Tag: Tower of Babel

Categories
AI Today in 5

AI Today in 5: June 15, 2026, The Anthropic In Trouble Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Compuvi gets $40MM funding. (FinTechGlobal)
  2. US bars top Anthropic models from foreign use. (NYT)
  3. EU AI Act risk tiers. (Snowflake)
  4. Tower of Babel and AI governance. (Compliance Week)
  5. US regulators are reviewing banks’ use of AI. (Reuters)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on ⁠Amazon.com⁠.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on ⁠Amazon.com⁠.

Categories
Blog

From the Tower of Babel to the Boardroom: Part 3 – Shadow AI and Internal Controls

Shadow AI is the internal-controls problem of the artificial-intelligence age.

It is not hard to understand why employees use AI tools without waiting for formal approval. These tools are fast, accessible, practical, and often embedded into platforms employees already use. A business development professional may use AI to draft a proposal. A lawyer may use it to summarize a contract. A finance employee may use it to analyze a spreadsheet. A compliance analyst may use it to review due diligence materials. A manager may use it to draft performance feedback. The use case may be productive. The intent may be benign. The risk may still be real.

That is the compliance challenge. Shadow AI is not simply unauthorized technology use. It is ungoverned decision support, unapproved data transfer, undocumented reliance, uncontrolled output, and untested automation. It poses risks to confidentiality, privilege, privacy, intellectual property, cybersecurity, employment decisions, books and records, third-party management, investigations, and board reporting. Most importantly, it creates a visibility gap. The company cannot govern what it cannot see.

In the first post in this series, we used Magnifica Humanitas to frame the choice between Babel and Nehemiah. In the second post, we moved from principle to program design and argued that AI governance should be embedded in the compliance program. Now we turn to the first practical test: whether the company can convert hidden AI use into governed AI use.

The Magnifica Humanitas Lesson: Opaque Power Is a Governance Risk

Magnifica Humanitas warns that technology is never neutral in practice because it takes on the characteristics of those who devise, finance, regulate, and use it (Magnifica Humanitas, para. 9). For a corporate audience, that is the first lesson of shadow AI. When employees use AI outside approved channels, the company may not know which technology is being used, what data is being transferred, what outputs are being relied on, or what assumptions are being embedded in business decisions.

The Encyclical also warns that control over platforms, infrastructure, data, and computing power can become concentrated, opaque, and difficult to oversee (Magnifica Humanitas, para. 95). Inside a company, shadow AI creates a similar problem on a smaller but very practical scale. Power shifts away from approved systems, documented workflows, and accountable owners toward individual employees’ practices that may be invisible to legal, compliance, privacy, cybersecurity, internal audit, and the board.

Pope Leo also identifies three risks in private AI use that map directly to employee behavior: the ease of getting results, the impression of objectivity, and the simulation of human communication. He warns that these features can encourage overreliance, ready-made answers, and weakened judgment (Magnifica Humanitas, para. 100). That is exactly why shadow AI matters. The risk is not only that employees use the wrong tool. The greater risk is that employees begin to rely on AI outputs without understanding the assumptions, limitations, data sources, or error rates that underpin them.

From Encyclical Principle to Internal Control Requirement

The corporate translation is straightforward: if AI is never merely technical when it affects rights, opportunities, status, freedom, reputation, or work, then shadow AI cannot be treated as a minor IT exception (Magnifica Humanitas, para. 102). It is a governance issue. It is a control issue. It is a compliance issue.

Magnifica Humanitas says responsibility must be clearly defined at every stage, including those who design, develop, use, and rely on AI for concrete decisions. Accountability requires the ability to identify who must account for decisions, justify them, monitor them, challenge them, and remedy harm (Magnifica Humanitas, para. 105). In corporate language, that means AI use cases need owners, approvals, controls, escalation paths, incident processes, documentation, and remediation.

The Encyclical also cautions that abstract ethics are not enough. Responsible AI requires rigorous evaluation, independent oversight, informed users, and safeguards capable of governing AI’s effects (Magnifica Humanitas, para. 106). For the CCO, that is the bridge between principles and controls. Shadow AI must be made visible, classified by risk, controlled at the data layer, reviewed by accountable humans, tested by independent functions, and reported to the board.

Shadow AI Is a Control Environment Issue

A company may have an AI policy and still have a shadow AI problem. A policy tells employees what is expected of them. A control tells the company whether the expectation is working.

