The rules never effectively applied, as just a month after they were published in their final form, the SEC, under then-Chair Gary Gensler, stayed them amid a legal battle. Then after Trump started his second term, in March 2025, the commission voted to end its defense of the rules, further rendering them void. 

In its announcement Friday, the SEC said the rules exceeded the commission’s statutory authority. They would have required some entities to disclose details about climate-related risks, strategies and governance, and for a smaller number, would have obligated them to report material Scope 1 and Scope 2 GHG emissions. As proposed in 2022, the original rules also would have required disclosure of Scope 3 emissions, but that plank was removed from the final rule adopted in March 2024. The final rule also exempted many types of companies from having to report emissions altogether. 

In a statement, Atkins said, “SEC disclosure obligations should comply with the commission’s statutory authority, be guided by materiality as the North Star, avoid the practical effect of dictating corporate behavior and be imposed only when the expected benefits justify the likely costs and burdens.”

Indeed, cost estimates for the original rules were high. One analysis suggested annual costs would have exceeded $6 billion, or more than double registrants’ previous total SEC regulatory compliance spend. 

While companies were never really on the hook for SEC-mandated reporting, many for whom the SEC’s rules would have applied may also be covered by one or more sets of ESG-reporting rules, both at the state level in the US and extending throughout much of the rest of the world, including the EU.

The post SEC Moves to Formally Rescind Climate Reporting Rule appeared first on Corporate Compliance Insights.

New products & platforms

Auditoria.AI, an agentic AI developer for CFOs, introduced Governed Autonomy, an operating framework for finance AI allowing autonomous agents to execute work inside defined guardrails instead of requiring human approval.

Smarsh, a communication compliance provider, unveiled an integration with Anthropic’s AI tool Claude Compliance API, allowing customers to capture and manage Claude Enterprise interactions, conversations, prompts and activity directly within Smarsh Capture.

CPRS, a cost-recovery auditing platform, released a new accounts payable recovery audit powered by AI and machine learning that the company says will cut recovery timelines from months to weeks.

Sherlocq publicly launched as a financial services regulation software provider, promising to deliver AI-driven regulatory intelligence that is precise, traceable and usable at institutional scale.

SaaS security provider AppOmni launched an agentic tool named Marlin AI, designed for investigation and guided remediation.

Partnerships

Socure, a provider of identity and risk intelligence, and Prisma Data, a financial underwriter analyst, announced a partnership to bring cash flow analytics directly into Socure RiskOS, Socure’s fraud, compliance and risk-decisioning platform.

The post GRC News Roundup: Smarsh, Socure, CPRS & More appeared first on Corporate Compliance Insights.

Regtech platform Corlytics has appointed Lisa Miles-Heal as CEO, the Dublin-based company announced. Her appointment is expected to take effect in June. 

Miles-Heal has nearly two decades of executive experience and a history of growing technology-led businesses, the company said in a news release. Most recently, she managed compliance platform Silverfin’s integration into the Visma group following an acquisition. Corlytics founder John Byrne will remain on the company’s executive team in a product development role. 

In 2024, Corlytics announced it had received a majority equity investment from Verdane, a specialist growth firm.

“Growing local champion technology businesses from smaller markets like Belgium and New Zealand into international success stories is something I’ve done before, and I see the same potential here,” Miles-Heal said in the news release.

The post Regtech Firm Corlytics Names New CEO appeared first on Corporate Compliance Insights.

The legal risks associated with building stadiums and other megaprojects are structural rather than exceptional, writes Brian W. Boschee of Howard & Howard. In today’s stadium boom, legal risk rises just as quickly as steel. Ignoring that reality is often the most expensive risk of all.

The resurgence of stadium construction and other commercial megaprojects has reshaped American cities and reinvigorated public investment in sports and entertainment infrastructure. At the same time, these projects have fundamentally changed the legal risk profile of the construction industry. Disputes arising from stadiums and megaprojects are broader in scope, higher in stakes and increasingly resistant to early resolution compared to traditional commercial construction conflicts.

Recent legal decisions demonstrate that these risks are not theoretical. Courts across the country are addressing disputes involving schedule compression, public financing structures, aggressive risk allocation and insurance coverage gaps often with outcomes that surprise experienced industry participants.

Scale and complexity multiply legal exposure

Modern stadiums are among the most complex vertical construction projects undertaken today. Retractable roofs, long‑span steel systems, integrated broadcast infrastructure, accessibility requirements and mixed‑use components dramatically increase coordination demands among designers, specialty consultants and contractors. This increase in complexity can lead to increased design errors, engineering disputes and professional negligence claims.

Additionally, stadium and commercial megaprojects often exceed budgets due to design changes, inflation, supply-chain issues or other unforeseen site conditions. When costs exceed estimates, disputes typically arise over who is responsible for the cost overrun, and the answer is rarely ever just one party. Multi‑defendant litigation involving architects, engineers, construction managers, fabricators and specialty trades has become routine. Courts continue to permit substantial recovery where defects or coordination failures delay openings or require costly remediation even where construction has substantially progressed.

The legal lesson is that complexity multiplies exposure, and courts are increasingly willing to engage in nuanced allocation‑of‑fault analyses when stadium or megaprojects unravel. But even with the understanding that exposure is increased, these projects continue to move forward because of the enormous economic impact to the parties involved with the projects and the cities benefiting from the revenue from the projects.

Fixed deadlines and accelerated schedules fuel disputes

Unlike conventional commercial projects, stadium developments are frequently tied to immovable deadlines, such as the start of a sports season, broadcast commitments or similar considerations. Failure to meet those dates can expose owners to significant financial and reputational harm, as the deadlines are not typically flexible and municipalities and organizations are dependent on meeting specific dates.

In Ben‑Oni v. Wood, plaintiffs sought to halt construction of a publicly funded university stadium on constitutional and procedural grounds related to student‑fee approvals. Although the court denied a temporary restraining order and allowed construction to proceed, the litigation illustrates how publicly funded stadiums routinely attract lawsuits unrelated to construction performance but capable of disrupting schedules and increasing legal costs.

