Almost half of all GenAI use now occurs through personal accounts like ChatGPT, Claude, Perplexity, and others, entirely outside corporate oversight or control. This isn’t about a few rogue users acting in secret. We’re seeing widespread bypassing of approved tools across entire organizations, with the average company experiencing 223 shadow AI incidents each month, twice as many as just a year ago.
When the Digital Services Act entered into force two years ago, it was framed as a reset for the online economy. The rhetoric focused on safer digital spaces, stronger protections for fundamental rights, and curbing manipulative or harmful platform behavior.
There is a particular moment in every technological transformation when enthusiasm gives way to recognition. It is not the moment when innovation falters, nor when critics grow louder. It is the moment when institutions begin to understand that what has been built is now too consequential to remain loosely governed.
Let’s be honest: governance doesn’t usually make hearts race. The word alone can drain the excitement out of a meeting faster than a surprise PowerPoint. For years, governance has been typecast as the corporate hall monitor—clipboard in hand, ready to say, “No, you can’t do that.” But in the age of AI, that old stereotype doesn’t work anymore. Governance has gone through its own transformation, like a quiet glow-up. Today, it’s not about slowing innovation down; it’s about keeping it human. In fact, governance has become the new empathy.
In this article, Norman Marks reflects on a recent exchange sparked by Alex Sidorenko’s thinking on risk and decision-making, exploring where they strongly align and where a critical distinction emerges around the concept of uncertainty. While agreeing that risk management should move beyond static risk lists and toward enabling better decisions, Marks challenges how the term “uncertainty” is often understood and applied in practice. The result is a pragmatic reframing of risk conversations—one grounded in real managerial decision-making rather than abstract definitions or theoretical precision.
In my earlier piece, Risk Management Is Not a SOX Coloring Book: A Call for Risk Management as a Strategic Discipline, I argued that decades of Sarbanes-Oxley gravity have quietly reshaped how organizations understand risk—narrowing it into a compliance exercise defined by documentation, evidence trails, and audit satisfaction. That article challenged the idea that shaded boxes and completed control matrices equate to managing uncertainty. This follow-up goes a step further. It explores what risk management looks like once we finally put the coloring book down.
For a long time, ESG risk in the supply chain was treated as something adjacent to the business rather than integral to it. A matter of policy statements, supplier codes of conduct, and questionnaires circulated once a year, often completed quickly and filed away quietly. The appearance of diligence was usually sufficient. Oversight, such as it was, could be delegated.