) is especially instructive here. The ECCP does not ask merely whether a company has policies on paper. It asks whether the program works in practice, whether controls are tested, whether issues are investigated, and whether lessons learned are incorporated back into the compliance framework. AI governance should be viewed through the same lens. The question is not whether a control was described at launch. The question is whether that control continues to function and whether management would know if it stopped.

Why AI Risks Change After Launch

Post-deployment risk in AI does not arise because management failed to care on Implementation Day. It arises because AI systems operate in dynamic environments. A model may begin to drift as conditions change. A tool approved for one limited purpose may gradually be used for broader or higher-risk decisions. Employees may find workarounds that bypass the intended controls. Human reviewers may begin by scrutinizing outputs closely but, over time, may become overconfident, overloaded, or simply too reliant on the system. Vendors may update underlying functionality without the company fully appreciating the consequences. New regulations or regulatory interpretations may alter the risk landscape. Inputs may change. Outputs may become less reliable. Bias may surface in ways not identified in initial testing.

In other words, AI governance risk is not static. It is operational. That is why boards and CCOs must resist the notion that initial approval is the hardest part. In many respects, ongoing monitoring is harder because it requires sustained attention, clear metrics, escalation discipline, and the willingness to revisit prior assumptions.

The Governance Question

After implementation, the governance question changes. It is no longer simply, “Was this use case approved?” It becomes, “Is the use case still operating as expected, within risk tolerance, and under effective control?” That sounds simple, but it requires a much more mature oversight model than many companies currently have. It requires management to define what should be monitored, how frequently, by whom, and what changes or anomalies trigger escalation. It requires a reporting structure that does not simply celebrate adoption or efficiency gains, but surfaces incidents, deviations, near misses, and control fatigue.

For the board, the challenge is to insist on post-launch visibility. Board reporting on AI should not end with inventories and implementation updates. It should include information about ongoing performance, exception trends, complaints, incidents, validation results, vendor changes, policy breaches, and remediation efforts. A board that hears only that AI adoption is accelerating may not hear that AI governance is working.

For the CCO, the challenge is even more immediate. Compliance must ask whether the organization is gathering evidence that controls continue to function in practice. If it is not, then the governance program is still immature, no matter how polished its approval process may appear.

Monitoring What Matters

It all begins by identifying the right things to monitor. This cannot be a generic exercise. Monitoring should be tied to the specific use case, its risk classification, and its control environment. But there are some recurring categories that boards and CCOs should expect to see.

  1. Performance should be monitored. Is the tool still delivering outputs that are accurate, reliable, and appropriate for the intended purpose? Have error rates changed? Are there signs of drift or degraded quality?
  2. Control effectiveness should be monitored. Are human review requirements actually being followed? Are approval restrictions, access controls, or usage limitations still operating as designed? Is there evidence that employees are bypassing or weakening controls?
  3. Incidents and complaints should be monitored. Has the tool produced problematic results? Have customers, employees, or managers raised concerns? Have there been internal reports about bias, inaccuracy, misuse, or confidentiality risks?
  4. Changes in scope should be monitored. Is the tool still being used for the original purpose, or has it drifted into new contexts? Scope creep is one of the oldest compliance problems in business, and AI is no exception.
  5. External change should be monitored. Has a vendor updated the model? Have relevant laws, guidance, or industry expectations changed? Has a new regulatory concern emerged that requires reevaluation?

This is where the NIST AI Risk Management Framework is especially useful. NIST emphasizes that organizations must govern, measure, and manage AI risk over time, not simply identify it once. ISO/IEC 42001 reaches the same conclusion from a management systems perspective by requiring continual improvement, internal review, and adaptive controls. Both frameworks point to the same truth: effective AI governance is iterative, not episodic.

