AI GOVERNANCE / FIELD GUIDE

COWBOY CARL & CAREFUL CAROL

A Grown-Up's Guide to AI in GRC | Issue #021

By The Illumenati Team | June 4, 2026 | 7 min read

THE ILLUMENATI · Vol. MMXXVI · No. 021 · The GRC Funnies
Cowboy Carl and Careful Carol, a comic-strip guide to good and bad AI in GRC
Two coworkers. One AI tool. Two very different ways to use AI in GRC.

AI IN GRC, MEET GOOFUS AND GALLANT

My dad subscribed to Highlights magazine when he was a kid. Decades later, he subscribed again — this time for my kids. Now the issues land in our mailbox and we tear into them before we are even back inside the house.

Last week we turned to Goofus and Gallant, the two-panel cartoon where one kid does everything wrong and the other does it right. The nostalgia hit me sideways. Then a less wholesome thought arrived: Goofus grew up. He got a laptop, a corporate login, and a chatbot tab — and he is absolutely running amok in somebody's compliance department.

I know this because I have met him. I have watched sharp people shove AI into GRC problems it has no business touching — fast, confident, and one prompt away from a breach report. The tool is not the problem. The way they use it is.

So here is the grown-up edition. Meet Cowboy Carl and Careful Carol. Same tool. Same deadline. Six rounds. Two very different outcomes.

Cowboy Carl & Careful Carol · Round One

The Copy-Paste Cowboy

Shadow AI in GRC: Carl pastes a SOC 2 report into a public chatbot while Carol uses a sanctioned, logged tool
COWBOY CARL

Pastes the customer's SOC 2 report into a free public chatbot to "summarize it real quick." That data now lives on someone else's servers — and maybe in someone else's training set.

CAREFUL CAROL

Runs the same summary through the company's sanctioned model. Data-loss protection on, audit logging on, nothing crosses the boundary.

The difference: Carl saved five minutes. Carol kept the company out of a breach report. IBM puts the shadow-AI tax at an average of $670,000 added to every breach it touches.

Cowboy Carl & Careful Carol · Round Two

The Rubber-Stamp Robot

Human-in-the-loop AI in GRC: Carl lets an AI auto-approve access while Carol keeps a human decision-maker
COWBOY CARL

Wires an AI agent straight into the access-request queue and lets it approve grants at runtime. No human ever lays eyes on them.

CAREFUL CAROL

Lets the AI draft the recommendation and surface the risk — then a human makes the call and signs their name to it.

The difference: a human in the loop. The EU AI Act's high-risk rules — enforceable August 2, 2026 — require exactly that, with penalties up to €35M or 7% of global revenue.

Cowboy Carl & Careful Carol · Round Three

The Phantom Control

AI hallucination in GRC: Carl ships a hallucinated control in his SSP while Carol verifies evidence first
COWBOY CARL

Asks the AI to "write the SSP" and pastes whatever comes back. It confidently cites a control the company has never actually implemented.

CAREFUL CAROL

Uses the AI to draft, then checks every claim against the real system and links the real evidence before anything reaches the auditor.

The difference: Carol's evidence exists. Modern auditors want active discovery, not self-attestation — and a hallucinated control is a finding waiting to happen.

Cowboy Carl & Careful Carol · Round Four

The Keys to the Kingdom

Agentic AI in GRC: Carl gives an agent god-mode keys while Carol scopes least privilege and logging
COWBOY CARL

Spins up an autonomous agent with a god-mode API key "to automate compliance," then forgets it is running.

CAREFUL CAROL

Gives her agent least-privilege scopes, an inventory entry, and full logging — so it can act, but only inside the fence.

The difference: blast radius. NIST launched its AI Agent Standards Initiative in February 2026 precisely because ungoverned agents are the new insider threat.

Cowboy Carl & Careful Carol · Round Five

The Open Door

Prompt injection in GRC: Carl's agent acts on a malicious email while Carol treats model input as untrusted
COWBOY CARL

Points his agent at inbound vendor email and lets it act on whatever it reads. A booby-trapped message tells it to export the data room — so it does.

CAREFUL CAROL

Treats every model input as untrusted, sandboxes tool use, and never lets the agent act on instructions hidden in the content it reads.

The difference: prompt injection is the new SQL injection. It sits at the top of the OWASP Top 10 for LLMs for a reason.

Cowboy Carl & Careful Carol · Round Six

The "We'll Deal With It Later" Desk

AI governance in GRC: Carl has no AI inventory while Carol maps her program to NIST AI RMF and ISO 42001
COWBOY CARL

Has no AI inventory, no AI policy, and no idea how many tools the team is quietly using. "We'll govern it once it matters."

CAREFUL CAROL

Keeps a living AI inventory and maps her program to NIST AI RMF and ISO 42001 — so "it matters" never catches her off guard.

The difference: a paper trail. Gartner expects AI-related legal claims to top 2,000 by the end of 2026. Carol's program is the cheapest insurance she will ever buy.

HOW TO USE AI IN GRC WITHOUT BECOMING CARL

Here is the part the comic strip never said out loud: Carl is not stupid. He is in a hurry. Every one of his disasters started as a reasonable attempt to move faster on a real deadline.

The whole job of a GRC program is to make Carol's way the fast way too — sanctioned tools that are easier to reach than the shady ones, guardrails that do not require a meeting, and governance that runs at the speed of the business. We wrote more about the regulatory side of this in our breakdown of the EU AI Act timeline.

Do that, and the next person reaching for AI on a deadline reaches for the safe option by default. That is not bureaucracy. That is just good design — the kind that would have made the magazine.

✦ THE END ✦ STAY ENLIGHTENED ✦

Sources

  1. Cost of a Data Breach Report — IBM, 2025
  2. The EU Artificial Intelligence Act — high-risk obligations, August 2, 2026
  3. AI Risk Management Framework & AI Agent Standards Initiative — NIST
  4. Top 10 for Large Language Model Applications — OWASP
  5. ISO/IEC 42001 — AI Management System — ISO
  6. Gartner forecast: AI-related legal disputes to exceed 2,000 by end of 2026 — Gartner