BLOG
Compliance Principles, Practices, & Insights


Regulating AI with Institutional Knowledge
Today many organizations use AI that is general. It was trained on the public record, not on any one sector or business. It does not know your mission, your values, your goals, your processes, your protocols, or your standard operating procedures. When you ask it a question, it answers from what is common across everyone, not from how that knowledge applies to the particulars of what you do. In a regulated, high-risk domain this is a problem. The general model gives you the


Engineered Regulation for AI Systems
In every industry where failure is consequential, we learned to engineer control into a system before we trusted it to run. With AI, we are skipping that step. The discipline we are missing has a name: engineered regulation. No one runs a refinery with a big red button and good intentions. Before the plant starts, engineers design the control loops that hold temperature and pressure where they belong. They add independent safety systems th


Is AI Causing Your Mission to Drift?
Compliance is now vulnerable. Every promise you've made — privacy, security, quality, financial integrity, legal adherence, ethical values — now runs through systems that are unreliable, uncertain, and unable to align with your mission. So ask the hard questions: Does your AI know your obligations, your values, your promises? Does it follow your processes, your standard operating procedures, your policies? Will it cost you your legal license — or your social license — to oper


AI Adoption Is Leading to Greater Efficiency, Not Innovation
There is a quiet assumption running underneath the loudest investment of our age, and Sunday is a good day to bring it into the light. We are building compute. Enormous, almost unimaginable quantities of it. We are miniaturizing computers at one end — fabricating features measured in handfuls of atoms — and scaling them up at the other into hyperscale clouds that span continents. The capital is real, the engineering is genuine, and the people doing it are among the most capab


What Full-Text Search Already Taught Us About AI
We have been here before. In the enterprise, there have always been two kinds of searches. The first looks for the exact answer you get from a query (deterministic). The second looks for the closest answer you can find through full-text search (probabilistic). We knew the difference, and we learned how to use each kind. Full-text search gave us the approximate answers. It returned a ranked list of the most relevant results — useful when you are browsing, less so when you need


Why Compliance Must Speak Up About AI
Just because AI may not yet be regulated does not mean compliance should sit on the sidelines. Compliance has always struggled to know how it creates and preserves value. AI now presents both the opportunity and the necessity to do so. Here is why. Organizations everywhere are adopting AI. Many are slowly realizing that adoption is not the objective: AI must create value. But this prompts a question few are asking. Not what value is AI creating, but what value is it losing? T


Introducing the Record of Assurance
The regulatory landscape has changed, as I have been writing about for almost a decade. For a long time, compliance asked one thing of an organization: that procedures were in place, and that there was evidence they had been followed. That's procedural compliance, and it's well served. A certificate or an audit gives you exactly that — confirmation of procedural integrity. It's useful, honest work, and it isn't going away. But increasingly, boards, stakeholders and regulators


You're Not Using AI. AI Is Using You.
When we use AI in its most common form, we come to realize something about it. The large language models (LLMs) behind it have been trained on public knowledge, not on the knowledge your organization, business, or institution owns. We can provide a model with our documents to process, but this does not change the model. It does not learn that way. The exchange is one-directional in a way that is easy to miss. The model answers our prompts and forgets us, but the data we send


The Collapse of Governance and Management
Raimund Laqua, P.Eng., PMP
We need to talk about the collapse of governance and management. Much of what gets written these days about governance is really management wearing governance clothing. Frameworks, control libraries, risk registers, maturity models, oversight committees — all of it operates on the parts of a system. None of it sets direction or steers toward mission outcomes. We kept the word governance and filled it with the work of the layer below. Nowhere is this


The problem with AI adoption is you, not AI.
That's the line being sold to executives right now — wrapped in maturity models, readiness assessments, and seven-dimension frameworks. And it's patently false. This is an old argument dressed up in AI clothing. When a technology fails to deliver, blame the organization for not being ready to receive it:
- Your workflows are too fragmented
- Your processes are too manual
- Your processes lack ownership
- Your data isn't clean enough
- Your business has too many regulations
Of course ex


Operational Effectiveness in Compliance
Compliance investment has been climbing for decades. Effectiveness has not. The difference is rarely effort or budget. It is whether the program is built to deliver outcomes or built to create reports and pass audits. Compliance 1 (Procedural) is adherence and conformance oriented. Reactive. Internal controls — managerial, procedural, attestation-based. Compliance 2 (Operational) is performance and outcome oriented. Proactive. System controls — engineered into the work, instr


Is AI a Cancer?
Cancer isn't an invader. It's our own cells, multiplying without restraint, ignoring the signals that tell healthy tissue when to stop, when to differentiate, when to die. It drifts from the body's purpose while consuming the body's resources. This is starting to look like how AI behaves inside our organizations. It over-constructs. Every problem becomes a reason for another model, another agent, another pipeline, multiplying without a purpose to serve. It outpaces our abilit


