
From the Tower of Babel to the Boardroom: Part 5 – Workforce Transformation, Third-Party Risk, and Modern Slavery

Artificial intelligence often appears frictionless. A prompt goes in. An answer comes out. A report is summarized. A risk score is generated. A customer interaction is automated. A compliance analyst receives a faster answer. A business process becomes more efficient. Yet there is nothing frictionless about AI.

Behind every AI tool sits a human supply chain. Some workers label data, moderate content, train models, build infrastructure, mine minerals, assemble devices, maintain data centers, write code, manage vendors, and absorb the consequences when automation changes the nature of work. There are third parties, subcontractors, cloud providers, data brokers, model developers, implementation consultants, and business users. There are people whose labor, data, dignity, and livelihoods may be affected long before the board ever sees an AI dashboard. Now we turn to the human supply chain of AI: workforce transformation, third-party risk, and modern slavery.

The Magnifica Humanitas Lesson: AI Is Never Disembodied

Magnifica Humanitas makes a powerful point for compliance professionals: AI is not immaterial or magical. Pope Leo states, “Nothing in the world of AI is immaterial or magical.” That is a moral statement, but it is also a governance statement. The Encyclical explains that AI depends on natural resources, energy infrastructure, digital platforms, and human labor, including data labeling, model training, content moderation, and the extraction of materials needed for devices and microprocessors (Magnifica Humanitas, ¶173).

That is a direct compliance lesson. The risk does not begin when the company deploys an AI tool. The risk begins when the company selects the vendor, approves the use case, provides data, accepts contractual terms, relies on outputs, and fails to ask who and what sits behind the technology. The Encyclical is equally direct that digital systems can amplify hidden forms of exploitation and that supply chains supporting the technology industry should become transparent so competitive advantage is not built on hidden exploitation (Magnifica Humanitas, ¶179).

The document also speaks directly to work. It teaches that work is not simply an instrument, but a setting in which people develop, contribute, cooperate, support their families, and build together (Magnifica Humanitas, ¶148-149). It warns that AI can improve productivity while also de-skilling workers, subjecting them to automated surveillance, forcing them to adapt to the pace of machines, and eroding their agency (Magnifica Humanitas, ¶150). For the CCO, this means AI governance is not only about model risk. It is also about people risk.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. Pope Leo calls for human-centred technology, social criteria for innovation, verifiable measures to protect employment, retraining, worker participation, and a corporate commitment to include the quality and dignity of work among the indicators of success (Magnifica Humanitas, ¶156). In corporate governance language, that means AI adoption should include workforce impact assessment, role-based training, human review, bias testing, privacy controls, speak-up protections, and board reporting.

The Encyclical also calls for preventive ethical verification, or due diligence, across the digital economy, with priority given to worker protection, the fight against forced labor, and assessment of the social impact of data-driven business models (Magnifica Humanitas, ¶179). For compliance professionals, that is third-party risk management. It means vendor due diligence, subcontractor transparency, audit rights, data provenance, labor standards, modern slavery review, incident reporting, and ongoing monitoring.

This is where the moral language of Magnifica Humanitas becomes the operating language of compliance. Human dignity becomes human rights due diligence. Shared responsibility becomes cross-functional governance. Transparency becomes supply chain visibility. Accountability includes naming owners, documentation, monitoring, testing, challenge, and remediation.

Workforce Transformation Is a Compliance Issue

AI will change work. That is not speculation. It is already changing how employees draft, analyze, monitor, investigate, review, report, and decide. The question is whether companies will manage this transformation with governance, transparency, and care, or allow automation to wash through the workforce as a cost-reduction exercise.

Compliance should not attempt to own a workforce strategy. That belongs with management, HR, legal, finance, and business leadership. But compliance should have a voice because workforce transformation creates culture risk, speak-up risk, retaliation risk, discrimination risk, privacy risk, monitoring risk, and internal controls risk. The Encyclical warns that innovation pursued solely for cost reduction and profit can produce job insecurity, inequality, and social instability (Magnifica Humanitas, ¶151).

A company using AI to evaluate employees, monitor productivity, screen applicants, assess performance, recommend discipline, or allocate opportunities should ask hard questions. What data is being used? Has the tool been tested for bias? Are employees informed? Can individuals challenge errors? Is human review required? Are managers trained not to over-rely on AI outputs? Is the tool increasing fairness, or simply making questionable decisions faster?

