SEARCH

Following these principles has and will increase the probability of compliance success across all domains (safety, security, sustainability, quality, regulatory, cyber, environmental, etc.) by helping organizations develop and execute credible program plans. To achieve compliance success we recommend you work through these principles with your team to come up with compelling answers for each question. PRINCIPLE PLANNING QUESTIONS EVIDENCE PRINCIPLE IS FOLLOWED ​1. Define what compliance looks like. Where are we heading? What are our goals and targets? What are our obligations & promises? How will we know when we are in compliance and when we are not? Program Scope & Context Obligation / Promise Register ​2. Develop strategy and create plan to realize and sustain compliance. ​How will we meet all our obligations? How will we keep all our promises? How will we always stay between the lines? How will we manage change? How will we improve? ​Concept of Operations   Integrated Master Plan 3. Resource the plan. ​Do we have enough resources (people, technology, knowledge, capabilities, capacity etc.) to satisfy the plan? Program Resource Plan 4. Estimate and handle uncertainty. ​What impediments or opportunities will we encounter? What could go wrong? What needs to go right? How will we recover when boundaries are breached? What is the nature of uncertainty (aleatory, epistemic, ontological, etc.) What is our risk appetite? What is our risk tolerance? Risk and Opportunity Register Risk Management Plan Risk-adjusted IMP 5. Measure progress. ​How will success be measured? (MoE) How will performance be measured? (MoP) How will conformance be measured? (MoC) How will risk be measured? (MoR) How will assurance be measured? (MoA) Benefits realized Outcomes advanced Risk ameliorated Promises kept Obligations met If you are looking to improve your compliance program we offer four strategic Rapid Improvement Engagements  (RIE) – Kaizens – to help you elevate your compliance and stay ahead of risk. Each Compliance Program Kaizen improves an essential aspect of compliance for vital programs that include Safety, Security, Sustainability, Quality, Ethics, ESG, Regulatory, AI, and others. Find out more here:

AI Assurance isn't just about checking boxes before deployment. As the European Defence Agency shows us, it's now a continuous journey involving rigorous engineering and real-time monitoring. With today's AI systems, we simply can't predict everything in advance—we need to stay vigilant while they're running in the real world. This shift is especially crucial in high-risk, mission-critical applications where failure isn't an option. In the paper published by the European Defence Agency (EDA), entitled “Trustworthiness for AI in Defence”, they discuss the difference between Development and Runtime Assurance. ⚡️ Development Assurance: “Traditionally in system engineering (including software and hardware), the term assurance defines the planned and systematic actions necessary to provide confidence and evidence that a system or a product satisfies given requirements. A process is needed which establishes levels of confidence that development errors that can cause or contribute to identified failure conditions (feared events defined by a safety/security/human factor assessment) have been minimized with an appropriate level of rigor. This henceforth is referred to as the development assurance process.” ⚡️ Runtime Assurance: “When the system is deployed in service, runtime assurance refers to a set of techniques and mechanisms designed to ensure that a system behaves correctly during its execution. This involves monitoring the system's behaviour in real-time and taking predefined actions to correct or mitigate any deviations from its expected performance, safety, or security requirements. Runtime assurance can be particularly important in critical and/or autonomous … systems where failures could lead to significant harm or loss.” The evolution of the balance between development assurance and runtime assurance is shown in the following figure: Trustworthiness for AI in Defence - Figure 14 The introduction of AI technologies and autonomy capabilities has tipped the balance towards needing greater runtime assurance, as comprehensive a priori development assurance activities become increasingly challenging. These same definitions can be used for AI assurance in commercial applications, particularly for high-risk, mission-critical applications: AI Assurance involves: planned and systematic actions necessary to provide adequate confidence and evidence that the AI system satisfies the intended function (System Assurance) a process to establish levels of confidence that design/development errors (risk) have been minimized with appropriate level of rigour. (Development Assurance) a set of techniques and mechanisms designed to ensure the system behaves correctly during its execution. (Operational Assurance) The paper is available here: https://eda.europa.eu/docs/default-source/brochures/taid-white-paper-final-09052025.pdf

Compliance 1 life in a Compliance 2 world Edwin A. Abbott published a book in 1883 called, “Flatland" where he explores a two- dimensional world with A. Square as the narrator. Imagine a vast sheet of paper on which straight Lines, Triangles, Squares, Pentagons, Hexagons, and other figures, instead of remaining fixed in their places, move freely about, on or in the surface, but without the power of rising above or sinking below it, very much like shadows - only hard and with luminous edges - and you will then have a pretty correct notion of my country and countrymen. Alas, a few years ago, I should have said "my universe": but now my mind has been opened to higher views of things. In such a country, you will perceive at once that it is impossible that there should be anything of what you call a "solid" kind; but I dare say you will suppose that we could at least distinguish by sight the Triangles, Squares, and other figures, moving about as I have described them. On the contrary, we could see nothing of the kind, not at least so as to distinguish one figure from another. Nothing was visible, nor could be visible, to us, except Straight Lines; and the necessity of this I will speedily demonstrate. Flatland: A Romance of Many Dimensions A. Square's world gets flipped upside down (well, sideways?) by encounters with higher dimensions. First, a being from a one-dimensional world (Lineland) confuses A. Square. Then, a Sphere from a three-dimensional world (Spaceland) changes his perspective forever. A. Square tries to explain this new reality to his Flatland  friends, but they can't grasp the concept. This satirical twist turns Flatland  into a