By Monte Fisher, CPA (Ret.), CFE  ·  Find your business's blind spots — take the free assessment →
AI Governance: The first rule is know who you're doing business with. In most of Asia, that's legally impossible. Here's what you can actually do — and why veterans need to read this too.
AI Governance · Forensic Accounting · Controls & Evidence · 2026

AI Governance Is a Fraud Problem.
Most People Govern It Like a Policy Problem.

A technologist asks whether the model is fair. A lawyer asks whether it is compliant. A forensic accountant asks a colder question: when this fails, where is the evidence, who had control, and can we prove it. That question builds a different kind of governance.

By Monte Fisher, CPA (Ret.), CFE  ·  Fisher Governance  ·  June 2026

Most AI governance is written by two kinds of people. Technologists, who ask whether the model performs and whether it is fair. And lawyers, who ask whether it complies with the rules that apply. Both questions are necessary. Neither is the question a fraud examiner asks first.

A Certified Fraud Examiner walks into the same room and asks something colder: when this goes wrong, where is the evidence, who had control at the moment it happened, and could we actually prove it to someone who was not there?

That is not cynicism. It is a discipline. Forensic accounting exists because things go wrong, records get reconstructed after the fact, and the difference between an explanation and a defense is whether the evidence was captured while it was still true. Bring that habit to AI governance and the whole exercise changes shape.

Governance built to answer "is it fair?" and governance built to answer "can we prove what happened?" are not the same system. Most organizations have only built the first.

Policy governance vs. forensic governance

Policy governance asks whether you have the right rules. Do you have an AI policy? A bias-testing standard? A model inventory? A human-in-the-loop requirement? These are good things to have, and most maturity models are organized around collecting them.

Forensic governance asks a different question about the same rules: if this policy were violated, would you know? And could you prove who, when, and what? A policy that cannot be evidenced is not a control. It is an intention. Fraud examiners learn early that the org chart of who is supposed to do what is nearly worthless in an investigation; what matters is the record of what was actually done, by whom, with what authority.

Applied to AI, that reframes the standard governance artifacts:

1

Audit trail before accuracy

The first forensic question is not "is the model right." It is "when the model acts, is there a durable, tamper-evident record of the inputs, the version, the decision, and the human who did or did not review it." If the answer is no, every downstream governance claim is unprovable.

2

Segregation of duties, applied to models

In accounting, the person who approves a payment cannot be the person who creates the vendor. In AI, the team that builds and benefits from a model should not be the only team that validates and monitors it. When those roles collapse into one, you have not just a bias risk — you have removed the check that would have caught it, and the incentive to look.

3

Control testing, not control listing

A list of controls is a claim. A test of controls is evidence. Forensic governance samples: pull ten real decisions, trace each back through the audit trail, and confirm the control actually operated. The gap between "we require human review" and "human review happened, and here are the ten records that prove it" is exactly the gap an investigation exposes.

4

Assume reconstruction

Build every AI process as if someone will one day have to reconstruct exactly what happened, from the records alone, without asking anyone. That single assumption — standard in forensic work, rare in AI deployment — forces the logging, the versioning, and the approvals that turn a governance policy into a governance defense.

Why the mindset matters more than the framework

None of this replaces NIST AI RMF, ISO 42001, or a good AI policy. It changes how you read them. A technologist reads a control and asks how to implement it. A lawyer reads it and asks whether it satisfies the rule. A fraud examiner reads it and asks: if a regulator, a plaintiff, or an internal investigator demanded proof this control operated on a specific date, could we produce it in an afternoon, or would we be reconstructing it under pressure while our credibility drained away?

That question is uncomfortable, which is why it is valuable. It is the question that separates organizations that have governance from organizations that can demonstrate it — and in AI, where decisions are automated at scale and the failure blast radius is large, the ability to demonstrate is the entire point.

You do not rise to the level of your AI policy. You fall to the level of your evidence.

The practical takeaway

If you are building or reviewing AI governance, run one forensic test on it: pick a single automated decision your system made last week and try to reconstruct it end to end from the records alone — the inputs, the model version, the logic, the human checkpoint, the outcome. If you can, your governance is real. If you cannot, you have a policy, not a control, and you will find that out at the worst possible moment.

The technologists will make the model better. The lawyers will keep it compliant. Someone in the room has to ask the fraud examiner's question — and answer it before it is asked under oath.