AI adoption should also include change management. Employees need training on approved AI use, prohibited data inputs, required human review, and escalation of concerns. They also need assurance that raising concerns about AI will not be punished. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether companies train employees on emerging technologies such as AI and whether companies have controls to monitor AI trustworthiness, reliability, intended use, human decision-making, and accountability. That is not only a technology expectation. It is a cultural expectation.

Third-Party AI Risk Is Not Ordinary Vendor Risk

AI vendors are not ordinary vendors when they touch sensitive data, influence consequential decisions, support compliance processes, provide core infrastructure, or rely on opaque subcontracting chains. A company may believe it is buying software. In reality, it may be acquiring a new decision system, a new data processor, a new compliance dependency, and a new supply chain exposure.

Magnifica Humanitas warns that major economic and technological actors can exercise de facto power over data, expertise, access, visibility, and opportunity. It calls for transparency, accountability, meaningful participation, independent checks, algorithmic transparency, equitable data access, and avenues for recourse (Magnifica Humanitas, ¶71-72). For the CCO, that is a vendor governance mandate.

The ECCP already provides the compliance architecture. A well-designed compliance program should apply risk-based due diligence to third-party relationships, understand the business rationale, assess the risks posed, include appropriate contract terms, monitor third parties through updated due diligence, training, audits, and certifications, and use data to evaluate vendor risk during the relationship. Apply that directly to AI vendors.

The company should know what the AI tool does, what data it uses, whether company data will train or improve the model, where data is stored, who has access, what subcontractors are involved, whether outputs are explainable, what human review is required, how incidents are reported, and whether the vendor can support audit rights. The company should also ask whether the vendor uses third parties for data labeling, content moderation, model evaluation, or technical support, and what labor standards apply to those providers.

An AI vendor questionnaire should not stop at cybersecurity and privacy. It should cover human rights, labor standards, modern slavery risk, data provenance, subcontractor transparency, model governance, incident reporting, auditability, and exit rights.

Modern Slavery Risk in the AI Supply Chain

The risk of modern slavery may seem far removed from enterprise AI adoption. It is not. Magnifica Humanitas challenges that assumption by reminding us that the digital economy depends on physical infrastructure, extracted resources, hidden labor, and vulnerable workers. It specifically identifies data labeling, model training, content moderation, resource extraction, and trafficking-enabled misuse of digital platforms as part of the moral challenge of AI (Magnifica Humanitas, ¶173).

For compliance professionals, the lesson is straightforward. AI supply chain risk should be folded into third-party risk management and human rights due diligence. The company should not assume that because an AI provider has a sophisticated interface, the underlying chain is clean. Procurement and compliance should ask who performs outsourced labeling, testing, moderation, data enrichment, and support work. They should assess whether workers are paid fairly, protected from exposure to harmful content, free from coercion, and supported by appropriate safeguards.

This is especially important where vendors rely on lower-cost labor markets, opaque subcontracting, high-volume content review, or resource extraction. The issue is not whether every AI vendor is high risk. The issue is whether the company has a defensible process to identify which vendors, services, geographies, and labor practices require enhanced review.

The Encyclical makes this corporate obligation unusually concrete: supply chains underpinning the technology industry and digital economy should become more transparent; companies and investors should adopt clear due diligence criteria; and digital platforms should cooperate to prevent communication, payment, and profiling tools from becoming channels for recruitment and control of victims (Magnifica Humanitas, ¶179). A modern AI third-party program should therefore include labor and human rights due diligence at onboarding, contractual commitments, audit rights, subcontractor approval rights, certifications, incident reporting, and ongoing monitoring.

Frameworks for Governing the Human Supply Chain

NIST and ISO/IEC provide a practical structure for this work. NIST’s Generative AI Profile calls for acceptable use policies that address proprietary and open-source AI technologies, data, contractors, consultants, and other third-party personnel. It also identifies the need to document generative AI value-chain risks, plan for failures or incidents involving third-party data or systems, and continuously monitor third-party AI systems in deployment.

ISO/IEC 42001 provides a management-system approach for organizations that develop, provide, or use AI-based products or services. It supplies the governance discipline compliance professionals understand: policy, roles, risk assessment, controls, monitoring, performance evaluation, corrective action, and continual improvement.

COSO adds the internal controls discipline. COSO’s GenAI guidance emphasizes that generative AI is moving into operations and boardrooms faster than traditional governance models anticipated, and that risks such as cyber exposure, prompt manipulation, opaque reasoning, model drift, and configuration changes can jeopardize operations, reporting, and compliance if not addressed through robust internal controls.

