BLOG LIBRARY

That's the line being sold to executives right now — wrapped in maturity models, readiness assessments, and seven-dimension frameworks. And it's patently false. This is an old argument dressed up in AI clothing. When a technology fails to deliver, blame the organization for not being ready to receive it: Your workflows are too fragmented Your processes are too manual Your processes lack ownership Your data isn't clean enough Your business has too many regulations Of course ex

Compliance investment has been climbing for decades. Effectiveness has not. The difference is rarely effort or budget. It is whether the program is built to deliver outcomes or built to create reports and pass audits. Compliance 1 (Procedural) is adherence and conformance oriented. Reactive. Internal controls — managerial, procedural, attestation-based. Compliance 2 (Operational) is performance and outcome oriented. Proactive. System controls — engineered into the work, instr

Cancer isn't an invader. It's our own cells, multiplying without restraint, ignoring the signals that tell healthy tissue when to stop, when to differentiate, when to die. It drifts from the body's purpose while consuming the body's resources. This is starting to look like how AI behaves inside our organizations. It over-constructs. Every problem becomes a reason for another model, another agent, another pipeline, multiplying without a purpose to serve. It outpaces our abilit

The discipline inherited its working model from financial audit, never matured past the prescriptive rule, and now asks its management systems to govern something that was never engineered. The breaches we keep being surprised by are the consequence. There is a quiet contradiction at the centre of modern cybersecurity. Organizations score well on framework after framework. Their controls operate as designed. Their audit reports come back clean. Their ISO 27001 information sec

What access control misses, and why your compliance investment just became strategic By Raimund Laqua, P.Eng., PMP — Lean Compliance Consulting, Inc. Imagine your organization deploys an AI agent to process vendor invoices. It has permission to read the invoice system, check against contracts, flag anomalies, and submit approved payments below a threshold. The deployment is described as "governed" — the agent has defined access, risk-tiered autonomy, and a human-in-the-loop f

AI is pushing humans out of the loop. The response many are taking is to figure out how to put humans back in. That is the wrong response. The answer is not human-in-the-loop. The answer is agent-in-the-loop. Train AI agents to participate in the governance loops that already exist. AI agents are replacing human workers who operated within those loops every day — workers who followed SOPs, escalated exceptions, maintained standards, and kept promises. When you remove those hu

That's the answer I hear when I ask organizations what work they're delegating to AI agents. Don't worry about defining the work. Don't worry about characterizing its complexity. The AI will sort it out. The end by any means. This sounds like progress. It is the abdication of governance. And no amount of forensic auditing will put back accountability for what was not there to begin with. Start with the work This is why I've been drawing on Elliott Jaques' work on Requisite Or

The role defines the result. Here's something that doesn't get said often enough: most compliance programs aren't led. They're maintained. And there's a world of difference between the two. The Caretaker Problem In many organizations, the person responsible for compliance isn't leading it. They're caretaking it. Their mandate — spoken or unspoken — is to keep things the same. Don't rock the boat. Don't introduce risk. Make sure we pass the next audit. This isn't a character f

Operational Compliance Landscape When viewed through an operational lens, governance is not just oversight, accountability structure, or decision authority. Governance is the act of regulating organizational effort towards organizational values. This differentiates traditional approaches — Compliance 1 — focused on procedural compliance. It defines Compliance 2 : Operational Compliance. When it comes to regulatory design, there are four primary types, each requiring its own

Why Governance Starts with Obligations, Not Decisions "Requisite Authority — the decision-making capacity necessary for an obligation owner to fulfil their obligation." Scroll through any governance-focused discussion on LinkedIn right now and you'll find a recurring theme: organizations need decision authority at the point of execution. The argument is intuitive. Operations move fast. People closest to the action can't wait for three levels of sign-off. Therefore, push decis

Up until now, we created, stored, and moved data to where it was needed to drive our businesses. This was the world of Information Technology (IT) — and the foundation of Enterprise Architecture. That era is ending. AI has already absorbed virtually all the unstructured data available in the world. Large language models didn't just process that data — they internalized it. Now we need to build AI for the business — harnessing operational data, engaging the system of record, a

Raimund Laqua, P.Eng., PMP For decades, the system of record has been the gravitational centre of the enterprise. Your ERP, your CRM, your quality management system — whatever the acronym, the function was the same. One place where the authoritative version of the truth lives. Every audit trail starts there. Every compliance obligation traces back to it. Machines have always done part of the work inside these systems — workflows, automated triggers, batch processing. But that

Canada's sovereign AI infrastructure is being built right now. Federal investment is flowing into domestic compute capacity. New privacy legislation is imminent. Environmental scrutiny of AI energy consumption is intensifying. AI governance frameworks are formalizing. And the compliance obligations facing data centre operators span seven distinct domains — each evolving independently, many of them overlapping in what they demand from the same operational activities. The organ

If you work in quality or lean, you have been trained to treat variation as the enemy. Deming, Taguchi, Six Sigma — the entire discipline is built on reducing, controlling, and eliminating variation. And that discipline is not wrong. But it is incomplete. Without variation, you cannot have two of anything. If no variation were permitted — if every instance of a thing had to be absolutely identical in every respect — production would be impossible. Every piece of raw material

The systems that run our world make implicit promises — to route traffic, to process transactions, to keep data where it belongs. Most of those promises are never explicitly declared, never monitored against, and never reported on until something breaks. Promise Theory, the framework Mark Burgess developed to model autonomous commitment, sits at the heart of the Lean Compliance methodology. This briefing extends it further, asking what becomes possible when security infrastru

How Enshittification, the Collapse of the Abstraction Stack, and AI Are Rewriting the Rules — and Why Governance Will Determine What Comes Next Raimund (Ray) Laqua, P.Eng., PMP Something is breaking, and something else is being born. I think we need to talk about both. If you work in technology, or if your business depends on technology — which is to say, if you run a business — you’re caught between two forces that are about to reshape everything. One is tearing down the mod