story about the difficulty of accepting new ideas and the dangers of a rigid, unchanging society. Complianceland: Compliance 1 Life in a Compliance 2 World Those who work in Compliance and who have come to understand other dimensions may find it's very much like living in Flatland . Lineland They will find their counterparts, as they themselves once were, without the necessary perspective, context, or holistic thinking. And why should they? After years under the tutelage of prescriptive regulations they will not know what it’s like for compliance to be anything other than rules driven by audits and inspections, and reinforced by reactive behaviours and reductive practices. They will remind you that life in Complianceland is a state of in or out. And if anyone cares to ask – we are always in. The idea of continuous improvement would seem very strange when you are already in compliance. What’s there to improve? The notion of elevating compliance to higher standards would sound fantastical. What do you mean by higher? Meeting obligations and keeping promises would be considered as nonsense, something made up from Thoughtland . Can you describe this in terms we understand using rules and audits? These were the same questions that our friend the Square from Flatland was asked after visiting Spaceland : After I had concluded my defence, the President, perhaps perceiving that some of the junior Circles had been moved by my evident earnestness, asked me two questions: 1. Whether I could indicate the direction which I meant when I used the words "Upward, not Northward"? 2. Whether I could by any diagrams or descriptions (other than the enumeration of imaginary sides and angles) indicate the Figure I was pleased to call a Cube? Complianceworld Being a compliance leader requires convincing others to travel to other dimensions as A. Square attempted in Flatland . However, unlike A. Square who was left to hope for brighter moments having nothing more to say, my hope is for better outcomes for compliance and I still have very much that needs to be said. There are more dimensions to compliance than many can see. That's why I have spent the last several years creating diagrams and illustrations to help describe Complianceworld – a world where compliance has sufficient dimensions to protect and ensure Total Value. Complianceworld: Compliance with Sufficient Dimensions It takes time to understand something new and then to change. It will always seem easier to just go along with what many others are doing and stay in Compianceland . However, with all that's at stake, can we afford to continue to live in Complianceland – a place where compliance has insufficient dimensions to protect all that is valued?

In my three decades as a compliance engineer, I've watched our profession's obsession with check-boxes undermine effective risk management. Today, as AI reshapes our field, there's a new reality we must confront: compliance is probabilistic.   This revelation isn't cause for alarm—it's an opportunity. By embracing Bayesian probability, we can transform how we measure, report, and improve compliance assurance.   In this article I challenge conventional compliance wisdom by asking: What will you do when AI predicts your compliance probability is less than perfect.   The answer might revolutionize how you approach assurance altogether.   If you're ready to move beyond audit check-boxes and embrace the power of probabilistic thinking, this perspective may challenge—and potentially transform—your compliance A Bayesian Approach to Compliance Assurance As a compliance engineer with over 30 years in the field, I've seen how limited single-point, audit-based assessments can be. Today's compliance landscape demands a more sophisticated probabilistic approach. Current Probability Usage in Compliance Probability concepts already permeate modern compliance programs: Risk-Based Programs : Financial institutions routinely express compliance risk as probability metrics ("70% probability of meeting regulatory expectations"), while pharmaceutical companies apply statistical probability to clinical trial compliance. Sampling-Based Testing : Organizations use statistical sampling to generate statements like "95% confidence that controls are effective" or "90% confidence that compliance exceeds 95%." Advanced Analytics : Predictive models assign probability scores to potential violations, with machine learning systems flagging transactions that exceed specific non-compliance thresholds. Industry Applications : From AML suspicious transaction scoring in financial services to statistical confidence levels in healthcare billing and probabilistic assessments in environmental compliance, industry-specific applications abound. Moving Beyond Single Points with Bayes Despite these uses of probability, most programs still rely on periodic audits that produce single-point estimates of compliance. Bayes' theorem provides a framework to synthesize these various probability measures into a cohesive, dynamic approach: P(C|E) = [P(E|C) × P(C)](#) / P(E) Where: P(C|E) is the probability of compliance given new evidence P(E|C) is the probability of observing the evidence if compliant P(C) is the prior probability of compliance P(E) is the probability of observing the evidence This formula allows us to: Start with prior observations from various sources Continuously update our assurance levels as new evidence emerges Express assurance as distributions rather than single points The Practical Advantage By applying Bayesian methods to existing probability measures, we gain significant advantages: Integrate sampling results with predictive analytics and risk-based assessments into a unified view Update assurance continuously rather than waiting for audit cycles Express uncertainty explicitly through probability distributions Allocate resources based on the full distribution, not just central tendencies   So What Will You Do? So what will you do when AI predicts that the confidence level (assurance) in meeting your obligations is less than 1? This isn't a theoretical question—it's the practical reality facing every compliance program. Perfect assurance is a mathematical impossibility in complex systems. The answer lies not in pursuing the unattainable perfect score, but in making informed decisions under acknowledged uncertainty. You'll prioritize interventions based on probability distributions, communicate transparently about confidence levels, and create a compliance function that values honesty about uncertainty over false precision. In the end, effective compliance isn't about claiming perfect assurance—it's about understanding exactly how imperfect your assurance is, and acting accordingly.

