The compliance trap: Why it doesn’t guarantee good governance

Boards often ask whether their organisations are compliant. It is an important question. Compliance establishes minimum standards, creates accountability, and helps organisations meet legal and regulatory obligations. No responsible board should dismiss its importance.

As AI becomes embedded in decision-making, compliance is becoming an increasingly inadequate measure of governance effectiveness. The more important question is whether the organisation is capable of governing the technology it deploys. That distinction may determine the difference between organisations that create sustainable value from AI and those that simply create new forms of risk.

The UK Post Office Horizon scandal offers a powerful lesson.

For years, the Post Office relied on a digital accounting system called Horizon. When discrepancies appeared, the system’s outputs were treated as authoritative. Hundreds of sub-postmasters were blamed for financial shortfalls they did not cause. Many were prosecuted, financially ruined, or suffered severe personal consequences.

What makes the case particularly relevant to today’s AI governance discussions is that the failure was not caused by the absence of governance structures. Policies existed. Reporting lines existed. Audit mechanisms existed. Processes existed. Yet the system continued to produce harmful outcomes. The problem was not the absence of compliance mechanisms, but that governance capability failed to keep pace with technological dependence. Warning signs were missed. Assumptions went unchallenged. Reports were accepted without sufficient scrutiny. Individuals who raised concerns struggled to be heard. The organisation trusted the system more than the people affected by it.

The lesson for boards is profound.

Governance is not measured by the existence of policies. It is measured by an organisation’s ability to detect when reality diverges from assumptions. This is where AI presents a new challenge. Many organisations are currently focused on developing AI principles, responsible AI policies, regulatory controls, and compliance frameworks. These are important foundations. They establish guardrails and help create consistency in how systems are deployed and monitored. But governance cannot stop there.

An organisation can have an AI policy and still make poor decisions. It can complete risk assessments and still miss emerging risks. It can comply with regulations and still undermine customer trust. It can implement controls and still fail to intervene when systems behave in unexpected ways. The danger is that compliance can create the illusion of safety.

Boards may receive dashboards showing completed assessments, approved policies, training metrics, and audit results. All of these indicators may suggest that governance is functioning effectively. Yet none of them answer the question that matters most:

Can the organisation recognise when the system is producing outcomes that conflict with its objectives, values, or responsibilities?

That is a capability question.

As AI systems become more influential in workforce decisions, customer interactions, operational processes, and strategic planning, boards must expand their understanding of what governance requires.

The governance challenge is no longer simply ensuring that rules are followed. It is ensuring that the organisation remains capable of exercising judgement, maintaining accountability, and intervening when necessary.

This requires a different mindset.

Instead of asking whether AI systems are compliant, boards should ask whether the organisation can explain, challenge, monitor, and adapt them.

• Can management identify when outcomes begin to drift from expectations?
• Can employees safely challenge system outputs?
• Can decisions be reconstructed and defended?
• Can leadership intervene before small failures become systemic ones?
• Can the organisation distinguish between technical performance and real-world impact?

These questions move governance beyond compliance and into organisational capability.

This shift is particularly important in emerging markets. Many organisations are adopting increasingly sophisticated AI systems while governance practices are still evolving. This creates an opportunity to avoid mistakes made elsewhere by building governance capabilities alongside technology adoption rather than after failure occurs.

The organisations that succeed in the AI era will not be those with the longest policies or the most comprehensive compliance checklists. They will be the ones that develop the institutional capability to question assumptions, surface concerns, challenge outcomes, and respond effectively when technology behaves differently than expected.

Compliance tells us whether rules were followed. Governance determines whether people, truth, and the organisation itself are protected.

The Horizon scandal reminds us that an organisation can appear compliant while causing profound harm in practice. AI makes that lesson even more relevant because its decisions can operate at greater speed, scale, and complexity.

For boards, the responsibility is becoming clear.

The corporate governance of AI cannot be reduced to regulatory compliance. It must focus on building organisations capable of exercising sound judgement, maintaining meaningful oversight, and preserving accountability as technology becomes more powerful.

 

Amaka Ibeji, Founder of DPO Africa Network, is a Boardroom Qualified Technology Expert and Digital Trust Visionary. She advises boards, regulators, and organisations on privacy, AI governance, and data trust, while coaching and fostering leadership across industries. Connect: LinkedIn amakai | [email protected]