The CCO’s Role in Governance

For compliance professionals, ongoing monitoring is where the AI governance conversation becomes most familiar. This is where the CCO brings real institutional value. Compliance understands that controls weaken over time. Training decays. Workarounds emerge. Policies lose operational traction. Reporting channels capture issues others do not see. Root cause analysis matters. Corrective action must be tracked to closure. These are not new lessons. They are the daily work of compliance. AI gives them a new domain.

The CCO should insist that AI use cases have documented post-launch monitoring plans. These should identify the responsible owner, the metrics to be reviewed, the review frequency, the escalation triggers, and the process for documenting findings and remediation. High-risk use cases should not be left to passive observation. They should be actively governed.

The CCO should also ensure that AI monitoring is connected to the broader compliance ecosystem. Employee concerns raised through speak-up channels may reveal issues with the model. Internal investigations may expose misuse. Third-party due diligence may uncover changes to vendors. Training gaps may explain repeated incidents. AI governance should not be isolated from these functions. It should be integrated with them.

This is also where the CCO can most effectively help the board. Rather than presenting AI as a series of isolated technical matters, the CCO can frame post-launch governance in familiar compliance terms: monitoring, testing, escalation, remediation, and lessons learned.

Board Practice: Ask for More Than Adoption Metrics

One of the most important disciplines boards can develop is to stop mistaking usage information for governance information.

Management may report that AI adoption is growing, that productivity gains are material, or that pilot programs are expanding. Those data points may be relevant, but they are not a form of governance assurance. A board should want to know whether controls are operating, whether incidents are increasing, whether certain business units generate more exceptions, whether human review remains meaningful, and whether management has paused or modified any use cases based on real-world experience.

This is where board oversight becomes genuinely valuable. When the board asks for evidence of ongoing monitoring, it changes management behavior. It signals that AI success will not be measured solely by speed or efficiency, but also by discipline and resilience.

Boards should also ensure that high-risk use cases receive enhanced visibility. Not every AI tool merits the same level of board attention. But where AI affects regulated interactions, employment decisions, sensitive data, financial reporting, significant customer outcomes, or reputationally sensitive functions, ongoing board-level reporting should be expected.

Escalation and Remediation Must Be Built In

Monitoring matters only if it leads to action. There must be clear escalation and remediation protocols. When a material issue emerges, who gets notified? Can the use case be paused? Who determines whether the problem is technical, operational, legal, or cultural? How are facts gathered? How are corrective actions assigned? When is the board informed? How is the lesson fed back into policy, training, vendor management, or approval standards?

These processes should not be improvised. They should be documented. The organization should know in advance which incidents require escalation, which temporary controls may be imposed, and how remediation is tracked.

This is another place where the ECCP provides a useful governance model. DOJ expects companies not only to identify misconduct but also to investigate it, understand its root causes, and implement improvements that reduce the risk of recurrence. AI governance should work the same way. If a model fails or a control weakens, management should not merely fix the immediate problem. It should ask what the failure reveals about the program itself.

Documentation Is the Proof

As with every other element of effective governance, documentation is what turns intention into evidence. Post-launch AI governance should generate records that demonstrate monitoring occurred, issues were surfaced, escalations were handled, and remediation was completed. That may include performance reviews, validation updates, incident logs, committee minutes, complaint summaries, control testing records, vendor change notices, and corrective action trackers.

Without such documentation, management may believe it is effectively monitoring AI, but it will struggle to prove it to internal audit, regulators, or the board. More importantly, it will struggle to learn from experience in a disciplined way. A company that documents ongoing monitoring creates institutional memory. It can compare use cases, detect patterns, and refine its oversight model over time. That is how governance matures.

AI Governance Starts After Launch

The hardest truth in AI governance may be this: launching the tool is often the easiest part. The real challenge begins afterward. That is when optimism meets operational reality. That is when human reviewers become tired. That is when vendors update products. That is when regulators begin asking harder questions. That is when small problems become visible, or invisible, depending on whether the company has built a monitoring system capable of finding them.