Together, these frameworks point to the same conclusion. AI supply chain governance must be documented, controlled, monitored, tested, and improved.

Board Oversight: The Human Cost Must Be Visible

Boards do not need to manage AI vendors. They do need to oversee the systems management uses to identify, assess, monitor, and remediate material AI risks. Under Caremark principles, directors must make a good-faith effort to oversee company operations. The board’s obligation is not technical mastery. It is a reporting and monitoring system that shows management has responded to the Encyclical’s accountability and due diligence mandate.

For AI, the board should ask whether management has visibility into the human supply chain. Which AI vendors are critical? Which tools affect employees, customers, suppliers, or compliance decisions? Which vendors use subcontractors? Which AI tools rely on sensitive data? What labor and human rights risks have been identified? What workforce impacts are expected? What retraining is planned? What AI-related incidents have occurred? What open remediation items remain?

Magnifica Humanitas closes this portion of its analysis with a shared responsibility principle: innovation must be guided by institutions, businesses, intermediary organizations, educational communities, and citizens so that it serves integral human development rather than becoming a source of exclusion and dominance (Magnifica Humanitas, ¶180-181). The board failure will not be that the directors did not understand every model parameter. The failure will be not asking whether management has a reasonable system to govern AI’s human, third-party, and supply chain impacts.

5 Lessons for the CCO

  1. Map the human supply chain. The company should know the vendors, subcontractors, data sources, infrastructure providers, and outsourced labor that support material AI tools.
  2. Treat high-impact AI vendors as high-risk third parties. AI vendors that touch sensitive data, support consequential decisions, or affect compliance processes require enhanced due diligence, contractual protections, and ongoing monitoring.
  3. Build human rights and modern slavery risk into AI due diligence. Vendor reviews should address labor practices, subcontractors, content moderation, data labeling, resource extraction, worker protections, and geographic risk.
  4. Govern workforce transformation. AI adoption should include training, retraining, human review, transparency, privacy protections, bias testing, and speak-up channels for employee concerns.
  5. Report evidence to the board. Boards need visibility into AI vendor risk, workforce impact, supply chain exposure, incidents, remediation, and control testing.

Conclusion: From Babel to Responsible Reconstruction

The AI age will reward companies that innovate. But it will also test whether those companies can govern innovation with discipline, transparency, responsibility, and human primacy. The lesson of Magnifica Humanitas is that AI must remain at the service of the human person. That includes the employee whose job is changing, the worker hidden in the supply chain, the community affected by resource extraction, the customer subject to an automated decision, and the board charged with oversight.

This five-part series began with the Tower of Babel and the boardroom. Babel was power without humility. Nehemiah was rebuilding with responsibility. For the modern compliance professional, that is the AI governance choice. Pope Leo frames the alternative as progress that serves people or progress that subjects them to the mentality of power (Magnifica Humanitas, ¶129). We can allow AI to grow through hidden use, opaque vendors, weak controls, synthetic trust, and invisible human cost. Or we can build an AI governance program grounded in risk assessment, controls, accountability, transparency, human review, third-party diligence, workforce care, and board reporting.

The next step is to convert these five lessons into a practical board-ready AI governance checklist. That checklist should give directors, CCOs, general counsel, audit leaders, risk leaders, and CEOs a structured way to ask the right questions, demand the right evidence, and govern AI before AI governs the enterprise.


Daily Compliance News: April 27, 2026, The Good Judgment Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • What is good judgment? (FT)
  • Is the MACC fostering corruption? (Bloomberg)
  • Israeli President wants a deal. (NDTV World)
  • What’s in the US government supply chain? (NYT)

For more information on the use of AI in compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out my latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.


Returning to Venezuela: Part 1 – Bribery, Corruption and the Risks You Must Confront Before You Enter

When US energy companies talk about returning to Venezuela, the conversation almost always starts with opportunity. Yet the CEO of Exxon has said Venezuela is ‘uninvestible’. There is another set of problems that every corporate compliance team will face if their company decides to enter the Brazilian market. For the compliance professional, it must start with corruption. Not episodic corruption. Not bad actors at the margins. Systemic, embedded, institutionalized corruption that touches government agencies, state-owned enterprises, procurement systems, and the judiciary. This is not a theoretical risk. It is the operating environment.