Fast‑track and design‑build delivery models further magnify this risk. Contractors are often directed to proceed on incomplete or evolving design documents, increasing exposure to acceleration, inefficiency and constructive delay claims. Courts reviewing these disputes focus less on whether delays occurred and more on whether contract language genuinely allocated that risk at the outset. 

However, given the complexity of the projects in question, it can be difficult to ascertain how to deal with acceleration costs and delay claims in the underlying contracts. Given the unpredictability of material costs, inflation and labor, assigning a liquidated damage number to delay claims in construction agreements for projects of this scope is almost impossible. At the same time, that creates a different type of pressure and uncertainty for insurers and sureties attempting to ascertain and assign risk to the project.

Public financing expands the litigation field

Public funding mechanisms, including bonds, tax revenues and public‑private partnerships, introduce a second layer of legal exposure absent from private projects. Disputes are no longer confined to owners and contractors; unsuccessful bidders, taxpayers and oversight entities increasingly enter the fray.

The magnitude of potential liability is illustrated by recent megaproject litigation outside the stadium context. In BML Properties, Ltd. v. China Construction America, Inc., a New York appellate court affirmed a $1.6 billion judgment after finding that misrepresentations regarding construction progress and completion capability caused the collapse of a publicly backed project. While not a sports venue, the decision underscores the extraordinary exposure that can arise when public or quasi‑public projects fail.

For stadium developers, the problem is obvious but without a realistic solution: Public oversight increases — not reduces — legal vulnerability when projects fall behind schedule or over budget. But at the same time, without public funding initiatives, many of these projects cannot get off the ground.

Compliance

How Unannounced Workplace Visits Are Forcing Companies to Rethink Immigration Compliance

by John Connolly

December 9, 2025

New DHS rules ending automatic EAD extensions mean recent training programs may no longer be accurate

Read moreDetails

This all leads to additional concerns related to outside attention. Stadium projects, and to a lesser extent commercial megaprojects, are highly visible public projects. With that comes intense media and public attention, which creates an added level of pressure on owners and contractors to, among other things, accelerate construction, approve design changes that carry more risk than would normally be acceptable and possibly work to conceal early cost problems and overruns. If these issues become public, as they often do, they increase the likelihood of litigation down the road, which is another legal risk parties have to consider when taking on projects of this magnitude.

Aggressive risk allocation invites contract litigation

Given the financial stakes, stadium contracts are rarely standard‑form agreements. Owners frequently attempt to rely on heavily negotiated provisions designed to shift extraordinary risk downstream, including broad indemnities, tight notice requirements and narrow change‑order rights. Conversely, contractors and suppliers have to ascertain how much of that risk they are willing to take on, balancing the immense financial circumstances that can come with projects of this size.

Courts, however, have shown little tolerance for attempts to escape contractual obligations when economic conditions deteriorate. In Skanska USA Civil Southeast, Inc. v. The Lane Construction Corp., the 11th Circuit affirmed an $80 million judgment against a joint‑venture partner that attempted to abandon a $2.3 billion public‑private megaproject after cost overruns mounted. The court held that unfavorable project economics did not excuse contractual performance or fiduciary obligations.

The decision reinforces a recurring theme in stadium litigation: Aggressive risk allocation may increase certainty at signing, but it often increases the chances of high‑stakes litigation when reality diverges from projections. Parties can only mitigate so much in the underlying contracts.

Insurance and surety coverage gaps

Stadiums and megaprojects also stress the insurance market because they involve extremely high values and multiple levels of exposure. Typically, insurers and sureties identify risks like workmanship defects, construction site accidents, fire and water damage during construction and operational liability from large public venues. Even in the early stages of projects like these, such risks can produce disputes among contractors, owners and insurers about coverage scope and exclusions.

If project participants can work out the scope and exclusions in the coverage insurance, they might assume that insurance will serve as a safety net. Recent appellate decisions demonstrate otherwise. Courts continue to hold that design and construction activities — even when alleged to be negligent — do not constitute accidental “occurrences” under standard commercial general liability policies.

That principle was reaffirmed in Hartford Fire Insurance Co. v. Turner/Devcon, where the 9th Circuit held that insurers owed no duty to defend or indemnify a construction joint venture against ADA accessibility claims arising from the San Francisco 49ers’ stadium construction. The court emphasized that intentional design and construction choices do not become “accidents” merely because they allegedly violate statutory requirements.

Surety exposure can be equally severe. In Arch Insurance Co. v. Centerplan Construction Co., a federal court enforced a broad general indemnity agreement and required contractors to reimburse more than $39 million following the surety’s takeover and completion of a delayed stadium project.

These decisions confirm that contractual indemnity obligations frequently outstrip available insurance protection on stadium projects, and the precedent would likely also apply to any mega-scale commercial endeavor.

With the boom in stadium and megaprojects, scale, complexity, compressed schedules, public oversight and aggressive risk allocation combine to create disputes that are larger, more technical and more expensive than traditional construction litigation.

For owners, contractors and designers, early legal involvement, disciplined contract drafting, realistic scheduling and proactive dispute‑avoidance strategies are essential.

The post Stadium Booms & Megaprojects: How Construction Scale Is Driving Legal Risk appeared first on Corporate Compliance Insights.

A recent executive order on college sports frames eligibility violations, improper NIL arrangements and transfer-related conduct as potential federal funding compliance issues — not just athletic department governance problems. Baker Donelson attorneys Kordell Caldwell, Benjamin West Janke and Lesli Harris explain what covered institutions and third-party market participants need to understand before an August deadline.

In April, President Donald Trump issued an executive order designed to promote a uniform national approach to core college-sports rules — especially athlete eligibility, transfers, revenue-sharing and pay-for-play activity — by leveraging federal grants and contracts and by pressing the NCAA to update or clarify its rules by August.

The order’s operative provisions apply to “higher education institutions” as defined in the Higher Education Act but only if an institution reported at least $20 million in intercollegiate athletics revenue in the preceding academic year (adjusted annually by the consumer price index). In practice, this threshold is aimed at larger athletics programs, although there is speculation that, to the extent they are upheld, smaller programs will likely adhere to the regulations as well.