Across the world we're witnessing a profound transformation: the continual mechanization of human work, now accelerated by the integration of Artificial Intelligence (AI) and Agentic AI. Organizations, in their relentless pursuit of efficiency and cost-effectiveness, are not only turning the workforce into living machines but are increasingly replacing human workers with AI-powered systems, algorithms, and digital agents. From Human to Machine This trend, insightfully explored by Dan Davies in "The Unaccountable Machine," is creating a new challenge that extends beyond traditional organizational risk. AI systems are being deployed to handle everything from customer service inquiries to complex data analysis, replacing work previously done by “Knowledge workers.” We've become adept at streamlining operations and automating processes, while falling short in fostering the wisdom and genuine intelligence needed to advance mission success, never mind – human flourishing . The result is a workforce caught in a paradox – highly skilled in specific tasks but increasingly disconnected from the broader purpose and impact of their work. We now have AI systems to make decisions and perform work with far-reaching consequences without the nuanced understanding of human context. This shift raises critical questions about accountability, ethics, and the future of work itself. As we navigate this new terrain, we must grapple with the challenge of maintaining human wisdom and oversight in a world where machines are increasingly calling the shots and doing the work. The Middle Management Conundrum One might argue that this is where middle management comes in - to bridge the gap between organizational outcomes and operational objectives. However, the reality is often far from ideal. Middle managers have long since become redundant and for those who are left are caught between the strategic vision of upper management and the day-to-day realities of operations. They often struggle to effectively translate high-level goals into actionable objectives for their teams along with the digital systems and processes that are being used in increasing measure. This disconnect creates a vacuum where critical decisions about risk, purpose, and effectiveness fall through the cracks. The result? An accountability and perhaps even a wisdom gap that can lead to misaligned priorities, overlooked risks, and ultimately, organizational ineffectiveness. The Promise and Peril of Digital Agents and AI As we grapple with these organizational challenges, many are turning to technological solutions. Agentic AI and digital agents promise increased efficiency, 24/7 availability, and the ability to process vast amounts of data, make informed decisions and conduct the knowledge-based work. However, we must ask ourselves: Are we simply replacing human cogs in the machine with digital ones? While these technologies may offer increased utility, they don't inherently provide the wisdom and real intelligence needed for business success. The Machine Mindset Perhaps the most concerning trend is our tendency to treat human workers as machines, focusing solely on efficiency and output, only to replace them with actual machines when the opportunity arises. This approach not only dehumanizes the workforce but also fails to leverage the unique qualities that humans bring to the table - creativity, empathy, and the ability to make nuanced ethical judgments. As we continue to advance technologically, we must remember that: power without wisdom is a dangerous combination. True organizational effectiveness isn't just about having the most advanced systems or the most efficient processes. It's about having the wisdom to use these tools in ways that promote mission success along with human flourishing, both within the organization and in society at large. Reversing the Trend To address the challenges facing today’s workforce and create truly effective organizations in the digital age, we need to: Empower employees at all levels to make meaningful decisions about the work they're doing. Reinvent middle management to truly bridge the gap between strategy and operations. Approach AI and digital agents as tools to augment human wisdom, not replace it. Foster a culture that values and develops human qualities like creativity, empathy, and ethical reasoning. Continuously question and reassess our organizational structures and processes to ensure they're serving their intended purpose. With wisdom, foresight, and a commitment to human values, we can embrace new technologies and create organizations that are both effective and responsible. The choice is ours to make.