The Department of Justice (DOJ) has made clear in the Evaluation of Corporate Compliance Programs (ECCP) that high-risk jurisdictions require tailored, well-resourced, and empowered compliance programs. Venezuela is the textbook example of why. Over the next several blog posts, we will explore key issues every company and CCO will face when considering whether to enter (or re-enter) Venezuela. In Parts 1 and 2, I will consider the top 10 anti-bribery/anti-corruption (ABC) risks a compliance professional will face. (Part 1, risks 1-5; Part 2, risks 6-10). We will then consider AML risk, export control and trade sanctions, security risks, and end with operational risks.

1. Systemic Corruption Is the Baseline Condition

Risk

Venezuela is not a market where corruption appears as an exception. It is the default condition against which all business activity must be measured. For compliance professionals, this means risk assessments cannot ask whether corruption exists. They must assume it does and ask where pressure will arise. Licensing, customs, inspections, labor issues, utilities, and currency all present opportunities for improper advantage. Boards must understand this upfront. Entering Venezuela without acknowledging systemic corruption is not optimism. It is a governance failure.

Compliance Framework Response

Before addressing individual risks, the compliance function must establish baseline principles governing how risk is assessed and managed in Venezuela.

  1. Assume corruption pressure exists. The risk assessment does not ask if corruption will arise, but where and how.
  2. Controls must be operational, not theoretical. Policies without authority, monitoring, and escalation are not controls.
  3. Risk ownership must be explicit. Every risk category has a business owner, a compliance owner, and a board oversight hook.
  4. Boards govern risk; they do not run operations. Oversight is mandatory. Tactical interference is prohibited.

2. PdVSA as a Prominent and Persistent Risk

Risk

Any discussion of bribery risk in Venezuela must begin with Petróleos de Venezuela S.A. (PdVSA), which has been at the center of some of the most significant corruption schemes in modern enforcement history, involving contracts, invoices, intermediaries, and payment routing. Indeed, 10 years ago, I wrote that it would cost a fortune to schedule and confirm a meeting. But companies make the mistake of treating PdVSA as a single risk node. In reality, it is a network risk. Joint ventures, service contracts, maintenance agreements, and procurement relationships all radiate outward, exposing the organization to corruption. If your counterparty touches PdVSA, you have inherited PdVSA risk.

Compliance Framework Response

The starting point is a Venezuela-specific bribery and corruption risk assessment, refreshed whenever business scope, counterparties, or operating conditions change.

This assessment must:

  • Map all government touchpoints;
  • Identify all third parties by function, not just by name;
  • Distinguish systemic risk from transactional risk; and
  • Flag PdVSA exposure explicitly.

Outputs are not static reports. They are control design inputs.

3. Joint Ventures and Service Contracts: Shared Risk, Shared Liability

Risk

Joint ventures are often framed as risk mitigation tools. In Venezuela, they frequently do the opposite. Local partners may be politically connected. Governance structures may be opaque. Control rights may be illusory. Compliance professionals must scrutinize who appoints management, who controls procurement, and who interacts with government officials. Under the ECCP, regulators ask whether compliance has authority commensurate with risk. In a Venezuelan JV, symbolic compliance oversight is not enough.

Compliance Framework Response

1. Assessment Controls

  • Government interaction mapping by function and frequency
  • Identification of pressure points where discretion exists
  • Historical analysis of delays, denials, or unexplained variability

2. Management Controls

  • Pre-approval requirements for all government-facing interactions
  • Clear prohibitions on facilitation payments
  • Mandatory escalation for any demand tied to speed, access, or discretion

3. Monitoring

  • Trend analysis of approvals and delays
  • Comparison of processing times across regions or projects

4. Board Oversight Questions

  • Where do we face the highest government discretion risk?
  • What interactions cannot proceed without a compliance sign-off?

4. Procurement as the First Corruption Flashpoint

Risk

Procurement is where corruption pressure materializes fastest. Vendors expect to be paid for access. Officials expect influence. Intermediaries promise to “make things happen.” This is even more true in Venezuela. This is where third parties begin to matter and where compliance must be in place before contracts are signed. Retrospective diligence does not cure a corrupted procurement process. Boards should demand visibility into how vendors are selected, not just who they are.

Compliance Framework Response

1. Assessment Controls

  • Explicit identification of direct and indirect PdVSA touchpoints
  • Mapping of PdVSA influence over pricing, approvals, and payments
  • Review of historical enforcement patterns tied to similar structures

2. Management Controls

  • Enhanced due diligence for any counterparty touching PdVSA
  • Compliance approval of all PdVSA-facing contract terms
  • Segregation of duties around invoicing and change orders

3. Monitoring

  • Continuous review of intermediaries interacting with PdVSA
  • Red flag monitoring for unusual invoice timing or routing

4. Board Oversight Questions

  • How are PdVSA’s risks different from those of other SOEs we engage with?
  • What controls exist beyond standard third-party diligence?