For covered institutions, agency heads that provide grants or contracts must (as appropriate) evaluate violations of the applicable, lawful and operative governing-body rules in effect as of Aug. 1 concerning: (A) eligibility limits; (B) transfers; (C) revenue-sharing between institutions and student-athletes; and (D) permissible vs. improper financial activities. The order also directs the Office of Management and Budget in consultation with US General Services Administration (GSA) to issue guidance to reinforce suspension and debarment policy relating to such violations.

Urged rule updates by Aug. 1:

• Eligibility limits: Age-based limits and a five-year participation window (with limited exceptions such as military service, missionary service and other absences in the public interest), plus a restriction on professional athletes returning to college sports.
• Transfer rules: One transfer with immediate eligibility during the five-year period, plus one additional transfer with immediate eligibility after earning a four-year degree; transfer windows should support academic continuity and avoid disrupting athletic seasons or academic calendars.
• Medical care: Treatment for athletics-related injuries during enrollment and for a reasonable period thereafter.
• Revenue-sharing: Implementation in a manner that preserves or expands scholarships and opportunities in women’s and Olympic sports.
• Federal funds: A prohibition on using federal funds for NIL or revenue-sharing payments, or for coaching compensation, consistent with applicable federal law.
• Name, image and likeness (NIL) collectives: A prohibition on improper financial activities, including collectives or other entities facilitating third-party pay-for-play arrangements.
• Agents: A national student-athlete agent registry and reasonable protections against excessive agent commissions.

Data collection and reporting:

• The GSA is tasked with proposing regular information collection from institutions to evaluate compliance with the covered rule areas.
• The Department of Education is directed to consider action (including rulemaking) to require reporting on (A) roster spots by varsity teams and (B) total spending on athletically related student aid and other payments, reported separately for men’s and women’s teams overall.
• The FTC chair is directed to take appropriate action to enforce the FTC Act and the Sports Agent Responsibility and Trust Act (SPARTA) with respect to student-athlete agents and related entities.

Finally, the order directs the attorney general to take appropriate measures to pursue actions to invalidate state laws that conflict with NCAA rules and that (A) discriminate against or unduly burden interstate commerce, (B) impair contractual relationships or (C) are otherwise invalid under federal law.

NIL-specific provisions

The order’s NIL aspects are among its most operationally significant for institutions and third-party market participants. It defines a “fraudulent NIL scheme” as paying above the actual fair-market value for goods or services (including NIL services) in connection with a student-athlete’s participation in intercollegiate athletics, including payments routed through collectives or similar entities. At the same time, it recognizes two key safe harbors: (1) revenue-sharing that is consistent with governing-body rules; and (2) fair-market value compensation paid by a third party not affiliated with the institution’s athletic department for a valid business purpose, such as promoting goods or services to the general public for profit, that is not tied to participation in a particular institution’s athletics program and is comparable to rates paid to non-student-athletes with similarly valued NIL rights.

The order also defines “improper financial activities” for covered institutions and their officers, agents, affiliates and representatives to include:

• Intentionally devising or participating in a fraudulent NIL scheme.
• Knowingly accepting contributions (financial or otherwise) from persons who intentionally devise or participate in a fraudulent NIL scheme.
• Using federal funds for NIL or revenue-sharing payments, or for certain payments or benefits to coaches, recruiters or other team-management personnel.
• Tortiously interfering with a contract between a student-athlete and another covered institution, including a scholarship agreement.

Featured

‘If It Quacks Like a Duck’: Prediction Markets, Sports Betting & Insider Trading

by Jennifer L. Gaskin

January 14, 2026

An incredibly well-timed trade on a predictions market regarding the US capture of Venezuela’s president has catalyzed an ongoing conversation about the risks to corporate America of prediction markets, online gambling and prop betting.

Read moreDetails

What this could mean for colleges & universities

Scrutiny over federal funding eligibility increases

The order is designed to link compliance with certain governing-body rules to the “present responsibility” analysis used in federal procurement and grant administration. Covered institutions should anticipate more questions — internally and from sponsors and grant administrators — about how athletics compliance is monitored, documented and escalated.

NIL and collective oversight will likely intensify

Athletic departments may need stronger controls around donor and booster involvement, collective relationships and the internal review of NIL deals for fair-market value and business purpose. The “knowingly accepting contributions” concept may drive additional diligence on major donors and third-party funding flows.

Transfer/eligibility compliance may become a procurement risk issue

If governing-body rules change (and survive legal challenges), athletics eligibility and transfer compliance could become a cross-functional issue involving athletics, compliance, financial aid, procurement, grants management and university leadership.

Women’s and Olympic sports considerations

The order frames revenue-sharing implementation and reporting in a way that seeks to preserve or expand opportunities in women’s and Olympic sports. Institutions evaluating roster management, scholarship allocation or program changes should consider the interplay with existing federal requirements and evolving reporting expectations.

What this could mean for NIL collectives, brands, sponsors, platforms & agents

Emphasis on fair-market value and business purpose

Third-party NIL deals that are demonstrably tied to a legitimate marketing or endorsement purpose and priced at fair-market value consistent with comparable non-athlete endorsers are expressly recognized by the order. Barring forecast litigation to determine whether “fair market value” is a legally sound metric by which to judge business activity, businesses should, in the interim, strengthen valuation methodologies and maintain documentation of deliverables, campaign metrics and payment rationale.

Independence from athletics departments is a key theme

The safe harbor is framed around third parties not affiliated with an athletic department and payments not tied to participation at a particular institution. Businesses should review governance, communications and contracting practices to reduce the appearance of institutional control or recruiting inducement.

Agent and athlete-representation compliance

The order anticipates a national agent registry and directs FTC enforcement activity under the SPARTA and the FTC Act. Agents and platforms should review disclosure practices, contract terms, commission structures and state law compliance to prepare for increased scrutiny.

Contract interference and transfer-era conduct

The order’s “tortious interference” concept may increase risk around inducements to transfer schools or communications that could be construed as tampering. Businesses working with athletes should adopt clear protocols to avoid conduct that could be alleged to intentionally interfere with existing scholarship or NIL contracts.

