Insights

Somewhere inside a government agency, a public institution, or a private company, an employee is almost certainly pasting information into an AI tool that nobody formally approved. The employee is probably not trying to circumvent policy. They are trying to get through their workday. A chatbot can summarize a report in seconds. A coding assistant can solve a technical problem faster than a colleague can respond to a message. An automated note-taking application can generate meeting minutes before participants have even left the call. The attraction is obvious. So is the speed with which these tools have spread through workplaces.

The first paper I wrote as an analyst at Forrester back in 2013 was about mitigating risk in the customer journey. That was also my first exposure to marketing’s alternative vocabulary for risk they call it customer pain points or challenges. I call it risk. Same thing, different outfit.

The second day of Risk-!n Zurich had a different character from the first. Day one was largely about visibility and how organizations can see risk clearly enough in environments shaped by artificial intelligence, cyber acceleration, operational complexity, climate exposure and emerging technologies. Day two moved the discussion one step further. If organizations can see more, faster and with greater precision, what exactly are they supposed to do with that visibility?

In a recent LinkedIn post, I argued that the biggest barrier to effective governance is not technology, cost, standards, or even board interest. It is management's reluctance to provide boards with reliable information on uncertainty and performance linked to Mission Critical Objectives (MCOs), combined with boards' reluctance to insist on receiving that information. The reaction to that post reinforced my belief that this issue sits at the center of one of the most important, and least discussed, governance challenges facing organizations today.

Last week I argued that much of what is being marketed as agentic AI in GRC is not actually agentic. The market response was interesting because very few people challenged the core premise. Most practitioners already sense that something is off. They sit through the demonstrations and hear the language. They watch the AI summarize documents, answer questions, generate narratives, and produce recommendations. Then they leave wondering whether they just witnessed the future of GRC or a very polished presentation wrapped around capabilities that have existed in various forms for years.

The first day of Risk-!n Zurich featured discussions on business continuity, enterprise risk management, internal controls, cybersecurity, climate resilience, artificial intelligence and quantum computing. On paper, it looked like a conference agenda built around a broad collection of risk disciplines. In practice, many of the presentations were wrestling with the same question. How do organizations maintain visibility into risks that are moving faster than the governance structures designed to oversee them?

Beneficial ownership is one of the most established concepts in anti-money laundering compliance. It is also one of the most persistently misunderstood in practice. At onboarding, most financial institutions collect beneficial ownership declarations, identify individuals with controlling interests, and document ownership percentages as part of standard due diligence. On the surface, this appears to satisfy regulatory expectations.