A Review of Dan Davies' Exploration of Algorithmic Decision-Making Dan Davies' The Unaccountable Machine is a compelling exploration of the profound shift in decision-making from human judgment to algorithmic systems. In his book, Davies delves into the rise of cybernetics, the science of control and communication in animals and machines, and its impact on organizations and society.     From Human Judgment to Algorithmic Decision-Making   Davies begins by tracing the historical context of this transition, highlighting the increasing complexity of the problems faced by organizations and the allure of automated solutions. He argues that the shift from human decision-making to algorithmic systems is a result of several factors:   Efficiency : Algorithms can process vast amounts of data quickly and accurately, making them more efficient than humans in many tasks. Objectivity : Algorithms can be designed to be unbiased and free from personal biases that may influence human judgment. Scalability : Algorithmic systems can be easily scaled to accommodate growing workloads and expanding operations.   The Rise of Cybernetics   A central theme in Davies' book is the role of cybernetics  in shaping the development of algorithmic systems. Cybernetics, which emerged in the mid-20th century, is the study of control and communication in animals and machines. It provided the theoretical foundation for the development of artificial intelligence and automated decision-making systems.   Davies explores how cybernetic principles have been applied to a wide range of fields, including finance, healthcare, and criminal justice. He argues that the adoption of cybernetic systems has led to a fundamental shift in the way organizations operate, with algorithms playing an increasingly important role in decision-making.   The Accountability Sink   A particularly insightful concept introduced by Davies is the "accountability sink." This refers to the phenomenon where accountability for decisions made by algorithms becomes increasingly diffuse. As algorithms become more complex and interconnected, it increasingly becomes difficult to identify who is ultimately responsible for their outcomes.   Davies argues that the accountability sink can lead to a number of negative consequences, including:   Reduced transparency : When it is unclear who is responsible for a decision, it becomes more difficult to understand how that decision was made. I ncreased risk of bias : If it is not clear who is accountable for the outcomes of an algorithm, there is a greater risk that biases will be introduced into the system. Diminished trust : When people do not trust that decisions are being made fairly and transparently, it can erode trust in institutions and organizations.   The Impact on Organizational Accountability and Compliance   The transition from human judgment to algorithmic systems raises significant questions about organizational accountability and compliance. While algorithms have become increasingly sophisticated and capable of making complex decisions, human oversight remains crucial for several reasons:   Ethical Considerations : Algorithms may not always align with human ethical values or consider all relevant factors. Human oversight can help ensure that decisions made by algorithms are morally sound and in line with societal norms. Unforeseen Circumstances:  Algorithms may struggle to adapt to unexpected or unforeseen circumstances. Human judgment can be essential for making decisions in situations that deviate from the patterns and data that algorithms are trained on. Accountability : Human oversight can help ensure that there is someone accountable for the decisions made by algorithms. This can help to prevent unintended consequences and mitigate risks. Trust : Human oversight can help to build trust in algorithmic systems. When people know that there are human beings involved in overseeing the decisions made by algorithms, they may be more likely to trust the outcomes.   In essence, while algorithms can be powerful tools, they should not be seen as a replacement for human judgment. Human oversight is essential for ensuring that algorithms are used responsibly and ethically, and that their decisions are aligned with human values and goals.   The Unaccountable Machine is a thought-provoking exploration of the implications of the shift from human judgment to algorithmic decision-making. Davies' book provides valuable insights into the challenges and opportunities presented by this technological revolution.

As a compliance engineer, I've watched AI transform from research curiosity to world-changing technology. What began as exciting progress has become a complex challenge that demands our attention. Three critical questions now face us: Can we control these systems? Can we afford them? and What might we lose in the process? The Control Challenge AI systems increasingly make decisions with minimal human input, often delivering better results than human-guided processes. This efficiency is both promising and concerning. I've noticed a troubling shift: human oversight, once considered essential, is increasingly viewed as a bottleneck. Organizations are eager to remove humans from the loop, seeing us as obstacles to efficiency rather than essential guardians of safety and ethics. As compliance professionals, we must determine where human judgment remains non-negotiable. In healthcare, finance, and public safety, human understanding provides context and ethical consideration that algorithms simply cannot replicate. Our responsibility is to build frameworks that clearly define these boundaries, ensuring automation serves humanity rather than the reverse. The Sustainability Dilemma The resource demands of advanced AI are staggering. Training requirements for large models double approximately every few months, creating an unsustainable trajectory for energy consumption that directly conflicts with climate goals. Only a handful of companies can afford to develop cutting-edge AI, creating a technological divide. If access becomes limited to those who can pay premium prices, we risk deepening existing inequalities. The environmental burden often falls on communities already vulnerable to climate impacts. Data centres consume vast amounts of water and electricity, frequently in regions already facing resource scarcity. Our compliance frameworks must address both financial and environmental sustainability. We need clear standards for resource consumption reporting and incentives for more efficient approaches. What We Stand to Lose Perhaps most concerning is what we surrender when embedding AI throughout society. Beyond job displacement, we risk subtle but profound impacts on human capabilities and connections. Medical professionals may lose diagnostic skills when relying heavily on AI. Students using AI writing tools may develop different—potentially diminished—critical thinking abilities. Skills developed over generations could erode within decades. There's also the irreplaceable value of human connection. Care work, education, and community-building fundamentally rely on human relationships. When these interactions become mediated by AI, we may lose essential aspects of our humanity—compassion, empathy, and shared experience. Engineering Responsibility: A Practical Framework As compliance professionals, we must engineer responsibility into AI systems. I propose these actionable steps: Implement Real-Time Governance Controls Deploy continuous monitoring systems that track AI decision patterns, identify anomalies, and enforce boundaries in real-time. These controls should automatically flag or pause high-risk operations that require human review, rather than relying on periodic audits after potential harm occurs. Require Environmental Impact Assessments Before deploying large AI systems, organizations should assess energy requirements and environmental impact. Not every process needs AI—sometimes simpler solutions are both sufficient and sustainable. Promote Accessible AI Infrastructure Support initiatives creating public AI resources and open-source development. Compliance frameworks should reward knowledge-sharing rather than secrecy. Protect Human Capabilities Establish guidelines ensuring AI complements rather than replaces human skill development. This includes policies requiring ongoing training in core skills even as AI assistance becomes available. Establish Cross-Disciplinary Oversight Councils Create formal oversight bodies with representation across technical, ethical, social, and legal domains. These councils must have binding authority over AI implementations and clear enforcement mechanisms to ensure accountability when standards aren't met. As compliance engineers, we must move beyond checkbox exercises to become true stewards of responsible innovation. Our goal isn't blocking progress but ensuring that technology serves humanity's best interests. The questions we face don't have simple answers. But by addressing them directly and engineering thoughtful oversight systems, we can shape an AI future that enhances human potential rather than diminishing it. Our moment to influence this path is now, before technological momentum makes meaningful oversight impossible. Let's rise to this challenge by engineering responsibility into every aspect of AI development and deployment.