Key open questions and litigation risk

The order expressly states it must be implemented consistent with applicable law and does not create privately enforceable rights. Its practical impact will therefore depend on (i) how the NCAA and the College Sports Commission update their rules by Aug. 1; (ii) how federal agencies operationalize “present responsibility” evaluations; and (iii) whether courts uphold or enjoin particular provisions. Commentators have noted that many provisions could be challenged as inconsistent with existing case law or as exceeding the practical reach of executive action absent congressional legislation.

The post Executive Order Targets College Athletics Compliance & Federal Funding appeared first on Corporate Compliance Insights.

Most compliance programs are made to face outward, to uncover a fraudster or shady vendor, Deb Muller of HR Acuity writes. However, the everyday tensions that eventually result in complaints are beyond those compliance programs almost by design, creating a significant blind spot in enterprise risk management.

Every CCOs’ dashboard can explain exactly where an enterprise stands on policy violations, third-party risk and regulatory filings.  

What most CCO can’t derive from a dashboard is what’s happening between employees and managers every day. It’s the most significant blind spot in enterprise risk management right now. 

After years of sitting across the table from distraught employees on the worst day of their careers, I can tell you where the next compliance failure usually starts: an accommodation request that got quietly set aside or a manager who handled an FMLA conversation badly and never heard about it again.  

Most companies don’t see these issues until they surface months later as a formal complaint or filing, long after the damage has already been done. Disability accommodation filings surged by 42% last year, and federal discrimination lawsuits topped 20,000 for the first time since 2009. Each of these filings started somewhere: a moment that was never logged, never dealt with and completely invisible to the people managing risk. 

What compliance leaders overlook

Employee relations already generate the leading indicators compliance leaders are looking for. 

The first signal to watch is retaliation allegation rates. This tells you whether employees feel safe raising issues internally before they take them somewhere else. When that number rises, it’s a sign that your internal culture is eroding faster than your case log reflects. 

What happens after a case closes matters just as much as the case itself. Post-case voluntary attrition tracks whether your internal process actually resolved something or simply moved it off the books. An employee who leaves quietly three months after a complaint was closed wasn’t satisfied with the process.  

From there, watch labor and regulatory filings. This is where an internal grievance goes on record and out of your control. By the time a charge hits, the organization has already lost control of the narrative. 

Finally, legal settlement costs translate all of the above into the only language that moves every room — dollars. This number has a way of ending debates about whether any of this is worth the effort. 

Think of these four metrics as a balance sheet of organizational health and legal exposure, one that makes visible what the standard compliance dashboard wasn’t built to catch. 

Take a logistics company with 24 documented complaints against the same regional manager over 18 months. Each case was logged and marked as resolved. But the trend was invisible because no one was looking for one. The next month, an EEOC charge hits. Those 24 complaints were the sound of the company’s internal trust crumbling. Management just didn’t hear it until it became a legal charge. 

HR Compliance

How a 2022 Law Is Complicating Sexual Harassment Claims

by Michael Kun

May 4, 2026

The implications could extend to wage-hour class or collective actions

Read moreDetails

You can’t fix the bridge until everyone agrees about the gap

Most compliance programs were built to look outward, to catch the fraudster or the shady vendor. The daily friction that eventually surfaces as a formal complaint sits outside that frame almost by design. 

The typical organizational structure reinforces this. Human resources owns employee relations, EHS owns safety and compliance owns the ethics hotline. Each function handles its piece, and nobody owns the view across all of them. 

The rub comes in here: An employee’s experience isn’t set up in terms of departments. When a manager treats them poorly, they don’t care if it’s an HR issue, a safety issue or a legal issue. They just know they’re being mistreated, and when we slice those problems into different buckets, we lose the thread. 

A single manager relationship can contain a safety concern, a failed accommodation and a pattern of exclusion that no single function ever sees in full. 

This is a CCO-level decision. Get everyone in the same room with the same definitions. Align employee relations, compliance, legal and finance on a shared framework: what gets measured, how it gets categorized and why it connects to enterprise risk. If legal counts it one way and HR counts it another, no one ever sees the full number. Ninety days of standardized documentation, shared across business units and categorized consistently, moves you from reacting to the latest filing to seeing where the sparks are starting. 

The organizations that have done this work don’t wait for filings. They see the retaliation risk, the anonymous reporting spike, the accommodation backlog, all before any of it becomes a formal complaint. That’s what happens when you stop organizing risk by function and start seeing it the way employees actually experience it. 

The post Your Compliance Dashboard Can’t Tell You Everything About Employee Relations appeared first on Corporate Compliance Insights.

Reliable AI tools perform consistently to expectations. But that same consistency can be a danger if human consequences aren’t considered, writes Andrew Bloom, an AI ethicist and adviser. Safety has to be the foundation of considerations when enterprise leaders are contemplating AI systems. 

As AI systems become more deeply embedded in institutions, boardrooms and daily operations, the language we use to evaluate them matters enormously. Two terms appear constantly in governance discussions, vendor claims and regulatory guidance — reliable and safe. The failure to distinguish between these two characteristics is producing real harm.

Reliability constitutes whether a system performs consistently. Safety is whether that performance stays within ethical and operational limits. An AI system can be highly reliable and profoundly unsafe at the same time.

For enterprise leaders, understanding this distinction is the difference between choosing a tool that performs well in a test environment and a system that can be trusted when real people are affected by its decisions.

Reliability vs. safety

A reliable system performs predictably. It delivers accurate results, maintains stability and operates as expected across a range of conditions. Reliability is measured by accuracy rates, uptime, output consistency and reproducibility. When a system is reliable, it earns confidence because it appears dependable.

But reliability answers only one question: Does the system work? It does not answer the more consequential question: What happens when it works in ways that produce harm?

This is not a hypothetical concern. Reliable systems can and do operate precisely as designed while generating outcomes that are biased, discriminatory or dangerous. Their reliability actually makes the problem worse. A system that consistently produces harmful outputs could be performing exactly as intended.

When we praise reliability without asking what it is reliably doing, we risk confusing consistency with responsibility.

A safe system focuses not on whether a system performs but on whether its performance stays within acceptable limits. A safe system prevents harmful outcomes, protects privacy, reduces bias and keeps actions aligned with ethical and legal standards. It can limit or halt its own operation when risk becomes too great.

Safety is about defining what outputs should never occur, regardless of how efficiently or consistently the system produces them.

