Lesson 37 of 41
Overview
We break down COSO’s new guidance, why generative AI is no longer treated as an experiment, and how the reliance threshold changes the rules for internal controls and board accountability.
Then we explore capability-based governance, Shadow AI inventory, and the move to continuous monitoring as the foundation for auditable, trustworthy enterprise AI.
Welcome to the show. I'm Sofía Navarro, and we need to start with a date that every corporate board is going to remember: February 23rd, 2026. On that day, COSO released new guidance that officially ended the playground era of generative AI.

It did. For three years, companies treated LLMs like toys or supercharged spellcheckers. But COSO -- the Committee of Sponsoring Organizations -- just pulled the emergency brake. They basically declared that AI is no longer a technology experiment. It is a core component of your internal control environment.

And that distinction, Jack, changes the entire structural foundation. Traditional enterprise software is deterministic. You write a line of code, you input data, and you get the exact same output every single time. It's a spreadsheet. But these generative systems are probabilistic.

Right. Probabilistic means we are dealing with systems built on statistical likelihood, not rigid logic. The same prompt today might give you a slightly different revenue summary tomorrow. In physics, we look at chaotic systems -- where small variances in input lead to unpredictable outputs. You cannot audit a chaotic system using a point-in-time check once a year.

Exactly! An annual audit is completely useless when the model's behavior shifts dynamically based on user feedback loops. That is why COSO is forcing a transition to continuous monitoring. But the real structural pivot in this document is what they call the Reliance Threshold.

Now, that term is going to keep risk officers awake at night. The reliance threshold is the precise moment a tool stops being a convenience and becomes operationally necessary. If your supply chain or your financial reporting breaks the second your AI agent goes offline, you have crossed that threshold.

And crossing that line triggers a regulatory domino effect. Once you cross the reliance threshold, that AI is legally part of your internal control over financial reporting. You need documented controls, continuous audit evidence, and formal risk assessments. There is no more "it's just a pilot project" defense.

It forces a level of discipline that has been completely absent. Up until now, companies have been launching agents into production with nothing but vibes and a prayer. COSO is pointing out that if those agents are making decisions that impact SEC disclosures, the board is on the hook. Personally.

Which brings us to how we actually operationalize this. Because right now, most companies are approaching this completely backwards. They are building what I call "vendor-centric" policies. They have a "ChatGPT Policy," a "Claude Policy," or a "Copilot Policy."

Which is completely useless. It's like having a policy for blue pens and a different policy for black pens. The market moves too fast. Tomorrow, your employees will be using five new models you haven't even heard of yet. COSO's guidance insists on capability-based governance instead.

Yes! It is about what the system is doing, not who built the model. Is it extracting contract data? Is it executing financial transactions? Is it summarizing customer complaints? Those are capabilities. If a system is extracting revenue data, the control is built around the extraction process, regardless of whether it's running on Gemini, OpenAI, or an open-source model.

That shifts governance from a reactive game of Whack-a-Mole to a durable architecture. But to build that architecture, you first have to know what's actually running inside your walls. And right now, Shadow AI is completely out of control. It makes the Shadow IT era of the 2010s look like a minor misunderstanding.

It is terrifying. We are seeing departments quietly integrating API keys into critical workflows without telling their IT partners. Employees are pasting proprietary code and sensitive customer data into public models to automate their daily tasks. And because these systems are probabilistic, they can leak that data, hallucinate calculations, or alter financial summaries without leaving an obvious trace.

You cannot govern what you do not catalog. The very first step of the COSO roadmap isn't building controls; it's a brutal, comprehensive inventory of every single AI endpoint currently touching your enterprise.

It sounds daunting, but this is actually where the strategic opportunity lies. The companies that treat this COSO guidance as a bureaucratic bottleneck are going to fail. But the organizations that build a robust, capability-first governance framework are going to move infinitely faster. Because they will actually have trust in their systems. It's like having better brakes on a race car. The brakes aren't there to make you go slow; they are there to give you the confidence to take the corners at two hundred miles an hour.

Beautifully put, Jack. The future isn't going to belong to the most reckless innovators, nor will it belong to the ultra-cautious. It belongs to the enterprises that can prove their AI is auditable, explainable, and under control.