Samuel Rasmussen

There is a peculiar imbalance taking shape inside many organizations. Over the past two years, companies have assembled AI governance committees, drafted acceptable-use policies, updated risk registers, and launched internal working groups dedicated to understanding the implications of artificial intelligence. Compliance teams have studied emerging regulations. Privacy officers have debated data-sharing restrictions. Boards have asked increasingly pointed questions about oversight, accountability, and risk.

At one point during the scramble around the EU Deforestation Regulation, people in compliance departments were trying to determine whether a shipment of cattle-derived products could be reliably traced back to land parcels that, in some cases, had changed ownership multiple times across jurisdictions with inconsistent land registries and uneven digital infrastructure. There were meetings about satellite imagery. Meetings about geolocation coordinates. Meetings about whether suppliers in rural regions would even understand the documentation requests they were suddenly receiving from European multinationals. Entire teams found themselves discussing forests they would never see.

For decades, anti-money laundering compliance has been defined by accumulation. More alerts, more filings, more controls, more documentation. Each layer added with the quiet understanding that no one would be faulted for doing too much, only for doing too little. The result was not failure, exactly, but a kind of defensive equilibrium. Programs became expansive, but not necessarily incisive. Activity was measurable. Effectiveness was not.

There was a time, not long ago, when sustainability lived comfortably in the realm of language. It was shaped in marketing decks and annual reports, polished into pledges and promises that felt, if not always precise, then at least directionally virtuous. Companies spoke of pathways and commitments, of journeys toward net zero and stewardship, and for a while that was enough. The words carried weight simply because they were spoken.

For a long time, compliance has lived in the margins of the enterprise, summoned when needed, consulted when required, and too often encountered as a final checkpoint at the edge of a decision already in motion. It has been, in many organizations, a function of restraint, and a necessary friction applied to ensure that ambition does not outrun obligation.

There are periods when geopolitics hums in the background of corporate life, unsettling, tragic, but still distant enough to be categorized as “external.” And then there are moments when the map seems to press directly against the operating model of the enterprise. Escalation involving Iran sits firmly in that latter category, not because conflict in the region is new, but because it concentrates so many interlocking systems (energy corridors, cyber capability, sanctions regimes, proxy networks, global shipping routes) into a single geography where instability reverberates quickly and unevenly.

There is a particular moment in every technological transformation when enthusiasm gives way to recognition. It is not the moment when innovation falters, nor when critics grow louder. It is the moment when institutions begin to understand that what has been built is now too consequential to remain loosely governed.