Leadership and Career

Why the Human Body Still Matters in an AI-Driven Workplace

by Chris Tamdjidi

May 25, 2026

Build short body-and-mood checks into risk meetings, and make it safe to say “something doesn’t feel right, but I can’t tell you why”

Read moreDetails

The reliability and safety gap is causing harm

The gap between reliability and safety has a documented history that is still being written.

The clearest recent evidence comes from hiring. In 2024, a class-action lawsuit was filed against Workday, alleging that its applicant screening platform engaged in a pattern of discrimination based on race, age and disability. The plaintiff, Derek Mobley, a Black man over 40 with a disability, reported being rejected by hundreds of employers using Workday’s system, often receiving automated rejection notices in the middle of the night with no human having ever reviewed his applications. In May 2025, a federal court certified the case as a nationwide collective action, refusing to grant vendors a special exemption from anti-discrimination law simply because the deciding factor was an algorithm rather than a person. The court’s reasoning was pointed: Removing the human from the loop does not remove the legal or ethical obligation. The system was reliable, screening candidates consistently and efficiently, but it could not distinguish between screening and discrimination.

A parallel case filed in March 2025 sharpens the point. The ACLU of Colorado filed a complaint against Intuit and its vendor HireVue after an Indigenous and deaf applicant was rejected in part because the video-analysis platform flagged deficiencies in her “active listening” skills, according to the lawsuit. The system had evaluated a deaf person’s attentiveness through audio-visual cues it was never designed to adapt. Its reliable output was functionally absurd and potentially illegal. The lesson is the same one the field keeps learning and keeps forgetting: what the system measures and what the system should measure are not always the same thing. When they diverge, reliability ensures the harm occurs at scale.

What good implementation looks like

What does it actually look like to build systems where safety governs reliability?

The answer requires moving ethics from aspiration to infrastructure. The NIST risk management framework identifies seven characteristics of trustworthy systems, and the ordering is deliberate. Valid and reliable come first followed by safe, secure, accountable, explainable, privacy enhanced and fair with harmful bias managed. That framework treats reliability as a necessary but insufficient condition.

In practice, building systems that are both safe and reliable requires at least four structural commitments that go beyond technical performance metrics and consider human consequences.

Problem framing as a safety question is the first consideration that must be addressed. Both the Workday and HireVue purported failures likely originated not in the algorithm itself but in how the problem was framed before development began. Workday appears to have chosen historical hiring patterns as the training signal. HireVue chose audio-visual cues as proxies for professional competence from the complaint’s description. In each case, the framing seems to have embedded inequity before a single line of code was written. Safe system design requires asking before training begins. Questions must be asked; What are we actually trying  to measure? What does the training data reflect? And what populations will be affected if the data is skewed?

The second consideration is outcome monitoring across demographic groups. A system that performs well on aggregate metrics can conceal underperformance for specific populations. Responsible implementation requires disaggregated testing, meaning breaking performance data down by race, gender, income, geography and other relevant factors before deployment and continuously afterward. Bias in tools must be surfaced.

The third is human oversight at consequential decision points. Workday’s recruiting tool and HireVue’s interview platform seem to not have required human review before generating an outcome. Consequential decisions, such as who advances in a hiring process, require meaningful human judgment, not just human awareness. Oversight must not be ratification of a result.

The fourth is the willingness to stop. Amazon disbanded its recruiting tool years ago rather than deploy a system it could not trust. That decision cost resources and time. It also prevented the systematic discrimination of an unknown number of job applicants. Organizational culture must support the ability to halt deployment when safety conditions are not met even if business pressure pushes in the opposite direction.

Safety as foundation

For these systems to be trusted at scale, performance must be built on a prior foundation of safety. 

This begins with foundational design questions that too few organizations ask at the outset: What actions are permissible? What outcomes are unacceptable, regardless of performance? Where must human oversight be required? Under what conditions must the system stop? When these constraints are embedded early, they can be operationalized through guardrails that prevent the system from bypassing them in real time. Only then does reliability become meaningful because the system is consistently performing within boundaries that have already been defined.

As these systems take on more consequential roles, the bar for trust will be earned through the assurance that systems are constrained, accountable and aligned with human well-being.

The hiring tools now at the center of federal litigation seemed reliable. They don’t appear safe. In each case, the institutions that signed the contracts may discover they cannot trust these tools.

Leaders considering these tools must ask not just whether the system can produce an answer but whether the organization has built the moral architecture to determine which answers should never be produced at all.

The post AI: Reliable or Reliably Unsafe? appeared first on Corporate Compliance Insights.

When board oversight strays, so do companies, and if board oversight doesn’t exist, well, that can lead to an $8 billion fraud. Protiviti’s Jim DeLoach continues his series on governance failures with three more examples that provide lessons in sound business decision-making.

Last month, I identified lessons from two corporate governance failures resulting in the demise of two companies — Blockbuster and Washington Mutual — and one involving an audacious fraud in another company, Theranos. Lessons from governance failures highlight the importance of ethical behavior, risk management, accountability and board oversight. These failures often leave in their wake significant losses, reputational damage, brand erosion and legal penalties. They also destroy enterprise value and investor portfolios that had been built over many years.

Here, I address three more failures, including one in which there was no governance at all.

Overcooked books

No discussion of governance failures is complete without a mention of Enron. Once the darling of Wall Street with a high-profile CEO, a COO who had the “magic touch” and a CFO who received accolades from Fortune and CFO Magazine, Enron is a classic example of “The higher they get, the harder they fall.” The 25-year anniversary of Enron’s collapse, one of the most infamous in history, is approaching this fall. The sad story is one of financial fraud perpetrated through an opaque corporate and reporting structure that stretched the bounds of mark-to-market accounting to record projected profits as if they were actual profits earned, thereby inflating earnings reports.

A waiver of the Enron conflicts-of-interest policy by the board of directors enabled the CFO to engage in massive self-dealing using special purpose entities he controlled that were designed to move assets and debts off Enron’s balance sheet. This deception made the company appear more financially stable and less indebted than it actually was. He engineered complex financial instruments that few understood, often involving intricate investment partnerships and transactions that served no other purpose than to disguise the company’s debts and faltering lines of business. He personally managed two hedge funds to which Enron could sell failing assets to inflate revenue and profits while also getting them off the company’s books. And, of course, he enriched himself with millions in “management fees.”