This is where COSO becomes essential. COSO has warned that generative AI is moving into daily operations faster than traditional governance models anticipated and that internal control must be applied to risks such as uncontrolled adoption, opaque reasoning, prompt manipulation, model drift, cyber exposure, and configuration change. That is the heart of the matter. A memo from legal does not solve the shadow AI problem. It is solved through the control environment.

The company needs to define leadership expectations, conduct risk assessments, establish control activities, ensure information and communication, and implement monitoring. Those are not technology terms. They are governance terms. The CCO should work with legal, IT, cybersecurity, privacy, HR, procurement, internal audit, and the business to create a practical AI control structure. The first line should own the business use case. The second line should set standards, review risk, and monitor compliance. The third line should test design and operating effectiveness. The board should receive reports showing whether the system is working.

The DOJ ECCP Question

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) now asks how companies identify and manage emerging risks, including new technologies such as AI. It asks how companies govern AI in commercial operations and in the compliance program, how they monitor reliability and trustworthiness, how they limit AI to intended uses, how they preserve human decision-making, how accountability is assigned, and how employees are trained.

That logic tracks closely with Magnifica Humanitas. Pope Leo supplies the accountability mandate; the DOJ supplies the compliance program test. If responsibility must be defined and harm must be capable of challenge and remediation, then the company must be able to show that AI tools are known, approved, monitored, limited to intended uses, and subject to human oversight (Magnifica Humanitas, para. 105).

A company with uncontrolled shadow AI has a predictable compliance problem. It may not be able to show that it has identified an AI risk. It may not be possible to demonstrate that employees were effectively trained. It may not be possible to show that AI tools are limited to intended uses. It may not be possible to demonstrate that human review is in place for consequential decisions. It may not be able to show that compliance has visibility into AI use. For the CCO, the question is direct: can we explain how AI is actually being used in the company or only how we hope it is?

From Prohibition to Governed Use

The wrong response to shadow AI is a blanket prohibition that employees ignore. AI is here to stay. Employees will use it because it saves time and improves work product. The better response is governed adoption.

The company should begin with an AI use-case inventory. This should capture approved tools, embedded AI in existing platforms, vendor-provided AI, internally developed AI, pilot projects, and employee use of public tools. It should identify the business owner, purpose, data used, vendor involved, risk rating, approval status, required human review, and applicable controls.

Next, the company should create a clear classification model. Low-risk uses, such as drafting generic internal communications, may require basic training and disclosure. Medium-risk uses, such as summarizing non-sensitive business materials, may require approved tools and data restrictions. High-risk uses, such as employment decisions, customer eligibility, financial reporting, investigations, regulated communications, or third-party risk scoring, should require formal review, documented controls, human oversight, and periodic testing.

NIST’s AI Risk Management Framework provides useful architecture through its Govern, Map, Measure, and Manage functions. ISO/IEC 42001 provides the management-system approach, including policies, responsibilities, risk management, transparency, monitoring, performance evaluation, corrective action, and continual improvement. For shadow AI, these frameworks point to the same conclusion as the Encyclical: move from ad hoc use to structured accountability.

The Controls That Matter

A defensible shadow AI control program should include several core elements.

First, the company needs an approved tools list and a prohibited tools list. Employees should know what is permitted, what is restricted, and what is banned.

Second, the company needs data controls. Employees should not place confidential information, personal data, trade secrets, privileged information, customer data, source code, or sensitive business information into unapproved AI tools. Magnifica Humanitas warns that data and digital infrastructure can become new forms of power when control is concentrated and opaque (Magnifica Humanitas, paras. 108-109). Data governance is therefore not an administrative detail. It is the foundation of responsible AI controls.

Third, the company needs approval workflows for high-risk use cases. The higher the risk, the more formal the review should be.

Fourth, the company needs human review and recourse. AI should support judgment, not replace it. For consequential decisions, a person must remain accountable, and affected individuals should have a channel to challenge errors. This reflects the Encyclical’s insistence that decisions should be capable of justification, monitoring, challenge, and remedy (Magnifica Humanitas, para. 105).

Fifth, the company needs to be monitored and tested. Internal audit should be able to test whether employees are following the policy, whether approved tools are operating within scope, and whether exceptions are remediated.