5. The Illusion of “Routine” Government Interaction

Risk

Companies often underestimate corruption risk by labeling interactions as routine: inspections, permits, customs clearances, utilities, and labor approvals. And yes, the DOJ has said it will back off on enforcement of small payments, which may be traditionally made, but in Venezuela, routine functions are often monetized. Compliance programs must draw hard lines early and firmly.

Compliance Framework Response

1. Assessment Controls

  • Governance and control-rights analysis
  • Identification of who appoints management and controls procurement
  • Mapping of partner government relationships

2. Management Controls

  • Contractual compliance rights with audit and termination authority
  • Compliance veto power over high-risk activities
  • Mandatory training for JV-appointed personnel

3. Monitoring

  • Periodic compliance audits of JV operations
  • Review of partner interactions with officials

4. Board Oversight Questions

  • Where do we lack real compliance leverage in our JVs?
  • Are control rights aligned with our risk exposure?

Join us tomorrow as we look at ABC risks 6-10, including third parties, extortion, organized crime, currency issues, and a weak rule of law.


2 Gurus Talk Compliance – Episode 65 – The This Is Nuts Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode! ABC protests topple the Bulgarian government, a French tennis player is suspended for 20 years over corruption, a UM coach is fired over an affair with a staffer, and Trump puts the DOJ in a no-win position over Warner Bros.

Stories this week include:

  • NY state could be a battleground for AI regulation. NYT
  • Massive fraud in aircraft parts uncovered in the UK. TheTimes
  • Switzerland charges Credit Suisse over Tuna Bond fraud. ACAMS
  • Former Labour PM convicted of corruption in Bangladesh. Independent
  • Lane Kiffin should be nowhere near Ole Miss football. WSJ
  • U.S. Supply Chains Deemed Vulnerable to Chinese Exploitation – WSJ
  • Europe Aimed to Set Standards for Tech Rules; Now It Wants to Roll Them Back – WSJ
  • Campbell Soup executive called its products food for “poor people,” lawsuit claims – CBS News
  • I Made an Offensive Joke. But So Did Everyone Else! Why Did I Get Fired? – NYT
  • Florida Man Stops Paying for Rental Car, Uses It to Give Uber Rides – FloridaMan.com


Ethical AI Is Built in Procurement, Not Posters

In the ongoing conversation about AI, companies are increasingly highlighting their ethical principles. They publish responsible AI statements, share aspirational values, and post impressive slide decks. However, any experienced compliance professional knows that ethics does not live in posters. It lives in systems. It lives in contracts. It lives in the infrastructure choices that decide who holds power, who can be audited, and who is accountable when things go wrong.

When you pull back the curtain on most modern AI deployments, you find a hard truth. Ethical outcomes depend less on high-level values and more on the mundane details of compute access, data governance, vendor resilience, and transparency. Those details are not glamorous, but they are decisive. They are also exactly where the compliance function must lead. The companies that treat AI as a technical problem will struggle. The companies that understand AI as a governance problem will succeed. Compliance should be at the center of that governance effort.

The Infrastructure Beneath Ethical AI

The most important element of ethical AI is the part no one sees. The infrastructure decisions made today are the ethical outcomes of tomorrow. Consider four core factors that determine the integrity of an AI system long before it begins making predictions.

a. Compute Access

The amount of compute you grant, the regions in which it can be used, and the failover plan for outages are not IT decisions. They are about fairness, safety, and continuity. If only certain business units have access to the most powerful models, you have created inequities inside your own walls. If you cannot maintain operations during a provider outage, you have created a resilience gap that regulators will notice.

b. Data Governance

AI systems amplify the quality and cleanliness of your data practices. Data lineage, retention schedules, classification levels, and access controls determine who can see what, when, and under what safeguards. If the data is flawed, every model output built on it is flawed. Compliance already governs data privacy, confidentiality, and use restrictions. AI raises the stakes.

c. Vendor Resilience

The more an organization invests in a single AI provider, the more dependent it becomes on that provider’s risk posture. Multi-cloud strategies, vendor exit rights, and enforceable SLAs are not operational niceties. They are governance tools to prevent concentration risk. Compliance has long experience managing third-party risk; AI vendors are simply the newest category.

d. Model Operations

Model versioning, approval workflows, rollback procedures, and audit trails determine how quickly an organization can detect harm and correct it. These operational controls map almost perfectly onto compliance best practices. They reflect the same principles that underpin any effective risk management program: evidence, traceability, and documented decision-making.

