Risk is an ever-present feature of enterprise operations. Whether it manifests as operational disruption, regulatory change, strategic misalignment, or the volatility of emerging threats, risk is embedded in the daily conduct of business. Yet it is not the presence of risk that should concern us most, but the way in which it is understood, managed, and integrated into the lifeblood of planning and decision-making.
In one of the latest articles on my website, I argued that GRC platforms must re-architect around digital twins, knowledge models, and agentic intelligence if they intend to survive the coming decade. But there is a deeper implication that deserves equal attention.
Almost half of all GenAI use now occurs through personal accounts like ChatGPT, Claude, Perplexity, and others, entirely outside corporate oversight or control. This isn’t about a few rogue users acting in secret. We’re seeing widespread bypassing of approved tools across entire organizations, with the average company experiencing 223 shadow AI incidents each month, twice as many as just a year ago.
When the Digital Services Act entered into force two years ago, it was framed as a reset for the online economy. The rhetoric focused on safer digital spaces, stronger protections for fundamental rights, and curbing manipulative or harmful platform behavior.
There is a particular moment in every technological transformation when enthusiasm gives way to recognition. It is not the moment when innovation falters, nor when critics grow louder. It is the moment when institutions begin to understand that what has been built is now too consequential to remain loosely governed.
Let’s be honest: governance doesn’t usually make hearts race. The word alone can drain the excitement out of a meeting faster than a surprise PowerPoint. For years, governance has been typecast as the corporate hall monitor—clipboard in hand, ready to say, “No, you can’t do that.” But in the age of AI, that old stereotype doesn’t work anymore. Governance has gone through its own transformation, like a quiet glow-up. Today, it’s not about slowing innovation down; it’s about keeping it human. In fact, governance has become the new empathy.
In this article, Norman Marks reflects on a recent exchange sparked by Alex Sidorenko’s thinking on risk and decision-making, exploring where they strongly align and where a critical distinction emerges around the concept of uncertainty. While agreeing that risk management should move beyond static risk lists and toward enabling better decisions, Marks challenges how the term “uncertainty” is often understood and applied in practice. The result is a pragmatic reframing of risk conversations—one grounded in real managerial decision-making rather than abstract definitions or theoretical precision.