Finally, the company needs an AI incident process. Employees should know how to report accidental data disclosure, hallucinated output, inappropriate reliance, biased output, suspected vendor misuse, or unauthorized AI use. The goal should not be punishment first. The goal should be visibility, correction, and learning.

5 Lessons for the CCO
  1. Govern what employees actually use, not merely what policy permits. The first step is visibility. Create a process for employees and business units to disclose AI use without fear that each disclosure will trigger disciplinary action.
  2. Control data before it leaves the enterprise. The most immediate shadow AI risk is often data leakage. Define prohibited data categories, approved tools for sensitive information, and vendor restrictions on model training or reuse.
  3. Assign accountability at every stage. Every material AI use case should have a business owner, a risk owner, a control owner, an approval status, a review cycle, and an escalation path.
  4. Require human review and recourse for consequential uses. AI can assist, summarize, flag, and recommend. It should not replace accountable human judgment where rights, opportunities, employment, reputation, or legal obligations are involved.
  5. Test, remediate, and report evidence. AI governance must generate proof. Monitor usage, test controls, track incidents, remediate exceptions, and report meaningful metrics to the board.
Conclusion: Hidden Use Must Become Governed Use

Shadow AI is the modern Babel inside the corporation. It may look productive, efficient, and innovative. Yet if it operates without transparency, accountability, controls, or human judgment, it creates a structure the company does not understand and cannot govern.

Magnifica Humanitas reminds us that technology must remain at the service of the human person and not become a system of invisible control (Magnifica Humanitas, para. 171). That principle becomes real in the compliance program through internal controls. CCOs should help the company transition from hidden use to governed use.

In the next post, we will move from the hidden use of AI to the broader question of trust. We will examine AI, Truth, and Corporate Trust, and consider how synthetic content, misinformation, deepfakes, false documentation, and AI-generated narratives create a new compliance risk for boards, management, and the CCO.

Categories
Blog

From the Tower of Babel to the Boardroom: Part 2 – AI Governance Is a Compliance Issue

In the first post in this series, we used Magnifica Humanitas to frame the choice facing every board and compliance leader in the age of artificial intelligence. Companies can build a new Tower of Babel, driven by speed, scale, efficiency and power without adequate governance. Or they can follow the path of Nehemiah, rebuilding with discipline, shared responsibility, accountability and the human person at the center. That choice now moves from principle to program design.

AI governance cannot remain in the innovation lab, the IT department or the digital transformation office. It belongs inside the compliance program. Not because compliance should own every AI decision, and not because the CCO should become the chief technologist. AI governance belongs in compliance because AI creates the very risks compliance programs are designed to manage: legal risk, ethical risk, data risk, third-party risk, culture risk, internal controls risk, reporting risk, investigation risk and board oversight risk.

Magnifica Humanitas makes this point in moral language. Pope Leo writes that the use of AI is never a purely technical matter when it enters processes that affect people’s lives, rights, opportunities, status and freedom (Magnifica Humanitas, ¶102). For the modern compliance professional, that is familiar terrain. These are the risks an effective compliance program must identify, assess, control, monitor and remediate.

AI Is Not an Adjacent Risk

The first mistake companies make is treating AI as an adjacent risk. The business says AI is a productivity tool. IT says AI is a systems issue. Legal says AI is a regulatory issue. Privacy says AI is a data issue. Cybersecurity says AI is an access issue. HR says AI is a workforce issue. Internal audit says AI is a control issue. Procurement says AI is a vendor issue. They are all correct.

That is precisely why AI governance must be cross-functional, risk-based and integrated into the compliance program. AI does not respect organizational charts. It moves through data, workflows, vendors, platforms, communications, decisions and employee behavior. It may be embedded inside software already used by the company. Employees may adopt it without formal approval. Vendors may deploy it before procurement or legal fully understands how the tool works. It may be used by compliance itself for monitoring, investigations, hotline triage, third-party due diligence, sanctions screening or training.

The DOJ Has Already Put AI on the Compliance Agenda

The Department of Justice has made clear that AI is now part of compliance program evaluation. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether a company has a process for identifying and managing emerging risks, including risks related to new technologies such as AI. It asks how the company assesses the impact of AI on compliance with criminal laws, whether AI risk is integrated into enterprise risk management, how the company governs AI in commercial operations and in the compliance program, whether controls monitor trustworthiness and reliability, whether AI is limited to intended uses, what human decision-making baseline is used, how accountability is enforced and how employees are trained.