For boards and CCOs, this is where governance earns its name. If the organization can monitor, escalate, remediate, and improve, then AI oversight has substance. If it cannot, then the company has not really governed AI at all. It has only been approved.

In the next and final blog post in this series, I will turn to the fifth governance challenge: culture, speak-up, and human judgment, because in many organizations, the first people to see an AI problem will not be the board, the CCO, or the governance committee. It will be the employee closest to the work.

Categories
Compliance and AI

Compliance and AI: Ali Khan on Implementing AI Risk Management Systems

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT? We will explore these three questions in this cutting-edge podcast series, Compliance and AI, hosted by Tom Fox, the award-winning Voice of Compliance. In this episode, Tom is joined by Ali Khan, Head of Governance Risk & Compliance at Kandji and an Advisory Board Member (CAB) at Drata.

This episode discusses the essential steps to effectively implement an artificial intelligence management system, as defined by ISO 42001. They start by understanding the standard requirements and expectations, performing a scoping exercise and gap assessment, and securing management’s commitment to the project. Key steps include revamping the risk assessment process to align with ISO 23894, which guides managing AI-related risks and using the NIST AI risk management framework. The design and implementation phase involves creating various AI policies, integrating AI deployment plans, and performing impact and risk assessments. They also discuss Kandji’s internal audit plan, third-party vendor assessment processes, and security awareness training to include AI-specific considerations. The beauty of ISO 42001 is its applicability to organizations of any size and industry that develop, produce, or use AI products or services.

Key highlights:

  • Understanding the Standard Requirements
  • NIST AI Risk Management Framework
  • Design and Implementation
  • Creating AI Policies and Procedures
  • Performing AI Impact and Risk Assessments
  • Steps Taken for ISO 42001 Implementation

Resources

Ali Khan on Linkedin

Kandji Website

Kandji on LinkedIn and X

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 12 – Speaking Up is Awesome Edition

What happens when two top compliance commentators get together? They talk about compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode! In this episode, Tom and Kristy take on a wide variety of compliance topics, including a visit by a Florida man.

In the world of business, compliance and investigation protocols play a crucial role in ensuring fairness, consistency, and institutional justice. Organizations need to establish robust frameworks to handle incidents effectively and mitigate risks. In this episode of 2 Gurus Talk Compliance, we discuss several key factors impacting the enhancement of compliance and investigation protocols for organizations, including the need for standardization and rigor in investigation protocols, a perspective rooted in his belief in the importance of a culture of compliance within organizations. Kristy takes the lead in highlighting the value of consistency and standards in investigation protocols for ensuring institutional justice and fairness. Join them as they delve deeper into this topic on this episode of the 2 Gurus Talk Compliance podcast.

 Highlights Include:

  1. ISO standards for internal investigations. (FCPA Blog)
  2. Tom releases a new book. (Amazon)
  3. The Spanish Kiss. (ESPN)
  4. How to develop a culture of compliance. (Compliance and Enforcement Blog)
  5. The first 100 days. (CCI)
  6. Has China outlawed due diligence? (FCPA Blog)
  7. 3M Settles U.S. Probe Over Tourist Trips for China Officials (FCPA Blog)
  8. You Can Now Make ChatGPT Work Specifically for Your Company. Here’s How (Inc.)
  9. You’ve Heard of Quiet Quitting. Now Companies are Quiet Cutting (WSJ)
  10. Fentanyl found in cookie jar during a traffic stop in Florida, man arrested (WFLA Florida)

 Resources 

Kristy Grant-Hart on LinkedIn

Spark Consulting

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Daily Compliance News

September 23, 2021 the Those Pesky Texts edition


In today’s edition of Daily Compliance News:
·       ISO sets corp governance standards. (WSJ)
·       Dems raise SPAC concerns. (WSJ)
·       It’s always those pesky texts. (WSJ)
·       SEC wants more corp info on climate risks. (WSJ)