Governing AI Agents: Decision Admissibility
What access control misses, and why your compliance investment just became strategic
By Raimund Laqua, P.Eng., PMP — Lean Compliance Consulting, Inc.
Imagine your organization deploys an AI agent to process vendor invoices. It has permission to read the invoice system, check against contracts, flag anomalies, and submit approved payments below a threshold. The deployment is described as "governed" — the agent has defined access, risk-tiered autonomy, and a human-in-the-loop f


The Governance Architecture for AI Already Exists
AI is pushing humans out of the loop. The response many are taking is to figure out how to put humans back in. That is the wrong response. The answer is not human-in-the-loop. The answer is agent-in-the-loop. Train AI agents to participate in the governance loops that already exist. AI agents are replacing human workers who operated within those loops every day — workers who followed SOPs, escalated exceptions, maintained standards, and kept promises. When you remove those hu


AI Will Figure It Out
That's the answer I hear when I ask organizations what work they're delegating to AI agents. Don't worry about defining the work. Don't worry about characterizing its complexity. The AI will sort it out. The end by any means. This sounds like progress. It is the abdication of governance. And no amount of forensic auditing will put back accountability for what was not there to begin with.
Start with the work
This is why I've been drawing on Elliott Jaques' work on Requisite Or


Governance is Compliance. Here's Why.
Operational Compliance Landscape
When viewed through an operational lens, governance is not just oversight, accountability structure, or decision authority. Governance is the act of regulating organizational effort towards organizational values. This differentiates traditional approaches — Compliance 1 — focused on procedural compliance. It defines Compliance 2: Operational Compliance. When it comes to regulatory design, there are four primary types, each requiring its own


Requisite Authority, Not Decision Authority
Why Governance Starts with Obligations, Not Decisions
"Requisite Authority — the decision-making capacity necessary for an obligation owner to fulfil their obligation."
Scroll through any governance-focused discussion on LinkedIn right now and you'll find a recurring theme: organizations need decision authority at the point of execution. The argument is intuitive. Operations move fast. People closest to the action can't wait for three levels of sign-off. Therefore, push decis


The Shift That Compliance Can't Avoid
Up until now, we created, stored, and moved data to where it was needed to drive our businesses. This was the world of Information Technology (IT) — and the foundation of Enterprise Architecture. That era is ending. AI has already absorbed virtually all the unstructured data available in the world. Large language models didn't just process that data — they internalized it. Now we need to build AI for the business — harnessing operational data, engaging the system of record, a


The Compliance Case for Sovereign AI Data Centres in Canada
Canada's sovereign AI infrastructure is being built right now. Federal investment is flowing into domestic compute capacity. New privacy legislation is imminent. Environmental scrutiny of AI energy consumption is intensifying. AI governance frameworks are formalizing. And the compliance obligations facing data centre operators span seven distinct domains — each evolving independently, many of them overlapping in what they demand from the same operational activities. The organ


Is This The Best GRC Has To Offer?
I just attended a webinar from a leading GRC vendor promoting continuous risk assessment for AI. The topic seemed timely and the solution promising, so I gave it my full attention. What I heard: AI introduces significant risk across organizations and within every functional silo. Fair enough. ⚡ The pitch: With all this risk, you need a system to manage it comprehensively. OK. What they demonstrated was little more than a risk register combined with task management—where task


Regulating the Unregulatable: Applying Cybernetic Principles to AI Governance
As artificial intelligence systems reshape entire industries and societal structures, we face an unprecedented regulatory challenge: how do you effectively govern systems that often exceed human comprehension in their complexity and decision-making processes? Traditional compliance frameworks, designed for predictable industrial processes and human-operated systems, are proving inadequate for the dynamic, emergent behaviors of modern AI. The rapid proliferation of AI across c


Operationalizing AI Governance: A Lean Compliance Approach
AI governance policies typically describe what organizations intend to do. Lean Compliance focuses on how those intentions become operational capabilities that keep promises under uncertainty. Mapping an AI governance policy means creating an operational, regulation framework that links legal, ethical, engineering, and management commitments across AI use‑cases and life-cycle stages. The goal isn't compliance documentation—it's designing the operational capabilitie


Deploy First, Engineer Later: The AI Risk We Can’t Afford
The sequence matters: proper engineering design must occur before deployment, not afterwards.
by Raimund Laqua, PMP, P.Eng
As a professional engineer with over three decades of experience in highly regulated industries, I firmly believe we can and should embrace AI technology. However, the current approach to deployment poses a risk we simply cannot afford. Across industries, I’m observing a troubling pattern: organizations are bypassing the engineering design phase and dire


AI Regulating AI: Are we pouring fuel on the fire?
Raimund Laqua, P.Eng., PMP
Note: Link to my strategy briefing document is located at the end of the blog post.
About a year ago, I heard an AI expert suggest that we might need AI to control AI. My immediate reaction? That's nonsense. Why would you control something uncertain with more uncertainty? It seemed like doubling down on the problem rather than solving it. Turns out I was wrong. Or at least, I was asking the wrong question.
The Problem That Won't Go Away
I'm an engin
