This week Dario Amodei published an essay that I think people will point back to as a marker. For two years, the CEO of Anthropic argued that transparency was the right regulatory posture for AI: disclose the safety testing, report the incidents, let the evidence accumulate. This week he declared that era over. “The risks are clearly here,” he wrote, and the moment calls for “more serious and binding regulation of AI” (source). He proposes regulating frontier AI the way we regulate aviation: models tested by qualified third parties against real standards before they fly, with the authority to ground anything that fails.
What makes the essay powerful is not the list of proposals. It is that he earns them. Plenty of AI leaders have published calls for action that read as policy wish lists; this one builds the why underneath each mechanism. The argument runs: AI capability has compounded along a predictable exponential for a decade, the risks have moved from hypothetical to demonstrated, and the institutions meant to respond operate on cycles measured in years. Every proposal in the essay follows from that gap, and he shows his work at each step.
He opens with an image that earns its place: policy as Treebeard, Tolkien's wise tree-creature who takes a full day just to say hello, asked to respond to a technology that compounds monthly. It is the right image, and it is not only about government. Every enterprise has a Treebeard of its own. Yours is probably called the quarterly risk committee: wise, careful, and deliberating at committee speed about systems that decide at machine speed.
Critics may read self-interest into the essay: regulation favors incumbents, and the company proposing the testing regime can afford to pass it. Fair, as far as it goes. I built my firm around exactly this work, so when I tell you that governance and risk management matter, apply the same discount to me. What survives the discounting in both cases is the observable fact underneath the argument: the people closest to this technology, with the most visibility into what it can do, keep arriving at the same conclusion, that the era of governing AI through voluntary, informal approaches has stopped holding.
Whatever becomes of his proposals in Washington, here is the leap that matters for everyone else: regulation and governance are the same discipline operating at two altitudes. Regulation is governance imposed from the outside, once informal assurances stop being enough. Governance is regulation you apply to yourself, on your own terms, while it is still your choice. So the verdict just delivered about frontier labs, that transparency and informality cannot carry this technology anymore, applies with equal force inside the walls of every enterprise deploying AI. Here is the version of it I have watched from the inside for over 15 years.
Governance and risk management are not new concepts; what has changed is that companies can no longer get by with “good on paper” programs, improvised practices that hold until they don't, or minimum compliance requirements that are not aligned with the company's lived risk appetite.
To see why, set the corporate vocabulary aside for a minute and get into your car. The first thing you do, before a single conscious thought, is reach for the seat belt: an active choice that repetition has made implicit. The belt is a control that never prevented a crash in its life; it exists to minimize the consequences of one. And it is overridable: skip it, and sometimes nothing happens, until the day something very bad does. Pulling out, you check the mirror and judge the gap with no math at all. Steering assist detects your drift toward the line and nudges you back, and you can override that too. The airbag, you cannot.
And the same logic scales all the way up: the kind of car a company chooses to build decides which rulebook it lives under. Build a Formula 1 car and you answer to the FIA's technical regulations. Build a self-driving one and the regulatory perimeter multiplies. Build a family sedan and the rules still come standard. Choose the car, choose the rules; and whoever drives it owns the risk on the road regardless: laws to follow, a belt to buckle, oil to change. You drive differently at night, in rain, on the road where deer cross, not because a regulation says so but because you intend to arrive. That is all risk management has ever been: looking down the road at what could keep you from your destination, then removing it or steering around it. Risk intuition wrapped in layered controls, ownership that travels with the driver, rules set by what you chose to build: that is the entire architecture of governance, and every person and every company already operates a version of it, written down or not.
Risk management did not arrive with the EU AI Act, and how much of yours is written down depends almost entirely on which industry you grew up in. If you are in financial services or another regulated sector, you have had documented governance for decades: charters, committees, three lines of defense, model risk frameworks, examiners who check. If you grew up outside the regulated world, in software, retail, media, manufacturing, your governance has mostly lived in people's heads and habits, and it worked anyway. When an engineering lead holds a Friday release because something in the test results feels off, that is risk management. When a founder will not let a contract out the door without a second set of eyes, that is a control. When everyone in the sales organization knows which promises you never make to a customer, that is risk appetite, whether or not a sales playbook says so.
Here is the uncomfortable part, and it applies to both worlds. Even in the most heavily regulated institutions, the documented apparatus covers what regulators demanded, at the cadence regulators expected: quarterly committees, annual reviews, periodic validation. The day-to-day risk sense still runs on experienced human judgment: knowing which deal deserves a second look, knowing which customer promise never gets made. Watch a CEO pause over a decision they could simply hand to the risk committee: that pause is the informal layer working inside the formal one. The documentation describes the system; people run it. And in unregulated industries, people are typically the entire system.
So here is what AI actually changes, because it is not the informal layer that suddenly broke. The weak parts were always broken: the house of cards that looked good on paper but was never operationalized, the ad hoc practice that worked until the day it didn't, the controls that were theater, the risk decisions nobody could name an owner for. Companies got away with it because consequences surfaced slowly, over years, often after the people responsible had moved on. AI ends the getting-away-with-it twice over. It runs the risks you already had at machine speed and machine scale, with no hallway for the hesitation to happen in; the judgment your best people would have applied now executes ten thousand times before anyone looks up. And it shines a spotlight on every weak spot at once: the processes, the controls, the decision rights, the lived ownership versus the documented ownership, the organizational behavior, the workforce trust. None of those needs is new. The exposure is. Which is why the bar has quietly moved: the question is no longer whether you meet the minimum compliance requirement. It is whether you are methodical about your own risk because it serves you, regulator or no regulator.