Where Compliance Must Lead

Most organizations underestimate the extent to which AI governance requires the same discipline found in mature compliance programs. The compliance function knows how to operationalize policies, create audit trails, and embed accountability. These strengths translate directly into AI. Below are the areas where compliance should play the lead role.

1. Embedding Ethical Standards Into Procurement

Ethical AI begins with ethical procurement. RFPs should require model documentation, bias testing, data ownership guarantees, audit logs, content filtering, and evidence of secure development practices. A vendor that cannot demonstrate its internal controls will not protect your ethical commitments. Compliance is uniquely positioned to identify those red flags.

2. Contracting for Power, Not Promises

Every compliance professional knows that a vendor promise without contractual force is aspiration, not assurance. AI contracts must include termination for harm, financially meaningful remedies, data portability, and clear assignment of responsibilities. Regulators will expect companies to demonstrate that they negotiated governance into their agreements.

3. Designing for Resilience

AI systems break in unfamiliar and sometimes spectacular ways. Multi-region deployment, validated failover paths, and regular stress testing are mandatory. Resilience is an ethical value because it protects customers, employees, and stakeholders from foreseeable harm. Compliance should insist on documented resilience planning as part of deployment approval.

4. Governing the Data Layer

Data minimization, differential access, immutable lineage, and standard retention schedules must be embedded across AI use cases. AI does not excuse a company from its privacy or data-governance obligations. It heightens them. Compliance should ensure that every AI initiative begins with a data governance review before a single line of code is written.

5. Operationalizing Oversight

AI oversight is not a once-a-year assessment. It is a living discipline. Compliance should push for model risk reviews, red-team exercises, change-control approvals, and clearly defined escalation pathways. When issues arise, there must be a time-boxed rollback plan in place. Clearly assigned control owners must be accountable for results.

6. Measuring What Matters

Without metrics, oversight is performance art. Companies should measure false positives and false negatives for each AI use case, especially across protected classes. They should track incident rates, drift detection outcomes, model approval times, and vendor SLA performance. These indicators form a dashboard that demonstrates whether AI governance is real or merely decorative.

7. Funding Ethics as an Operational Requirement

Ethical AI is not free. It requires a budget for monitoring, red teaming, data curation, and external verification. Compliance should push for these resources and make the case that ethics is a form of operational continuity. A company that cannot demonstrate that it has funded its governance model will struggle in any regulatory examination.

8. Building Exit Capability

Most companies underestimate how difficult it is to transition away from an AI vendor. Compliance should require that every material AI system have an exit plan that includes timelines, data-migration standards, and a documented process to ensure continuity. Only an exit tested under realistic conditions qualifies as a real control.

9. Clarifying Accountability

AI governance fails when accountability is diffuse. Every operational risk must have an owner. Compliance should map each AI risk to a responsible executive and require quarterly reviews. Regulators do not want to know who wrote the policy. They want to know who owns the risk.

10. Training the Front Line

AI governance is not the exclusive domain of data scientists. Product teams, procurement staff, and engineers must understand their responsibilities. Compliance should provide scenario-based training and reward early escalation. Culture determines how quickly issues surface, and AI issues must surface fast.

Closing Thoughts

Ethical AI is not an aspirational project. It is a systems problem, a contracting problem, a data problem, and an accountability problem. Compliance has the experience and discipline to lead the organization through these challenges. When procurement, contracts, and architecture embody the company’s values, ethical outcomes follow. When they do not, no principle statement on a website will save you.

Categories
Innovation in Compliance

Innovation in Compliance – Navigating the Future of Supply Chain Compliance with Travis Miller

Innovation is present in many areas, and compliance professionals must not only be prepared for it but also actively embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, Tom welcomes Travis Miller, Chief Strategy Officer and General Counsel at Source Intelligence, to discuss major developments in supply chain compliance.

Miller outlines his recent job transition from Google, where he was the Head of Supply Chain Compliance and Social Responsibility. He delves into the complexities and innovations of Source Intelligence, a company focused on supply chain transparency and compliance. He also talks about his book ‘Guide to Supply Chain Compliance Laws and Regulations’ and highlights the growing significance of supply chain mapping due to new regulations. The conversation examines the pivotal roles of data accuracy, supplier collaboration, and AI in enhancing supply chain compliance. Miller predicts a more technical and relationship-driven future for supply chain professionals, stressing the importance of strategic partnerships. The discussion also explores four market realities that companies can’t ignore, emphasizing the pitfalls of outdated metrics and manual processes. Finally, Travis shares his insights on balancing automation with human judgment to optimize compliance operations.

