https://carney.wiki/tags/enterprise-risk/Recent content in Enterprise Risk on carney.wikiHugo -- gohugo.ioenTue, 20 Jan 2026 00:00:00 +0000https://carney.wiki/blog/ai-risk-is-a-business-risk-not-just-a-technical-one/Tue, 20 Jan 2026 00:00:00 +0000https://carney.wiki/blog/ai-risk-is-a-business-risk-not-just-a-technical-one/AI risk is business risk. That sounds obvious until you look at how most companies still manage it. Too often, AI risk gets pushed into the technical corner. The security team worries about exposure. The data team worries about model performance. Legal gets pulled in late. The board gets a sanitized update after the pilot has already become operational. That is backwards. If an AI system influences customers, employees, financial outcomes, operational decisions, or regulated processes, the risk is not contained inside the model.https://carney.wiki/blog/the-cisos-guide-to-governing-generative-ai/Sat, 10 Jan 2026 00:00:00 +0000https://carney.wiki/blog/the-cisos-guide-to-governing-generative-ai/Generative AI is now part of the enterprise control surface. That is the CISO’s problem, whether the CISO asked for it or not. Employees are using AI tools. Vendors are embedding AI features. Engineering teams are experimenting with model APIs. Business teams are building copilots. Data teams are connecting retrieval systems to internal knowledge. Some of this is useful. Some of it is risky. Most of it is moving faster than the policy process.https://carney.wiki/blog/what-boards-need-to-know-about-ai-risk/Sun, 02 Nov 2025 00:00:00 +0000https://carney.wiki/blog/what-boards-need-to-know-about-ai-risk/Boards do not need to understand every AI model. They do need to understand where AI creates business risk. That is the important distinction. AI is moving into customer interactions, employee workflows, software development, analytics, content production, fraud detection, security operations, and decision support. Some systems are low risk. Some can materially affect customers, employees, revenue, compliance, or reputation. Board oversight should focus on the second group. The question is not “Can the board explain how the model works?