I ask this question a lot lately: who took a self-driving car to work today?

Nobody. And that's kind of the point.

There's a version of the AI conversation in financial services that treats the technology like it's going to take the wheel completely. That's not what we're seeing in practice, and it's not how we think about it at Orion. AI is the GPS. It gets you where you want to go faster. It flags things you might miss. But you're still driving.

The reason I open with that framing is that the actual problem most firms face right now has nothing to do with the technology. The tools exist. The capabilities are real. What's holding firms up is organizational readiness — specifically, governance.

Many firms using AI today are still in the early stages of establishing formal governance programs. Most are still in what I call pilot purgatory: experimenting, but not yet structured to scale. That gap isn't going to close by acquiring a better AI tool. It closes when compliance gets its house in order first.

 

What AI Does Well — and Where It Stops

It's worth being direct about this, because the hype makes it easy to over-index in both directions.

AI is genuinely strong at pattern recognition, communication surveillance, text and image analysis, and processing large volumes of material to surface what needs a closer look. It catches things humans miss. At scale, that's enormously valuable.

Where it falls short is anywhere nuance and intent matter. Compliance professionals often need to evaluate context and intent in addition to the written rule. Understanding that difference is the job of Adam, the fictional CCO we use to walk through these scenarios. He isn't worried about being replaced. He's thinking about how to stay the decision-maker while AI handles the volume.

That's the right orientation. Compliance stays in the loop. AI accelerates the workflow.

 

Getting the Governance Foundation Right

Before any of the exciting stuff becomes possible, Adam needs centralized documentation, updated policies, and a governance framework he can actually point to. Spreadsheets and shared drives get firms part of the way there. They don't scale.

Within Orion Compliance, the Library gives Adam a structured document repository where he can manage versions of his AI governance framework, link to it from certifications and testing controls, and give his team a single place to work from. It's not glamorous, but it's foundational. You can't demonstrate readiness without it.

 

Vendor Due Diligence at Scale

Every compliance team is getting requests right now. Everyone at your firm wants to adopt some new AI tool, and Adam is the one who has to evaluate whether that's safe. Doing that through email threads and spreadsheets works until it doesn't.

Certifications inside Orion Compliance let Adam build a customized set of questions and send them to anyone with a valid email address — including external vendors. He can build an ethical AI certification that asks vendors directly: how are you handling data? What's your governance around the model? How are you mitigating bias? The responses pull back into the system automatically, run through a workflow, and produce on-demand reporting.

It turns a reactive, ad hoc process into something consistent and auditable.


 

Holistic Risk Assessment

Vendor sign-offs are one piece. But Adam also needs a macro view: across his entire compliance program, where does AI introduce risk, and what controls is he using to mitigate it?

The Risk Assessment module in Orion Compliance lets him define risk categories — data management and privacy, model bias, books and records — and attach specific identified risks to each one. He can weight them on a scale that fits how his firm actually works: one weighting column or six, depending on the complexity of the program. As he reviews a time period, exceptions bubble up automatically and link back to the controls he's already documented.

The result is something he can actually show a regulator. Not a spreadsheet with VBA macros. A documented, auditable record of how his firm evaluates AI risk and what it's doing about it.

 

The AI Washing Problem

This is getting more attention, and rightfully so. Firms have been called out for making AI claims in marketing material they can't actually support. From a compliance standpoint, that's a real exposure.

The Forms module gives Adam a structured intake process for marketing review. Marketing submits a piece. Adam can review the questions and answers, open the attachment, approve or return it with comments, and the exchange becomes an exportable audit trail. Who was involved. What changes were made. What got approved.

That audit trail is the answer when someone asks: are we using AI the way we say we're using it?

 

AI-Powered Marketing Review: The Use Case That's Actually Taking Hold

Of everything we're building and watching in compliance, AI-powered marketing review is the most widely adopted use case right now. The reason is practical: it immediately reduces friction.

As AI-assisted marketing review capabilities continue to emerge across the industry, these tools can analyze materials, flag missing disclosures, call out language that may need to change, and surface potential issues before compliance review. Compliance then reviews a cleaner submission, makes the final call, and moves on. Responsibility for the final review and approval stays with compliance.

The human is still in the loop. The review still happens. It just doesn't require ten rounds of email.

 

Bringing It Together: The Campaign Module

At some point, Adam has all the pieces — governance framework, vendor certifications, risk assessment, testing controls — and he needs to manage them as one program, not as separate workflows that happen to share a topic.

The Campaign module does exactly that. He packages his AI readiness controls into a single campaign, delegates them in whatever sequence makes sense, and gets one unified view of findings, comments, and sign-offs. It's the difference between managing a compliance program and managing a checklist.

 

The Honest Summary

AI governance in compliance isn't a technology problem. It's an organizational one. The firms that will get the most out of AI are the ones that do the unglamorous work first: build the framework, establish the processes, run the assessments, get the documentation in order.

Once that foundation is in place, the technology pays off. Pattern recognition gets faster. Marketing review gets streamlined. Risk reporting becomes something you can actually export on demand.

Adam stays in the driver's seat. AI keeps him from missing the turn.
