For years, AI governance has been built around preventing bad decisions before they happen. Organizations assess training data, test accuracy, evaluate bias, write principles, and sign off on models before they go live. That made sense when AI produced insights and humans made the choices that followed.
It was supposed to be a step toward global unity. The G7’s Hiroshima AI Process was meant to signal the dawn of an international consensus on how to govern artificial intelligence. Instead, it’s become a reminder that the world’s biggest powers are not building one system of AI governance, but several. Each reflects a different philosophy of risk, control, and trust. And for compliance and risk leaders, that’s where the real work begins.
When Carole Switzer talks about lawyers and their role in governance, risk, and compliance, she doesn’t sound like someone reading off a checklist. She sounds more like a coach urging a team to play the bigger game.
When JPMorgan Chase’s CISO took to the stage earlier this year and called on SaaS providers to “do better” on resilience, it wasn’t just another passing soundbite. It was a rare public signal from one of the most security-mature organizations on the planet — and the timing could not have been sharper.
Across boardrooms and back offices, the promise of AI is animating strategy sessions and shaping budgets. Everyone wants in on the productivity gains, the streamlined operations, the predictive insights. But behind the excitement lies a quietly growing tension: how do you govern a technology that can improvise, evolve, and sometimes go off-script?
The UK’s data protection regime has just undergone its biggest recalibration since Brexit. On June 19, 2025, the Data (Use and Access) Act (DUAA) received Royal Assent, introducing a suite of reforms aimed at modernizing how organizations collect, use, and share personal information. But unlike GDPR’s transformative shake-up in 2018, this legislation is more evolutionary than revolutionary, nudging UK data protection in a direction that’s lighter on red tape, but still recognizably rights-driven.
In the U.S., the regulatory landscape is trying to catch up, but in true American style, it’s a bit of a mess. It’s fragmented, complex, and, at times, contradictory. The goal of the legislation is to manage the risks, promote innovation, and make sure AI is used responsibly. But how we get there, and who’s in charge of making the rules, is anything but straightforward. As AI moves from being an abstract concept to a core part of business operations, understanding this evolving legal maze is crucial for companies.