ai-governance

AI governance needs domain knowledge where technical behaviour changes route, evidence, controls, and monitoring.

Assigning roles to AI agents can look like governance. It only becomes useful when the role has a loss function, an evidence boundary, and an output contract.

Agent governance cannot stop at model behavior. Once AI systems use tools, the governed object is the whole workflow.

Proportionate AI governance only works when the lighter path is earned by evidence, not granted by missing concerns.

Citing a vendor defender product in a paper that argues the threat surface is moving faster than controls undercuts the case it is supposed to support.

Model risk reviews the model. Application security reviews the application. Neither sits behind the agent at execution time, watching the verbs as they go out.

Most agentic AI governance frameworks treat logging and assurance as the same thing. They're not. One records what happened. The other judges whether it was correct.

Banks have AI ethics principles. They don't have risk tiering. That's the gap that matters.

The AI governance conversation is stuck in the wrong frame. The pattern that works isn't autonomous agents — it's exoskeletons. Micro-agents handling narrow tasks, with human judgment at every point that matters.

Not every goal is a flywheel. The most common mistake in personal systems is treating a checklist as something that compounds.

When your AI can see its own fuel gauge, you're one config write away from self-preservation instinct. Biology solved this problem — and the solution was keeping the organism away from its own selection pressure.

The highest-leverage consulting prep is building the tool before you need it

The most useful reframe I've found for AI governance in financial services

It's not enough to say humans are in the loop. You need to show the loop is in the system.

Mathematical impossibility results are the best meeting-room weapons I know.

Open-source agent adoption can outpace enterprise security controls by weeks. Governance teams need a policy before the agents arrive uninvited.

Every AI fairness debate is secretly a values debate disguised as a technical question.

Adding detail to a deliverable doesn't fix credibility — it creates new interrogation targets.

The strongest slide in my interview deck wasn't about what I'd built. It was about how I built the deck itself.

DeepSeek V4 launching on Huawei Ascend NPUs signals that China's AI ecosystem is decoupling at the silicon layer — deeper and more durable than model-level divergence.

The DoD-Anthropic dispute reveals a new category of operational risk: foundation model vendors can unilaterally revoke access based on their own values, not just SLA violations.

MAS, PBOC, and HKMA are independently arriving at similar AI governance requirements. Banks regulated by all three have a narrow window to build one superset framework instead of three silos.

Most AI governance frameworks are technically-focused risk checklists. Three structural risks are missing from almost all of them.

OpenAI took the Pentagon contract Anthropic refused. Your AI vendor just became a political statement — and enterprise procurement hasn't caught up.

I expected the hard parts to be the technical sections. They weren't. The governance sections were harder, and more useful.

Your AI governance framework is a routing spreadsheet pretending to be a compliance programme. Regulators will spot the difference.

Hong Kong has quietly run one of the most sophisticated GenAI experiments in global banking. Almost no one outside the region is paying attention.