This is where the Encyclical and the ECCP align. Pope Leo calls for responsibility to be clearly defined at every stage, from those who design and develop AI systems to those who use them and rely on them for concrete decisions (Magnifica Humanitas, ¶105). The DOJ asks whether the company has translated that responsibility into risk assessment, controls, testing, training and accountability.

For CCOs, the message is direct. AI governance should be reflected in the risk assessment, policies and procedures, training, third-party risk management, internal controls, monitoring, investigations, discipline, incentives and board reporting. A company that cannot explain how it governs AI will struggle to demonstrate how its compliance program keeps pace with the business.

The CCO’s Role in AI Governance

The CCO does not need to own AI. The CCO does need a seat at the table. Compliance should inform the design of the company’s AI governance model. That model should include a cross-functional AI governance committee with representation from compliance, legal, privacy, cybersecurity, IT, HR, internal audit, procurement, finance and the business. It should define approval rights for high-risk use cases. It should establish documentation standards. It should require risk classification. It should identify prohibited uses. It should provide escalation channels for AI incidents and concerns.

This is the corporate version of Nehemiah’s wall. Pope Leo writes that everyone is given a section of the wall and that shared responsibility across disciplines and communities is the way to build for the common good (Magnifica Humanitas, ¶13). AI governance works the same way. Legal cannot do it alone. IT cannot do it alone. Compliance cannot do it alone. The governance model must assign roles so the whole enterprise can rebuild with discipline.

The CCO should also insist on an inventory of AI use cases. This is the foundational control. The company cannot govern what it cannot see. The inventory should include the business owner, tool name, vendor, purpose, data categories, decision impact, risk rating, applicable policies, human review requirements, testing history, approval date, renewal date and control owner.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. The Encyclical does not give companies an AI procedure manual. It gives them governing principles. The compliance task is to translate those principles into requirements that can be owned, tested, evidenced and improved. Pope Leo is explicit that digital processes should not be imposed from above in opaque or unilateral ways, but should be directed toward the common good with transparency, accountability, meaningful participation, independent checks, algorithmic transparency, equitable access to data and avenues for recourse (Magnifica Humanitas, ¶71).

Human dignity becomes human impact assessment and human review. The common good becomes enterprise risk governance and stakeholder impact. Subsidiarity becomes cross-functional participation, with decisions made close enough to the risk to be informed and accountable. Solidarity becomes attention to affected employees, customers, communities and vulnerable populations. Social justice becomes bias testing, access, recourse and a refusal to let opaque systems create hidden exclusion.

NIST AI RMF and ISO/IEC 42001 as Practical Architecture

Two frameworks can help compliance leaders translate AI principles into program structure. They give operational force to Pope Leo’s warning that it is not enough to invoke ethics in the abstract. He instead calls for robust frameworks, independent oversight, informed users, and institutions capable of governing AI’s effects (Magnifica Humanitas, ¶106). That is precisely the move compliance must make, from AI principles to an AI management system.

The NIST AI Risk Management Framework organizes AI risk management around four functions: Govern, Map, Measure and Manage. For compliance leaders, that is highly practical. Govern means the company has assigned authority, accountability, policies and risk appetite. Map means the company understands the context, purpose, users, affected stakeholders and potential impact of each AI use case. Measure means the company evaluates performance, reliability, bias, data quality, security and control effectiveness. Manage means the company prioritizes risks, implements controls, monitors outcomes, remediates problems and documents decisions.

ISO/IEC 42001 provides a management system model. It focuses on establishing, implementing, maintaining and continually improving an AI management system. For a compliance program that supplies the discipline of policy, objectives, roles, processes, risk assessment, controls, monitoring, performance evaluation, corrective action and continual improvement.

From Policy to Controls

A policy is necessary, but it is not sufficient. A company can have a well-written AI policy and still have a weak AI governance program. The issue is whether the policy has an operational effect.

Pope Leo explains why. Technology is never neutral because it takes on the characteristics of those who devise, finance, regulate and use it (Magnifica Humanitas, ¶9). He later adds that every technical tool embodies choices and priorities through what it measures, what it ignores, what it optimises, and how it classifies people and situations (Magnifica Humanitas, ¶104). For compliance, this means the control environment must cover design, data, use, monitoring, output, and remediation.

