Historically, organisations had years to adapt governance and risk management to technological change; AI is compressing those cycles into months. For me, the blind spot for the C-levels I speak to is understanding that the most important impact of AI is not intelligence, it is speed. The challenge for leadership teams is that governance, procurement, compliance and risk functions were never designed for this velocity. The question is no longer whether AI will be adopted, but how organisations maintain control once it is, so that they retain their legitimacy to operate.
Truth be told, this is not really about AI, nor is it about cyber, governance or risk management. The goalposts have moved: it is about TRUST (yes, a theme you will be familiar with from my missives):
- Trust that your operating model remains fit for purpose
- Trust that your governance and risk management approaches can keep pace
- Trust that you remain in control when things start moving by themselves
Regulation has not fundamentally changed. Obligations around recordkeeping, supervision, transparency, accountability and customer protection still apply, regardless of whether decisions are made by people, algorithms or AI agents.
What has changed is the environment in which those obligations operate. AI introduces speed, volume and complexity that traditional compliance and risk-management models were not designed to handle. Oversight that once operated periodically, or after the event, now risks falling behind the systems it is meant to control.
This exposes a structural weakness. Compliance frameworks built around static policies, sample-based testing and retrospective review struggle when decisions are continuous, automated and produced at machine speed. Compliance was designed for human speed with traditional models built around relatively visible human activity. That model was never perfect but it operated at a speed that allowed human oversight to retain some practical meaning.
The growth of shadow AI illustrates the problem. Employees are already using unapproved tools to summarise documents, draft communications, analyse information and support decisions outside official systems. As with side channel communications, the activity may still be regulated even when it is difficult to detect, supervise or preserve.
The difference is that AI can do more than relocate a communication. It can transform information, introduce error, obscure provenance and influence judgement without appearing as the final decision-maker. AI changes the equation. The weakness is structural. Compliance remains organised around retrospective human inspection while the systems being supervised are becoming continuous, automated and increasingly autonomous.
Accountability therefore begins as soon as AI materially influences a regulated workflow. A human clicking ‘approve’ does not necessarily provide meaningful oversight if they cannot understand, challenge or reconstruct the machine-generated recommendation. The result is a widening gap between the speed at which regulated activity occurs and the speed at which traditional compliance can observe, understand and challenge it. Without safeguards, ‘human in the loop’ risks becoming little more than ceremonial approval, a human signature attached to a machine-produced conclusion. Effective governance requires visibility across the AI estate.
The same disruption is occurring in risk management. AI is not changing the risks; it is changing the speed at which risks emerge. Traditional risk processes depend heavily on periodic assessments, historical indicators, static registers and linear forecasts. They assume risks can be identified, scored and reviewed at a pace broadly aligned with organisational change.
AI weakens that assumption. New dependencies, attack paths, model behaviours and operational concentrations can emerge faster than the formal risk cycle can recognise them. By the time a risk register is updated, the underlying environment may already have changed. The future of risk management is not simply managing known risks better; it is continuously adapting to risks that have not yet been imagined.
Both compliance and risk management must therefore shift from periodic review to continuous evidence and adaptive oversight. Traditional approaches based on linear forecasts and single-point assumptions become increasingly unreliable.
This means dynamically discovering AI use, monitoring material decisions, preserving appropriate decision lineage, testing controls continuously and escalating when systems operate outside approved boundaries.
The objective is not to automate accountability but to equip accountable people with evidence at the speed required to govern. The focus shifts from predicting every threat to building resilience, adaptability and decision-making capacity in the face of uncertainty.
The real threat could be classed as a new category of risk: institutional latency, the widening delay between technological action, organisational visibility and responsible intervention. Closing that gap also requires an evolution in mindset. For example, shifting to scenario planning enables organisations to explore multiple plausible futures, assess how emerging technologies, market shifts, regulatory developments and threat landscapes may evolve, and identify strategic responses before they are needed. Rather than attempting to predict a single outcome, scenario planning builds organisational adaptability, resilience and decision-making confidence, ensuring leaders can respond effectively as conditions change. In an AI-driven world, competitive advantage will increasingly belong to organisations that can adapt to uncertainty faster than others can predict it.
In an AI-enabled environment, risk management and governance that remain slower than the systems they oversee will eventually become risk management and governance in name only. The organisations that manage the transition well will stop treating AI governance as a policy exercise owned by one committee and instead recognise it as a multidisciplinary operating capability spanning compliance, legal, risk, cyber security, data governance, procurement, model risk, technology and business ownership. Each function sees a different part of the risk. None can manage it alone.
The organisations that succeed, then, will not be those with the longest AI policies but those able to demonstrate, continuously and credibly, what their AI systems are doing, why they are permitted to do it and who remains accountable when they do.
Posted on June 26, 2026