The business world is changing fast as companies adopt AI technology. At a recent conference that I attended, experts shared valuable insights on making this transition successfully. Here's what stood out. Finding the Balance AI offers two main benefits for businesses: it can make your current work more efficient, and it can help you do things that weren't possible before. But there's a catch – as one speaker put it, "AI becomes an accelerant - whatever is weak will break." In other words, AI will make your strengths stronger but also expose your weaknesses faster. This dynamic creates both opportunity and risk. Organizations with solid foundations in data management, security, and operational excellence will see AI amplify these strengths. Meanwhile, companies with existing weaknesses may find AI implementations expose these vulnerabilities. The tension between innovation and exposure stood out as a consistent theme. Leaders face the challenge of encouraging creative AI applications while managing potential risks. As one presenter noted, "adopting AI is an opportunity to strengthen your foundations," suggesting that the implementation process itself can improve underlying systems and processes. Getting Governance Right Companies need clear rules for using AI safely. Mercedes-Benz showed how they've built AI risk management into their existing structures. Many experts suggested moving away from rigid checklists toward more flexible guidelines that can evolve with the technology. What matters most? Trust. Customers don't just want AI – they want AI they can trust. This means being careful about where your data comes from, protecting privacy, and being open about how your AI systems work. The establishment of ISO 42001 as an audit standard signals the maturing governance landscape. However, many speakers emphasized that truly effective governance requires moving "from compliance to confidence" – shifting focus from simply checking boxes to building genuinely trustworthy systems. A key insight was that "you can do security without compliance, but you can't do compliance without security." This highlights how fundamental security practices must underpin any meaningful compliance effort. Well-designed guardrails, now developing as the new compliance measures, should be risk-based rather than prescriptive, allowing for innovation within appropriate boundaries. Data provenance received particular attention, with speakers noting that "AI loves data and you will need to manage/govern your use of data." This becomes especially challenging when considering privacy regulations, as legal departments often restrict the use of existing customer data for AI applications. Speakers suggested more nuanced approaches are needed to balance innovation with appropriate data protection. Different Approaches Around the World How companies use AI varies greatly by location. European businesses tend to focus heavily on compliance, with frameworks like the EU AI Act shaping implementation strategies. Regional differences significantly impact how organizations approach AI adoption and governance. Some participants questioned whether the EU AI Act might be too restrictive, noting discussions about potentially toning down certain requirements – similar to adjustments made to GDPR after implementation. This reflects the ongoing challenge of balancing protection with innovation. Compliance expertise varies by region as well. I observed that "compliance is a bigger deal in Europe and they are good at it," suggesting that European organizations may have advantages in navigating complex regulatory environments. This expertise could become increasingly valuable as AI regulations mature globally. Workforce Changes We can't ignore that some jobs will be replaced by automation. This creates a potential two-tier economy and raises important questions about training and developing people for new roles. Companies need to build AI literacy across all departments, from engineering to legal, HR, and marketing. The conference highlighted that AI literacy isn't one-size-fits-all – training needs to be tailored to different functions. Engineers need technical understanding, while legal teams require compliance and risk perspectives. Marketing departments might focus on ethical use cases and customer perception. A particularly interesting trend is taking shape around AI skills development. Many professionals are moving into AI governance roles, but fewer are pursuing AI engineering due to the longer lead time for developing technical expertise. This could create imbalances, with potentially too many governance specialists and too few engineers who can implement AI systems properly. Beyond job replacement, AI promises to transform how knowledge workers engage with information. Rather than simply replacing analysts, AI can help them process "the mountain of existing data" – shifting focus from basic results to deeper insights. This suggests a future where AI augments human capabilities rather than simply substituting for them. The "Shadow AI" Problem Just like when employees started bringing their own devices to work, companies now face "shadow AI" – people using AI tools without official approval. This growing challenge is more pervasive than previous BYOD issues, as AI tools are easily accessible online and often leave fewer traces. Implementing an acceptable use AI policy is the most effective way to address this challenge. Such a policy clearly defines which AI tools are approved, how they can be used, and what data can be processed through them. Rather than simply banning unofficial tools, effective policies create reasonable pathways for employees to suggest and adopt new AI solutions through proper channels. The policy should balance security concerns with practical needs – if official tools are too restrictive or cumbersome, employees will find workarounds. By acknowledging legitimate use cases and providing approved alternatives, companies can bring shadow AI into the light while maintaining appropriate oversight. Regular training on the policy helps employees understand not just the rules but the reasoning behind them – particularly the security and privacy risks that shadow AI can introduce. When employees understand both the "what" and the "why," they're more likely to follow guidelines voluntarily. The proliferation of shadow AI creates a fundamental governance challenge captured by the insight that "you can't protect what you can't see." Organizations first need visibility into AI usage before they can establish effective governance. This requires technical solutions