About a year ago, a risk analyst on one of my client teams told me she had just reviewed a 94-page SOC 2 report in twelve minutes. She used Claude. She did it at her kitchen table at 9 PM because she had two kids and the workday had long since ended.
Across large enterprises, boards are approving AI governance frameworks. The policy approval meeting has become a standard board agenda item: AI use case register, model risk policy, ethics principles, human oversight requirements. The vote passes. The governance record is clean.
The Netherlands Authority for the Financial Markets has warned that artificial intelligence is being adopted rapidly across the Dutch asset management sector, but many firms are still falling short on governance, policy, and internal controls.
Meta has paused its work with data vendor Mercor after a security breach that may have exposed sensitive elements of how leading AI models are trained. The decision, first reported by WIRED, is open-ended. For now, the work simply stops.
The White House has released a set of legislative recommendations outlining how Congress should approach artificial intelligence policy, offering a framework that spans child protection, economic infrastructure, intellectual property, and federal-state coordination. The March 2026 proposals stop short of introducing a single, overarching regulatory regime, instead setting out a series of targeted measures intended to guide AI development and oversight across sectors.
AI isn’t waiting for governance to catch up and that gap is quickly turning into one of the most serious risk challenges organizations face today. As companies push ahead with more advanced, increasingly autonomous AI systems, many are doing so without the controls needed to manage them effectively. What was once a manageable oversight issue is becoming something more structural. Agentic AI is beginning to operate beyond traditional human decision loops, and the longer governance lags behind, the harder it becomes to rein it back in.
In my most recent article on my site, I raised a concern that should not be easy to dismiss. The term “agentic AI” is being used far too loosely across the GRC market, often applied to capabilities that, while useful, fall well short of anything resembling true autonomy or orchestration.