Insights

Reorganizing for the Robots: How AI Forces Everyone to Change

Artificial Intelligence has officially entered the chat—and the conference room, the Slack channel, and, yes, the committee meeting that could have been an email. What started as a shiny IT initiative has now turned into a full-blown organizational identity crisis. Suddenly, everyone is asking the same questions: Who owns AI? Who governs it? Who explains it when it breaks? And, most importantly, does it get a seat at the table—or just a really big monitor in the back? The truth is, AI isn’t just another tool. It’s an organizational shapeshifter. It changes how work happens, who makes decisions, and how people engage with each other. It doesn’t just automate tasks; it rearranges responsibility. And that means the org chart—that sacred map of power, politics, and parking privileges—is about to look very different.

The Resilient Enterprise: Using AI to Connect Governance, Risk, & Compliance

Risk hasn’t just increased, it’s become more connected, more dynamic, and harder to contain within traditional GRC models. This report, developed with Harvard Business Review Analytic Services, explores how organizations are responding by rethinking GRC through AI. Not as a layer of automation on top of existing processes, but as a way to fundamentally change how risk is understood and managed.

Why Digital Transformation Is Creating a New Governance Crisis & Why CIOs Are at the Center of the Solution

In recent years, we’ve seen multiple cases in which governance gaps created during digital transformation resulted in regulatory enforcement. In 2020, the U.S. Office of the Comptroller of the Currency fined Capital One $80 million for failures to establish effective risk assessment before migrating significant IT operations to the cloud and to remediate quickly afterward. In 2022, U.K. regulators fined TSB Bank £48.65 million after a disruption caused by the company’s core-platform migration that exposed weaknesses in risk management and governance.

The Invisible Third-Party: AI as a Vendor Risk You're Probably Not Managing

Imagine a scenario that unfolds hundreds of times daily across organizations of all sizes and sectors. A senior analyst, facing a tight deadline, pastes the text of a confidential vendor contract into an AI-powered tool. She seeks a quick summary, perhaps highlighting key terms or comparing it with a previous agreement. The tool responds promptly. She gets the information she needs in seconds and moves on.

When Compliance Becomes Business Infrastructure

For a long time, compliance has lived in the margins of the enterprise, summoned when needed, consulted when required, and too often encountered as a final checkpoint at the edge of a decision already in motion. It has been, in many organizations, a function of restraint, and a necessary friction applied to ensure that ambition does not outrun obligation.

GRC Engineering 101

Engineering teams don’t debate where their source of truth lives. It’s in code. Changes are tracked, reviewed, and deployed through systems designed to create clarity and accountability. GRC has largely operated outside of that model.

The Overlooked Governance Problem Regulators Have Yet to Tackle

In a recent LinkedIn post, I posed a question that has quietly lingered in governance circles for years. If courts in the United States have already made clear that boards are expected to oversee risks tied to Mission Critical Objectives, why haven’t regulators directly addressed deficient board oversight in this area?