The Big Red Stop Button: Who Really Decides the Fate of AI in Your Company?
- Robert Westmacott
- Aug 6
- 4 min read

There’s a war in your company.
No smoke. No sirens.
Just quiet moves and sharper elbows.
Tech wants speed.
Compliance wants safety.
Both want to keep their jobs.
GenAI didn’t ask permission.
It arrived like a gust of cold air.
Everyone felt it.
Nobody agreed what to do next.
Tech says: move first. Learn fast. Win.
Compliance says: slow down. Read the rules. Survive.
They’re both right.
They’re both wrong.
That’s the problem.
The org chart lies
Budgets live with Tech.
Veto power lives with Compliance.
Influence lives with whoever briefed the CEO last.
The CIO who brings numbers.
The CISO who brings headlines.
Guess which one the board fears more.
Answer: it depends on the week.
The myths that keep the fight alive
Compliance isn’t anti-innovation.
They’re anti-career-ending-mistakes.
Tech isn’t reckless.
They’re allergic to being left behind.
Both sides caricature the other.
It’s easier than listening.
The Big Red Stop Button
Every project has a moment.
One meeting.
One slide.
One sentence that tips it.
Compliance can freeze it: “Regulatory exposure.”
Tech can force it: “Table stakes. Competitors are live.”
You’ve seen it.
You’ve felt it.
That pause before someone blinks.
What’s really driving this
Not policy.
Not even strategy.
Personal risk.
Tech wants a legacy.
Compliance wants plausible deniability.
So tech runs pilots in the shadows.
Compliance runs the clock in the open.
Each calls it “prudence.”
Each means “self-preservation.”
Shadow AI: the office black market
Marketing has it.
Sales has it.
Your analysts have had it for months.
It’s faster.
It works.
It’s unapproved.
Tech hates the sprawl.
Compliance hates the risk.
The business loves the results.
Bring it into daylight.
Or keep losing to your own employees.
Regulator as weapon
Compliance wields “the rules.”
Tech wields “the market.”
Both are persuasive.
Both are incomplete.
The truth lives between a consent order and a missed quarter.
The false-flag pilot
“Just a sandbox.”
“Internal only.”
“Limited scope.”
Six weeks later it’s saving time and money.
Now it’s politically untouchable.
Funny how that happens.
Boardroom theatre
Act I: Catastrophe.
Act II: Gold rush.
Intermission: confusion.
Most boards don’t speak AI or regulatory.
They speak risk-adjusted outcomes.
Give them that in plain English.
You’ll get the vote.
When it works: harmony in the wild
Morgan Stanley, wealth management.
Tech built with controls; Compliance set the guardrails.
They ran expert evals, grounded answers in firm content, and matched entitlements to user permissions.
Result: a Copilot that’s useful and defensible. That’s partnership, not theatre.
*Source: Morgan Stanley, OpenAI
PwC, ChatGPT Enterprise at scale
First global reseller. Largest enterprise user.
Security, SOC 2, SSO, admin controls.
Tech operationalised. Compliance codified.
Governed rollout, not a free-for-all.
*Source: PwC, AI Magazine
A&O Shearman, with Harvey
Lawyers + engineers built agentic workflows for complex legal tasks.
Grounded in firm precedents. Guardrails for confidentiality.
A real co-design between risk owners and tool builders.
Output: faster senior-grade work without torching client trust.
*Source: Financial Times, A&O Shearman
JPMorgan, the turn
They banned public ChatGPT. Then launched an internal LLM suite with controls for 200k staff.
Same ambition. Better venue.
Tech and Compliance met in the middle, inside the fence.
*Source: Investopedia, The Wall Street Journal
Why “joined-up” thinking is rare
Incentives are misaligned.
Tech is paid for speed.
Compliance is paid for nothing bad happening.
You can’t fix culture with memos.
You fix it with shared outcomes.
The unholy alliance
Sometimes they team up.
Not for virtue.
For velocity.
They bypass a third faction (procurement, HR, finance) to land the plane.
If you’re the CEO, don’t punish it.
Productise it.
Then document it.
The playbook (use it or lose to someone who does)
1) One scorecard.
Tie innovation and safety to the same OKRs.
If either side can win alone, the company loses together.
2) Joint approval sprint.
Cross-functional triage that clears low-risk pilots in five days.
Not five months.
3) Ground the model.
RAG over your own gold-standard content.
No orphaned data. No mystery sources.
Compliance will sleep at night.
4) Permissions first, magic later.
Fix access before features.
Over-permissioned tenants are how data leaks become headlines.
5) Pseudonymise at the edge. (Optional but highly recommended)
Mask sensitive fields before they ever hit an LLM.
Reverse on return.
You keep context. You lose exposure.
6) Visible shadow.
Catalog every unapproved AI use.
Bless the good. Block the reckless.
Make it boring to go rogue.
7) Kill switch, real one.
Define the thresholds.
Who pulls it. What triggers it.
No surprises. No heroics.
8) Prove it works.
Do live evals.
Compare model answers to experts.
Publish the deltas.
You’ll earn the right to scale.
9) Audit trails or it didn’t happen.
Prompts, outputs, plugins, data sources.
If you can’t reconstruct it, you can’t defend it.
10) Tell the board the truth.
No hype. No doom.
Show how the guardrails make the economics better, not worse.
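Items 5 and 9 above describe a technique rather than a policy, so here is an added example (not code from the author or from any of the firms named) of what "pseudonymise at the edge" and "audit trails or it didn't happen" look like in practice. The field patterns, the token format and the `llm` callable are assumptions for illustration; the sample prompt is constructed.

```python
import re
import hashlib
from datetime import datetime, timezone

# Sensitive fields masked before the prompt leaves the tenant.
# Constructed for this example; a real deployment tunes these to its own data.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ACCOUNT": re.compile(r"\b\d{8,12}\b"),   # assumed account-number shape
}


class EdgePseudonymiser:
    """Swap sensitive values for stable tokens on the way out, reverse them on return."""

    def __init__(self):
        self.forward = {}   # real value -> token
        self.reverse = {}   # token -> real value

    def mask(self, text):
        for label, pattern in PATTERNS.items():
            def swap(match):
                value = match.group(0)
                if value not in self.forward:          # same value, same token
                    token = f"<{label}_{len(self.forward) + 1}>"
                    self.forward[value] = token
                    self.reverse[token] = value
                return self.forward[value]
            text = pattern.sub(swap, text)
        return text

    def unmask(self, text):
        for token, value in self.reverse.items():
            text = text.replace(token, value)
        return text


def audit_record(prompt, masked_prompt, raw_output, sources):
    """One reconstructable entry: what left the edge, what came back, which sources."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "masked_prompt": masked_prompt,
        "raw_output": raw_output,
        "sources": list(sources),
    }


def guarded_call(prompt, llm, sources):
    """Mask, call the model (any callable), unmask, and keep the audit record."""
    pseud = EdgePseudonymiser()
    masked = pseud.mask(prompt)
    raw = llm(masked)                     # only pseudonymised text reaches the model
    return pseud.unmask(raw), audit_record(prompt, masked, raw, sources)
```

The model never sees the real e-mail address or account number, the user still gets them back in the answer, and the record holds the masked prompt rather than the original so the log itself does not become a second leak.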
The cadence of control (a lightweight operating model)
Weekly: pilot stand-up.
Monthly: risk and results review.
Quarterly: scale or sunset.
Annually: reset the guardrails.
Short cycles.
Small bets.
Documented wins.
Defensible decisions.
What to say the next time the room goes quiet
“We will move fast and stay safe.”
“Here are the controls.”
“Here is the value.”
“Here is the kill switch.”
Then stop talking.
Let the work speak.
The final beat
If you hand AI to Tech alone, you get speed without a seatbelt.
If you hand it to Compliance alone, you get policy without progress.
Give them the same goal.
Give them the same numbers.
Make them win together.
That’s how you keep fingers off the Big Red Stop Button.
That’s how you decide the fate of AI in your company - on your terms.