COSO has warned that generative AI poses risks of cyber exposure, prompt manipulation, opaque reasoning, model drift, and frequent configuration changes that can affect operations, reporting, and compliance if not addressed with robust internal controls. That is the compliance challenge. AI governance must become a control activity.

Compliance Can Use AI Responsibly

Compliance should not stand outside the AI transformation. AI can help compliance become more effective. It can identify patterns in transactional data. It can assist with third-party risk scoring. It can support sanctions screening. It can help analyze hotline trends. It can improve training design. It can help prioritize monitoring. It can summarize large document sets in investigations. It can support control testing.

Magnifica Humanitas is direct on this point. AI may imitate functions of human intelligence, but it does not possess conscience, experience, responsibility or the capacity to judge good and evil (Magnifica Humanitas, ¶99). It can also create excessive reliance, the impression of objectivity and a weakening of personal judgment (Magnifica Humanitas, ¶100). Compliance professionals should use AI, but they should never surrender professional judgment to it. Human primacy remains the central control.

5 Lessons for the CCO
  1. Treat AI as a human dignity and compliance risk. AI is now part of legal, ethical, operational, data, third-party and cultural risk. The Encyclical reminds us that AI affects rights, opportunities, status, and freedom when it enters into consequential decisions (Magnifica Humanitas, ¶102).
  2. Build and maintain an AI inventory because governance begins with visibility. Every AI use case should have an owner, a purpose, a risk rating, a data classification, a control set, an approval status, and a review cycle.
  3. Govern compliance’s own use of AI because accountability starts at home. Compliance should use AI, but it must document purpose, controls, human review, validation and accountability.
  4. Move from policy to controls because technology is never neutral. AI governance requires approval workflows, data restrictions, testing, monitoring, escalation, remediation and auditability (Magnifica Humanitas, ¶9, ¶104).
  5. Report evidence to the board because accountability requires more than aspiration. Boards need dashboards and documentation showing where AI is used, what risks exist, what controls apply, who is accountable and whether the governance program is effective (Magnifica Humanitas, ¶105).
Conclusion: From Governance Principle to Control Discipline

Magnifica Humanitas challenges us to place the human person at the center of technological transformation. For compliance leaders, that means AI must be governed through risk assessment, controls, accountability, transparency, human oversight and evidence. The DOJ ECCP makes clear that prosecutors will ask how companies govern AI in the business and in compliance. NIST AI RMF and ISO/IEC 42001 provide practical architecture for doing so. COSO gives the internal controls discipline.

The compliance profession should embrace AI. It can make compliance more effective, more data-driven and more responsive. But embracing AI does not mean surrendering judgment to it. The right model is not fear. The right model is governed by adoption.

In the next post, we will move from formal AI governance to the most immediate AI control challenge inside many companies: Shadow AI and Internal Controls. Employees are already using AI tools because they are fast, useful and accessible. The compliance question is whether the company can turn hidden use into governed use before shadow AI becomes the next major control failure.

Categories
Blog

From the Tower of Babel to the Boardroom: Part 1 – Governing AI

Artificial intelligence is no longer a future issue for boards, CEOs, general counsel, chief compliance officers, audit leaders, or risk professionals. It is already inside the enterprise. It is in employee workflows, vendor platforms, data analytics, customer engagement, monitoring tools, investigations support, training design, due diligence, and decision-making processes. The compliance question is no longer whether the company will use AI. The real question is whether the company will govern AI before AI becomes embedded into the business without accountability, transparency, controls, or human judgment.

That is the danger of the modern Tower of Babel. Babel was not a failure of engineering. It was a failure of purpose, humility, and governance. It was a project built on power without accountability and ambition without restraint. For modern corporations, ungoverned AI can become a similar project. It may promise efficiency, scale, speed, and competitive advantage. Yet without proper governance, it can also produce bias, opacity, data misuse, weakened accountability, employee overreliance, vendor risk, and board blind spots.

What Is Magnifica Humanitas?

Magnifica Humanitas is an Encyclical Letter issued by Pope Leo XIV on May 15, 2026, titled “On Safeguarding the Human Person in the Time of Artificial Intelligence.” (Magnifica Humanitas herein). The document places AI within the long tradition of Catholic social teaching and asks how humanity should respond to the “new things” of the digital age. Pope Leo frames AI not as a narrow technology issue but as a profound question about human dignity, work, truth, freedom, power, data, social justice, and the common good. The letter opens with two biblical images, the Tower of Babel and the rebuilding of Jerusalem under Nehemiah, to present the central choice of the AI age: will we construct systems of domination, or will we build communities of shared responsibility? (Magnifica Humanitas, paras. 1, 7-10).

