The first wave of obligations under Europe’s AI Act quietly came into force on August 2, 2025. It was the moment organizations were meant to turn policy debates into practice, especially for general-purpose AI models already woven into customer service, analytics, and day-to-day operations. But just as this new era of AI oversight began, another development signaled how uneven the landscape still is.
Climate has dominated ESG discourse for years. Carbon pathways, transition plans, emissions reporting have all become standard boardroom topics. Yet the most fundamental risk is one that companies often only notice once it’s too late, which is the natural systems that businesses depends on every single day.
Third-party risk teams have spent the last few years preparing for a world where ESG reporting would continually grow in scope, depth, and regulatory expectation. Companies were told to map emissions throughout their supply chains, understand human-rights risks in their upstream tiers, and gather detailed data from suppliers that had never before been part of formal reporting channels. For better or worse, the direction felt clear.
For years, AI governance has been built around preventing bad decisions before they happen. Organizations assess training data, test accuracy, evaluate bias, write principles, and sign off on models before they go live. That made sense when AI produced insights and humans made the choices that followed.
It was supposed to be a step toward global unity. The G7’s Hiroshima AI Process was meant to signal the dawn of an international consensus on how to govern artificial intelligence. Instead, it’s become a reminder that the world’s biggest powers are not building one system of AI governance, but several. Each reflects a different philosophy of risk, control, and trust. And for compliance and risk leaders, that’s where the real work begins.
When Carole Switzer talks about lawyers and their role in governance, risk, and compliance, she doesn’t sound like someone reading off a checklist. She sounds more like a coach urging a team to play the bigger game.
When JPMorgan Chase’s CISO took to the stage earlier this year and called on SaaS providers to “do better” on resilience, it wasn’t just another passing soundbite. It was a rare public signal from one of the most security-mature organizations on the planet — and the timing could not have been sharper.