Insights

The AI Oversight Gap

AI isn’t waiting for governance to catch up, and that gap is quickly turning into one of the most serious risk challenges organizations face today. As companies push ahead with more advanced, increasingly autonomous AI systems, many are doing so without the controls needed to manage them effectively. What was once a manageable oversight issue is becoming something more structural. Agentic AI is beginning to operate beyond traditional human decision loops, and the longer governance lags behind, the harder it becomes to rein it back in.

Risk Is Everywhere

In this article, Norman Marks explores a familiar but often misunderstood reality for risk and internal audit professionals—risk is everywhere, but not every risk deserves equal attention. Drawing on a reader’s challenge to conventional thinking, Marks examines the limits of risk registers, the pitfalls of overextending audit scope, and why effective risk management ultimately comes down to prioritization, judgment, and better decision-making rather than attempting to catalog or control every possible threat.

Agentic AI Moves From Hype to Hard Reality as GRC Buyers Confront What Comes Next

In my most recent article on my site, I raised a concern that should not be easy to dismiss. The term “agentic AI” is being used far too loosely across the GRC market, often applied to capabilities that, while useful, fall well short of anything resembling true autonomy or orchestration.

Reorganizing for the Robots: How AI Forces Everyone to Change

Artificial Intelligence has officially entered the chat—and the conference room, the Slack channel, and, yes, the committee meeting that could have been an email. What started as a shiny IT initiative has now turned into a full-blown organizational identity crisis. Suddenly, everyone is asking the same questions: Who owns AI? Who governs it? Who explains it when it breaks? And, most importantly, does it get a seat at the table—or just a really big monitor in the back? The truth is, AI isn’t just another tool. It’s an organizational shapeshifter. It changes how work happens, who makes decisions, and how people engage with each other. It doesn’t just automate tasks; it rearranges responsibility. And that means the org chart—that sacred map of power, politics, and parking privileges—is about to look very different.

The Resilient Enterprise: Using AI to Connect Governance, Risk, & Compliance

Risk hasn’t just increased; it’s become more connected, more dynamic, and harder to contain within traditional GRC models. This report, developed with Harvard Business Review Analytic Services, explores how organizations are responding by rethinking GRC through AI: not as a layer of automation on top of existing processes, but as a way to fundamentally change how risk is understood and managed.

Why Digital Transformation Is Creating a New Governance Crisis & Why CIOs Are at the Center of the Solution

In recent years, we’ve seen multiple cases in which governance gaps created during digital transformation resulted in regulatory enforcement. In 2020, the U.S. Office of the Comptroller of the Currency fined Capital One $80 million for failing to establish an effective risk assessment before migrating significant IT operations to the cloud and for failing to remediate quickly afterward. In 2022, U.K. regulators fined TSB Bank £48.65 million after a disruption caused by the company’s core-platform migration exposed weaknesses in risk management and governance.

The Invisible Third-Party: AI as a Vendor Risk You're Probably Not Managing

Imagine a scenario that unfolds hundreds of times daily across organizations of all sizes and sectors. A senior analyst, facing a tight deadline, pastes the text of a confidential vendor contract into an AI-powered tool. She seeks a quick summary, perhaps highlighting key terms or comparing it with a previous agreement. The tool responds promptly. She gets the information she needs in seconds and moves on.