The significance of Pope Leo issuing Magnifica Humanitas is that he places AI in the same broad moral and social category as prior industrial and economic disruptions. He expressly connects the document to the legacy of Pope Leo XIII and Rerum Novarum, the 1891 encyclical that responded to the labor, capital, and social disruptions of the industrial age. Pope Leo writes that digitalization, AI, and robotics are rapidly transforming the world, shaping decision-making and affecting both human dignity and the common good (Magnifica Humanitas, paras. 3-4). For this five-part series, we will use Magnifica Humanitas as the foundation for translating its core concepts into practical lessons for the modern compliance professional, the board, and the executive leadership team. This will not be a theological series. It will be a governance series. We will apply the moral force of the Encyclical Letter to compliance program design, board oversight, internal controls, data governance, third-party risk, workforce transformation, and corporate trust.

The Compliance Lesson of Babel

The Tower of Babel is a powerful compliance metaphor because it shows what happens when a project has capability but lacks discipline. Pope Leo describes Babel as an impressive feat with “a single language, a single technology, a single direction,” yet one that sacrificed human dignity for efficiency and sought power through self-sufficiency (Magnifica Humanitas, para. 7). In corporate language, Babel is the business transformation project that mistakes technical capability for good governance.

Pope Leo’s warning is direct: technology is never neutral because it takes on the characteristics of those who design, finance, regulate, and use it (Magnifica Humanitas, para. 9). That sentence should sit in every boardroom AI discussion. AI is not neutral in the compliance sense either. It reflects data, design, deployment, vendor, incentive, and governance choices. The first board question is therefore simple: What are we building?

Nehemiah as the Governance Model

If Babel is the warning, Nehemiah is the governance model. In Magnifica Humanitas, Pope Leo contrasts Babel with the rebuilding of Jerusalem. Nehemiah listens, inspects the damage, assigns responsibility, coordinates work, addresses opposition, and rebuilds section by section. The city is reborn through shared responsibility, not through the initiative of a single person (Magnifica Humanitas, para. 8).

That is the model compliance professionals should bring to AI governance. The CCO does not need to become a data scientist. The board does not need to manage model architecture. But the organization needs a disciplined governance structure that brings together compliance, legal, privacy, cybersecurity, IT, HR, internal audit, procurement, finance, and the business. AI governance cannot sit in a silo. It must be cross-functional because AI risk is cross-functional.

For compliance, that means asking practical questions. Where is AI being used? What problem is it solving? What data does it access? Who approved it? What risks were identified? What controls were designed? What human review is required? What could go wrong? How would we know? Who is accountable if the AI produces a harmful or unlawful result? Those are not anti-innovation questions. They are business discipline questions.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. Human dignity becomes a human impact assessment. The common good becomes enterprise risk governance and stakeholder impact. Subsidiarity becomes cross-functional governance, meaningful participation, and decision-making as close as possible to the affected process. Transparency becomes documentation, explainability, board reporting, and auditability. Accountability includes named owners, escalation rights, challenge mechanisms, and remediation.

Pope Leo makes this bridge explicit when he calls for responsible planning, human and social impact assessment, inclusion of the vulnerable, digital literacy, and guiding research and industry toward justice and peace (Magnifica Humanitas, para. 14). He also warns that control over platforms, infrastructure, data, and computing power can become opaque and evade oversight, producing dependency, exclusion, manipulation, and inequality (Magnifica Humanitas, para. 95). For the CCO and the board, that is the language of AI inventory, data governance, vendor management, access controls, model oversight, incident response, and internal audit testing. That is not only a moral framework. It is a corporate governance requirement.

AI Governance and the DOJ ECCP

The Department of Justice has already made AI a compliance program issue. The logic now runs together. Pope Leo provides the mandate for moral governance. The DOJ Evaluation of Corporate Compliance Programs (ECCP) supplies the compliance program test. The ECCP asks whether companies have a process for identifying and managing emerging risks, including risks related to new technologies such as AI; whether AI risk is integrated into enterprise risk management; how AI is governed in the business and in the compliance program; whether controls monitor trustworthiness and reliability; whether AI is limited to intended uses; what human decision-making baseline exists; how accountability is enforced; and how employees are trained.