to detect AI applications across the enterprise, combined with cultural approaches that encourage transparency. Bringing Teams Together One clear message from the conference: AI governance and engineering must work hand-in-hand. No single person or team has all the answers for creating responsible AI systems. This calls for collaboration across departments and sometimes specialized roles like AI Compliance Engineering. A key challenge is that traditional organizational structures often separate these functions. In practice, it appears that AI governance cannot be effectively separated from AI engineering, yet many companies attempt to do just that. Successful organizations are creating new collaborative structures that bridge these domains. The automotive industry provides useful parallels. As one presenter noted, "automotive has 180 regulations, now AI is being introduced from an IT perspective." This highlights how AI governance is emerging from IT but needs to learn from industries with long histories of safety-critical regulation. However, important differences exist. One speaker emphasized that "IT works differently than the automotive industry," suggesting that governance approaches need adaptation rather than simple transplantation between sectors. The growing consensus suggests that use case-based approaches to AI risk management may be more effective than broad categorical rules. Defining clear interfaces between governance and engineering appeared as a potential solution, with one suggestion to "define KPIs for AI that should be part of governance." This metrics-based approach to governance integration could help standardize how AI systems are measured and evaluated within governance frameworks. Moving Forward As your company builds AI capabilities, you'll need both effective safeguards and room for innovation. This is a chance to strengthen your organization's foundation through better data management and security practices. The most successful companies will develop approaches tailored to specific uses rather than applying generic rules everywhere. And as AI systems become more independent, finding the right balance between automation and human oversight will be crucial. The rise of autonomous AI agents introduces new challenges. As AI systems become more sophisticated, there are legitimate concerns that certain types of AI agents might operate with limited human oversight and could potentially act in unexpected ways depending on their autonomy levels. These considerations highlight the need for governance approaches that can handle increasingly sophisticated AI systems. The conference acknowledged that "an evergreen process has not been developed yet" for AI governance, suggesting that organizations must remain adaptable as best practices continue to evolve. This dynamic environment creates space for innovation in governance itself – developing new methods and controls that can effectively manage AI risks while enabling beneficial applications. In this changing landscape, the winners will be those who can blend good governance with practical engineering while keeping focused on what matters most – creating value for customers and the business. By addressing AI governance as an enabler rather than just a constraint, organizations can build the confidence needed for successful adoption while managing the inherent risks of these powerful technologies.

Every organization faces an uncomfortable reality that few discuss openly: some people deliberately circumvent established standards & protocols, and break rules. While compliance systems effectively guide well-intentioned employees, they often fall short when confronted with those who intentionally work around safeguards. The Expansive Scope of Modern Compliance Today's compliance encompasses far more than basic regulatory adherence. Organizations must navigate obligations across multiple domains: Safety protocols protecting employees, customers, and communities Security frameworks safeguarding information and physical assets Privacy requirements preserving confidential and personal data Quality standards ensuring product and service excellence Sustainability commitments upholding environmental and social responsibility Regulatory mandates meeting industry-specific legal requirements Each domain creates unique challenges when addressing deliberate non-compliance. Beyond Good Intentions: The Triple Purpose of Compliance Compliance frameworks serve three essential functions across these domains: Guiding well-intentioned people through complex requirements Preventing accidental missteps through education and systems design Limiting harm from deliberate circumvention through detection and consequences Most compliance efforts focus heavily on the first two—creating dangerous blind spots when confronted with intentional violations. The Sophisticated Strategies of Willful Non-Compliance Those who deliberately circumvent standards rarely do so openly. Instead, they use calculated approaches: Feigning technical confusion ("This sustainability reporting system makes no sense") Creating plausible deniability ("The privacy assessment? That was handled elsewhere") Pressuring compliance professionals ("We'll miss our safety certification if we document every test") Undermining specialized expertise ("Security doesn't understand what we're trying to do") Finding technical loopholes while violating the spirit of commitments How Rule-Breakers Navigate Different Types of Obligations Regulatory Requirements: Calculated risk-takers understand enforcement limitations and make cold assessments about detection probability. They hide deliberate violations within seemingly compliant operations—whether in financial reporting, environmental compliance, or product safety. Voluntary Standards and Certifications: When organizations publicly commit to voluntary standards (ISO certifications, sustainability frameworks, industry best practices), some individuals view these as optional "stretch goals" rather than binding commitments—creating significant reputation risks. Organizational Values and Commitments: Most concerning are those who publicly champion quality, safety, or ethical commitments while systematically undermining them behind closed doors—appearing compliant while subverting obligations and promises. The Critical Distinction: Deliberate Violations vs. Approved Deviations Not all deviations from standard procedures represent non-compliance. In complex environments, rigid adherence to every protocol may occasionally impede safety, quality, or other objectives. Smart organizations