Consider a pattern already showing up in consumer complaints: an automated system makes a small error, a charge, a booking, a profile detail. The old version of that error met a human who noticed it. The new version compounds confidently across accounts and identities, and by the time a human enters the loop, unwinding it takes months. Weaknesses that once took years to surface now surface in a quarter, in public. For the regulated firm, AI also outruns the formal layer: a quarterly committee cannot supervise a system making ten thousand decisions an hour, and AI risk cuts across functions the framework never mapped. For everyone else, the absence of any documented layer stops being survivable. Nothing about the underlying risk is novel. The speed, the scale, and the spotlight are.
What happens next: governance gets democratized
One of the quieter ideas in the essay deserves more attention than the headlines: regulatory markets, in which government does not inspect everything itself but authorizes qualified third parties to test and certify AI systems against standards. Whatever becomes of that specific proposal, the insight underneath it is correct and it generalizes: oversight cannot scale through central headcount. It scales by being distributed: to markets, to tools, and inside your company, to people far beyond the compliance department.
Inside a company, that distribution is what I call the democratization of governance, and I mean something specific by it. For decades, governance was a priesthood: a specialist function owned the frameworks, spoke the language, and audited everyone else on a schedule. That model assumed risk moved slowly enough for a small group to chase it. Democratization means that the core capability (the ability to evaluate a risk, name an owner, and reach a defensible decision) moves out of the priesthood and into the hands of everyone who proposes, builds, or approves AI: the product leader who can articulate a use case's risks in plain language, the deployment owner with named accountability for outcomes, the leadership team whose lived risk appetite (the one revealed by what they actually approve) matches the documented one.

I can say this with the authority of someone whose job title said I owned it. As a chief compliance officer, I could tell every driver in the company to fasten their seat belt. I could train them on the compliance requirements and how to apply them to their daily responsibilities. I could even do periodic ride-alongs in the passenger seat. What I could not do is fasten their seat belts for them, or drive their car. Risk is managed (or not managed) in the moment of operation, by the person operating. The specialist function does not disappear. It graduates: from being the bottleneck inside every decision to being the architect of the system that lets a thousand drivers drive well without it in the passenger seat.
A line from a popular television drama captures why this matters better than any framework diagram. A newly arrived executive, trying to rebuild a broken news network, says: “I want to build things, but I can't build them if the ground isn't level.” That is the state of most enterprises and AI right now: enormous appetite to build, on ground nobody has leveled. Shared, explicit governance is the leveling. It is the common foundation of decision rights, risk language, and appetite that lets many builders build at once without the structure coming down, and it is why the companies that treat governance as the foundation get to build faster than the companies that treat it as the inspection at the end.
The payoff is not safety theater. It is decision speed.
Here is what explicit governance actually buys you, and it is the part the overhead framing always misses. Most enterprises today do not have an AI risk problem so much as an AI decision problem: every proposed use case, whether trivial or existential, gets the same anxious committee treatment, because nobody can say with confidence which kind it is. The backlog grows, the shadow deployments multiply, and the organization manages to be slow and unsafe at the same time. The opposite failure runs in parallel: decisions that deserved real scrutiny move too fast, precisely because nothing forced the pause.
Explicit governance resolves that by arriving at clear decisions quickly, in whichever direction the facts and the risk analysis point: (1) a confident no, delivered early, before countless precious hours are burned; (2) a yes with conditions you can actually name and implement; or (3) an easy yes that nobody has to re-litigate next quarter and that can be confidently relied on. The measure of good governance is speed to resolution, not speed to approval. The companies that can tell those three answers apart, quickly and on the record, will simply out-decide the ones that cannot.
The work, concretely, is making the implicit explicit. A framework can help, but a framework alone will not do it; it only earns its keep once it is operationalized. Start by writing down what your organization already knows but has never stated. First, name the owners: who decides whether each consequential AI system ships, who decides that it continues running, and who owns the worst outcomes. Names on paper, in alignment with reality. Second, reconcile your risk appetite. The appetite your company actually runs on is the one revealed by what leadership approves, and it rarely matches the written statement. Close that gap yourself, before an incident or a regulator closes it for you. Third, build the inventory: write down everywhere AI is already making or shaping decisions in your business, completely. That knowledge exists today in people's heads, and the version in people's heads is exactly the version that no longer works.
I have spent over 15 years inside regulated industries doing what my titles called Risk & Compliance. I have come to believe the titles were the disguise. Deciding which risks a company can afford to take, and how fast it can afford to take them, was always the strategy job. AI did not change the nature of that work. It tore off the disguise and put a deadline on it.
The enterprises that win the AI era will not be the ones with the thickest compliance binders, and they will not be the ones that moved fast and broke things. They will be the ones that made their governance explicit while it was still a choice, because explicit governance is not overhead. It is how you get to the decision faster, and how you trust it once you are there.
That is also the honest case for compliance, which was never about virtue and never about doing what you were told. Managing your risk is strategic and self-serving, in the best sense: knowing the rules is what lets you play the game at all, and playing by them is what lets you play again tomorrow, and the day after that. The companies still building five years from now will be the ones that understood this early, not because someone made them.
Your people are already building. The only question is whether the ground under them is level.