The company’s public disclosures were intentionally designed to be so complex that few investors and analysts could decipher the true nature of its financial dealings and health. All these factors led to a massive lack of transparency that invited skepticism and scrutiny and led to a loss of credibility and trust.

Lesson 

What was the board thinking? Its waiver of policy enabled a serious conflict of interest that impaired the company’s control structure by allowing the CFO to stand on both sides of significant transactions. A fundamental tenet of internal control is the presumption that transactions are undertaken at arm’s length. Despite directors’ claims during the post-collapse blame game, the board knew enough about what was going on. They not only approved many of the deals, but they were also aware of and condoned the manipulation. For example, the CFO had a spreadsheet that tracked the impact of the structured finance deals he engineered on Enron’s credit rating to show how they allowed the company to be rated BBB+ when it was really a BB- company. When it was presented to the board, a director on the finance committee called him “a f—— genius.”

One need only examine the construction of the Sarbanes-Oxley legislation of 2002 to recognize that the story of Enron has many lessons to it. The SOX Act reads as if someone wrote a list of myriad corporate abuses on a whiteboard and patterned the legislation to address each abuse. The lesson emphasized above is that a board undertaking actions that enable unethical and misleading practices contributes to a flawed corporate culture that could ultimately take a company down. A flawed culture starts with the tone at the top.

Governance

Lessons Learned From 3 Corporate Governance Failures

by Jim DeLoach

April 27, 2026

Innovation, risk management & honesty should never hit these lows

Read moreDetails

A duty of loyalty failure

If I were pressed to name the best ice cream I have ever tasted, Blue Bell would be high on my list. With distribution centers in Texas, Oklahoma and Alabama, Blue Bell Creameries sells its offerings in over 20 states across the Southern, Western and Midwestern US. In 2015, the FDA and several state health agencies found evidence of the listeria bacteria in its products, which had resulted in the deaths of three people. As a result, Blue Bell had to recall all its ice cream products and shut down all its production operations. Needless to say, the impact on the company’s operations was devastating.

The company’s limited partners brought forth a complaint that the board breached its common law fiduciary duties. In ruling for the plaintiff, the court noted: “Directors have a duty ‘to exercise oversight’ and to monitor the corporation’s operational viability, legal compliance, and financial performance. A board’s ‘utter failure to attempt to assure a reasonable information and reporting system exists’ is an act of bad faith in breach of the duty of loyalty.”

This historic decision demonstrated that the high bar of the formidable Caremark standard could be scaled by the plaintiff bar in certain circumstances. In this decision, the court was compelled by the facts of the case — the simplicity of the company’s business model, the obvious enterprise risk of food safety, the lack of board focus on overseeing food safety issues and the absence of protocols by which the board expected to be advised of food safety reports and developments. According to the court, the facts created “a reasonable inference that the directors consciously failed ‘to attempt to ensure a reasonable information and reporting system exist(ed).’”

Lesson 

Although it applied to a limited partnership, the court’s ruling has important ramifications for public boards and executive management. In understanding who is responsible for the key risks, the broad strokes of the risk responses in place and the nature of any issues arising from them, the board should effectively monitor mission-critical matters and have significant matters escalated to its attention in a timely manner, especially those related to compliance. In the Blue Bell case, had the board members put in place an information and monitoring system, that action might have substantiated their defense of, “We weren’t told anything until it was too late.” The point is clear: The judiciary will not respect a hands-off approach like when Blue Bell’s directors apparently left the matter to management after finally recognizing the full magnitude of the problem.

Duped by a siren song

In Greek mythology, Sirens were dangerous creatures that lured sailors to shipwreck with their music and voices. The siren song of FTX, a major cryptocurrency exchange, led to collapse in 2022, exposed widespread fraud, misrepresentations and mismanagement. At the center of the story is FTX’s founder and controlling shareholder, Sam Bankman-Fried, whose star power contributed to the deception. 

The story of FTX is not one of a startup that began on sound footing and then steered in the wrong direction. It was a scam from the very beginning. When customers opened accounts on the FTX exchange, the funds were directed into bank accounts controlled by a sister company, Alameda Research, also owned and controlled by FTX’s founder. Alameda Research traded in cryptocurrency and “borrowed” as much capital from FTX as it needed to trade, operate and cover its risky bets. When customers tried to withdraw their funds, FTX could not cover the withdrawals, leading to a liquidity crisis because a significant portion of the firm’s assets were either tied up in illiquid investments or had been lost in the sister company’s recklessly risky trading. As a result, a run on the bank occurred and, ultimately, FTX declared bankruptcy. 

The trading bets generated losses, and the recordkeeping was sloppy, leading to a lack of transparency and a loss of trust. In essence, more than $8 billion in customer deposits were embezzled and used for other purposes, including personal luxury items for Bankman-Fried, elaborate advertising campaigns and political donations — an egregious violation of trust and fiduciary responsibility that prioritized risky ventures over the safety of customer assets.

Several factors enabled the fraud. The story begins with Bankman-Fried. He pitched a message of ethics and morality. He spun a narrative that fooled everybody. But it may also be true that everyone he fooled with his lies simply wanted to believe — and the list of believers is long. They include:

• The hedge funds burned by the bankruptcy. Investing in FTX was likely seen as a market-neutral-exposure play on crypto markets emphasizing a fee income model and no trading or balance sheet risk. That is what Bankman-Fried offered them. At the time these firms invested, FTX was viewed in the marketplace as a rapidly growing and profitable cryptocurrency exchange, with a high trading volume and a unicorn valuation. Thus, it appeared to be attractive as a high-potential investment opportunity.
• The politicians who received donations and appearance fees. Bankman-Fried used $100 million of the stolen funds, federal prosecutors said, to make political campaign contributions to both major US political parties so he could lobby Congress and regulatory agencies to support legislation and regulation to facilitate FTX’s operating model and growth. FTX also paid significant sums to a former US president and a former British prime minister to appear at a conference. These investments, along with various celebrity endorsements, were part of a scheme to enhance FTX’s illusory public image and appearance of legitimacy.
• The regulators struggling to keep up with the crypto market. Regulators were several steps behind FTX and its founder for a number of reasons. FTX operated in a regulatory vacuum, as the crypto industry was relatively new and regulations were still being developed. Also, because FTX was headquartered in the Bahamas, it was challenging for US regulators to exert control over the company. In addition, the founder’s public image and advocacy for regulation created a narrative that may have led regulators to look past the red flags.
• The media. Forbes named the founder the richest person on the planet under 30. He told journalists he would never lie. His aggressive marketing campaign included Super Bowl ads, celebrity endorsements and naming rights to the arena where the NBA’s Miami Heat play. FTX’s marketing campaigns promised that people who put their money in its accounts would earn higher yields than the average bank. Ever heard that one before?
• And, of course, the investors. Those who boosted crypto claimed they were in the vanguard of a revolution that would democratize finance and lead to generational wealth for all those who chose to believe. Rapidly rising prices silenced the skeptics. Investors, particularly wealthy investors, wanted to board the train of higher returns. The founder was the boy genius to whom they gravitated.

Lesson

The new FTX CEO tasked with leading the crypto exchange through bankruptcy stated that never in his career had he seen “such a complete failure of corporate controls and such a complete absence of trustworthy financial information.” That is quite an indictment by the man who also oversaw the Enron bankruptcy. And where was the board? Well, there wasn’t one, unless you consider a board consisting of the founder, an unnamed lawyer from Antigua and Barbuda and a former FTX executive to be an effective governing body. It didn’t even hold meetings or maintain records.

More importantly, there was a lack of independent governance between FTX and its sister crypto trading company. As discussed above, the FTX scandal also underscored the need for regulation in the cryptocurrency industry. The accounting firm that audited FTX’s financial statements apparently didn’t do a very good job, and it agreed to pay almost $2 million to the SEC to resolve actions alleging misconduct in its audits of FTX and auditor independence violations.

The lack of governance is beyond stunning. But just as remarkable is the lack of due diligence. Had the founder been asked if FTX had a chief risk officer, the answer would have been no. Had he been asked if the firm had a chief financial officer, the answer would also have been no. Bankman-Fried often boasted that FTX’s controls were among the strongest in the industry, with strict adherence to investor protection principles. Had someone asked him to provide some examples of this alleged control structure, his “answer” might have been enlightening. Furthermore, an inquiry regarding the composition of the board of directors would have disclosed that a functioning board acting as a check on the founder’s actions wasn’t in place.

One can only conclude that the power of the siren song created by Bankman-Fried and FTX along with the irrational exuberance over crypto kept very smart people from asking the questions that would have sounded alarm bells. It would have saved a lot of people a lot of money and trouble.

As a subscript, Forbes introduced a “Hall of Shame” list in 2023, highlighting 10 individuals who had previously been featured on its prestigious “30 Under 30” list but whose actions or reputations made the publication wish it could take back its prior recognition. Needless to say, the FTX founder made that list, too.

Lessons learned are not just about avoiding mistakes. When embraced by leaders and directors, the lessons can lead to stronger, more resilient and more effective organizations that are better equipped to navigate the complexities of the business environment. They also highlight the need for healthy skepticism.

The post Enron, Blue Bell & FTX: Revisiting Corporate Governance Failures appeared first on Corporate Compliance Insights.

Putting controls in place isn’t enough if you want people to actually do good behavior. Tegan Gebert, Chris Audet and Doug Eckstein of Gartner argue that it’s up to compliance leaders to be coaches for the business rather than just system engineers.

Despite strong motivation among business leaders to manage risk and compliance, Gartner research suggests that only one-third feels confident in their ability to do so. Traditional approaches, such as policy distribution and annual training, are falling short of building the muscle memory organizations need to keep pace with today’s fast-changing regulatory landscape.

The traditional approach to risk management is being challenged by the increasing speed, complexity and cross-functional nature of modern risks. This shifting environment calls for compliance teams to do more than oversee controls; they must empower business, risk and control owners to work together more proactively and effectively.

It’s important to build “risk reflex,” a culture where risk ownership and response are instinctive across the organization. For compliance, this means making it harder for the business to bypass the right behaviors by embedding controls more directly into business platforms or workflows, encouraging the business to think critically by asking thought-provoking questions or delivering more specific insights and reinforcing the “right” business behaviors through proper recognition.

The future of compliance isn’t about adding more oversight. It’s about engineering systems that encourage the right behaviors. Compliance leaders need to act less like enforcers and more like high-performance coaches, guiding their teams to make compliance instinctive. To achieve this.  Compliance leaders should focus on three core approaches.

1. Integrate compliance into daily operations

Engineer “hard to avoid” compliance. This means not only embedding controls directly into platforms or everyday workflows but also ensuring those workflows are so clearly useful, with such great visibility, that wanting to circumvent them would be unlikely. When compliance tasks are seamlessly integrated into routine business processes, it becomes easier and more natural for teams to do the right thing.

For example, by building due diligence requirements into a contract renewal process, organizations can ensure that compliance checks cannot be skipped. Similarly, embedding approval checkpoints within project management tools helps guarantee that regulatory steps are addressed at the right time, making noncompliance harder than compliance itself. The goal is to design systems where the right actions are visible, expected and reinforced by how the work gets done. Ensuring compliance is hard to avoid is not just about technology but about creating workflows and social norms that make the right behaviors prominent and difficult to bypass.

Compliance

Starting a New Job as a Chief Compliance & Ethics Officer? Do This in Your First 100 Days.

by Chris Audet

August 23, 2023

Read moreDetails

2. Foster risk ownership through meaningful dialogue

This strategy centers on provoking critical thinking. Rather than simply asking leaders if they are compliant, organizations should prompt them to consider whether they truly understand the risks and exposures they face. This shift encourages business leaders to take ownership of risk instead of viewing it as the sole responsibility of legal or compliance teams whom they report to.