distinguish between: Unauthorized violations where individuals circumvent standards without proper review Approved deviations where exceptions receive documentation, risk assessment, and authorization Good compliance frameworks include straightforward processes for requesting deviations when legitimate operational needs arise. These typically require risk assessments, appropriate approvals, compensating controls, and time limitations. By creating clear pathways for authorized exceptions, organizations maintain integrity while allowing necessary flexibility. The key difference lies in transparency—approved deviations remain visible and governed, while violations deliberately hide. Why Traditional Approaches Fall Short Standard compliance tools assume good intentions. Policies, training modules, and basic monitoring catch honest mistakes but miss deliberate evasion. Cross-domain challenges make detection particularly difficult—a privacy violation might hide within technical security documentation, or safety shortcuts might be buried in quality process paperwork. Forward-Thinking Strategies Against Cross-Domain Non-Compliance Leading organizations are developing more sophisticated approaches: Integrated compliance frameworks detecting patterns across safety, quality, privacy, and other domains Root cause analysis examining motivations behind deliberate circumvention Cultural assessment tools measuring psychological safety for raising concerns Cross-functional relationship mapping identifying problematic influence dynamics Advanced detection systems finding subtle signals of potential circumvention The Evolving Role of Compliance Professionals Addressing willful non-compliance requires a more sophisticated stance: Building cross-domain expertise to spot evasion techniques Ensuring meaningful consequences for deliberate violations Implementing integrated detection frameworks across safety, quality, privacy, and other areas Developing partnerships with leaders who understand how compliance failures create cascading risks Creating genuine safe channels for reporting concerns about misconduct Building a Culture of True Commitment The most effective defence against deliberate circumvention isn't found in more policies—it's in creating environments where: Compliance serves as a strategic asset, not a necessary evil Leaders model commitment to standards, not just technical compliance People feel empowered to raise concerns without fear Those who circumvent standards face consequences, regardless of seniority The organization learns from past violations to strengthen its approach Moving Forward The uncomfortable reality about compliance is that it must function both as a guide for the well-intentioned and as a defence against those who deliberately subvert standards—across safety, security, privacy, quality, sustainability, and regulatory domains. By developing targeted approaches to identify and address wilful non-compliance, organizations protect themselves against potentially devastating threats from within. How does your organization manage the tension between strict compliance and necessary operational flexibility? Share your experiences in the comments.

What do quality, safety, security, sustainability, environmental, regulatory and ethics programs have in common ? All these programs have the same purpose. They exist to make certain that organizational values are realized by introducing change to culture, behaviours, systems, and processes within a business. Programs are the means by which operational governance steers. They also bridge the gap between organizational values and operational objectives. Management programs differ from management systems (examples: ISO 27001, ISO 9001, IOS 42001, etc) in the following way: Management systems are reactive by design to stay between the lines. Management programs are proactive by design to stay ahead of risk. Compliance Programs and Systems Programs are the feed-forward processes of Operational Compliance an example of double-loop learning. A thermostat (system loop) may help keep your room at a specified temperature. However, it will never tell you if the room is warm enough (program loop). The system loop regulates towards a specific target. The program loop adjusts the target to regulate towards better outcomes. This is one of the reasons why organizations need programs , they are essential to regulate systems. Systems by design optimize towards the set target by removing variation in its inputs, wip, and outputs and will never on their own adapt to higher standards. That's why you need management programs - they are the feed-forward process necessary to steer towards better outcomes.

The following diagram is a vertical orientation of our Operational Compliance Model updated to better emphasize how bridging the gap between the ends and means happens in accountable organizations.   Operational Compliance Model (Updated) We use the  Operational Compliance Model to ensure policy-driven outcomes, targets, standard practices, and rules arising from modern and risk-based regulatory designs are properly handled with assurance at the right level of accountability and responsibility from the top to the bottom of the organization.   The Operational Compliance Model includes built-in risk management, compliance, and governance right from the start in one integrative model.   It's also AI-Ready with reinforcement learning loops to not only course correct but also teach you how to improve at the same time. The Operational Compliance Model incorporates the essential principles to meeting obligations and keeping promises with accountability, scalable for all businesses from small, medium or large. This model is best implemented using the Lean Startup approach to achieve Minimal Viable Compliance (MVC), on which improvements can be made over time. At all times, you will learn how to be effective at compliance as you build capability from a scooter, motorcycle, and then a car. Compliance cannot be achieved by the parts alone. Only when the parts are working together as one system can the outcome of compliance be realized. Our methodology lifts businesses in highly regulated, high-risk industries above the reactivity of being buried by standards, frameworks, and controls focused on certifications and audits. By effectively meeting your safety, security, sustainability, quality, regulatory, and ethical obligations, you'll always stay on mission, between the lines, and ahead of risk. Book a meeting with me (Raimund Laqua) to discuss how Lean Compliance can help ensure your Mission Success Through Compliance .

