AI Governance

Somewhere inside a government agency, a public institution, or a private company, an employee is almost certainly pasting information into an AI tool that nobody formally approved. The employee is probably not trying to circumvent policy. They are trying to get through their workday. A chatbot can summarize a report in seconds. A coding assistant can solve a technical problem faster than a colleague can respond to a message. An automated note-taking application can generate meeting minutes before participants have even left the call. The attraction is obvious. So is the speed with which these tools have spread through workplaces.

When European Commission President Ursula von der Leyen unveiled a new package of technology proposals this week, she did not frame it as an industrial policy announcement. She framed it as a matter of control.

A Swedish startup called Eggsplain spent the spring working with the country's privacy regulator on a question that has become surprisingly difficult to answer. When an AI supplier fine-tunes a model using personal data, who is actually responsible for that data?

Last week I argued that much of what is being marketed as agentic AI in GRC is not actually agentic. The market response was interesting because very few people challenged the core premise. Most practitioners already sense that something is off. They sit through the demonstrations and hear the language. They watch the AI summarize documents, answer questions, generate narratives, and produce recommendations. Then they leave wondering whether they just witnessed the future of GRC or a very polished presentation wrapped around capabilities that have existed in various forms for years.

More than 80% of the code merged into Anthropic's production codebase is now authored by Claude. The statistic appears almost casually in a lengthy report published this week by the Anthropic Institute. It arrives alongside benchmark results, productivity measurements, engineering data, and speculation about recursive self-improvement. Yet it is arguably the most important number in the document because it describes something that has already happened rather than something that might happen next.

One line in the Malta Financial Services Authority's latest AI guidance says more than the rest of the document put together. The regulator reminds firms that artificial intelligence does not change the objectives of financial regulation. The statement appears almost in passing, but it captures a problem regulators across Europe are beginning to see. AI is arriving inside financial institutions wrapped in promises of efficiency, automation and better decision-making. What it has not brought with it is any exemption from accountability.

The White House recently issued a sweeping executive order aimed at strengthening U.S. cybersecurity capabilities through advanced artificial intelligence while deepening cooperation between the federal government, critical infrastructure operators, and AI developers.