The compliance trap: Why it doesn't guarantee good governance - Businessday NG

Boards often ask whether their organisations are compliant. It is an important question. Compliance establishes minimum standards, creates accountability, and helps organisations meet legal and regulatory obligations. No responsible board should dismiss its importance.

As AI becomes embedded in decision-making, compliance is becoming an increasingly inadequate measure of governance effectiveness. The more important question is whether the organisation is capable of governing the technology it deploys. That distinction may determine the difference between organisations that create sustainable value from AI and those that simply create new forms of risk.

The UK Post Office Horizon scandal offers a powerful lesson.

For years, the Post Office relied on a digital accounting system called Horizon. When discrepancies appeared, the system’s outputs were treated as authoritative. Hundreds of sub-postmasters were blamed for financial shortfalls they did not cause. Many were prosecuted, financially ruined, or suffered severe personal consequences.

What makes the case particularly relevant to today’s AI governance discussions is that the failure was not caused by the absence of governance structures. Policies existed. Reporting lines existed. Audit mechanisms existed. Processes existed. Yet the system continued to produce harmful outcomes. The problem was not the absence of compliance mechanisms, but that governance capability failed to keep pace with technological dependence. Warning signs were missed. Assumptions went unchallenged. Reports were accepted without sufficient scrutiny. Individuals who raised concerns struggled to be heard. The organisation trusted the system more than the people affected by it.