A fundamental root cause of organizational dysfunction can be traced to Taylorism and scientific management approaches to organizational design. This management philosophy has fragmented organizations into isolated components that operate without understanding their function in relation to the whole system. Each unit focuses narrowly on its specific tasks rather than comprehending how its work contributes to the organization's broader mission. Taylorism, developed by Frederick Winslow Taylor in the early 20th century, revolutionized industrial management by breaking complex processes into specialized, measurable tasks. This scientific management approach emphasized efficiency through standardization, detailed time studies, and rigid division of labor—separating planning from execution and managers from workers. While it dramatically increased productivity in manufacturing settings, Taylorism's legacy includes the fragmentation of work into disconnected activities, the devaluation of worker knowledge and autonomy, and the creation of organizational structures where specialists operate in isolation without understanding how their work contributes to the whole. This mechanistic view of organizations treats humans as interchangeable parts in a machine rather than as adaptive components in a living system, laying the groundwork for today's organizational silos. This fragmentation has progressively diluted managerial accountability, creating a paradoxical situation where responsibility is distributed widely, yet true accountability remains elusive. The few managers who are genuinely accountable often lack sufficient span of control to fulfill their obligations effectively or to properly address organizational risks. Their authority is constrained to specific domains, preventing them from implementing comprehensive solutions that cross departmental boundaries. The Promise of GRC Governance, Risk, and Compliance ( GRC ) emerged as a framework intended to harmonize disparate control mechanisms and create organizational coherence amidst increasing regulatory complexity. In theory, GRC should align governance structures, risk management practices, and compliance activities to ensure strategic objectives are met while navigating uncertainty and meeting obligations. However, in practice, GRC has often deteriorated into a technical exercise focused on tools, documentation, and process integration rather than meaningful business outcomes. Organizations implement expensive GRC systems that track controls and compliance tasks but fail to create the integrative force. GRC has become fixated on the mechanics of integration while losing sight of its intended purpose—bridging the gap between the ends and the means through improved alignment, accountability, and assurance. The result is a parallel bureaucracy that adds complexity without addressing the fundamental disconnection between operational activities and organizational purpose, creating the illusion of better control while leaving the organization vulnerable to the very risks it aims to mitigate. The critical gap between means (how we operate) and ends (what we aim to achieve) persists, despite GRC's original promise to bridge this divide. A Path Forward GRC initiatives are fundamentally incapable of achieving their intended purpose without first addressing the root cause of organizational dysfunction—the Taylorist fragmentation that has created siloed thinking and diluted accountability. No amount of sophisticated GRC technology, integrated controls, or compliance documentation can overcome an organizational design where units operate in isolation, managers lack proper authority, and employees don't understand how their work contributes to strategic outcomes. Attempting to implement GRC in such environments merely adds another layer of complexity atop an already disjointed system. True GRC effectiveness requires a complete reimagining of organizational structure—one that reconnects fragmented parts into a coherent whole, restores clear lines of accountability with commensurate authority, and creates transparency between operational activities and strategic objectives. Only by rebuilding the foundation can GRC fulfill its promise as an integrative force rather than another disconnected management program. Here are actions you can take to deliver the promise of GRC: Reimagine Organizational Design : Move beyond Taylorist fragmentation by designing organizations around end-to-end value streams rather than specialized functions. This approach connects each activity directly to customer and stakeholder outcomes. Establish Clear Accountability Frameworks : Implement a formal accountability structure that clearly delineates decision rights, empowers responsible individuals with appropriate authority, and aligns accountability with organizational objectives. Expand Managerial Span of Control : Broaden the authority of accountable managers to encompass all resources necessary to fulfill their responsibilities, enabling them to address risks holistically across traditional boundaries. Redefine GRC Purpose : Shift GRC focus from mere integration of controls to becoming an integrative force that enhances organizational capability to achieve strategic objectives while navigating uncertainty. Implement Systems Thinking : Adopt a holistic approach where leaders and employees understand both their specific roles and how they contribute to the larger system, fostering shared understanding of interdependencies. Develop Integrative Leadership Capabilities : Train leaders to think across boundaries, understand complex systems, and make decisions that optimize the whole rather than sub-optimizing components. Create Mission-Focused Metrics: Develop performance measures that track progress toward strategic outcomes rather than merely monitoring compliance or departmental outputs, reinforcing the connection between daily activities and organizational purpose. The path forward requires courage to challenge deeply entrenched management paradigms that have shaped our organizations for over a century. By recognizing Taylorism's limitations and reimagining organizational design around wholeness rather than fragmentation, leaders can create systems where accountability flows naturally from clear purpose. This transformation demands that we reconceive GRC not as a technical solution but as a strategic capability that connects governance to execution through integrative leadership. The organizations that thrive in today’s complex landscape will be those that successfully unite their fragmented parts into purposeful wholes, establish meaningful accountability with appropriate authority, and leverage GRC as an integrative force that bridges the gap between strategic intent and operational reality. The challenge is significant, but the alternative—continuing to build increasingly complex control systems atop fundamentally flawed foundations—is a recipe for continued disappointment and organizational dysfunction.