Categories
Blog

Can Compliance Own Enterprise Resilience?

It has been some time since I checked in with the Harvard Business Review for some blog posts. To remedy this deficiency, I will write this week’s blog posts based on recent HBR articles that caught my interest. Today, we begin with The Case for Hiring a Chief Resilience Officer, which argues that there is a major governance gap inside most organizations. It is that no single executive is accountable for coordinating enterprise-wide resilience and recovery when failures cascade across functions. The article looks at a chief resilience officer (CResO) role which would be responsible for aligning continuity planning, recovery objectives, crisis response, and organizational learning across an enterprise.

The authors begin by noting that the July 2024 CrowdStrike outage will be remembered as more than a technology failure. It was a governance lesson. A routine software update caused cascading operational disruption across airlines, hospitals, logistics systems, and other critical services. The technical root cause mattered, but it was not the only lesson. The larger issue was how quickly a single failure could ripple across functions, third parties, customer obligations, regulatory expectations, and business operations. The article articulated this as the case for a CResO, because many organizations have no single executive accountable for coordinating enterprise-wide resilience and recovery when disruption crosses organizational boundaries.

For the corporate compliance function, that argument should sound familiar. Compliance professionals have spent years explaining that risk does not respect departmental boundaries. Bribery risk can arise from sales incentives, third-party relationships, financial controls, gifts and hospitality, and management pressure. Data risk can sit in technology, privacy, procurement, HR, and customer operations. AI risk can sit in product development, vendor management, legal, cybersecurity, records retention, and board oversight.

Operational resilience is the same kind of problem. It is not only an IT issue. It is not only a business continuity issue. It is not only a risk management issue. It is a governance issue, a controls issue, a documentation issue, a third-party issue, and a board oversight issue. That makes it a compliance issue as well.

The Compliance Significance of Resilience

The central insight behind the CResO role is that most organizations already have pieces of resilience, but they do not always have resilience governance. Risk teams assess exposure. Cybersecurity teams protect systems. Operations teams manage delivery. Business continuity teams write plans and run exercises. Procurement manages vendors. Legal evaluates obligations. Communications handles stakeholders. Compliance monitors controls, policies, reporting, and escalation. Each function may be doing its job. The problem appears when no one owns the integrated answer.

That is why operational resilience has become a regulatory and governance priority. The Basel Committee defines operational resilience as the ability to deliver critical operations through disruption and emphasizes governance, mapping interdependencies, third-party dependency management, business continuity testing, and incident management. The FCA in the UK similarly focuses on important business services, impact tolerances, mapping, testing, vulnerability remediation, lessons learned, and communications planning. In the EU, the Digital Operational Resilience Act (DORA) has elevated digital operational resilience, technology and information third-party risk, incident reporting, and resilience testing into a formal financial sector regulatory framework.

For compliance professionals, the message is clear. Resilience is moving from planning to evidence. Regulators, boards, and senior management will increasingly ask not simply whether the company had a plan, but whether the company knew its critical services, mapped its dependencies, tested severe but plausible scenarios, documented vulnerabilities, assigned accountability, and remediated weaknesses.

That is familiar territory for compliance. The DOJ Evaluation of Corporate Compliance Programs (ECCP) asks whether a compliance program is well designed, adequately resourced and empowered, and works in practice. It also asks whether improvements to compliance and internal controls have been tested to show they would prevent or detect similar misconduct in the future. Those questions are not limited to bribery, fraud, or sanctions. They reflect a broader governance discipline: design, authority, resources, testing, remediation, and proof.

Can Compliance Absorb the CResO Role?

The answer is yes, but only under the right conditions. A compliance function can absorb the resilience governance role if it has the mandate, authority, resources, data access, and board visibility to do the job. It cannot absorb the role if the organization merely adds resilience to the CCO’s already crowded list of responsibilities without giving compliance the ability to coordinate across technology, operations, procurement, cybersecurity, finance, legal, human resources, communications, and business leadership. This distinction matters.

Compliance can own the governance framework for resilience. It can help define standards, require documentation, monitor remediation, test controls, escalate gaps, and report to the board. It can ensure that resilience obligations are embedded into policies, third-party oversight, incident response, investigations, root cause analysis, training, and internal controls.

Compliance should not become the operator of every resilience process. The first line must still own business services. Technology must still own systems. Cybersecurity must still own cyber defense. Procurement must still own vendor contracting and supplier performance. Operations must still own delivery. Legal must still advise on obligations. Communications must still manage stakeholder messaging. The CCO can serve as the enterprise resilience governance leader, but not as a substitute for operational ownership. That is the practical dividing line.

When Compliance Is the Right Home

Compliance is a strong candidate to absorb the CResO function when resilience is framed as an enterprise governance and controls discipline. This is especially true in organizations where the compliance function already has mature capabilities in risk assessment, policy governance, third-party risk management, investigations, remediation tracking, board reporting, training, monitoring, and documentation. In that model, compliance can bring several advantages.

First, compliance understands cross-functional risk. A well-designed compliance program already reaches into the business, finance, procurement, HR, legal, internal audit, IT, and senior leadership. That horizontal view is essential for resilience.

Second, compliance understands evidence. Resilience cannot be built on verbal assurance. It requires inventories, dependency maps, testing records, incident reports, remediation plans, escalation logs, board materials, and lessons learned. Compliance professionals know how to create a record that demonstrates program effectiveness.

Third, compliance understands accountability. A resilience program without accountable owners will become a collection of meetings. Compliance can help define who owns each critical service, each dependency, each recovery objective, and who must act when testing identifies a vulnerability.

Fourth, compliance understands third-party risk. Many resilience failures begin outside the company’s walls. A critical software provider, cloud provider, logistics partner, manufacturer, payroll vendor, or data processor can disrupt the company’s ability to deliver. Compliance can help connect due diligence, contracting, ongoing monitoring, audit rights, incident notification, and exit planning into a resilience framework.

Finally, compliance understands board reporting. Resilience is a board-level issue because disruption can affect customers, investors, regulators, employees, and the company’s license to operate. The FCA has emphasized that boards need enough information to understand the firm’s resilience approach, who is responsible for it, and the organization’s ability to recover important business services within impact tolerances. Those are governance questions. Compliance is built to translate them into a management system.

When Compliance Should Not Absorb the Role

Compliance should not assume the CResO role if the function lacks operational authority, technical depth, crisis-management access, or senior-level support. A CCO who is asked to “own resilience” without the resources to do so has not been empowered. That CCO has been handed accountability without control. There are several warning signs.

If compliance does not have direct access to the CEO, executive committee, and board, it cannot coordinate enterprise resilience. If compliance cannot require action from technology, operations, procurement, and business units, it cannot close resilience gaps. If compliance lacks data on critical services, vendor concentration, system dependencies, recovery times, incident history, and testing results, it cannot evaluate resilience in practice. If compliance is already under-resourced, resilience will become another paper responsibility.

That would be a mistake. The worst outcome would be to move resilience into compliance as a label while leaving the real decision-making elsewhere. That creates the appearance of governance without its substance.

A Better Model: Compliance as Resilience Governor

For many companies, the right answer is not a binary choice between a standalone CResO and a compliance-owned resilience function. The better model may be compliance as a resilience governor. Under this approach, the company appoints a senior resilience owner, either as a CResO (chief resilience officer) or as a named executive with enterprise authority. Compliance then provides the governance architecture: standards, controls, testing expectations, third-party requirements, escalation procedures, documentation rules, remediation tracking, and board reporting.

This model preserves first-line ownership while giving the organization a consistent second-line framework. It also allows compliance to ask the questions that matter:

Who owns each critical business service? What are the maximum tolerable disruptions? What systems, people, facilities, data, and third parties support each service? What severe but plausible scenarios have been tested? What vulnerabilities were identified? Who owns remediation? What evidence shows that remediation worked? What has been reported to the board?

These are not theoretical questions. They are the difference between a plan and a program.

Five Lessons for Compliance Professionals

  1. Resilience is now a compliance program issue. It involves governance, controls, accountability, documentation, testing, remediation, and board oversight.
  2. Compliance can absorb the resilience governance role, but not the operational role. The CCO can govern the framework. The business must still own delivery.
  3. Authority matters. A compliance-led resilience function must have CEO support, board visibility, cross-functional access, and the ability to require remediation.
  4. Evidence is essential. Dependency maps, scenario tests, incident reports, remediation records, and board materials are what turn resilience from aspiration into proof.
  5. The board should focus on accountability before structure. Whether the company appoints a CResO, places resilience under risk, or builds a compliance-led governance model, the core question remains the same: who owns the enterprise response when disruption crosses every boundary?

The practical compliance lesson is straightforward. Resilience cannot remain a collection of disconnected plans. It must become an operating discipline. For some companies, that discipline will require a dedicated Chief Resilience Officer. For others, a mature, properly empowered compliance function can assume the governance role. But no company should leave resilience to assumption, informal coordination, or after-the-fact improvisation.

In today’s risk environment, the ability to recover is not only an operational strength. It is evidence of effective governance.

From the Tower of Babel to the Boardroom: Part 3 – Shadow AI and Internal Controls

Shadow AI is the internal-controls problem of the artificial-intelligence age.

It is not hard to understand why employees use AI tools without waiting for formal approval. These tools are fast, accessible, practical, and often embedded into platforms employees already use. A business development professional may use AI to draft a proposal. A lawyer may use it to summarize a contract. A finance employee may use it to analyze a spreadsheet. A compliance analyst may use it to review due diligence materials. A manager may use it to draft performance feedback. The use case may be productive. The intent may be benign. The risk may still be real.

That is the compliance challenge. Shadow AI is not simply unauthorized technology use. It is ungoverned decision support, unapproved data transfer, undocumented reliance, uncontrolled output, and untested automation. It poses risks to confidentiality, privilege, privacy, intellectual property, cybersecurity, employment decisions, books and records, third-party management, investigations, and board reporting. Most importantly, it creates a visibility gap. The company cannot govern what it cannot see.

In the first post in this series, we used Magnifica Humanitas to frame the choice between Babel and Nehemiah. In the second post, we moved from principle to program design and argued that AI governance should be embedded in the compliance program. Now we turn to the first practical test: whether the company can convert hidden AI use into governed AI use.

The Magnifica Humanitas Lesson: Opaque Power Is a Governance Risk

Magnifica Humanitas warns that technology is never neutral in practice because it takes on the characteristics of those who devise, finance, regulate, and use it (Magnifica Humanitas, para. 9). For a corporate audience, that is the first lesson of shadow AI. When employees use AI outside approved channels, the company may not know which technology is being used, what data is being transferred, what outputs are being relied on, or what assumptions are being embedded in business decisions.

The Encyclical also warns that control over platforms, infrastructure, data, and computing power can become concentrated, opaque, and difficult to oversee (Magnifica Humanitas, para. 95). Inside a company, shadow AI creates a similar problem on a smaller but very practical scale. Power shifts away from approved systems, documented workflows, and accountable owners toward individual employees’ practices that may be invisible to legal, compliance, privacy, cybersecurity, internal audit, and the board.

Pope Leo also identifies three risks in private AI use that map directly to employee behavior: the ease of getting results, the impression of objectivity, and the simulation of human communication. He warns that these features can encourage overreliance, ready-made answers, and weakened judgment (Magnifica Humanitas, para. 100). That is exactly why shadow AI matters. The risk is not only that employees use the wrong tool. The greater risk is that employees begin to rely on AI outputs without understanding the assumptions, limitations, data sources, or error rates that underpin them.

From Encyclical Principle to Internal Control Requirement

The corporate translation is straightforward: if AI is never merely technical when it affects rights, opportunities, status, freedom, reputation, or work, then shadow AI cannot be treated as a minor IT exception (Magnifica Humanitas, para. 102). It is a governance issue. It is a control issue. It is a compliance issue.

Magnifica Humanitas says responsibility must be clearly defined at every stage, including those who design, develop, use, and rely on AI for concrete decisions. Accountability requires the ability to identify who must account for decisions, justify them, monitor them, challenge them, and remedy harm (Magnifica Humanitas, para. 105). In corporate language, that means AI use cases need owners, approvals, controls, escalation paths, incident processes, documentation, and remediation.

The Encyclical also cautions that abstract ethics are not enough. Responsible AI requires rigorous evaluation, independent oversight, informed users, and safeguards capable of governing AI’s effects (Magnifica Humanitas, para. 106). For the CCO, that is the bridge between principles and controls. Shadow AI must be made visible, classified by risk, controlled at the data layer, reviewed by accountable humans, tested by independent functions, and reported to the board.

Shadow AI Is a Control Environment Issue

A company may have an AI policy and still have a shadow AI problem. A policy tells employees what is expected of them. A control tells the company whether the expectation is working.

This is where COSO becomes essential. COSO has warned that generative AI is moving into daily operations faster than traditional governance models anticipated and that internal control must be applied to risks such as uncontrolled adoption, opaque reasoning, prompt manipulation, model drift, cyber exposure, and configuration change. That is the heart of the matter. A memo from legal does not solve the shadow AI problem. It is solved through the control environment.

The company needs to define leadership expectations, conduct risk assessments, establish control activities, ensure information and communication, and implement monitoring. Those are not technology terms. They are governance terms. The CCO should work with legal, IT, cybersecurity, privacy, HR, procurement, internal audit, and the business to create a practical AI control structure. The first line should own the business use case. The second line should set standards, review risk, and monitor compliance. The third line should test design and operating effectiveness. The board should receive reports showing whether the system is working.

The DOJ ECCP Question

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) now asks how companies identify and manage emerging risks, including new technologies such as AI. It asks how companies govern AI in commercial operations and in the compliance program, how they monitor reliability and trustworthiness, how they limit AI to intended uses, how they preserve human decision-making, how accountability is assigned, and how employees are trained.

That logic tracks closely with Magnifica Humanitas. Pope Leo supplies the accountability mandate; the DOJ supplies the compliance program test. If responsibility must be defined and harm must be capable of challenge and remediation, then the company must be able to show that AI tools are known, approved, monitored, limited to intended uses, and subject to human oversight (Magnifica Humanitas, para. 105).

A company with uncontrolled shadow AI has a predictable compliance problem. It may not be able to show that it has identified an AI risk. It may not be possible to demonstrate that employees were effectively trained. It may not be possible to show that AI tools are limited to intended uses. It may not be possible to demonstrate that human review is in place for consequential decisions. It may not be able to show that compliance has visibility into AI use. For the CCO, the question is direct: can we explain how AI is actually being used in the company or only how we hope it is?

From Prohibition to Governed Use

The wrong response to shadow AI is a blanket prohibition that employees ignore. AI is here to stay. Employees will use it because it saves time and improves work product. The better response is governed adoption.

The company should begin with an AI use-case inventory. This should capture approved tools, embedded AI in existing platforms, vendor-provided AI, internally developed AI, pilot projects, and employee use of public tools. It should identify the business owner, purpose, data used, vendor involved, risk rating, approval status, required human review, and applicable controls.

Next, the company should create a clear classification model. Low-risk uses, such as drafting generic internal communications, may require basic training and disclosure. Medium-risk uses, such as summarizing non-sensitive business materials, may require approved tools and data restrictions. High-risk uses, such as employment decisions, customer eligibility, financial reporting, investigations, regulated communications, or third-party risk scoring, should require formal review, documented controls, human oversight, and periodic testing.

NIST’s AI Risk Management Framework provides useful architecture through its Govern, Map, Measure, and Manage functions. ISO/IEC 42001 provides the management-system approach, including policies, responsibilities, risk management, transparency, monitoring, performance evaluation, corrective action, and continual improvement. For shadow AI, these frameworks point to the same conclusion as the Encyclical: move from ad hoc use to structured accountability.

The Controls That Matter

A defensible shadow AI control program should include several core elements.

First, the company needs an approved tools list and a prohibited tools list. Employees should know what is permitted, what is restricted, and what is banned.

Second, the company needs data controls. Employees should not place confidential information, personal data, trade secrets, privileged information, customer data, source code, or sensitive business information into unapproved AI tools. Magnifica Humanitas warns that data and digital infrastructure can become new forms of power when control is concentrated and opaque (Magnifica Humanitas, paras. 108-109). Data governance is therefore not an administrative detail. It is the foundation of responsible AI controls.

Third, the company needs approval workflows for high-risk use cases. The higher the risk, the more formal the review should be.

Fourth, the company needs human review and recourse. AI should support judgment, not replace it. For consequential decisions, a person must remain accountable, and affected individuals should have a channel to challenge errors. This reflects the Encyclical’s insistence that decisions should be capable of justification, monitoring, challenge, and remedy (Magnifica Humanitas, para. 105).

Fifth, the company needs monitoring and testing. Internal audit should be able to test whether employees are following the policy, whether approved tools are operating within scope, and whether exceptions are remediated.

Finally, the company needs an AI incident process. Employees should know how to report accidental data disclosure, hallucinated output, inappropriate reliance, biased output, suspected vendor misuse, or unauthorized AI use. The goal should not be punishment first. The goal should be visibility, correction, and learning.

Five Lessons for the CCO

  1. Govern what employees actually use, not merely what policy permits. The first step is visibility. Create a process for employees and business units to disclose AI use without fear that each disclosure will trigger disciplinary action.
  2. Control data before it leaves the enterprise. The most immediate shadow AI risk is often data leakage. Define prohibited data categories, approved tools for sensitive information, and vendor restrictions on model training or reuse.
  3. Assign accountability at every stage. Every material AI use case should have a business owner, a risk owner, a control owner, an approval status, a review cycle, and an escalation path.
  4. Require human review and recourse for consequential uses. AI can assist, summarize, flag, and recommend. It should not replace accountable human judgment where rights, opportunities, employment, reputation, or legal obligations are involved.
  5. Test, remediate, and report evidence. AI governance must generate proof. Monitor usage, test controls, track incidents, remediate exceptions, and report meaningful metrics to the board.

Conclusion: Hidden Use Must Become Governed Use

Shadow AI is the modern Babel inside the corporation. It may look productive, efficient, and innovative. Yet if it operates without transparency, accountability, controls, or human judgment, it creates a structure the company does not understand and cannot govern.

Magnifica Humanitas reminds us that technology must remain at the service of the human person and not become a system of invisible control (Magnifica Humanitas, para. 171). That principle becomes real in the compliance program through internal controls. CCOs should help the company transition from hidden use to governed use.

In the next post, we will move from the hidden use of AI to the broader question of trust. We will examine AI, Truth, and Corporate Trust, and consider how synthetic content, misinformation, deepfakes, false documentation, and AI-generated narratives create a new compliance risk for boards, management, and the CCO.

From the Tower of Babel to the Boardroom: Part 2 – AI Governance Is a Compliance Issue

In the first post in this series, we used Magnifica Humanitas to frame the choice facing every board and compliance leader in the age of artificial intelligence. Companies can build a new Tower of Babel, driven by speed, scale, efficiency and power without adequate governance. Or they can follow the path of Nehemiah, rebuilding with discipline, shared responsibility, accountability and the human person at the center. That choice now moves from principle to program design.

AI governance cannot remain in the innovation lab, the IT department or the digital transformation office. It belongs inside the compliance program. Not because compliance should own every AI decision, and not because the CCO should become the chief technologist. AI governance belongs in compliance because AI creates the very risks compliance programs are designed to manage: legal risk, ethical risk, data risk, third-party risk, culture risk, internal controls risk, reporting risk, investigation risk and board oversight risk.

Magnifica Humanitas makes this point in moral language. Pope Leo writes that the use of AI is never a purely technical matter when it enters processes that affect people’s lives, rights, opportunities, status and freedom (Magnifica Humanitas, ¶102). For the modern compliance professional, that is familiar terrain. These are the risks an effective compliance program must identify, assess, control, monitor and remediate.

AI Is Not an Adjacent Risk

The first mistake companies make is treating AI as an adjacent risk. The business says AI is a productivity tool. IT says AI is a systems issue. Legal says AI is a regulatory issue. Privacy says AI is a data issue. Cybersecurity says AI is an access issue. HR says AI is a workforce issue. Internal audit says AI is a control issue. Procurement says AI is a vendor issue. They are all correct.

That is precisely why AI governance must be cross-functional, risk-based and integrated into the compliance program. AI does not respect organizational charts. It moves through data, workflows, vendors, platforms, communications, decisions and employee behavior. It may be embedded inside software already used by the company. Employees may adopt it without formal approval. Vendors may deploy it before procurement or legal fully understands how the tool works. It may be used by compliance itself for monitoring, investigations, hotline triage, third-party due diligence, sanctions screening or training.

The DOJ Has Already Put AI on the Compliance Agenda

The Department of Justice has made clear that AI is now part of compliance program evaluation. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether a company has a process for identifying and managing emerging risks, including risks related to new technologies such as AI. It asks how the company assesses the impact of AI on compliance with criminal laws, whether AI risk is integrated into enterprise risk management, how the company governs AI in commercial operations and in the compliance program, whether controls monitor trustworthiness and reliability, whether AI is limited to intended uses, what human decision-making baseline is used, how accountability is enforced and how employees are trained.

This is where the Encyclical and the ECCP align. Pope Leo calls for responsibility to be clearly defined at every stage, from those who design and develop AI systems to those who use them and rely on them for concrete decisions (Magnifica Humanitas, ¶105). The DOJ asks whether the company has translated that responsibility into risk assessment, controls, testing, training and accountability.

For CCOs, the message is direct. AI governance should be reflected in the risk assessment, policies and procedures, training, third-party risk management, internal controls, monitoring, investigations, discipline, incentives and board reporting. A company that cannot explain how it governs AI will struggle to demonstrate how its compliance program keeps pace with the business.

The CCO’s Role in AI Governance

The CCO does not need to own AI. The CCO does need a seat at the table. Compliance should inform the design of the company’s AI governance model. That model should include a cross-functional AI governance committee with representation from compliance, legal, privacy, cybersecurity, IT, HR, internal audit, procurement, finance and the business. It should define approval rights for high-risk use cases. It should establish documentation standards. It should require risk classification. It should identify prohibited uses. It should provide escalation channels for AI incidents and concerns.

This is the corporate version of Nehemiah’s wall. Pope Leo writes that everyone is given a section of the wall and that shared responsibility across disciplines and communities is the way to build for the common good (Magnifica Humanitas, ¶13). AI governance works the same way. Legal cannot do it alone. IT cannot do it alone. Compliance cannot do it alone. The governance model must assign roles so the whole enterprise can rebuild with discipline.

The CCO should also insist on an inventory of AI use cases. This is the foundational control. The company cannot govern what it cannot see. The inventory should include the business owner, tool name, vendor, purpose, data categories, decision impact, risk rating, applicable policies, human review requirements, testing history, approval date, renewal date and control owner.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. The Encyclical does not give companies an AI procedure manual. It gives them governing principles. The compliance task is to translate those principles into requirements that can be owned, tested, evidenced and improved. Pope Leo is explicit that digital processes should not be imposed from above in opaque or unilateral ways, but should be directed toward the common good with transparency, accountability, meaningful participation, independent checks, algorithmic transparency, equitable access to data and avenues for recourse (Magnifica Humanitas, ¶71).

Human dignity becomes human impact assessment and human review. The common good becomes enterprise risk governance and stakeholder impact. Subsidiarity becomes cross-functional participation, with decisions made close enough to the risk to be informed and accountable. Solidarity becomes attention to affected employees, customers, communities and vulnerable populations. Social justice becomes bias testing, access, recourse and a refusal to let opaque systems create hidden exclusion.

NIST AI RMF and ISO/IEC 42001 as Practical Architecture

Two frameworks can help compliance leaders translate AI principles into program structure. They give operational force to Pope Leo’s warning that it is not enough to invoke ethics in the abstract. He instead calls for robust frameworks, independent oversight, informed users, and institutions capable of governing AI’s effects (Magnifica Humanitas, ¶106). That is precisely the move compliance must make, from AI principles to an AI management system.

The NIST AI Risk Management Framework organizes AI risk management around four functions: Govern, Map, Measure and Manage. For compliance leaders, that is highly practical. Govern means the company has assigned authority, accountability, policies and risk appetite. Map means the company understands the context, purpose, users, affected stakeholders and potential impact of each AI use case. Measure means the company evaluates performance, reliability, bias, data quality, security and control effectiveness. Manage means the company prioritizes risks, implements controls, monitors outcomes, remediates problems and documents decisions.

ISO/IEC 42001 provides a management system model. It focuses on establishing, implementing, maintaining and continually improving an AI management system. For a compliance program, that supplies the discipline of policy, objectives, roles, processes, risk assessment, controls, monitoring, performance evaluation, corrective action and continual improvement.

From Policy to Controls

A policy is necessary, but it is not sufficient. A company can have a well-written AI policy and still have a weak AI governance program. The issue is whether the policy has an operational effect.

Pope Leo explains why. Technology is never neutral because it takes on the characteristics of those who devise, finance, regulate and use it (Magnifica Humanitas, ¶9). He later adds that every technical tool embodies choices and priorities through what it measures, what it ignores, what it optimises, and how it classifies people and situations (Magnifica Humanitas, ¶104). For compliance, this means the control environment must cover design, data, use, monitoring, output, and remediation.

COSO has warned that generative AI poses risks of cyber exposure, prompt manipulation, opaque reasoning, model drift, and frequent configuration changes that can affect operations, reporting, and compliance if not addressed with robust internal controls. That is the compliance challenge. AI governance must become a control activity.

Compliance Can Use AI Responsibly

Compliance should not stand outside the AI transformation. AI can help compliance become more effective. It can identify patterns in transactional data. It can assist with third-party risk scoring. It can support sanctions screening. It can help analyze hotline trends. It can improve training design. It can help prioritize monitoring. It can summarize large document sets in investigations. It can support control testing.

Magnifica Humanitas is direct on this point. AI may imitate functions of human intelligence, but it does not possess conscience, experience, responsibility or the capacity to judge good and evil (Magnifica Humanitas, ¶99). It can also create excessive reliance, the impression of objectivity and a weakening of personal judgment (Magnifica Humanitas, ¶100). Compliance professionals should use AI, but they should never surrender professional judgment to it. Human primacy remains the central control.

5 Lessons for the CCO
  1. Treat AI as a human dignity and compliance risk. AI is now part of legal, ethical, operational, data, third-party and cultural risk. The Encyclical reminds us that AI affects rights, opportunities, status, and freedom when it enters into consequential decisions (Magnifica Humanitas, ¶102).
  2. Build and maintain an AI inventory because governance begins with visibility. Every AI use case should have an owner, a purpose, a risk rating, a data classification, a control set, an approval status, and a review cycle.
  3. Govern compliance’s own use of AI because accountability starts at home. Compliance should use AI, but it must document purpose, controls, human review, validation and accountability.
  4. Move from policy to controls because technology is never neutral. AI governance requires approval workflows, data restrictions, testing, monitoring, escalation, remediation and auditability (Magnifica Humanitas, ¶9, ¶104).
  5. Report evidence to the board because accountability requires more than aspiration. Boards need dashboards and documentation showing where AI is used, what risks exist, what controls apply, who is accountable and whether the governance program is effective (Magnifica Humanitas, ¶105).

Conclusion: From Governance Principle to Control Discipline

Magnifica Humanitas challenges us to place the human person at the center of technological transformation. For compliance leaders, that means AI must be governed through risk assessment, controls, accountability, transparency, human oversight and evidence. The DOJ ECCP makes clear that prosecutors will ask how companies govern AI in the business and in compliance. NIST AI RMF and ISO/IEC 42001 provide practical architecture for doing so. COSO gives the internal controls discipline.

The compliance profession should embrace AI. It can make compliance more effective, more data-driven and more responsive. But embracing AI does not mean surrendering judgment to it. The right model is not fear. The right model is governed adoption.

In the next post, we will move from formal AI governance to the most immediate AI control challenge inside many companies: Shadow AI and Internal Controls. Employees are already using AI tools because they are fast, useful and accessible. The compliance question is whether the company can turn hidden use into governed use before shadow AI becomes the next major control failure.


AI Disclosures, Controls, and D&O Coverage: Closing the Governance Gap Around Artificial Intelligence

A new governance gap is emerging around artificial intelligence, and it is one that Chief Compliance Officers, compliance professionals, and boards need to confront now. It sits at the intersection of three areas that too many companies still treat separately: public disclosures, internal controls, and insurance coverage. That siloed approach is no longer sustainable.

As companies speak more confidently about their AI strategies, insurers are becoming more cautious about the risks those strategies create. That tension matters. It signals that the market is beginning to see something many organizations have not yet fully addressed: when a company’s statements about AI outpace its actual governance, the exposure is not merely operational or reputational. It can become a disclosure issue, a board oversight issue, and ultimately a proof-of-governance issue under the Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP).

For the compliance professional, this is not simply an insurance story. It is a compliance integration story. The question is whether the company can align its statements about AI, the controls it has in place, and the protections it believes it has in place if something goes wrong.

The New Governance Gap

Many organizations are eager to describe AI as a source of innovation, efficiency, better decision-making, or competitive advantage. Those messages increasingly appear in earnings calls, investor decks, public filings, marketing materials, and board presentations. Yet the underlying governance structures often remain immature. That disconnect is the governance gap.

It appears when management speaks broadly about responsible AI but has not built a complete inventory of AI use cases. It appears when companies discuss oversight but cannot show testing, documentation, or monitoring. It appears when boards assume that insurance will respond to AI-related claims without understanding how new policy language may narrow coverage.

This is where D&O coverage becomes so important. It is not the center of the story, but it is a revealing signal. If insurers are revisiting policy language and introducing exclusions or limitations tied to AI-related conduct, it suggests the market sees governance risk. In other words, the insurance market is sending a message: AI-related claims are no longer hypothetical, and companies that cannot demonstrate disciplined oversight may find that risk transfer is less available than they assumed.

Why the ECCP Should Be the Primary Lens

The DOJ’s ECCP remains the most useful framework for analyzing this issue because it asks exactly the right questions.

Has the company conducted a risk assessment that accounts for emerging risks? Are policies and procedures aligned with actual business practice? Are controls working in practice? Is there proper oversight, accountability, and continuous improvement? Can the company demonstrate all of this with evidence? Those are compliance questions, but they are also the right AI governance questions.

If a company makes public statements about AI capability, oversight, or reliability, the ECCP lens requires more than aspiration. It requires substantiation. Can the company show who owns the AI risk? Can it demonstrate how models or systems are tested? Can it show escalation procedures when problems arise? Can it document how AI-related decisions are monitored, reviewed, and improved over time?

If the answer is no, then the issue is not simply that the company may have overpromised. The issue is that its compliance program may not be adequately addressing a material emerging risk. That is why CCOs should view AI as a cross-functional challenge requiring integration across legal, compliance, technology, risk, audit, investor relations, and the board.

AI Disclosure Must Be Evidence-Based

One of the most practical steps a compliance function can take is to push for an evidence-based disclosure process around AI. This means that public statements about AI should not be driven solely by enthusiasm, market pressure, or executive optimism. They should be grounded in underlying documentation. If the company says it uses AI responsibly, where is the governance framework? If it claims AI improves decision-making, what testing supports that assertion? If it says it has safeguards, where are the control descriptions, monitoring results, and escalation records?

This is not about suppressing innovation. It is about ensuring that disclosure discipline keeps pace with technological ambition. For boards, this means asking harder questions before approving or relying on public AI narratives. For compliance officers, it means helping management build the evidentiary record that turns broad statements into defensible representations.

Controls Must Catch Up to Strategy

This is where the “how-to” work begins. Compliance professionals should begin by creating a structured inventory of AI use cases across the enterprise. That inventory should identify where AI is being used, what decisions it informs, what data it relies on, who owns it, and what risks it entails.

Once that inventory exists, risk tiering should follow. Not every AI use case carries the same compliance significance. A low-risk productivity tool does not need the same oversight as a system that affects investigations, third-party due diligence, customer interactions, financial reporting, or core operational decisions.

From there, the company can design controls proportionate to risk. High-impact uses of AI should have documented governance, human review where appropriate, testing protocols, escalation triggers, and monitoring requirements. The compliance team should be able to answer a simple question: where are the controls, and how do we know they work? That is the heart of the ECCP inquiry.
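The three steps above (inventory, risk tiering, controls proportionate to tier) can be expressed as a simple check that a compliance team could run over its own AI inventory. The following is an added illustrative example written for this post; it is not code from the post, from NIST, ISO or the DOJ, and not a vendor tool. The field names follow the inventory fields listed earlier in this series, but the tier rules, the list of high-impact decision areas, the required controls per tier and the 180-day testing window are assumptions chosen for illustration, as is the sample inventory. The point it makes is the ECCP one: a control that cannot be evidenced (no owner, no approval, stale testing, no escalation path) shows up as a gap rather than being assumed to exist.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed tiering inputs (not from the post): decision areas treated as
# high-impact, and data categories that raise the tier on their own.
HIGH_IMPACT_DECISIONS = {
    "investigations", "third_party_due_diligence", "customer_interactions",
    "financial_reporting", "core_operations",
}
SENSITIVE_DATA = {"personal", "financial", "privileged", "health"}

# "How do we know the controls work?" Testing evidence must be recent.
# A 180-day review cycle is an assumed value.
TESTING_MAX_AGE = timedelta(days=180)


@dataclass
class AIUseCase:
    """One row of the AI use-case inventory (field names are assumptions)."""
    tool: str
    business_owner: str
    vendor: str
    purpose: str
    data_categories: Set[str]
    decisions_informed: Set[str]
    control_owner: Optional[str] = None
    approval_date: Optional[date] = None
    human_review: bool = False
    last_tested: Optional[date] = None
    monitored: bool = False
    escalation_path: Optional[str] = None


def risk_tier(uc: AIUseCase) -> str:
    """Tier by what the tool decides and what data it touches (assumed rules)."""
    if uc.decisions_informed & HIGH_IMPACT_DECISIONS:
        return "high"
    if uc.data_categories & SENSITIVE_DATA:
        return "medium"
    return "low"


# Controls required per tier: proportionality, as the post describes it.
REQUIRED_CONTROLS: Dict[str, List[str]] = {
    "low": ["owner", "approval"],
    "medium": ["owner", "approval", "control_owner", "testing"],
    "high": ["owner", "approval", "control_owner", "testing",
             "human_review", "monitoring", "escalation"],
}


def control_gaps(uc: AIUseCase, today: date) -> List[str]:
    """Return the controls required for this use case's tier that it cannot evidence."""
    evidence = {
        "owner": bool(uc.business_owner),
        "approval": uc.approval_date is not None,
        "control_owner": bool(uc.control_owner),
        # Testing counts only if it happened and is still within the review window.
        "testing": uc.last_tested is not None
                   and today - uc.last_tested <= TESTING_MAX_AGE,
        "human_review": uc.human_review,
        "monitoring": uc.monitored,
        "escalation": bool(uc.escalation_path),
    }
    return [c for c in REQUIRED_CONTROLS[risk_tier(uc)] if not evidence[c]]


def inventory_report(inventory: List[AIUseCase], today: date) -> Dict[str, dict]:
    """Tier and gap list per tool: the view a CCO would put in front of the board."""
    return {uc.tool: {"tier": risk_tier(uc), "gaps": control_gaps(uc, today)}
            for uc in inventory}


# Constructed sample inventory (fictional tools and vendors).
SAMPLE_INVENTORY = [
    AIUseCase("MeetingNotes", "Operations", "VendorA",
              "summarise internal meetings", {"internal"}, set(),
              approval_date=date(2025, 1, 10)),
    AIUseCase("TPRiskScorer", "Compliance", "VendorB",
              "score third parties for due diligence",
              {"financial", "personal"}, {"third_party_due_diligence"},
              control_owner="Compliance Operations",
              approval_date=date(2025, 2, 1), human_review=True,
              last_tested=date(2024, 6, 1), monitored=True),
]

if __name__ == "__main__":
    for tool, row in inventory_report(SAMPLE_INVENTORY, date(2025, 3, 1)).items():
        print(tool, row)
```

Run as written, the low-tier meeting summariser passes, while the third-party scoring tool, despite having an owner, approval, human review and monitoring, is reported with two gaps: its last test is older than the review window, and it has no escalation path. That is the shape of answer the ECCP question expects: not "we have controls" but a list of which required controls are evidenced and which are not.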

Where NIST AI RMF and ISO/IEC 42001 Fit

This is also where the NIST AI Risk Management Framework and ISO/IEC 42001 become highly practical tools. NIST AI RMF helps organizations govern, map, measure, and manage AI risks. For compliance professionals, this provides a disciplined structure for identifying AI use cases, understanding impacts, assessing reliability, and managing response. It is especially useful in linking abstract AI risk to operational decision-making.

ISO/IEC 42001 brings management system discipline to AI governance. It focuses on defined roles, documented processes, control implementation, monitoring, internal review, and continual improvement. That makes it an excellent bridge between policy and execution. Together, these frameworks help operationalize the ECCP. The ECCP tells you what an effective compliance program should be able to demonstrate. NIST AI RMF helps structure the risk analysis. ISO/IEC 42001 helps embed those requirements into a repeatable governance process.

For CCOs, the practical lesson is clear: use these frameworks not as academic overlays, but as working tools to build ownership, documentation, testing, and accountability.

Insurance Is a Governance Input

Companies also need to stop treating insurance as an afterthought. D&O coverage should be considered a governance input, not merely a downstream purchase. If policy language is narrowing around AI-related claims, boards and compliance leaders need to understand what that means. What scenarios might raise disclosure-related allegations? Where is ambiguity in coverage? What assumptions has management made about protection that may no longer hold?

Compliance does not need to become an insurance specialist. But it does need to ensure that disclosure, governance, and risk transfer are aligned. If the company is making strong public claims about AI while carrying unexamined governance weaknesses and uncertain coverage, that is precisely the kind of mismatch that can trigger a crisis.

Closing the Gap Before It Becomes a Failure

The larger lesson is straightforward. AI governance is not simply about technology controls. It is about integration. It is about ensuring that what the company says, what it does, and what it can prove all line up. That is why the governance gap matters so much. It is the space where strategy outruns structure, where disclosure outruns evidence, and where confidence outruns control. For boards and compliance professionals, the task is to close that gap before it becomes a failure.

The companies that do this well will not necessarily be the ones moving the fastest. They will be the ones building documented, tested, monitored, and governed AI programs that stand up to regulatory scrutiny, investor pressure, and real-world disruption. That is not bureaucracy. That is the price of sustainable innovation.


AI as a Force Multiplier for Compliance: From Efficiency Tool to Program Effectiveness

There is a temptation in every wave of new technology to focus first on speed. How much faster can we do the work? How many hours can we save? How many tasks can we automate? Yet for the compliance professional, those are not the right first questions. The right first question is always: does this make our compliance program more effective?

That is why the recent Moody’s discussion of GenAI is so interesting when viewed through a compliance lens. The article describes AI not simply as a productivity engine, but as a tool that changes how professionals interact with information, generate insights, and support decision-making. It emphasizes workflow transformation, role-based support, auditability, data quality, and the need for governance and human oversight. For compliance officers, that is the real story. AI can indeed make work faster. But its true promise is that it can make compliance more targeted, more consistent, more responsive, and more operationally embedded.

The Department of Justice has been telling us for years, through the Evaluation of Corporate Compliance Programs (ECCP), that effectiveness is the standard. The questions are not whether a company has a policy on the shelf or a training module in the system. The questions are whether the company has access to data, whether it uses that data, whether controls are tested, whether issues are triaged appropriately, whether lessons learned are fed back into the program, and whether the program evolves as risks change. AI, properly governed, can help answer yes to each of those questions.

AI and the Compliance Program of the Future

The Moody’s paper notes that GenAI is moving from passive, knowledge-based support toward more action-oriented solutions that can assist with complex, multi-step workflows. That observation should resonate with every Chief Compliance Officer. The future is not an AI toy that drafts emails. The future is an AI-enabled compliance architecture that helps the function move from reactive to proactive.

Consider third-party due diligence. Most compliance teams still struggle with volume, fragmentation, and prioritization. Information sits in onboarding questionnaires, sanctions screens, beneficial ownership reports, payment histories, audit findings, hotline allegations, and open-source media. The challenge is not merely gathering that information. The challenge is turning it into risk-based action. AI can help synthesize disparate information sources, surface red flags, identify missing documentation, and create a more coherent risk picture. Under the ECCP, that supports a more thoughtful, risk-based approach to third-party management.

Take investigations triage. Every mature speak-up program faces the same problem: how to distinguish between the urgent, the important, and the routine. AI can help sort allegations by subject matter, geography, potential legal exposure, prior related issues, implicated business units, and urgency indicators. That does not mean AI decides guilt, materiality, or discipline. It means AI helps compliance direct scarce investigative resources where they matter most. In ECCP terms, it strengthens case handling, responsiveness, consistency, and root-cause readiness.

Now think about risk assessment. The best compliance risk assessments are dynamic, not annual rituals. AI can assist in identifying patterns across reports, controls failures, investigation outcomes, gifts and entertainment data, third-party activity, and regulatory developments. It can help compliance professionals see concentrations of risk earlier and with greater context. In a program built around continuous improvement, that is a force multiplier.

Effectiveness, Not Mere Automation

One of the most important lessons from the Moody’s article is that the value of AI lies in supporting higher-value analytical work, not just reducing routine effort. That is exactly how compliance leaders should approach deployment.

Transaction monitoring is a good example. Many organizations already use rules-based systems, but these often produce high volumes of noise. AI can support better prioritization, pattern recognition, and anomaly detection. It can help identify clusters of conduct that might otherwise remain hidden across vendors, employees, geographies, or payment channels. But the point is not simply to clear alerts faster. The point is to make the monitoring program smarter, more risk-based, and more defensible.

The same is true in training and communications. Too much compliance training remains generic, static, and detached from actual risk. AI opens the door to role-based, scenario-based, and even timing-based communications. A sales team in a high-risk market should not receive the same examples as procurement professionals dealing with third parties. A manager with hotline escalation responsibilities should not receive the same training as a new hire. AI can help tailor content, refresh scenarios, and improve accessibility. Under the ECCP, that supports effectiveness in training design, communications, and accessibility of guidance.

Speak-up and case management also stand to benefit. AI can help identify repeat issue patterns, detect retaliation indicators, cluster similar allegations, and flag unresolved themes across regions or functions. Done correctly, it can help compliance move from case closure to issue intelligence. That is where a hotline becomes not just a reporting channel but an early warning system.

Governance Is the Price of Admission

Here is where the compliance professional earns his or her stripes. The Moody’s piece is explicit that none of this works without robust governance, trustworthy data, transparency, documentation, validation, and human expertise remaining central to critical decisions. That is the bridge to both the NIST AI Risk Management Framework (NIST AI RMF) and ISO/IEC 42001.

NIST AI RMF gives compliance teams a practical way to think about governance, mapping, measurement, and management. ISO/IEC 42001 provides a management-system structure for implementing AI governance in an enterprise setting. Together with the ECCP, they provide a powerful architecture. The ECCP asks whether your compliance program works. NIST AI RMF helps define and manage AI risk. ISO/IEC 42001 helps operationalize governance and accountability.

What does that mean on the ground for your compliance regime?

It means every AI use case in compliance should have a defined business purpose, an identified owner, approved data sources, documented limitations, escalation criteria, testing protocols, and monitoring for drift or unintended consequences. It means AI outputs should be reviewable. It means prompt logs, source provenance, and validation results should be retained where appropriate. It means employees should know when they are permitted to rely on AI and when human review is mandatory. It means there must be clear boundaries around privacy, privilege, confidentiality, bias, and record retention.

Most of all, it means compliance should resist the easy sales pitch that AI is a substitute for professional judgment. It is not. It is a force multiplier for judgment.

The Board and Senior Management Imperative

Boards and senior leaders should be asking a straightforward question: are we using AI to make compliance more effective, or are we simply using it to do old tasks faster? Those are not the same thing. A mature answer would include at least five elements. First, a risk-based inventory of compliance AI use cases. Second, governance over data quality and model performance. Third, defined human-review thresholds for consequential decisions. Fourth, ongoing monitoring and periodic validation. Fifth, a feedback loop so lessons from investigations, audits, and operations improve the system over time.

That is very much in line with both the ECCP and the Moody’s article’s emphasis on verifiable data, decision auditability, and governance at scale.

Five Lessons Learned

  1. Start with effectiveness, not efficiency. If AI only helps you do low-value tasks faster, you have not transformed compliance. Use it where it improves risk identification, triage, analysis, and action.
  2. Build around the ECCP. The DOJ already gave compliance professionals the framework. Use AI to strengthen risk assessment, third-party management, investigations, training, and continuous improvement.
  3. Govern the data before you celebrate the tool. Bad data, undocumented prompts, or unvalidated outputs will undermine trust. Governance over data provenance and output review is essential.
  4. Keep humans in the loop where it matters. AI can assist with pattern recognition, drafting, prioritization, and synthesis. It should not replace judgment on materiality, discipline, escalation, privilege, or remediation.
  5. Treat AI as part of your compliance operating model. This is not an innovation side project. It should be documented, tested, monitored, and improved like any other core compliance process.

The bottom line is this: AI offers compliance functions a genuine opportunity to become more effective, more focused, and more business relevant. But that opportunity only becomes real when it is grounded in governance, disciplined by the ECCP, and supported by frameworks like NIST AI RMF and ISO/IEC 42001. Done right, AI will not diminish the role of the compliance professional. It will elevate it.


Culture, Speak-Up, and Human Judgment: The Human Side of AI Governance

Artificial intelligence may be built on data, models, and code, but governance ultimately rests on people. For boards and Chief Compliance Officers, one of the most important questions is not only whether the organization has responsibly approved AI tools, but also whether employees are prepared to challenge them, report concerns, and apply human judgment when something does not look right. In many organizations, the earliest warning system for AI failure is not a dashboard. It is the workforce.

Over the course of this series, I have explored four critical governance challenges in AI: board oversight and accountability, strategy outrunning governance, data governance and privacy, and ongoing monitoring. This final blog post turns to the fifth and most underappreciated challenge of all: culture, speak-up, and human judgment.

Underappreciated because organizations often begin AI governance with structure in mind. They build committees, draft policies, classify risks, and establish approval gates. All of that is necessary. But structure alone is not sufficient. If the human beings closest to the work do not understand their role in AI governance, do not feel empowered to raise concerns, or begin to defer too readily to machine-generated outputs, the governance framework will be weaker than it appears on paper.

This is the point many companies miss. AI governance is not only about the technology. It is about whether the organization’s culture supports the responsible use of technology.

Employees Will See AI Failures First

In many companies, the first person to notice an AI problem will not be a board member, a Chief Executive Officer, or even a member of the governance committee. It will be an employee interacting with the tool in daily operations. It may be the customer service representative who sees the system generating inaccurate responses. It may be the HR professional who notices troubling patterns from an AI-supported screening tool. It may be the sales employee who sees a generative tool overstating product claims. It may be the finance professional who questions an automated summary that does not match underlying records. It may be the compliance analyst who sees a tool being used for an unapproved purpose.

That matters because early visibility is one of the most valuable protections a company can have. But visibility only becomes a control if employees know what to do with what they see. That is why culture is a governance issue. A workforce may spot the problem, but if employees do not understand that AI-related concerns are reportable, are unsure where to raise them, or believe management will ignore them, the warning system fails.

For boards and CCOs, that means AI governance cannot stop at policy creation. It must extend into behavior, reporting norms, and organizational trust.

Speak-Up Culture Is an AI Governance Control

Compliance professionals have long known that a speak-up culture is a control. It is often the first way a company learns of misconduct, process breakdowns, weak supervision, retaliation, harassment, fraud, or control evasion. The same principle now applies with equal force to AI.

Employees may observe biased outputs, inaccurate recommendations, privacy concerns, unexplained model behavior, misuse of tools, inappropriate reliance on machine-generated content, or efforts to bypass required human review. If they do not report those concerns, management may have no timely way to know what is happening.

This is where the Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) remains highly instructive. The ECCP places substantial emphasis on whether employees are comfortable raising concerns, whether the company investigates them appropriately, and whether retaliation is prohibited in practice. Those same questions should now be asked in the context of AI. Does the company’s reporting framework explicitly include AI-related concerns? Are managers trained to recognize and escalate those concerns? Are reports investigated with the same seriousness as other compliance issues? Are employees protected if they raise uncomfortable questions about a tool the business wants to use?

If the answer is no, the company may have AI procedures, but it has not yet embedded AI governance in its culture.

Human Judgment Cannot Be Optional

One of the most significant risks in AI governance is not simply that a model will be wrong. It is that people will stop questioning it. AI systems can produce outputs quickly, fluently, and with apparent confidence. That creates a powerful temptation for users to over-trust the tool. When a system sounds polished, appears efficient, and reduces workload, people may assume that its conclusions deserve deference. This is precisely where governance needs the corrective force of human judgment.

Human judgment cannot be treated as a ceremonial step or a paper requirement. It must be meaningful. That means the people reviewing AI outputs must have the authority, time, training, and confidence to challenge those outputs when needed. A human review requirement that exists only on paper is not much of a safeguard. If reviewers are overloaded, insufficiently trained, or culturally discouraged from slowing the process, the control may be largely illusory.

Boards should care about this because one of the easiest mistakes management can make is to describe human oversight in governance documents without testing whether it is functioning in practice. CCOs should care because this is a classic compliance problem. A control may be designed elegantly but fail in daily operations because the supporting culture is too weak to sustain it.

Training Must Change with AI

A company cannot expect good judgment around AI if it has not trained people on what good judgment looks like. That means AI training should go beyond technical usage instructions. Employees need to understand what risks may arise, what concerns are reportable, what approved use looks like, what prohibited use looks like, and why human challenge matters. Managers need additional training because they are often the first informal escalation point when an employee raises a concern. If managers dismiss AI concerns as overreactions, inconveniences, or resistance to innovation, the speak-up system will quickly lose credibility.

Training should also be role-based. The risks faced by a customer-facing team may differ from those faced by teams in HR, legal, procurement, marketing, finance, or internal audit. A generic AI training module may create awareness, but it will not create the operational judgment needed in high-risk areas.

This is where the NIST AI Risk Management Framework provides practical value. NIST’s emphasis on governance is not limited to formal structures. It contemplates culture, accountability, and the need for organizations to support informed decision-making across the enterprise. ISO/IEC 42001 similarly reinforces the importance of organizational competence, awareness, and defined responsibilities. Both frameworks point to a critical truth: responsible AI use depends not only on controls over the technology, but also on the capabilities of the people who use and oversee it.

Managers Matter More Than Companies Often Realize

If culture is the operating environment of governance, managers are often its most important local translators. An employee may not begin by filing a formal report. More often, an employee may raise a concern informally with a supervisor or colleague. “This output does not seem right.” “I do not think we should be using it this way.” “This seems to be pulling in sensitive information.” “This recommendation may be biased.” “The human review is not really happening anymore.”

The manager’s response in that moment matters enormously. Does the manager take the concern seriously? Does the manager know it should be escalated? Does the manager see it as a governance issue or as resistance to efficiency? Does the manager understand the difference between a minor usability complaint and a potentially significant compliance concern?

This is why boards and CCOs should not think about speak-up solely in hotline terms. AI governance depends on the broader management culture. If supervisors are not equipped to receive and escalate AI concerns appropriately, many issues will die in the middle of the organization before they ever reach a formal channel.

Anti-Retaliation Must Be Real in the AI Context

There is another dimension that cannot be overlooked: the risk of retaliation. In some organizations, employees may hesitate to raise AI concerns because they fear being labeled anti-innovation, obstructionist, or not commercially minded. That creates a subtle but serious governance risk. If the corporate atmosphere celebrates rapid AI adoption without equally celebrating responsible challenge, then employees may conclude that silence is safer than candor.

This is why anti-retaliation messaging must be explicit in the AI context. The company should make clear that raising concerns about inaccurate outputs, misuse, privacy risks, unfairness, or control breakdowns is part of responsible business conduct. It is not a failure to embrace innovation. It is a contribution to the effective governance of innovation.

The CCO should ensure that AI-related concerns are incorporated into existing anti-retaliation frameworks, investigations protocols, and communications. Boards should ask whether employee sentiment data, hotline trends, and internal investigations provide any signal that people are reluctant to question AI initiatives. If the organization is moving aggressively on AI, it should be equally serious about protecting those who raise governance concerns about it.

Documentation and Escalation Still Matter

As with every other aspect of AI governance, culture and judgment must be integrated into the process. A company should document how AI-related concerns can be reported, how they are triaged, who reviews them, what escalation triggers apply, and how resolutions are tracked. Concerns about AI should not be dismissed as vague general complaints. They should be reviewable and analyzable over time.

This is essential not only for accountability but for learning. Patterns in employee concerns may reveal weaknesses in training, design, vendor management, access controls, or oversight. A single report may be an isolated event. Repeated concerns within a single function may point to a systemic governance problem. That is why speak-up is not just about receiving reports. It is about turning those reports into organizational intelligence.

The ECCP again offers a useful framework. It asks whether investigations are timely, whether root causes are examined, and whether lessons learned are fed back into the compliance program. AI governance should work the same way. A reported concern should not end with a narrow answer to the immediate complaint. It should prompt management to ask what the issue reveals about the broader governance environment.

Boards Must Model the Right Tone

This final point may be the most important. Culture is shaped by what leadership rewards, tolerates, and asks about. If the board only asks about AI efficiency, adoption, and speed, management will take the signal. If the board asks whether employees are raising concerns, whether human oversight is meaningful, whether managers are trained, and whether retaliation protections are working, management will take that signal as well.

For CCOs, this is a vital opportunity. The compliance function can help boards understand that governance is not only about structure and controls, but also about whether the organization has preserved the human capacity to question, escalate, and correct. In the AI context, that may be the most important governance capability of all.

Because in the end, even the most advanced system will not govern itself. An enterprise must govern it. That requires culture. It requires trust. It requires the courage to speak up. And it requires strong human judgment to look at an impressive output and still ask, “Is this right?”

The Human Side of Governance Is the Decisive Side

This final article brings the series back to a simple truth. AI governance is not only about what the company builds. It is about how the company behaves.

Boards may establish oversight. Management may create structures. Compliance may build controls. But if employees are not prepared to report concerns or exercise judgment, the organization will remain vulnerable. A strong AI governance program does not merely control the system. It empowers the people around the system to challenge it responsibly.

That is the human side of governance, and in many ways it is the decisive side. 


Ongoing Monitoring: Why AI Governance Begins After Launch

In this blog post, we turn to the fourth major governance challenge in AI: ongoing monitoring. This is one of the most persistent weaknesses in AI governance. Organizations may build an intake process. They may create an approval committee. They may conduct risk reviews, privacy assessments, and validation testing before launch. All of that is important. But it is not enough.

AI risk does not freeze at the moment of approval. It changes over time. Use cases evolve. Employees adapt tools in unexpected ways. Vendors modify models. Controls weaken in practice. Regulatory expectations shift. What looked reasonable at launch may become inadequate six weeks later.

That is why ongoing monitoring is not an optional enhancement to AI governance. It is a core governance requirement. For boards and CCOs, the central question is not simply whether the company approved AI responsibly. It is whether the company has the discipline to govern it continuously once it is in the wild.

Approval Is Not Governance

One of the great temptations in AI governance is to confuse approval with control. A business unit proposes a use case, a committee reviews it, guardrails are listed, and the tool goes live. At that point, many organizations behave as though the governance work is largely complete. It is not.

Approval is a moment. Governance is a process. The problem is that companies often put their best people, clearest thinking, and highest scrutiny into the approval stage, then shift immediately into operational mode without building the same discipline around post-launch oversight. That leaves management blind to how the system actually performs under real-world conditions.

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) is especially instructive here. The ECCP does not ask merely whether a company has policies on paper. It asks whether the program works in practice, whether controls are tested, whether issues are investigated, and whether lessons learned are incorporated back into the compliance framework. AI governance should be viewed through the same lens. The question is not whether a control was described at launch. The question is whether that control continues to function and whether management would know if it stopped.

Why AI Risks Change After Launch

Post-deployment risk in AI does not arise because management failed to care on implementation day. It arises because AI systems operate in dynamic environments. A model may begin to drift as conditions change. A tool approved for one limited purpose may gradually be used for broader or higher-risk decisions. Employees may find workarounds that bypass the intended controls. Human reviewers may begin by scrutinizing outputs closely but, over time, may become overconfident, overloaded, or simply too reliant on the system. Vendors may update underlying functionality without the company fully appreciating the consequences. New regulations or regulatory interpretations may alter the risk landscape. Inputs may change. Outputs may become less reliable. Bias may surface in ways not identified in initial testing.

In other words, AI governance risk is not static. It is operational. That is why boards and CCOs must resist the notion that initial approval is the hardest part. In many respects, ongoing monitoring is harder because it requires sustained attention, clear metrics, escalation discipline, and the willingness to revisit prior assumptions.

The Governance Question

After implementation, the governance question changes. It is no longer simply, “Was this use case approved?” It becomes, “Is the use case still operating as expected, within risk tolerance, and under effective control?” That sounds simple, but it requires a much more mature oversight model than many companies currently have. It requires management to define what should be monitored, how frequently, by whom, and what changes or anomalies trigger escalation. It requires a reporting structure that does not simply celebrate adoption or efficiency gains, but surfaces incidents, deviations, near misses, and control fatigue.

For the board, the challenge is to insist on post-launch visibility. Board reporting on AI should not end with inventories and implementation updates. It should include information about ongoing performance, exception trends, complaints, incidents, validation results, vendor changes, policy breaches, and remediation efforts. A board that hears only that AI adoption is accelerating may not hear that AI governance is working.

For the CCO, the challenge is even more immediate. Compliance must ask whether the organization is gathering evidence that controls continue to function in practice. If it is not, then the governance program is still immature, no matter how polished its approval process may appear.

Monitoring What Matters

It all begins by identifying the right things to monitor. This cannot be a generic exercise. Monitoring should be tied to the specific use case, its risk classification, and its control environment. But there are some recurring categories that boards and CCOs should expect to see.

  1. Performance should be monitored. Is the tool still delivering outputs that are accurate, reliable, and appropriate for the intended purpose? Have error rates changed? Are there signs of drift or degraded quality?
  2. Control effectiveness should be monitored. Are human review requirements actually being followed? Are approval restrictions, access controls, or usage limitations still operating as designed? Is there evidence that employees are bypassing or weakening controls?
  3. Incidents and complaints should be monitored. Has the tool produced problematic results? Have customers, employees, or managers raised concerns? Have there been internal reports about bias, inaccuracy, misuse, or confidentiality risks?
  4. Changes in scope should be monitored. Is the tool still being used for the original purpose, or has it drifted into new contexts? Scope creep is one of the oldest compliance problems in business, and AI is no exception.
  5. External change should be monitored. Has a vendor updated the model? Have relevant laws, guidance, or industry expectations changed? Has a new regulatory concern emerged that requires reevaluation?

This is where the NIST AI Risk Management Framework is especially useful. NIST emphasizes that organizations must govern, measure, and manage AI risk over time, not simply identify it once. ISO/IEC 42001 reaches the same conclusion from a management systems perspective by requiring continual improvement, internal review, and adaptive controls. Both frameworks point to the same truth: effective AI governance is iterative, not episodic.
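As an added example that is not part of the original post, here is how the five monitoring categories and the escalation triggers described above might be expressed as checks against a documented post-launch monitoring plan. The record fields, thresholds, use case, owner and sample records are all constructed assumptions.

```python
"""Post-launch monitoring check for an approved AI use case.

Added example (not code from the original post). It turns the five
monitoring categories (performance, control effectiveness, incidents and
complaints, scope, external change) into checks that run over one review
period of constructed usage records and return findings plus an
escalation decision. Record fields, thresholds and sample data are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class MonitoringPlan:
    """Documented plan: owner, metrics, thresholds (assumed shape)."""
    use_case: str
    owner: str
    approved_purposes: Set[str]
    baseline_error_rate: float      # error rate validated at launch
    max_error_rate_increase: float  # absolute increase that trips the check
    min_human_review_rate: float    # share of outputs that must be reviewed
    max_complaints_per_period: int
    approved_model_version: str     # vendor version reviewed at approval


@dataclass(frozen=True)
class UsageRecord:
    """One logged use of the tool (constructed shape)."""
    purpose: str
    model_version: str
    human_reviewed: bool
    flagged_incorrect: bool
    complaint_filed: bool


def evaluate_period(plan: MonitoringPlan, records: List[UsageRecord]) -> List[Dict[str, str]]:
    """Run the five monitoring checks and return findings for the period."""
    findings: List[Dict[str, str]] = []
    n = len(records)
    if n == 0:
        # Silence is itself a signal: either usage stopped or logging did.
        return [{"category": "control_effectiveness", "severity": "medium",
                 "detail": "no usage records for the period; verify logging"}]

    # 1. Performance: has accuracy degraded against the launch baseline?
    error_rate = sum(r.flagged_incorrect for r in records) / n
    if error_rate - plan.baseline_error_rate > plan.max_error_rate_increase:
        findings.append({"category": "performance", "severity": "high",
                         "detail": f"error rate {error_rate:.2f} vs baseline {plan.baseline_error_rate:.2f}"})

    # 2. Control effectiveness: is the required human review still happening?
    review_rate = sum(r.human_reviewed for r in records) / n
    if review_rate < plan.min_human_review_rate:
        findings.append({"category": "control_effectiveness", "severity": "high",
                         "detail": f"human review rate {review_rate:.2f} below {plan.min_human_review_rate:.2f}"})

    # 3. Incidents and complaints: has the volume exceeded tolerance?
    complaints = sum(r.complaint_filed for r in records)
    if complaints > plan.max_complaints_per_period:
        findings.append({"category": "incidents", "severity": "medium",
                         "detail": f"{complaints} complaints exceeds {plan.max_complaints_per_period}"})

    # 4. Scope: is the tool being used outside its approved purposes?
    out_of_scope = sorted({r.purpose for r in records} - plan.approved_purposes)
    if out_of_scope:
        findings.append({"category": "scope", "severity": "high",
                         "detail": "use outside approved purposes: " + ", ".join(out_of_scope)})

    # 5. External change: did the vendor ship a version nobody re-reviewed?
    new_versions = sorted({r.model_version for r in records} - {plan.approved_model_version})
    if new_versions:
        findings.append({"category": "external_change", "severity": "medium",
                         "detail": "unreviewed model versions in use: " + ", ".join(new_versions)})
    return findings


def escalation_required(findings: List[Dict[str, str]]) -> bool:
    """Assumed escalation trigger: any high finding, or two or more findings of any severity."""
    return any(f["severity"] == "high" for f in findings) or len(findings) >= 2


# Constructed plan and one review period of usage records.
PLAN = MonitoringPlan(
    use_case="contract-clause-summarizer",
    owner="legal-ops-owner (placeholder)",
    approved_purposes={"contract_review"},
    baseline_error_rate=0.05,
    max_error_rate_increase=0.05,
    min_human_review_rate=0.90,
    max_complaints_per_period=2,
    approved_model_version="v1.2",
)

PERIOD_RECORDS = [
    UsageRecord("contract_review", "v1.2", True, False, False),
    UsageRecord("contract_review", "v1.2", True, False, False),
    UsageRecord("contract_review", "v1.2", True, True, False),
    UsageRecord("contract_review", "v1.2", True, False, False),
    UsageRecord("contract_review", "v1.3", False, True, True),   # vendor update, no human review
    UsageRecord("contract_review", "v1.3", False, False, False),
    UsageRecord("hr_screening", "v1.3", False, True, True),      # scope creep into HR decisions
    UsageRecord("hr_screening", "v1.3", True, False, False),
    UsageRecord("contract_review", "v1.3", True, False, False),
    UsageRecord("contract_review", "v1.3", True, False, False),
]

if __name__ == "__main__":
    found = evaluate_period(PLAN, PERIOD_RECORDS)
    for f in found:
        print(f"[{f['severity']}] {f['category']}: {f['detail']}")
    print(f"escalate to {PLAN.owner}: {escalation_required(found)}")
```

Note that the complaint count in the sample period sits exactly at tolerance and does not trip the incidents check, while scope creep and the unreviewed vendor version do; the thresholds themselves belong in the documented plan, not in the code.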

The CCO’s Role in Governance

For compliance professionals, ongoing monitoring is where the AI governance conversation becomes most familiar. This is where the CCO brings real institutional value. Compliance understands that controls weaken over time. Training decays. Workarounds emerge. Policies lose operational traction. Reporting channels capture issues others do not see. Root cause analysis matters. Corrective action must be tracked to closure. These are not new lessons. They are the daily work of compliance. AI gives them a new domain.

The CCO should insist that AI use cases have documented post-launch monitoring plans. These should identify the responsible owner, the metrics to be reviewed, the review frequency, the escalation triggers, and the process for documenting findings and remediation. High-risk use cases should not be left to passive observation. They should be actively governed.

The CCO should also ensure that AI monitoring is connected to the broader compliance ecosystem. Employee concerns raised through speak-up channels may reveal issues with the model. Internal investigations may expose misuse. Third-party due diligence may uncover changes to vendors. Training gaps may explain repeated incidents. AI governance should not be isolated from these functions. It should be integrated with them.

This is also where the CCO can most effectively help the board. Rather than presenting AI as a series of isolated technical matters, the CCO can frame post-launch governance in familiar compliance terms: monitoring, testing, escalation, remediation, and lessons learned.

Board Practice: Ask for More Than Adoption Metrics

One of the most important disciplines boards can develop is to stop mistaking usage information for governance information.

Management may report that AI adoption is growing, that productivity gains are material, or that pilot programs are expanding. Those data points may be relevant, but they are not a form of governance assurance. A board should want to know whether controls are operating, whether incidents are increasing, whether certain business units generate more exceptions, whether human review remains meaningful, and whether management has paused or modified any use cases based on real-world experience.

This is where board oversight becomes genuinely valuable. When the board asks for evidence of ongoing monitoring, it changes management behavior. It signals that AI success will not be measured solely by speed or efficiency, but also by discipline and resilience.

Boards should also ensure that high-risk use cases receive enhanced visibility. Not every AI tool merits the same level of board attention. But where AI affects regulated interactions, employment decisions, sensitive data, financial reporting, significant customer outcomes, or reputationally sensitive functions, ongoing board-level reporting should be expected.

Escalation and Remediation Must Be Built In

Monitoring matters only if it leads to action. There must be clear escalation and remediation protocols. When a material issue emerges, who gets notified? Can the use case be paused? Who determines whether the problem is technical, operational, legal, or cultural? How are facts gathered? How are corrective actions assigned? When is the board informed? How is the lesson fed back into policy, training, vendor management, or approval standards?

These processes should not be improvised. They should be documented. The organization should know in advance which incidents require escalation, which temporary controls may be imposed, and how remediation is tracked.

This is another place where the ECCP provides a useful governance model. DOJ expects companies not only to identify misconduct but also to investigate it, understand its root causes, and implement improvements that reduce the risk of recurrence. AI governance should work the same way. If a model fails or a control weakens, management should not merely fix the immediate problem. It should ask what the failure reveals about the program itself.

Documentation Is the Proof

As with every other element of effective governance, documentation is what turns intention into evidence. Post-launch AI governance should generate records that demonstrate monitoring occurred, issues were surfaced, escalations were handled, and remediation was completed. That may include performance reviews, validation updates, incident logs, committee minutes, complaint summaries, control testing records, vendor change notices, and corrective action trackers.

Without such documentation, management may believe it is effectively monitoring AI, but it will struggle to prove it to internal audit, regulators, or the board. More importantly, it will struggle to learn from experience in a disciplined way. A company that documents ongoing monitoring creates institutional memory. It can compare use cases, detect patterns, and refine its oversight model over time. That is how governance matures.

AI Governance Starts After Launch

The hardest truth in AI governance may be this: launching the tool is often the easiest part. The real challenge begins afterward. That is when optimism meets operational reality. That is when human reviewers become tired. That is when vendors update products. That is when regulators begin asking harder questions. That is when small problems become visible, or invisible, depending on whether the company has built a monitoring system capable of finding them.

For boards and CCOs, this is where governance earns its name. If the organization can monitor, escalate, remediate, and improve, then AI oversight has substance. If it cannot, then the company has not really governed AI at all. It has only been approved.

In the next and final blog post in this series, I will turn to the fifth governance challenge: culture, speak-up, and human judgment, because in many organizations, the first people to see an AI problem will not be the board, the CCO, or the governance committee. It will be the employee closest to the work.


AI Compliance as a Competitive Advantage: Turning Governance Into ROI

In too many organizations, “AI compliance” is treated like a speed bump. Something to route around, manage after launch, or outsource to a vendor deck and a policy that nobody reads. That mindset is not only outdated but also expensive. In 2026, mature AI governance is becoming a commercial differentiator because customers, regulators, employees, and business partners increasingly ask the same question: Can you prove your system is trustworthy?

The most underappreciated truth is that AI risk is not “an AI team problem.” It is a business-process problem, expressed through data, decisions, third parties, and change control. The Department of Justice Evaluation of Corporate Compliance Programs (ECCP) has never been about perfect paperwork; it has been about whether a program is designed, implemented, resourced, tested, and improved. If you can translate that posture into AI, you can convert “compliance cost” into “credibility capital.”

A cautionary backdrop shows why. The EEOC’s 2023 settlement with iTutorGroup is the cautionary tale: automated hiring screening that disadvantages older workers can lead to legal exposure, remediation costs, and reputational damage. The details matter less than the pattern: when algorithmic decisions are not governed, the business eventually pays the bill. The compliance professional should see the pivot clearly: governance is the mechanism that lets you move fast without becoming reckless.

From a build-from-scratch, low-to-medium maturity posture, the win is not sophistication. The win is repeatability. If you build an AI governance framework aligned to NIST AI RMF (govern, map, measure, manage), structured through ISO/IEC 42001’s management-system discipline, and cognizant of EU AI Act risk tiering, you get something the business loves: a predictable path from idea to deployment. Today, I will explore five ways mature AI compliance can become a competitive advantage, each with a practical view of how a compliance-focused GenAI assistant can support business processes.

1) Sales and Customer Trust

Trust is a sales feature now, even when marketing refuses to call it that. Customers increasingly ask about data use, model behavior, security controls, and human oversight, and they are doing it in procurement questionnaires and contract negotiations. A mature governance framework lets you answer quickly, consistently, and with evidence, thereby shortening sales cycles and reducing late-stage deal friction. A compliance GenAI can support this by drafting standardized responses from approved trust artifacts such as policies, model cards, DPIAs, and audit summaries, flagging gaps, and routing exceptions to Legal and Compliance before the business overpromises.

For compliance professionals, this lesson is even more stark, as the ‘customers’ of a corporate compliance program are your employees. Some key KPIs you can track are average time to complete AI security and compliance questionnaires; percentage of deals requiring AI-related contractual concessions; number of customer-facing AI disclosures issued with approved templates; and percentage of AI systems with current model documentation and ownership attestations.

2) Regulatory Credibility

Regulators are not impressed by ambition; controls persuade them. NIST AI RMF provides a common language to demonstrate that you mapped use cases, measured risks, and managed them over time, while ISO/IEC 42001 imposes discipline on accountability, documentation, and continual improvement. The EU AI Act’s risk-based approach adds an organizing principle: classify systems, apply controls proportionate to risk, and prove that you did it. A compliance GenAI can help by maintaining a living inventory, prompting owners to complete quarterly attestations, drafting control narratives aligned with the frameworks, and assembling regulator-ready “evidence packs” that demonstrate governance in operation rather than on paper.

For compliance professionals, this lesson is about your gap analysis. If you have not yet aligned your existing internal controls with GenAI governance, you should do so. Some key KPIs you can track are percentage of AI systems risk-tiered and documented; time to produce an evidence pack for a high-impact system; number of material control exceptions and time-to-remediation; and frequency of risk reviews for high-impact systems.

3) Faster Product Approvals and Safer Deployment

Speed comes from clarity, not from cutting corners. When decision rights, review thresholds, and required artifacts are defined up front, product teams stop guessing what Compliance will require at the end. That is the management-system advantage: ISO/IEC 42001 treats AI governance like a repeatable operational process with gates, owners, and records, rather than a series of one-off debates. A compliance GenAI can support the workflow by pre-screening new use-case intake forms, recommending the correct risk tier under EU AI Act concepts, suggesting required testing (bias, privacy, safety), and generating the first draft of a launch checklist that the product team can execute.

For compliance professionals, this lesson is that you must run compliance at the speed of your business operations. Some key KPIs you can track are: cycle time from AI intake to approval; percent of launches that pass on first review; number of post-launch “surprise” issues tied to missing pre-launch controls; and percentage of models with human-in-the-loop controls when required.

4) Talent, Recruiting, and Internal Confidence

Top performers do not want to work in a company that treats AI like a toy and compliance like a nuisance. Mature governance creates psychological safety inside the organization: employees know what is permitted, what is prohibited, and how to raise concerns. It also improves recruiting because candidates, especially in technical roles, ask about responsible AI practices, data governance, and ethical guardrails. A compliance GenAI can support internal confidence by serving as the first-line “policy concierge,” answering questions with approved guidance, directing employees to the correct procedures, and logging common questions so Compliance can improve training and communications.

For compliance professionals, this fits squarely within the DOJ mandate for compliance to lead efforts in institutional justice and fairness. Some key KPIs you can track include training completion and comprehension metrics for AI use; the number of AI-related helpline inquiries and their resolution times; employee survey results on comfort raising AI concerns; and the percentage of AI use cases with documented business-owner accountability.

5) Lower Cost of Incidents and More Resilient Operations

AI incidents are rarely just “bad outputs.” They are process failures: poor data lineage, uncontrolled model changes, vendor opacity, missing logs, weak access controls, or no escalation path when harm appears. NIST AI RMF’s “measure” and “manage” functions emphasize monitoring, drift detection, incident response, and continuous improvement, which is precisely how you reduce the frequency and severity of failures. A compliance GenAI can support incident resilience by guiding teams through an AI incident response playbook, helping triage severity, ensuring evidence is preserved (audit logs, prompts, outputs, approvals), and generating lessons-learned reports that connect root cause to control enhancements.

For compliance professionals, some key KPIs you can track include the number of AI incidents by severity tier; mean time to detect and mean time to remediate; the percentage of high-impact models with drift-monitoring and alert thresholds; and the percentage of third-party AI providers subject to change-control notification requirements.

What “Mature Governance” Looks Like When You Are Building From Scratch

Do not start with a 60-page policy. Start with a few non-negotiables that scale:

  • Inventory and classification: Create a single inventory of GenAI assistants, ML models, and automated decision systems. Classify them by impact using EU AI Act concepts (high-impact versus low-impact) and your own business context.
  • Accountability and decision rights: Assign an owner for each system and require periodic attestations for the highest-risk categories.
  • Standard artifacts: Use lightweight model documentation, data lineage notes, and disclosure templates. If it is not documented, it does not exist for governance.
  • Human oversight and logging: Define when human-in-the-loop is mandatory and ensure logs capture who approved what, when, and why.
  • Third-party AI controls: Contract for transparency, audit support, change notification, and security requirements. Vendor opacity is not a strategy.

This is where ECCP thinking helps. The question is not whether you have a policy. The question is whether the policy is operationalized, tested, and improved. That is the bridge from compliance to competitive advantage.

If you want AI compliance to be a competitive advantage, treat it like a management system that produces evidence, not like a policy library that produces comfort. When governance becomes repeatable, the business can move faster, regulators become more confident, and customers see the difference. That is not a cost center. That is credibility you can take to the bank.

Categories
Innovation in Compliance

Innovation in Compliance: Navigating Cybersecurity Compliance: From Physical Audits to AI Frameworks with Lori Crooks

Innovation is present in many areas, and compliance professionals must not only be prepared for it but also actively embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox visits with Lori Crooks, a seasoned professional in the field of cybersecurity and audit assessments, to discuss the evolution of auditing practices from physical infrastructure to cloud and AI.

Lori shares insights from her extensive career, highlighting key federal compliance frameworks like NIST 800-53, FedRAMP, and NIST 800-171. Lori stresses the importance of proactive compliance strategies and scalable GRC programs. As AI integration accelerates, she also addresses the challenges of adapting compliance frameworks to keep pace with technological advancements and the need to foster collaboration within organizations to effectively meet regulatory requirements.

Key highlights:

  • Federal Auditing Frameworks
  • Proactive Compliance Strategies
  • Scalable GRC Programs
  • AI and Compliance Landscape
  • Future of Auditing in the Age of AI

Resources:

Lori Crooks on LinkedIn

Cadra

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Check out my latest book, Upping Your Game-How Compliance and Risk Management Move to 2023 and Beyond, available from Amazon.com.

Innovation in Compliance was recently honored as the number 4 podcast in Risk Management by 1,000,000 Podcasts.

Categories
Daily Compliance News

Daily Compliance News: August 31, 2023 – The Switzerland AML Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • Goldman sanctioned for ephemeral messaging compliance failures. (WSJ)
  • NIST framework and AI. (Bloomberg Law)
  • China crackdowns rip through healthcare industry corruption. (FT)
  • Switzerland unveils money-laundering crackdown. (FT)