By redesigning risk assessments and everyday conversations, compliance leaders can spark deeper engagement and more thoughtful responses. Ask questions to encourage business leaders to think about real-world effects and scenarios rather than just policy adherence. For example, instead of asking, “Have you done this compliance activity?” ask “What could go wrong for the business here?” This helps embed risk awareness and accountability across the organization. The quality of risk dialogue, whereby colleagues challenge assumptions, share insights and prompt reflection, is central to building reflexive risk ownership.

3. Celebrate and reward proactive behaviors

Finally, reinforcing the right behaviors is essential for building a culture of compliance. The focus must not only be on identifying the negative but acknowledging the positive.

Compliance leaders tend to report on violations; the emphasis is on what not to do. The counterbalance is giving greater recognition to people who do what they should be doing, reinforcing the actions or behaviors you want to see more often. Public recognition of teams and individuals who surface issues early or demonstrate proactive risk management can go a long way in shaping organizational culture. Sharing success stories and lessons learned helps normalize speaking up and continuous improvement, fostering an environment where compliance is valued and celebrated. Recognizing effort and openness, even when things go wrong, can spark a broader culture of learning and resilience.

The pace and complexity of today’s regulatory environment require a mindset shift from policing to coaching. Engineering compliance into daily operations, encouraging critical thinking and recognizing positive behaviors can close the confidence gap, empowering risk owners to better manage risk and compliance. Organizations who achieve this can make the right behaviors more automatic and more responsive to change. This creates lasting value. 

The journey to reflexive risk ownership starts now, and every business leader has an opportunity to shape a more resilient and responsive compliance culture.

The post How Compliance Officers Can Be Better Coaches appeared first on Corporate Compliance Insights.

Knowing how your business uses AI is pretty important in any situation, but that knowledge has taken on major compliance and risk relevance as the EU AI Act is rolled out, explains Sam Peters of ISMS.online. Companies need to know how they’ll be categorized under the act, which has important compliance dates starting later this year. The distinctions aren’t as clear as you may think.

As organizations prepare for the EU AI Act, most of the attention has gone to risk classifications, documentation requirements and looming enforcement deadlines. All of which are important. But there’s a more basic risk that isn’t getting nearly enough attention.

It’s not whether you understand the rules. It’s whether you understand what your organization’s role is under them.

The EU AI Act does not apply to organizations in a uniform way. The regulation applies extraterritorially, meaning that it applies to organizations that operate outside the physical borders of the EU. Section 2 of the act notes that any organization placing AI systems on the EU market or whose AI outputs are used in the EU may be in scope, regardless of where it physically resides.

What matters is where your organization sits in the AI value chain, not where your organization has offices. Get that wrong, and everything that follows, from risk assessments to governance controls, starts on shaky ground.

The regulation distinguishes among several roles, including providers, deployers, importers and distributors. Each carries a different set of obligations.

Providers face the heaviest lift. They are responsible for ensuring that AI systems meet strict requirements before entering the EU market, including conformity assessments, documentation and ongoing monitoring. Deployers, by contrast, use AI systems developed by others. Their obligations are narrower, centered on oversight, monitoring and appropriate use.

That sounds clean and easy to distinguish. In practice, the line between these roles is anything but clean.

How organizations could get it wrong

A common assumption is that if you are not building AI models from scratch, you are a deployer. That assumption can fall apart quickly. Under the act, a deployer can become a provider if it makes substantial modifications to an AI system or markets it under its own name. One should not look at that scenario as remote or an outlier. In fact, it generally reflects how modern software is built.

Take a typical SaaS company. It might integrate a third-party foundation model, fine-tune it for a specific use case and embed it into a broader product offering. That product is then sold into multiple markets, including the EU. What is that company, then? A deployer? A provider? Both? The answer is not always obvious.

Misclassification is only part of the problem. More often, organizations are not just one thing. A single company might develop parts of an AI system, integrate third-party components, deploy those systems internally and distribute them externally through partners. Each of those activities can trigger a different role under the regulation. The result is overlapping obligations that do not always line up neatly. Again, this is becoming standard operating reality rather than a rare exception.

For compliance teams, that creates a level of complexity most existing models were never designed to handle. Ownership gets blurry. Accountability gets split. And it becomes easier than it should be for critical obligations to slip through unnoticed.

Compliance

The EU AI Act’s ‘Wait and See’ Window Is Closing

by Naomi Grossman

April 6, 2026

AI literacy has survived attempts to water it down and remains a direct organizational obligation — not a policy aspiration

Read moreDetails

Why this creates real compliance risk

For organizations operating across borders, misunderstanding your role is a technical problem, yes, but it’s also a governance problem. If you assume you are a deployer when you meet the definition of a provider, the gaps show up quickly. Conformity assessments may not happen or documentation may be incomplete. Requirements around transparency, traceability and oversight could be missed altogether. And when regulators come knocking, demonstrating compliance becomes difficult.

The EU AI Act is clear on one point: It is not enough to say you are compliant. You have to be able to show it. This points to a broader issue. Many organizations are still treating AI as just another layer of IT, which is a mindset that doesn’t hold up.

AI systems behave differently. They evolve, depend on complex supply chains and can directly affect individual outcomes. That combination makes informal or loosely defined governance models hard to sustain.

Without clear structures to identify where AI is being used, assign ownership, understand how systems are built and modified and track how they are deployed across markets, organizations are left guessing. We all know that guessing is not a strong compliance strategy.

For compliance leaders, the priority is not to memorize every detail of the regulation. But they need to know enough to get clarity on where the organization actually sits within it.

That means asking some basic questions. Where is AI being used across the business, including in products, services and internal operations? Which of those systems have an impact on operations in the EU? How are those systems built, particularly when third-party components are involved? Are systems being modified, fine-tuned or rebranded in ways that change their classification? And who exactly owns each system from a governance standpoint?

The answers tend to be more complicated than expected, though that is not necessarily surprising given the complexity of the regulation itself. But if this complexity is not surfaced, compliance decisions are being made on incomplete information.

Misunderstanding your organization’s role under the EU AI Act is not a small mistake. It is a foundational one, that can cause a butterfly effect that ripples outward into larger compliance failures. Organizations that take the time now to get that foundation right will be in a much stronger position, not just for this regulation, but for what comes next.

The post The Most Overlooked Risk in the EU AI Act: Misunderstanding Your Role appeared first on Corporate Compliance Insights.