Key highlights:

  • The Importance of Supply Chain Compliance
  • Supply Chain Mapping and Regulations
  • Full Material Declarations and Their Significance
  • AI in Supply Chain Compliance
  • The Future Role of Supply Chain Professionals
  • The Compliance Playbook and Market Realities

Resources:

Travis Miller on LinkedIn

‘Guide to Supply Chain Compliance Laws and Regulations’

The Compliance Playbook is Broken on LinkedIn

Innovation in Compliance was recently honored as the number 4 podcast in Risk Management by 1,000,000 Podcasts.

Categories
ACI FCPA Conference 2025

ACI-FCPA Conference Speaker Preview Series – Ricardo Wagner de Araujo on Potential Trouble in your (Latin American) Supply Chain

In this episode of the ACI-FCPA and Global Anti-Corruption Conference Speaker Podcasts series, Ricardo Wagner de Araujo discusses his panel at the event, “Managing New Risks in Latin America: A Look at the Biggest Ways Cartels/TCOs Are Infiltrating Businesses and Supply Chains, and How Companies Are Responding.”

Some of the issues the panel will discuss are:

    • The changing risks in Latin America.
    • How TCOs and cartels exploit third-party relationships.
    • Tips for adapting your compliance programs in Latin America.

I hope you can join me at the ACI–FCPA Conference. This year’s event will take place on December 3-4 at the Gaylord National Resort & Convention Center in National Harbor, Maryland, near Washington, D.C. The lineup of this year’s event is simply first-rate, featuring some of the top FCPA professionals, white-collar attorneys, and compliance practitioners in the field.

The 2025 program is being completely redesigned to help your organization stay agile, responsive, and ahead of the curve. Expect a dynamic agenda shaped by real-world priorities, practical takeaways, and the most cutting-edge thinking in compliance—led by a faculty of global practitioners with boots on the ground, encountering the very risks that come across your desk.

Please join me at the event. For information on the event, click here. Listeners of this podcast will receive a discount by using the code D10-999-CPN26.

Categories
Blog

AI in the Supply Chain: Transformative Insights for Compliance Professionals

Compliance professionals responsible for managing risk, regulatory adherence, and organizational integrity must understand how AI technologies are being integrated into supply chains to effectively manage compliance obligations and leverage these advancements for optimal business outcomes. The integration of AI technologies within supply chain operations provides organizations with substantial advantages, including enhanced efficiency, reduced costs, and improved decision-making. From demand forecasting and supplier risk management to customs clearance and sustainability, AI is transforming every facet of the supply chain. Compliance professionals must navigate this technological evolution with careful understanding and deliberate strategy. In an article in Reuters, László Serester explored these issues. I have adapted his article for a corporate compliance audience.

Enhanced Demand Forecasting

Accurate demand forecasting is crucial for maintaining optimal inventory levels and preventing costly stockouts or overstocking situations. The use of machine learning algorithms enables businesses like Walmart and Amazon to analyze vast datasets, including historical sales data, market trends, seasonal patterns, and economic indicators. This granular analysis allows organizations to predict product demand with unprecedented accuracy.

For instance, companies such as Unilever and Pfizer utilize AI-driven forecasts to proactively adjust production schedules and ensure the continuous availability of raw materials. The introduction of autonomous agentic AI systems capable of independently adjusting production schedules without human approval signifies a leap towards greater operational autonomy, demanding vigilant compliance oversight to ensure appropriate checks and balances remain robustly in place.

Proactive Supplier Risk Management

Procurement processes are inherently complex, with multiple suppliers contributing to a single supply chain. AI systems, like SAP Ariba’s machine learning solutions, streamline supplier risk management by providing real-time insights into supplier performance. This capability enables quicker and more informed procurement decisions, significantly mitigating the risks associated with unreliable suppliers.

During crises, rapid vendor selection and thorough due diligence are paramount. AI-driven software, utilized by corporations like Unilever and Siemens, automates the identification and evaluation of potential new suppliers by analyzing diverse data sources, including financial health, sustainability practices, and compliance history. This systematic evaluation not only enhances operational resilience but also ensures adherence to ethical sourcing standards and regulatory requirements.

