Data Breach TodayArchived May 29, 2026✓ Full text saved
GSK's Nancy Paul on Why Static Governance, Risk and Compliance Fail in AI Era Traditional governance, risk and compliance principles still hold, but periodic, checklist-driven governance is a dangerous mismatch for AI systems that continuously evolve and make millions of decisions per second, said Nancy Paul of GSK.
Full text archived locally
✦ AI Summary· Claude Sonnet
Artificial Intelligence & Machine Learning , Governance & Risk Management , GRC
AI Is Making Decisions. Who's Owning Them?
GSK's Nancy Paul on Why Static Governance, Risk and Compliance Fail in AI Era
Suparna Goswami (gsuparna) • May 29, 2026
Credit Eligible
Get Permission
Video Player
00:00
00:00
Nancy Paul, principal, governance, risk and compliance, GSK
Traditional governance, risk and compliance fundamentals, which include risk-based thinking, change management, incident response and continuous assurance, still hold in an artificial intelligence-driven environment. What must change is the assumption that systems remain predictable after deployment, said Nancy Paul, principal, governance, risk and compliance at pharmaceutical manufacturer GSK.
See Also: Know Thy Enemy: Threats to Cyber Resilience
"We have to wake up. And in a dynamic AI environment, we cannot have a static governance. It will become a dangerous mismatch. Traditional things have to be there, but the stasis has to go," Paul said. "For governance to be effective, it must be embedded in the workflow itself and not treated as a document or a review checkpoint. Teams need to know who approves decisions, what testing is mandatory and where accountability sits before incidents occur, not after."
When no single function controls the outcome, accountability gets lost between teams. The most effective governance model maps roles across the full decision life cycle early, so when something goes wrong, the organization already knows who owned what, she said.
In this video interview with ISMG, Paul also discussed:
Why AI traceability requires preserving decision lineage, not just documentation;
How governance must evolve from compliance theatre to operational controls;
Why AI governance is now a board-level conversation requiring a top-down approach.
Paul is a GRC professional with 15 years of experience across highly regulated industries. Her expertise spans AI governance, privacy, audit and assurance, cloud governance, incident management, and regulatory frameworks, including HIPAA, ISO 27001, SOC 2, GDPR and MDSAP.