For a long time, compliance has lived in the margins of the enterprise, summoned when needed, consulted when required, and too often encountered as a final checkpoint at the edge of a decision already in motion. It has been, in many organizations, a function of restraint, and a necessary friction applied to ensure that ambition does not outrun obligation.
There are periods when geopolitics hums in the background of corporate life, unsettling, tragic, but still distant enough to be categorized as “external.” And then there are moments when the map seems to press directly against the operating model of the enterprise. Escalation involving Iran sits firmly in that latter category, not because conflict in the region is new, but because it concentrates so many interlocking systems (energy corridors, cyber capability, sanctions regimes, proxy networks, global shipping routes) into a single geography where instability reverberates quickly and unevenly.
There is a particular moment in every technological transformation when enthusiasm gives way to recognition. It is not the moment when innovation falters, nor when critics grow louder. It is the moment when institutions begin to understand that what has been built is now too consequential to remain loosely governed.
For a long time, ESG risk in the supply chain was treated as something adjacent to the business rather than integral to it. A matter of policy statements, supplier codes of conduct, and questionnaires circulated once a year, often completed quickly and filed away quietly. The appearance of diligence was usually sufficient. Oversight, such as it was, could be delegated.
Third-party risk rarely announces itself with alarms. More often, it arrives quietly, disguised as an assumption. The assumption is that responsibility can be shared without consequence. That accountability can be distributed, diluted, and still hold its shape when pressure arrives. That contracts, frameworks, and carefully worded clauses will stand in for human judgment when systems fail and decisions cannot wait.
Organizations are very good at moving on. Leadership changes. Systems are replaced. Vendors rotate in and out. Strategic priorities shift with the market. What organizations are far less good at is remembering why things exist the way they do.
The first wave of obligations under Europe’s AI Act quietly came into force on August 2, 2025. It was the moment organizations were meant to turn policy debates into practice, especially for general-purpose AI models already woven into customer service, analytics, and day-to-day operations. But just as this new era of AI oversight began, another development signaled how uneven the landscape still is.