Stephen GilfusExecutive Overview

    AI · Cyber

    Governance and Compliance

    Governance and compliance are the connective disciplines beneath every assignment in this practice. Cyber resilience, AI accountability, and regulatory compliance are not three separate programs reporting to three separate committees — they are facets of one operating system that gives boards, regulators, and institutional investors the assurance they require.

    Governance and compliance are not a policy binder. They are the operating system a board uses to know — in writing, on a cadence, with evidence — that the enterprise is in control of its own technology and answerable to every regulator that asks.

    The frame

    One operating system, three disciplines

    Cyber governance, AI governance, and regulatory compliance are usually treated as three separate programs run by three separate teams reporting to three separate committees. That is how gaps form, attestations contradict each other, and disclosure timing slips. In this practice the three are run as one operating system — shared evidence, shared cadence, shared accountability — with three disciplines layered on top.

    The point is not to produce more documents. The point is to produce decisions a board can defend, in language a regulator recognizes, on a schedule that does not slip — and to do it once, not three times.

    Cyber governance components

    What a credible cyber posture looks like

    These are the components I expect to see — and to be able to evidence — in any enterprise that calls itself board-governed on cyber.

    • Risk register & appetiteA living register of cyber risks scored against an explicit, board-approved risk appetite. Not heatmap theater — a document the audit committee reviews and signs.
    • Identity & access controlsZero-trust identity, least-privilege access, and privileged access management evidenced through quarterly access reviews — not annual checkbox attestations.
    • Third-party & supply chainVendor risk tiering, contractual security obligations, and continuous monitoring of critical fourth parties. Most breaches enter through someone else's environment.
    • Detection, response & recovery24/7 detection coverage, a tested incident response plan, and recovery time objectives the business has actually rehearsed — including a board-level tabletop within the last 12 months.
    • Resilience & business continuityBackup integrity, immutable storage, and recovery procedures proven against destructive scenarios — not just outage scenarios. Ransomware changed the bar.
    • Disclosure readinessA materiality framework, decision log, and 8-K narrative pre-staged for the SEC cyber rule — so the four-business-day clock is a process, not a panic.

    AI governance components

    What a credible AI posture looks like

    AI governance is younger than cyber governance, but the components are converging fast. These are the ones boards and regulators are already asking about.

    • Model inventory & use-case registerA canonical inventory of every AI model in production — internal and vendor — tied to use case, business owner, data classification, and risk tier. You cannot govern what you cannot list.
    • Risk classification & approval gatesTiered review and approval — aligned to NIST AI RMF and the EU AI Act's risk categories — so high-impact systems pass through human review before deployment.
    • Data lineage & training provenanceDocumented sources, licensing, consent, and retention for training data and prompt pipelines. Auditable end-to-end so an external reviewer can reconstruct what the model learned from.
    • Evaluation, bias & safety testingPre-deployment evaluations for accuracy, bias, hallucination, and adversarial robustness — and continuous monitoring once the model is live. Drift is the rule, not the exception.
    • Human oversight & explainabilityDefined human-in-the-loop checkpoints, override authority, and explainability artifacts appropriate to the risk tier. A regulator should be able to see who decided what, and why.
    • Incident, audit & disclosureAn AI incident response process distinct from cyber IR — covering misuse, harmful output, and model failure — feeding the same audit trail and board reporting cadence.

    Compliance components

    What a credible compliance posture looks like

    Compliance is where governance meets the regulator. It is the discipline that turns a policy into a defensible answer to a question someone with subpoena power is going to ask. These are the components I install alongside the cyber and AI programs so the three speak with one voice.

    • Regulatory obligations registerA single, mapped inventory of every regime that touches the enterprise — SEC, NYDFS Part 500, GDPR, HIPAA, PCI-DSS, EU AI Act, sector-specific rules — with named owners and evidence locations. One source of truth, not five.
    • Control framework crosswalkA crosswalk that lets one tested control satisfy multiple regimes (NIST CSF / ISO 27001 / SOC 2 / NIST AI RMF) — so the enterprise is audited once and reported many times, not the other way around.
    • Policy lifecycle & attestationVersioned policies with owner, review cadence, and annual attestation by accountable executives. A policy without a date and a signature is a wish.
    • Privacy, data residency & cross-borderLawful-basis mapping, DPIAs, retention schedules, and data residency posture for every cross-border flow. The line between marketing data and regulated data is where most fines start.
    • Materiality, disclosure & regulator responseA pre-rehearsed materiality framework for cyber and AI events, an 8-K and Form 6-K narrative library, and a single inbox for regulator inquiries with named legal, comms, and technical owners.
    • Compliance training & cultureRole-based training tied to actual obligations — not the same annual click-through for everyone — with completion evidenced and remediation tracked. Culture is what people do when no one is auditing.

    How it runs

    The integrated operating cadence

    Three disciplines, one cadence. Components only matter if they run on a rhythm, and three rhythms produce three contradictions. The cadence I install is monthly at the operating layer (control owners, evidence reviews, exceptions), quarterly at the committee layer (audit, risk, technology), and annually at the full board — with one integrated dashboard that translates technical posture into the language audit, risk, compensation, and disclosure committees actually use.

    Where the three disciplines converge — incident response, vendor risk, model deployment, board reporting, regulator response — they share a single decision log. There is one timeline, one materiality call, one set of artifacts. Cyber, AI, and compliance leadership co-own the run; legal and disclosure counsel sit at the same table.

    Done this way, governance and compliance stop being the things that slow the company down and start being the things that let it move faster — because the board, the auditors, and every regulator with a question can see what they need to see, when they need to see it, in a form that has already been reconciled.

    If your board is asking sharper questions about cyber, AI, and disclosure than your current reporting can answer — and your three programs aren't telling the same story — this is the right room.