Off the Leash – AI, Controls, and the Illusion of Oversight

Artificial Intellingene
Written By John Hurt

Everyone’s talking about AI—and for good reason. Machine learning, LLMs, and automation are transforming how we detect risk, file SARs, monitor trades, and handle alerts. But here’s what’s not being said loudly enough: Most risk leaders don’t really know what the algorithms are doing. And that’s a problem. Because if you can’t explain how a control works, you can’t defend it. And if you can’t defend it, it’s not a control—it’s a blind spot.

The Automation Mirage

We’ve wrapped too many assumptions in automation: - If it’s system-generated, it must be right - If it has an audit trail, it must be defensible - If it flags anomalies, it must be smarter than we are But that logic breaks down fast when controls behave in ways nobody intended—or when bias, model drift, or data quality issues creep in unnoticed. We’ve confused automation with assurance. They are not the same.

When AI Escapes the Checklist

In traditional environments, you test a control, document exceptions, and trace results back to evidence. With AI-based systems, you may be testing an output without fully understanding the inputs, logic, or training data. Worse, many institutions deploy models without a clear owner—or with ownership split between IT, Compliance, and the business. That’s not governance. That’s diffusion of accountability.

Risk Doesn’t Sleep—But Neither Should Oversight

AI might run 24/7, but your oversight shouldn’t be asleep at the wheel. Risk professionals need to be embedded in model development, understand the alert suppression logic, and challenge assumptions baked into training sets. If your governance process doesn’t include dissent, you don’t have a process. You have a pass-through.

If You Can’t Explain It, You Can’t Defend It

The board doesn’t want to hear about vector embeddings or transformer architectures. They want to know: Is this decision safe, fair, and aligned with our risk appetite? That means translating AI logic into real-world consequences. It means knowing when to hit pause—not just trusting the black box because it’s efficient.

Closing Thought

AI is powerful. But it’s not magic—and it’s not exempt from the rules of risk. If your control breaks and nobody understands why—it wasn’t a control. It was a leap of faith in a hoodie. And until we start building controls we can explain, challenge, and trust… I’ll stay off the leash.

Hashtags

#OffTheLeash #AICompliance #ModelGovernance #RiskOversight #AuditLeadership #TrustButVerify

John Hurt
Previous

Audit SQL Script Handbook
Next

“Don’t Call Yourself a Leader if No One Would Follow You Into a Fire”