Manufacturing and Quality Assurance

AI’s contribution extends deeply into manufacturing processes, improving operational efficiency from design through commercialization. Companies like Siemens, GE, and Bosch harness big data analytics and IoT technologies for real-time monitoring, predictive maintenance, and automation. These innovations reduce downtime, extend equipment lifespan, and minimize operational risks.

AI’s role in quality control, particularly through advanced computer vision, enables companies to inspect products for defects with greater accuracy and speed, thereby significantly enhancing compliance with stringent quality standards. For example, electronics manufacturers utilize AI-driven inspections to detect circuit board defects, directly contributing to higher compliance standards and reduced regulatory risk.

Inventory and Warehousing Optimization

AI-powered inventory management solutions dramatically enhance warehouse operations. Predictive analytics, based on sales history, market trends, and real-time inventory data, enables companies to manage stock replenishment precisely. Organizations like Gather AI have deployed drone technology integrated with AI to perform inventory audits rapidly and accurately, drastically reducing human error and associated compliance risks.

Automation within warehouses, exemplified by Ocado’s autonomous mobile robots and Amazon Robotics’ warehouse solutions, optimizes storage efficiency, minimizes manual labor, and reduces the incidence of workplace injuries. The integration of deep-learning algorithms for recommending suitable alternatives when products are out of stock further illustrates AI’s profound impact on operational compliance and customer satisfaction.

Transportation and Logistics Efficiency

In logistics, AI-driven predictive analytics optimize transportation routes by analyzing traffic patterns, weather conditions, and real-time scheduling data to enhance efficiency. Companies like Maersk and UPS deploy AI systems to significantly enhance delivery efficiency, reduce costs, and improve environmental sustainability through optimized fuel usage.

AI’s capacity to manage freight matching and load optimization minimizes empty truck miles, directly contributing to sustainability goals and compliance with environmental regulations. Autonomous trucking initiatives, such as those from startups like Gatik, demonstrate AI’s transformative potential in the logistics sector, necessitating rigorous compliance oversight to address emerging safety and regulatory concerns.

Streamlined Customs Clearance and Regulatory Compliance

Compliance with customs regulations is greatly enhanced through AI technologies that automate document processing, accurately classify goods, and predict duties and taxes. Systems like ClearMetal’s predictive logistics and Descartes Systems Group’s AI solutions expedite customs declarations, significantly reducing errors and delays.

Moreover, AI-driven cargo screening technologies employed by U.S. Customs and Border Protection officials enhance inspection efficiency, focusing resources on high-risk shipments. Such applications underscore the essential role AI plays in maintaining robust regulatory compliance in international trade.

AI in Legal and Compliance Support

Legal departments supporting supply chain functions can utilize AI to streamline processes ranging from document review to contract management. Solutions like Thomson Reuters’ HighQ and Westlaw Edge facilitate efficient document analysis and rapid identification of potential compliance risks or contract deviations.

AI-enhanced legal research and drafting tools further empower legal professionals by automating repetitive tasks, allowing them to focus on strategic compliance advisory roles that require nuanced judgment and business acumen. This integration highlights the utility of AI in enhancing legal and compliance capabilities, ensuring the precise and efficient management of compliance obligations.

Promoting Sustainability through AI

Finally, sustainability practices benefit significantly from AI technologies that enable comprehensive evaluation and monitoring of supplier sustainability credentials. Platforms like EcoVadis and SupplyShift utilize AI-driven data analytics to rate suppliers on ESG criteria, empowering organizations to uphold rigorous sustainability standards and meet regulatory expectations.

The widespread integration of AI into supply chain operations presents both opportunities and obligations for compliance professionals. Mastery of AI tools and methodologies enables enhanced risk management, regulatory adherence, and organizational resilience. As supply chain operations continue to advance technologically, compliance teams must remain vigilant and adaptive, leveraging AI’s capabilities responsibly to protect organizational integrity and promote sustainable, compliant business practices.

Embracing AI strategically positions compliance professionals not only as guardians of regulatory adherence but also as key facilitators of organizational innovation and sustainability. The thoughtful application of AI within the supply chain thus becomes a cornerstone of a robust compliance strategy, essential for thriving in an increasingly complex regulatory environment.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Using Supply Chain to Innovate in Compliance

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

How to use your supply chain partners to innovate for your compliance program.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing Your Compliance Program, 6th Edition, which LexisNexis recently released. It is available here.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – The Role of Supply Chain and Compliance in Tariffs

In this episode, we consider how compliance can support your company’s Supply Chain in this era of tariff hikes and their suspensions.