1. Executive Summary
As regulated organizations across North America and Europe move from experimental artificial intelligence (AI) pilots to scaled, production-grade deployments, the architecture of corporate risk management is shifting fundamentally. The integration of generative AI and the rapid emergence of agentic AI (autonomous systems capable of executing multi-step workflows across enterprise environments) have fractured traditional, point-in-time governance models. Consequently, the roles of the centralized Risk Manager and the executive Risk Owner are evolving from compliance-driven gatekeepers into continuous, operational orchestrators of delegated algorithmic authority.
The analysis of current regulatory frameworks, organizational maturity metrics, and market data reveals several core insights defining this evolution. First, accountability has proven to be entirely non-delegable. Despite the heavy reliance on third-party foundation models and vendor-supplied AI agents, regulatory bodies across both continents have established that legal and operational accountability remains exclusively with the deploying enterprise. Second, the rise of agentic AI forces continuous governance; autonomous systems introduce novel risks such as privilege escalation, behavioral drift, and multi-agent emergent effects, rendering annual model validation cycles obsolete in favor of runtime controls.
Furthermore, regulatory divergence is actively shaping organizational role architecture. North American organizations are navigating a fragmented, materiality-driven environment with divergent national standards, whereas European organizations face a rigid, statutory, cross-sectoral compliance mandate driven by the European Union (EU) AI Act and the Digital Operational Resilience Act (DORA). To cope with this velocity and complexity, highly mature organizations are abandoning purely centralized risk structures in favor of federated “hub-and-spoke” models that embed “AI Champions” directly within business lines. Finally, a significant “audit-ready” traceability gap remains: regulators expect explainable, reconstructible decisions, while much enterprise IT cannot yet produce complete records of what a model saw, decided, and acted on, exposing organizations to regulatory and litigation risk.
The transition to AI-driven operations is also polarizing the labor market into a “two-track” workforce. At the same time, AI adoption is professionalizing entry-level roles: junior employees must exercise senior-level human judgment and strategic oversight to manage and audit automated outputs effectively.
| Key Metric / Statistic | Operational Significance | Source Reference |
| --- | --- | --- |
| 40% Cancellation Rate | Gartner predicts that over 40% of enterprise agentic AI projects will be canceled by the end of 2027 because of inadequate risk controls, unclear business value, and escalating costs. | [1, 2] |
| 54% Scaling Rapidly | More than half of organizations expect to have at least 40% of their AI experiments moved into production within the next six months, outpacing governance. | [3, 4] |
| 30% Governance Readiness | Only 30% of companies currently deploying AI report high governance readiness, a severe operational vulnerability relative to their technical readiness. | [3, 5] |
| 62% Wage Premium | The average wage premium for workers with specialized AI skills has risen to 62%, reflecting intense competition for talent capable of governing these systems. | [6, 7] |
| 95% Denial Overturn Rate | In healthcare, AI-driven Medicare Advantage prior authorization denials face overturn rates of up to 95% on appeal, exposing catastrophic algorithmic oversight failures. | [8, 9] |
| €35 Million Penalty | The maximum fine under the EU AI Act for prohibited AI practices is €35 million or 7% of global annual turnover, whichever is higher, fundamentally altering executive risk calculus. | [10, 11, 12] |
| 5.5% Achieving ROI | Only 5.5% of organizations report that more than 5% of their EBIT is attributable to AI, highlighting the performance gap between high-maturity and lagging firms. | [13] |
2. Quantitative Summary: The Evolution of Risk Roles
The adoption of autonomous AI systems requires a fundamental recalibration of how risk is identified, mitigated, and owned. The Risk Manager, traditionally an independent second-line-of-defense reviewer focusing on point-in-time audits, is transforming into a highly technical, continuous monitoring role. Simultaneously, the Risk Owner—typically a business line executive—can no longer treat technology procurement as a transactional IT decision. Because autonomous systems alter business processes and directly impact consumers, the Risk Owner assumes direct, long-term fiduciary and regulatory accountability for the AI’s operational outcomes.
2.1 The Evolution of the RISK MANAGER (Centralized Practice)
The role of the Risk Manager is shifting from bureaucratic oversight to technical governance. The demands placed on this role vary significantly by geographic location due to differing regulatory philosophies.
Table 1: Shifts in the RISK MANAGER Role – North America
| Attribute | North American Evolution (US & Canada) |
| --- | --- |
| Shift in Roles | Transitioning from compliance auditors to technical governance architects. In the US, the role focuses on managing materiality thresholds (e.g., SR 26-2) and applying the NIST AI RMF. In Canada, the role involves enforcing prescriptive 5-stage lifecycles (OSFI E-23) across all models, explicitly including Generative and Agentic AI. |
| Shift in Skills | Escalating demand for threat modeling, adversarial testing, bias mitigation, and MLOps expertise. Strong emphasis on conducting vendor “black-box” testing and translating AI performance drift into operational business risk metrics. |
| Shift in Experience | Shifting from traditional financial audit and compliance backgrounds to hybrid profiles that heavily blend data science, cybersecurity, and enterprise risk management (ERM). |
| Shift in Structure | Movement toward decentralized, federated models where the centralized Risk Manager orchestrates global policies but relies on embedded risk stewards within business units to scale oversight effectively. |
| Other Factors | Increasing reliance on automated compliance tools and continuous integration/continuous deployment (CI/CD) pipelines to monitor algorithmic behavior in real-time, bridging the gap between risk and engineering. |
Table 2: Shifts in the RISK MANAGER Role – Europe
| Attribute | European Evolution (UK, Germany, France, Spain) |
| --- | --- |
| Shift in Roles | Transitioning to formal “AI Compliance Officers” or “AI Auditors” managing intersecting statutory mandates (EU AI Act, DORA, GDPR). The role focuses heavily on managing third-party conformity assessments and systemic risk reporting. |
| Shift in Skills | Mastery of EU AI Act Annex III high-risk classifications, conducting Fundamental Rights Impact Assessments (FRIA), data provenance mapping, and dual-mapping AI risks into ICT risk registers for DORA compliance. |
| Shift in Experience | Increasing demand for ISO/IEC 42001 certification experience, deep legal/privacy backgrounds (specifically regarding GDPR interplay), and experience coordinating with national supervisory authorities. |
| Shift in Structure | Establishing direct interfaces with new national supervisory authorities (e.g., Spain’s AESIA, France’s CNIL, Germany’s BNetzA) and managing mandatory incident reporting structures for high-risk AI deployments. |
| Other Factors | In Germany specifically, the role increasingly requires experience negotiating with works councils (Betriebsrat) regarding the deployment of AI systems that impact employee data and workplace surveillance. |
2.2 The Evolution of the RISK OWNER (Business Executive)
For the Risk Owner, the era of unchecked experimentation is concluding. The realization that organizations cannot delegate legal responsibility for AI outputs to third-party vendors has forced executives to maintain continuous, human-in-the-loop oversight.
Table 3: Shifts in the RISK OWNER Role – North America
| Attribute | North American Evolution (US & Canada) |
| --- | --- |
| Shift in Roles | Evolving from a distant project sponsor to a continuous lifecycle owner. Responsible for defining the explicit boundaries of delegated authority for agentic AI and establishing pre-deployment ROI versus risk parameters. |
| Shift in Skills | Enhanced AI literacy required to credibly challenge technical teams and vendors. Ability to evaluate automated decision-making in high-stakes scenarios (e.g., healthcare prior authorization, credit underwriting) to prevent systemic failures. |
| Shift in Experience | Moving beyond general business management to require a deep understanding of third-party risk management (TPRM), data architecture, and proactive cybersecurity incident response protocols. |
| Shift in Structure | Risk ownership is increasingly tied to specific product lines or regional deployments, utilizing multiple risk registers to isolate exposure while maintaining a unified corporate view. |
| Other Factors | Primary focus remains on mitigating class-action litigation risks (e.g., discriminatory hiring algorithms, wrongful healthcare denials) and protecting corporate intellectual property from data leakage. |
Table 4: Shifts in the RISK OWNER Role – Europe
| Attribute | European Evolution (UK, Germany, France, Spain) |
| --- | --- |
| Shift in Roles | Assuming direct personal and corporate accountability for AI outcomes. In the UK, Risk Owners are held personally accountable under the FCA’s Senior Managers and Certification Regime (SM&CR) for algorithmic failures. |
| Shift in Skills | Strategic alignment of business objectives with strict regulatory constraints. The ability to design “audit-ready” operational workflows and ensure continuous compliance with mandatory transparency and human-oversight obligations. |
| Shift in Experience | Requirement to navigate complex legal liability, cross-border data transfer implications, and public sector procurement standards (where applicable) to ensure vendor compliance. |
| Shift in Structure | Governance is integrated into the highest levels of the corporate board. DORA mandates that the management body is ultimately responsible for managing ICT risk, stripping away the ability to delegate risk ownership to IT departments. |
| Other Factors | Intense focus on avoiding crippling regulatory fines and reputational damage. The EU AI Act introduces penalties that force Risk Owners to prioritize regulatory alignment over deployment speed. |
3. Research Details, Commentary, Key Insights, and Examples
The adoption of AI in regulated industries has evolved from the deployment of static, predictive machine learning models to the integration of highly autonomous agentic systems. This technological leap has fundamentally destabilized traditional governance frameworks, which were designed for deterministic software and stable operational environments.
3.1 The Agentic Era and the Crisis of Delegated Authority
The introduction of agentic AI (systems capable of pursuing goals, breaking them into sequential steps, and executing actions across an enterprise’s environment using real permissions) represents a profound shift in organizational risk [14]. Unlike generative AI, which produces text or code for a human to review before anything happens, agentic AI actively invokes application programming interfaces (APIs), queries databases, and initiates workflows.
This operational autonomy introduces the concept of “delegated authority.” In organizational theory, delegated authority means granting an entity the right to act within defined limits while retaining ultimate accountability [15]. When authority is delegated to an AI agent, however, the risk profile expands sharply. Organizations face privilege escalation, where agents quietly accumulate permissions beyond their intended scope, and multi-agent emergent effects, where interacting agents produce amplification loops that no human explicitly programmed [14]. Governing these systems therefore requires an identity-centric access control approach: treat each agent as a “non-human identity” with its own scoped credentials rather than a borrowed human account, enforce least privilege at the point where it invokes a tool, monitor it in real time, analyze its blast radius, and keep an immutable audit trail [14].
3.2 Navigating Divergent Regulatory Ecosystems: North America vs. Europe
The risk management landscape is increasingly fragmented, heavily dictated by geographic location and jurisdictional philosophy.
The European Approach: Statutory and Cross-Sectoral In Europe, the regulatory approach is highly prescriptive. The EU AI Act imposes a tiered, risk-based classification. Systems deemed “high-risk” under Annex III, such as those used in employment screening, biometric identification, or credit scoring, must undergo conformity assessments, maintain exhaustive technical documentation, and be designed for effective human oversight before they are placed on the market or put into service [17].
Enforcement is managed by newly established or empowered national authorities. In Spain, the Agencia Española de Supervisión de la Inteligencia Artificial (AESIA) is running regulatory sandboxes and publishing comprehensive compliance guides [20]. In France, the CNIL enforces the intersection of GDPR and AI, requiring that purpose definition and data subjects’ rights be embedded into AI system development [24]. In Germany, the draft KI-MIG designates the Bundesnetzagentur (BNetzA) as the primary market surveillance authority, while German labor law requires close coordination with works councils (Betriebsrat) for AI deployments affecting employees [26].
Furthermore, the Digital Operational Resilience Act (DORA), applicable since 17 January 2025, requires EU financial entities to map these AI risks directly into their Information and Communication Technology (ICT) risk registers. This dual-compliance burden requires integrated governance, forcing Risk Managers to align AI risk dimensions directly with DORA’s resilience testing and incident reporting mandates [29].
The North American Approach: Principles and Materiality Conversely, North America has adopted a fragmented, materiality-driven approach. In the United States, the Federal Reserve’s SR 26-2 guidance on Model Risk Management (MRM) explicitly excludes generative and agentic AI from its strict validation schedules, directing banks to manage these technologies under general operational risk frameworks and thereby reducing regulatory friction for smaller institutions [32].
Canada, however, is taking a much stricter stance. The Office of the Superintendent of Financial Institutions (OSFI) Guideline E-23 establishes a prescriptive 5-stage lifecycle for all analytical models, explicitly including generative and agentic AI, across all federally regulated financial institutions [32]. This cross-border divergence means that a multinational bank operating across New York, Toronto, and Frankfurt must maintain a configurable, jurisdiction-aware risk architecture to satisfy very different supervisory expectations [32].
3.3 Third-Party Risk and the Illusion of Vendor Delegation
A pervasive misconception among business leaders during early AI adoption was the belief that procuring models from tier-one technology vendors transferred the associated liabilities to those vendors. Regulatory bodies and legal precedents have dismantled this assumption. The organization deploying the AI agent is legally and operationally accountable, not the vendor that supplied the foundation model, and certainly not the agent itself [14].
This principle is emphasized by the New York Department of Financial Services (NYDFS), which states that while an institution can outsource its operations to a vendor, it cannot delegate its responsibility for compliance [35]. Similarly, DORA places designated Critical Third-Party Providers (CTPPs) under direct EU oversight, yet leaves ultimate responsibility for ICT risk with the financial entity’s management body [29]. This forces Risk Owners to run Third-Party Risk Management (TPRM) programs that go beyond annual questionnaires, with continuous black-box testing of vendor models that benchmarks their outputs against internal challenger models [32].
3.4 Industry Case Studies in Traceability and Accountability
The consequences of inadequate AI risk ownership are starkly visible in the US healthcare sector’s use of AI for prior authorization. Insurers, particularly Medicare Advantage (MA) plans, aggressively deployed AI algorithms to review and deny medical claims. Congressional investigations revealed that the use of these algorithms led to unprecedented denial rates for post-acute care, sparking class-action lawsuits and significant provider burnout [9].
Crucially, when these AI-driven denials were appealed, they were overturned at extraordinarily high rates, up to 95% for certain MA plans, demonstrating that the initial AI determinations were deeply flawed [8]. This scenario illustrates the “traceability and accountability gap.” The AI systems functioned as opaque denial engines without sufficient human-in-the-loop oversight. In response, the Centers for Medicare and Medicaid Services (CMS) intervened, requiring that final medical necessity determinations be made by licensed physicians and demanding greater transparency about the algorithmic logic [38].
3.5 Organizational Practices Facilitating the Shift
To navigate this complex environment, leading organizations are actively restructuring their operating models, relying on specific methodologies to balance innovation with compliance.
Minimum Viable Governance and Agile Frameworks Traditional centralized governance, where a single committee reviews all AI models, creates crippling bottlenecks. Research from the MIT Center for Information Systems Research (CISR) advocates for “Minimum Viable Governance” (MVG) and structural agility. MVG applies the least amount of governance required to manage risk effectively without stifling innovation [42]. By utilizing Agile policy frameworks, organizations move away from rigid, up-front planning toward iterative, responsive oversight. This involves building compliance directly into developer platforms to automatically log prompts, track lineage, and screen for hallucinations, effectively shifting governance from a pre-deployment roadblock to a continuous background process [42].
Objectives and Key Results (OKRs) for AI Safety Mature governance is measured, not merely declared. Organizations successfully navigating AI risk are utilizing OKRs to quantify governance performance. Rather than relying on subjective attestations, Risk Managers track specific key results, such as model drift detection rates, false-positive ratios in bias testing, and the closure rates of audit findings [44]. By tying executive compensation and team performance to these risk-based OKRs, the organization ensures that AI safety remains a strategic priority alongside revenue generation.
Geographic Hub-and-Spoke (Federated) Models Given the regulatory divergence highlighted previously, purely centralized risk management often fails to grasp local jurisdictional nuances, while pure decentralization leads to massive regulatory blind spots. The optimal practice is a Federated (Hub-and-Spoke) model [5]. The central “Hub” (an AI Center of Excellence) establishes enterprise-wide standards, shared infrastructure, and foundational risk guardrails. Execution and accountability, however, are pushed out to the “Spokes”: the individual business domains and geographic regions. Domain-specific “AI Champions” who understand the contextual nuances of their data and the specific demands of their local regulators (e.g., a local compliance officer interfacing with the CNIL in France) take responsibility for validating the models and owning the escalations [5].
3.6 Labor Market Dynamics and the Skills Earthquake
The transition to AI-driven operations is fundamentally altering the labor market. According to PwC’s 2026 Global AI Jobs Barometer, the demand for AI skills has triggered a 62% wage premium globally [6]. More importantly, AI is driving a “two-track” labor market by automating routine execution and placing a premium on trusted expertise.
Entry-level and junior roles in highly AI-exposed sectors are being rapidly “professionalized.” Because AI systems handle the basic generation of content, code, or analytics, junior employees are now required to possess traditionally senior-level skills, such as strategic decision-making, emotional intelligence, and complex risk judgment, to validate and audit the AI’s outputs [6]. For Risk Managers and Risk Owners, this means that human-in-the-loop oversight cannot be delegated to untrained junior staff; the personnel overseeing AI must be highly skilled, analytically rigorous, and capable of credibly challenging algorithmic logic [6].
4. Research Findings for the Four Hypotheses
Test of Hypothesis 1: Geographic Divergence in Role Evolution
Hypothesis: These roles are evolving differently North America vs Europe, partly due to different regulations in those geographic regions. Finding: Strongly Supported. The regulatory divergence between the two continents is actively forging two distinct profiles for Risk Managers and Risk Owners. In Europe, the environment is dominated by the EU AI Act, DORA, and stringent GDPR interpretations. European Risk Managers must act as statutory compliance officers, navigating complex requirements such as Fundamental Rights Impact Assessments (FRIA) and coordinating with national regulators like AESIA and BNetzA [17]. For European Risk Owners, the threat of severe financial penalties (up to €35 million or 7% of global turnover) forces a highly defensive posture centered on rigorous conformity assessments and incident reporting [10].
In North America, the environment is characterized by principles-based, materiality-driven frameworks. The US SR 26-2 focuses on the material risk of quantitative models, explicitly excluding GenAI from strict MRM pipelines. This pushes US Risk Managers to adopt highly technical, configurable risk orchestration tailored to business value rather than statutory checklists [32]. Meanwhile, the UK FCA expects AI to be governed under the existing Senior Managers and Certification Regime (SM&CR), forcing UK executives to embed AI accountability into their personal regulatory responsibilities without relying on a dedicated AI rulebook [11].
Test of Hypothesis 2: Third-Party Risks and the Shift in Risk Ownership
Hypothesis: AI solutions manage third party risks differently (companies can’t delegate AI risks to vendors). This requires a shift in RISK OWNER to be longer-term. Finding: Strongly Supported. The traditional enterprise software procurement model, in which operational risk was largely transferred to the vendor via Service Level Agreements (SLAs), has collapsed under the weight of AI. Regulatory mandates, such as the NYDFS guidelines on third-party cyber risk and the EU AI Act, explicitly dictate that the organization deploying an AI system retains ultimate legal and ethical accountability [15]. Because foundation models are opaque, dynamic, and prone to behavioral drift, a Risk Owner cannot simply sign off on a procurement contract and disengage. The role has fundamentally shifted to require long-term, continuous oversight. Risk Owners must enforce post-market monitoring, implement black-box testing against internal challengers, and maintain strict “human-in-the-loop” escalation paths to ensure the vendor’s evolving model does not violate internal policies or external laws [14].
Test of Hypothesis 3: Decentralization of the Risk Manager
Hypothesis: AI adoption often requires RISK MANAGER role to be more de-centralized (closer to business) to keep up with both regulatory and AI advances. Finding: Nuanced/Supported. The hypothesis captures a real operational pain point: centralized governance models are too slow, creating bottlenecks that delay deployments by months and encourage unauthorized “shadow AI” usage [42]. However, pure decentralization is equally flawed, leading to inconsistent standards, duplicated efforts, and massive regulatory blind spots. The optimal practice observed in the research is a Federated or Hub-and-Spoke model. The Risk Manager’s function is decentralized into the business lines through embedded “AI Champions” or data stewards who understand the ground truth of the specific domain. Yet these decentralized nodes remain tethered to a central Center of Excellence (the Hub) that dictates overarching risk taxonomies, shared technology infrastructure, and regulatory intelligence [5]. This allows risk management to operate at the speed of the business without sacrificing enterprise-wide control.
Test of Hypothesis 4: The Traceability and Accountability Gap
Hypothesis: Regulated organizations have a hard time bridging the gap between regulatory theory and reality – struggle to provide the required traceability and accountability that regulators expect in AI tools. Finding: Strongly Supported. There is a profound disconnect between the high-level principles drafted by regulators (e.g., transparency, fairness, explainability) and the technical reality of deploying complex neural networks and agentic AI. The research defines this as the “audit-ready accountability” gap [33]. During the “pilot phase,” organizations enjoy a misleading sense of safety because models are tested in controlled, low-volume environments with heavy human supervision [54]. As systems scale into production and operate autonomously, however, the decision-making logic becomes opaque. Organizations frequently fail to maintain dynamic model inventories, capture comprehensive audit logs of prompts and outputs, or define explicit boundaries for delegated authority [14]. The healthcare sector’s AI-driven prior authorization crisis exemplifies this gap: automated systems issued blanket medical denials that could not be adequately explained or justified, leading to regulatory backlash and systemic process failures [9].
5. Key Actions for Senior Leaders to Maximize Opportunities
For leaders of progressive organizations seeking to turn AI governance into a competitive advantage rather than a bureaucratic hurdle, several strategic actions must be prioritized.
Implement a Federated Operating Model Organizations must dismantle rigid, centralized approval committees that slow innovation. Establishing an AI Center of Excellence will define global standards and provide shared infrastructure, but accountability must be embedded directly within the business units. Empowering local Risk Owners and “AI Champions” who possess the necessary domain expertise allows the organization to validate models in context, adapting to regional regulatory nuances rapidly [5].
Adopt Minimum Viable Governance (MVG) and Agile Controls Oversight must be calibrated to the actual risk of the application. Progressive leaders are automating low-risk approvals while enforcing strict human-in-the-loop protocols for high-stakes decisions (e.g., credit underwriting, healthcare diagnostics). By building compliance directly into the developer platforms to automatically log prompts, track lineage, and monitor drift, governance shifts from a pre-deployment roadblock to a continuous, agile background process [42].
Unify ICT and AI Risk Management (The DORA Advantage) For financial institutions operating in Europe, treating AI risk and cyber resilience as separate silos is a costly error. Leaders must integrate AI risk dimensions (bias, transparency) directly into existing DORA-mandated ICT risk frameworks. A dual-mapping approach reduces audit fatigue, simplifies incident reporting, and creates a cohesive operational resilience strategy that satisfies both the EU AI Act and DORA simultaneously [30].
Invest Heavily in AI Fluency and Reskilling AI polarizes the labor market. As routine tasks are automated, the value of human judgment, ethical reasoning, and strategic oversight rises sharply. Progressive leaders must invest significantly (high performers dedicate upwards of 20% of their digital transformation budgets to AI) in upskilling their workforce. Risk Managers and domain experts must be trained to confidently interact with, challenge, and audit AI outputs, ensuring that human-in-the-loop oversight is substantive rather than performative [6].
6. Key Actions for Senior Leaders Falling Behind
For organizations that are lagging, operating with fragmented pilots, or treating AI risk as a theoretical future problem, immediate defensive actions are required to mitigate exposure.
Construct a Dynamic Enterprise AI Inventory An organization cannot govern what it cannot see. Leaders must immediately catalogue all AI systems currently in use across the enterprise. This inventory must include formal data science projects, vendor-supplied SaaS features, and shadow AI tools used by employees. These systems must then be classified by risk tier according to the relevant frameworks (e.g., EU AI Act Annex III, NIST AI RMF) to expose immediate compliance gaps [10].
Lock Down Delegated Authority for Agentic AI If autonomous AI agents are deployed, their boundaries must be strictly defined. Leaders must implement identity-centric access controls, applying the principle of least privilege. Any agent capable of executing actions in production environments must be equipped with a documented kill-switch, an immutable audit trail, and mandatory human approval workflows for consequential actions [14]. In practice this means the agent never holds standing credentials of its own: every tool call is authorized against its delegated scope, recorded, and, for consequential actions, held until a named human decides.
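The controls described in section 3.1 and in the action above can be shown concretely. The following Python is an added example written for this page, not code from any of the cited vendors or frameworks. It assumes a hypothetical agent identity (`svc-agent-7`), hypothetical tool names (`crm:read`, `payments:transfer`, `iam:grant`) and stand-in tool implementations; in a real deployment the same gate would sit in front of the agent's tool-calling layer. It enforces a least-privilege scope per agent, treats repeated out-of-scope requests as an escalation pattern and trips a kill switch, holds consequential actions for a human decision, and writes every decision to a hash-chained audit log whose integrity can be verified after the fact.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

GENESIS = "0" * 64


@dataclass(frozen=True)
class AgentIdentity:
    """A non-human identity: who it is, which human owns its risk, what it may call."""
    agent_id: str
    risk_owner: str            # the accountable human; never the agent itself
    scopes: FrozenSet[str]     # least-privilege allowlist of tool names


# Tools whose effects are consequential enough to need a human decision every time.
CONSEQUENTIAL_TOOLS = {"payments:transfer", "iam:grant", "hr:terminate"}

# Stand-in tool implementations (constructed for this example; hypothetical names).
TOOLS: Dict[str, Callable[[dict], str]] = {
    "crm:read": lambda a: f"record {a['customer_id']} fetched",
    "payments:transfer": lambda a: f"transferred {a['amount']} to {a['to']}",
    "iam:grant": lambda a: f"granted {a['role']} to {a['principal']}",
}


class AuditLog:
    """Append-only log. Each entry's hash commits to the previous entry's hash,
    so editing or deleting any earlier entry is detected by verify()."""

    def __init__(self) -> None:
        self.entries: List[dict] = []
        self._prev = GENESIS

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> str:
        digest = self._digest(self._prev, event)
        self.entries.append({"prev": self._prev, "event": event, "hash": digest})
        self._prev = digest
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class ToolGate:
    """Every tool call passes through here; the agent itself holds no credentials."""

    def __init__(self, audit: AuditLog, approver: Callable[[str, str, dict], bool],
                 escalation_limit: int = 3) -> None:
        self.audit = audit
        self.approver = approver          # human-in-the-loop decision for consequential tools
        self.escalation_limit = escalation_limit
        self.out_of_scope: Dict[str, int] = {}
        self.killed: Dict[str, str] = {}  # agent_id -> reason the kill switch was pulled

    def kill(self, agent_id: str, reason: str) -> None:
        self.killed[agent_id] = reason
        self.audit.append({"agent": agent_id, "decision": "killed", "reason": reason})

    def call(self, agent: AgentIdentity, tool: str, args: dict) -> dict:
        base = {"agent": agent.agent_id, "owner": agent.risk_owner, "tool": tool, "args": args}
        if agent.agent_id in self.killed:
            return self._record(base, "denied", "kill switch active")
        if tool not in agent.scopes:
            # Repeated requests outside the delegated scope are the privilege-escalation
            # pattern the text describes; after the limit, the agent is stopped.
            count = self.out_of_scope.get(agent.agent_id, 0) + 1
            self.out_of_scope[agent.agent_id] = count
            result = self._record(base, "denied", "outside delegated scope")
            if count >= self.escalation_limit:
                self.kill(agent.agent_id, f"{count} out-of-scope attempts")
            return result
        if tool not in TOOLS:
            return self._record(base, "denied", "unknown tool")
        if tool in CONSEQUENTIAL_TOOLS and not self.approver(agent.agent_id, tool, args):
            return self._record(base, "denied", "human approval withheld")
        return self._record(base, "executed", TOOLS[tool](args))

    def _record(self, base: dict, decision: str, detail: str) -> dict:
        event = dict(base, decision=decision, detail=detail)
        self.audit.append(event)
        return event


if __name__ == "__main__":
    log = AuditLog()
    gate = ToolGate(log, approver=lambda agent, tool, args: False)  # nobody approves
    bot = AgentIdentity("svc-agent-7", "cfo@example.test",
                        frozenset({"crm:read", "payments:transfer"}))
    print(gate.call(bot, "crm:read", {"customer_id": "C-1"})["decision"])          # executed
    print(gate.call(bot, "payments:transfer", {"amount": 500, "to": "acct-9"})["detail"])
    for _ in range(3):
        gate.call(bot, "iam:grant", {"role": "admin", "principal": "svc-agent-7"})
    print(gate.killed, log.verify())
```

The approver callback is where the mandatory human approval workflow plugs in; in production it would block on a ticket or chat approval rather than return immediately. The hash chain only makes tampering detectable, not impossible: the log's head hash should be shipped to storage the agent and its operators cannot write to.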
Revamp Third-Party Risk Management (TPRM) Organizations must cease relying on generic vendor attestations. Procurement contracts must be updated to demand transparency into training data provenance, algorithmic limitations, and incident notification timelines. Furthermore, risk teams must institute continuous black-box testing to monitor vendor model outputs for drift or bias independently of the provider, ensuring the organization maintains regulatory defensibility [32].
Assign Clear Executive Accountability Accountability diffusion is a primary driver of regulatory enforcement. Leaders must explicitly designate a Senior Manager (aligned with frameworks like the UK’s SM&CR) or a specific business executive as the definitive Risk Owner for every AI system in production. This individual must clearly understand that they bear the legal and reputational liability for the system’s outcomes, transforming AI deployment from an IT project into a governed business decision [11].
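The continuous black-box testing called for in the TPRM action above and in section 3.3 can be run as a small monitoring job, and its outputs are the kind of measured key results section 3.5 describes. The Python below is an added example written for this page, not a vendor's or a regulator's tool. The vendor model, the internal challenger, the loan-style features, the group labels and the twelve sample cases are all constructed for illustration; the vendor stand-in is deliberately built to have picked up a postcode proxy so that the monitor has something to find. It reports the vendor/challenger disagreement rate and the vendor's adverse-impact ratio across groups (the four-fifths rule), and raises findings when either crosses an assumed threshold.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Case:
    case_id: str
    income: int
    debt_ratio: float
    postcode: str
    group: str  # protected attribute: used only for monitoring, never fed to a model


Model = Callable[[Case], bool]  # True means "approve"


def vendor_model(case: Case) -> bool:
    """Stand-in for the vendor's opaque API. Constructed for this example to have
    learned postcode 'Z9' as a proxy that correlates with group B."""
    return case.income >= 40_000 and case.debt_ratio < 0.40 and case.postcode != "Z9"


def challenger_model(case: Case) -> bool:
    """Internal, documented rule used as the benchmark (constructed)."""
    return case.income >= 35_000 and case.debt_ratio < 0.45


def disagreeing_cases(cases: List[Case], vendor: Model, challenger: Model) -> List[str]:
    return [c.case_id for c in cases if vendor(c) != challenger(c)]


def disagreement_rate(cases: List[Case], vendor: Model, challenger: Model) -> float:
    if not cases:
        return 0.0
    return len(disagreeing_cases(cases, vendor, challenger)) / len(cases)


def approval_rate_by_group(cases: List[Case], model: Model) -> Dict[str, float]:
    totals: Dict[str, int] = {}
    approved: Dict[str, int] = {}
    for c in cases:
        totals[c.group] = totals.get(c.group, 0) + 1
        approved[c.group] = approved.get(c.group, 0) + int(model(c))
    return {g: approved[g] / totals[g] for g in totals}


def adverse_impact_ratio(rates: Dict[str, float]) -> float:
    """Four-fifths rule: lowest group approval rate divided by the highest.
    A ratio below 0.80 is the conventional trigger for a bias review."""
    if not rates:
        return 1.0
    highest = max(rates.values())
    return 1.0 if highest == 0 else min(rates.values()) / highest


def monitor(cases: List[Case], vendor: Model, challenger: Model,
            max_disagreement: float = 0.10, min_air: float = 0.80) -> dict:
    """One monitoring run over a sample of recent cases. The thresholds are
    assumptions for this example, not regulatory values."""
    vendor_rates = approval_rate_by_group(cases, vendor)
    report = {
        "disagreement_rate": disagreement_rate(cases, vendor, challenger),
        "disagreeing_cases": disagreeing_cases(cases, vendor, challenger),
        "vendor_approval_by_group": vendor_rates,
        "vendor_air": adverse_impact_ratio(vendor_rates),
        "challenger_air": adverse_impact_ratio(approval_rate_by_group(cases, challenger)),
        "findings": [],
    }
    if report["disagreement_rate"] > max_disagreement:
        report["findings"].append("vendor diverges from challenger beyond tolerance")
    if report["vendor_air"] < min_air:
        report["findings"].append("vendor approval rates fail the four-fifths rule")
    return report


def sample_cases() -> List[Case]:
    """Constructed sample: six financial profiles, each appearing once per group.
    The two groups differ only in postcode, so any gap is attributable to the proxy."""
    profiles = [(60_000, 0.20), (45_000, 0.30), (38_000, 0.35),
                (30_000, 0.50), (80_000, 0.10), (42_000, 0.38)]
    cases: List[Case] = []
    for i, (income, ratio) in enumerate(profiles, start=1):
        cases.append(Case(f"A{i}", income, ratio, "Z1", "A"))
        cases.append(Case(f"B{i}", income, ratio, "Z9" if i <= 4 else "Z3", "B"))
    return cases


if __name__ == "__main__":
    result = monitor(sample_cases(), vendor_model, challenger_model)
    print(result["disagreement_rate"], result["vendor_air"], result["findings"])
```

Run on the constructed sample, the vendor disagrees with the challenger on a third of cases and approves group B at half the rate of group A, so both findings fire; the challenger's own ratio is 1.0, which is what isolates the vendor as the source. The disagreeing case IDs are what a Risk Manager would pull for review, and the per-run numbers are the raw material for the drift and bias key results section 3.5 describes.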
7. Works Cited
1. Enterprise AI Operating Model: Hub-and-Spoke, Federated, or Centralized? | Assembly, https://aiassemblylines.com/resources/ai-initiatives-operating-model
2. AI Jobs Barometer – PwC Australia, https://www.pwc.com.au/services/artificial-intelligence/ai-jobs-barometer.html
3. AI reshapes global labour market into two distinct paths, rewarding human skills: PwC 2026 Global AI Jobs Barometer, https://www.pwc.com/gx/en/news-room/press-releases/2026/pwc-2026-ai-jobs-barometer.html
4. Prior Authorization Approval Rates: What 2026 Data Reveals – Insight Health, https://www.insighthealth.ai/blog/prior-authorization-approval-rate
5. The Three Largest Medicare Advantage Organizations Denied Requests for Long-Term Acute Care and Inpatient Rehabilitation at Some of the Highest Rates – OIG, https://oig.hhs.gov/reports/all/2026/the-three-largest-medicare-advantage-organizations-denied-requests-for-long-term-acute-care-and-inpatient-rehabilitation-at-some-of-the-highest-rates/
6. The Boardroom’s New Mandate – Citi, https://www.citigroup.com/global/insights/the-boardroom-s-new-mandate
7. Future State—FCA Expectations, Governance and Skills – Kroll, https://www.kroll.com/en/publications/financial-compliance-regulation/fca-expectations-governance-skills
8. McKinsey State of AI 2025: What It Means for Engineering Leaders – CoLab Software, https://www.colabsoftware.com/post/mckinseys-state-of-ai-2025-what-separates-high-performers-from-the-rest
9. The Complete Guide to Agentic AI Governance – Drata, https://drata.com/learn/agent-gov/overview
10. Delegated Authority Is a Data Privacy Problem Disguised as an AI Governance One, https://www.logarithmic.com/perspectives/delegated-authority-is-a-data-privacy-problem-disguised-as-an-ai-governance-one
11. AI Agent Risk Manager – KnowBe4, https://www.knowbe4.com/products/ai-agent-risk-manager
12. AI Auditing & Governance Course | EU AI Act (Spain) – Spanish Compliance Institute, https://spanishcomplianceinstitute.com/es-spanish/products/ai-auditing-governance-course-eu-ai-act-spain-1
13. The EU AI Act: Applications and Principles – Dilitrust, https://www.dilitrust.com/eu-ai-act/
14. El Reglamento Europeo de Inteligencia Artificial: Sistemas de alto riesgo – AESIA, https://aesia.digital.gob.es/es/actualidad/recursos/ria-sistemas-de-alto-riesgo
15. AESIA, https://aesia.digital.gob.es/es
16. Artificial intelligence act: a general approach – AESIA, https://aesia.digital.gob.es/en/present/resourcesria-aproximacion-general
17. Ai Regulation Spain | Global Law Experts, https://globallawexperts.com/ai-regulation-spain/
18. full-compilation-aesia-guide-english-june-2026 – Herbert Smith Freehills, https://www.hsfkramer.com/notes/madrid/2026-posts/full-compilation-aesia-guide-english-june-2026
19. AI system development: CNIL’s recommendations to comply with the GDPR, https://www.cnil.fr/en/ai-system-development-cnils-recommendations-to-comply-gdpr
20. Law / proposed law in France – AI Laws of the World – DLA Piper Intelligence, https://intelligence.dlapiper.com/artificial-intelligence/?t=01-law&c=FR
21. Overview of all AI Act National Implementation Plans | EU Artificial Intelligence Act, https://artificialintelligenceact.eu/national-implementation-plans/
22. EU AI Act in Germany: KI-MIG & Enforcement, https://euaicompass.com/eu-ai-act-germany.html
23. AI Act Implementation Law: Germany’s AI Oversight Approved, https://www.aiact-akademie.de/en/news/ai-act-implementation-law-german-cabinet-ai-oversight
24. Digital Operational Resilience Act (DORA) Compliance – Modulos AI, https://www.modulos.ai/dora/
25. DORA Compliance 2026: Key Requirements Explained | Nemko Digital, https://digital.nemko.com/regulations/digital-operational-resilience-act
26. DORA + EU AI Act: The Double Compliance Obligation for Financial Institutions, https://www.regulation-dora.eu/blog/dora-ai-act-convergence-financial-institutions-2026
27. OSFI E-23 vs SR 26-2: How Canada and the US Are Diverging on Model Risk Management, https://www.yields.io/insights/osfi-e-23-vs-sr-26-2-how-canada-and-the-us-are-diverging-on-model-risk-management
28. AI Governance in Regulated Industries — Horizon Scan 001, https://horizonsearch.org/publications/horizon-scans/001/
29. AI Employer Liability: Compliance Guide, https://www.warden-ai.com/resources/ai-employer-liability
30. NYDFS TPRM guidance: What financial institutions need to know – CPA & Advisory Professional Insights – Kaufman Rossin, https://kaufmanrossin.com/blog/nydfs-tprm-guidance-what-financial-institutions-need-to-know/
31. What Is the Digital Operational Resilience Act (DORA)? – IBM, https://www.ibm.com/think/topics/digital-operational-resilience-act
32. Third-Party Risk Management Life Sciences | USDM, https://www.usdm.com/governance/third-party-risk-management-in-life-sciences
33. Briefing Book 2026: Artificial Intelligence Use in Health Insurance – KLRD, https://klrd.gov/2026/03/02/briefing-book-2026-artificial-intelligence-use-in-health-insurance/
34. Medicare advantage becoming a disadvantage with use of artificial intelligence in prior authorization review – PMC, https://pmc.ncbi.nlm.nih.gov/articles/PMC12979811/
35. The Prior Authorization Arms Race | The AI Health Pulse, https://hutchinsdatastrategy.com/the-ai-health-pulse/the-prior-authorization-arms-race
36. How AI Is Reshaping Prior Authorization in Health Insurance – Forbes Councils, https://councils.forbes.com/blog/how-ai-is-reshaping-prior-authorization-in-health-insurance
37. Balance AI innovation and risk with ‘minimum viable governance’ | MIT Sloan, https://mitsloan.mit.edu/ideas-made-to-matter/balance-ai-innovation-and-risk-minimum-viable-governance
38. Full article: Balancing regulation and innovation: the need for agile AI governance in higher education – a cross-country study – Taylor & Francis, https://www.tandfonline.com/doi/full/10.1080/03075079.2026.2614986
39. AI Governance Maturity Model: Matrix, Assessment, and Roadmap | Databricks Blog, https://www.databricks.com/blog/ai-governance-maturity-model
40. Why Federated Governance Is a Prerequisite for Responsible AI – Cognizant, https://www.cognizant.com/us/en/insights/insights-blog/why-federated-governance-for-responsible-ai
41. AI Federated Governance: A Path Toward Global Collaboration and Accountability | VE3 Blog, https://ve3.global/blog/ai-federated-governance-a-path-toward-global-collaboration-and-accountability
42. Best AI Compliance Tools for France (2026): The Complete GDPR and EU AI Act Guide, https://frenchcomplianceinstitute.com/blogs/news/ai-compliance-tools-france
43. 2026 Global AI Jobs Barometer report – PwC, https://www.pwc.com/gx/en/issues/artificial-intelligence/job-barometer/2026/2026-global-ai-jobs-barometer-full-report.pdf
44. The German legislation implementing the AI Act – activeMind.legal, https://www.activemind.legal/guides/ki-mig/
45. Spain makes progress on AI regulation: key points of the new Organic Law on governance, https://www.osborneclarke.com/insights/spain-makes-progress-ai-regulation-key-points-new-organic-law-governance
46. AI and the UK Financial Conduct Authority – WilmerHale, https://www.wilmerhale.com/en/insights/client-alerts/20260429-ai-and-the-uk-financial-conduct-authority
47. UK FS regulators publish their AI strategies – KPMG International, https://kpmg.com/xx/en/our-insights/ai-and-technology/uk-fs-regulators-publish-their-ai-strategies.html
48. Protecting your data: Your weakest link may be outside your firewall | BLG, https://www.blg.com/en/insights/perspectives/12-strategic-priorities-for-privacy-cybersecurity-and-ai-risk-management/protecting-your-data-your-weakest-link-may-be-outside-your-firewall
49. AI Governance After The Pilot Phase: Why AI Risk Becomes An Operating Model Question | by Kevin Pausicles – Medium, https://medium.com/@kevin.pausicles/ai-governance-after-the-pilot-phase-why-ai-risk-becomes-an-operating-model-question-e6cf944c70fa
50. Centralized Privacy Office: The New Model for AI & Risk Governance – TrustArc, https://trustarc.com/resource/centralized-privacy-office-operating-model-ai-risk-governance-teams/
51. Algorithmic Accountability and Continuous Audit in High-Risk Public AI Systems: A Narrative Review – Preprints.org, https://www.preprints.org/manuscript/202606.1380
52. Canada report – 2026 AI Jobs Barometer – PwC, https://www.pwc.com/gx/en/issues/artificial-intelligence/job-barometer/aijb-2026-canada.pdf
53. What Is AI Compliance And Why It Matters: Regulatory, Ethical and Operational Drivers for Businesses – DPO Consulting, https://www.dpo-consulting.com/blog/what-is-ai-compliance
54. Who should be a risk owner in your organization? Guide for 2025 – TrustCommunity, https://community.trustcloud.ai/docs/grc-launchpad/grc-101/risk-management/who-should-be-a-risk-owner/
The idea, research hypotheses, and focus for this article/research are all original and mine. This article was written with my brain and two hands with the assistance of Google Gemini, Notebook LM, Claude, and other wondrous toys.