That is a roadmap for the CCO. AI governance should be part of the compliance risk assessment. It should be reflected in policies and procedures. It should include training and communications. It should be monitored, audited, and improved. It should generate evidence. The company should be able to show not only that it has an AI policy but also that the policy has an operational effect. In other words, AI governance must move from aspiration to controls.

Board Oversight and Caremark

For boards, AI governance also raises Caremark oversight considerations. Directors are not expected to run the company’s AI systems. They are expected to make a good-faith effort to ensure that reasonable reporting and monitoring systems are in place for central compliance risks. In Marchand v. Barnhill (Bluebell Ice Cream), the Delaware Supreme Court emphasized that boards must make a good-faith effort to put in place a reasonable board-level system of monitoring and reporting around central compliance risks.

The board obligation is not technical mastery. It is a reporting and monitoring system that shows management has responded to the Encyclical’s accountability mandate. If Pope Leo requires that responsibility be defined, decisions be justified, systems be monitored, harms be challenged, and errors be remedied (Magnifica Humanitas, para. 105), then the board must ask whether management has built a governance system capable of producing that evidence. The board does not need technical comfort. It needs governance confidence.

Human Primacy as a Control

One of the most important lessons from Magnifica Humanitas is that AI is a tool, not a moral actor. Pope Leo explains that AI systems may imitate language, analysis, behavior, and even empathy, but they do not possess lived experience, conscience, wisdom, moral responsibility, or the capacity to understand what they produce (Magnifica Humanitas, para. 99). That matters deeply when AI affects employment, reputation, access, rights, opportunities, or treatment.

For compliance professionals, human primacy must be designed into AI governance. Human review is not a bureaucratic obstacle. It is a control. Pope Leo warns that sensitive decisions concerning employment, credit, access to services, and reputational risk are being delegated to automated systems that lack compassion, mercy, forgiveness, or the hope that people can change (Magnifica Humanitas, para. 102). The company should decide which AI outputs can be used automatically, which require review, which require escalation, and which uses should be prohibited altogether. The more consequential the decision, the stronger the human oversight must be.

5 Lessons for the CCO
  1. Treat AI as a human dignity and compliance risk. AI should be included in the compliance risk assessment, enterprise risk management process, and board reporting because it can affect rights, opportunities, status, freedom, privacy, and trust.
  2. Build an AI inventory because governance begins with visibility. The company cannot govern what it cannot see. The inventory should include business tools, vendor tools, embedded AI, compliance tools, and employee use of public AI.
  3. Require controls before scale because technology is never neutral. AI policies must be supported by approval processes, data controls, access controls, monitoring, testing, escalation, and remediation.
  4. Preserve human judgment because accountability cannot be outsourced. Human review should be required for high-risk and consequential decisions. Accountability must remain with people, not systems.
  5. Give the board evidence because governance requires reporting, monitoring, and remediation. Boards need dashboards, metrics, incident reporting, audit findings, risk rankings, and documentation that AI governance is working.
Conclusion: From Babel to Compliance Program Design

The lesson of Babel is not that building is wrong. The lesson is that building without humility, accountability, and purpose leads to fracture. AI is here to stay, and compliance professionals should embrace its promise. AI can improve monitoring, strengthen risk analysis, support investigations, enhance training, and identify patterns that humans might miss. But it must be governed with vigilance, responsibility, transparency, and human primacy.

Magnifica Humanitas gives us the mandate for moral governance. The ECCP gives us the compliance program questions. Caremark gives boards the oversight framework. Together, they point to the same conclusion: AI governance must be built before AI risk becomes unmanageable.

In the next post, we will move from principle to program design. We will examine why AI governance is a compliance program issue, how the CCO should help structure AI oversight, and how compliance can use AI responsibly while governing the risks AI creates.

Categories
Daily Compliance News

Daily Compliance News: May 26, 2026, The Tower of Babel Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professionals.

Top stories include:

  • OpenAI goes on a law firm hiring spree.  (Reuters)
  • Blood antiquities from Cambodia. (Bloomberg)
  • Why Roberts Rules of Order still rule. (FT)
  • Pope Leo says AI could become a ‘Tower of Babel’. (WSJ)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.