Transcript
Welcome to Control Alt AI. I'm Dimitri Sirota. On the show, I sit down with the leading voices of what's next in AI, data, and risk. We go beyond the buzz to unpack the real-world strategy shaping the future. Your shortcut to clarity in a world built on data and driven by intelligence. Every organization right now is asking the same question about AI, and it has nothing to do with which model to use or whether to build or buy. The question is, who's actually in charge of it? It sounds simple; it isn't. Because AI doesn't fit neatly into any single team. It touches security, it touches privacy, it touches legal, compliance, data engineering, it touches the board. And in most companies, everyone has a piece of it, which in practice can mean nobody really owns it. I've been having this conversation a lot lately with CISOs, with privacy leaders, with data governance professionals, and other people responsible for enterprise secure and responsible AI use. Today, I'm pulling together three of the most important conversations to give you something useful: a real picture of where organizations actually are on this question, and what the smartest people in the industry are doing about it today. You'll hear from Trevor Hughes, President of the IAPP, the Global Association of Privacy Professionals. You'll also hear from Heather Jalen, CISO of Box. And lastly, from Aksa Taylor, Chief Research Officer at Sakhar. So let's get into it.

AI is not a single thing. AI is an aggregation of many different issues. Without question, privacy is a hot topic in AI, but so is discriminatory outcomes, so is intellectual property, even competition and government access to data, the training data that goes into it, the explainability and transparency of algorithmic decision-making, the ability to put humans in the loop. There are dozens and dozens of things that we need to put into a good AI governance system. And it's not a single thing.
It's not just a single domain like privacy, but rather an aggregation of multiple domains that are coming together. And that's why one of the things that we are seeing amongst our member companies is that there are very few that have a single chief of AI governance, very, very few. The Chief Privacy Officer, sometimes the Head of Legal, sometimes the Head of Risk, sometimes the CISO, they're getting handed some of this AI risk, but it is more often that a committee is coming together, that there is a gathering inside organizations, a structure to make sure that AI is being governed appropriately. So I would say that we are seeing the early formative stages of AI governance inside organizations today. The maturity curve, I think, is still on the shallow beginning of the curve. We're not even in the steep uphill part of the maturity curve on AI governance yet, but many, many organizations are building as they implement and doing so quickly. They're throwing a bunch of resources at it.

That committee model is showing up everywhere right now. And here's the problem with it. Committees set principles, but principles don't actually govern anything day to day. Heather Jalen at Box has been thinking about exactly how and where the gap lives and what we need to do to fill it.

The challenging thing about where we are with AI is companies, they have security teams, they have privacy teams, they have compliance teams. Companies are really just starting to get folks that are dedicated to AI governance. So all of this governing that we've been doing has been by committee, I would say, in most organizations. You have some people from security, some people from engineering, some people from IT, some people from privacy, legal, compliance. And when you have this governance by committee and you have all these different teams involved, it can make things really difficult and even slow us down.
So I think one thing that's important is to just kind of recognize where we are in the industry with that. And these governance bodies, they should make guiding decisions, right? And they should make guiding principles that the organization should follow. But I think where we really struggle is if those governance committees become operational in nature, right? Then it just slows us down too much. So we have to be able to set the right principles and then we need dedicated AI governance professionals to be able to help enforce those and operationalize those.

Dedicated AI governance professionals, that's still a rare thing. And while organizations are working out the org chart, the actual exposure from AI is already here, because AI isn't waiting for anyone's governance committee to get stood up. Aksa Taylor at Sakhar put it in a way that I think reframes the whole conversation.

AI in itself, one thing to understand is that it's unavoidable now. However much you may want to say that, hey, I don't want to use AI right now or I'm not ready for AI, it's going to be used. Your employees are using it on their laptops, they're using prompts, they're probably uploading files. And also it's just become a part of lifestyle. And that's an acceptance that I think security leaders should have. So whether it's within your visibility or not, AI is invading the lives of people, identities, data, everything you're doing in the organization. And so the thing about securing AI needs to evolve as part of your standard security strategies across every pillar. And that means how are you creating your software? Are your developers using vibe coding tools or platforms? And what is the risk that may be introduced by that? You need to think about AI as a lifecycle problem and not just a point solution for one particular thing. It's not just about identities or just about data or just about sensitive credentials.
It needs to be your entire org strategy and it needs to be a part of your processes as well and not just part of your products.

An org-wide lifecycle problem. That's a big ask when you've got privacy, security, legal, compliance, and engineering all operating in their own swim lanes. Trevor Hughes had the sharpest description I've heard of what that actually looks like from the inside.

I had a chat last year with the chief privacy officer of a large telecommunications company and he said something really smart to me. He said, you know, Trevor, when I think about these silos of risk across the organization and I have to report to the board twice a year when they look at privacy risk, I have said to the board, this is the CPO speaking, that it is as if we are all medical professionals in an operating theater and we're all operating on the same patient but none of us are allowed to talk to each other. And so we all want the best outcome for the patient, but the fact that we all come from differing domains and don't speak the same languages has created real challenges for us in getting the right outcome for the patient. And I think in that is a nugget of truth that is very, very valuable. There are differing disciplines of risk management within organizations. We've highlighted some of them: GRC regulatory-type risk, security-type risk, operational risks, but there are others as well. Trust, kids' safety, consumer protection, you name it. If you are not creating a combined and cohesive approach to those risks, you don't know what you're missing. You don't know what's falling between the cracks and you don't know what's being lost in the translation between those domains. If your CISO is not having a conversation with your GC, your chief privacy officer, your AI governance officer, you are absolutely missing some of those risks that are absolutely there right now.

So what does it look like when a company starts to actually solve for this?
When they move beyond the committee and start embedding governance into daily work? I'll let Heather close it out.

You know, I'm talking to a lot of CISOs in this space. I'm seeing some actually start to build dedicated AI security functions. And I think that's a model that could definitely work. I also think there's a model that works where we recognize that AI is embedded into all of the security functions we perform, right? So if we look at our, you know, our platform security function at Box, AI is embedded into all areas of that. And we have people who are experienced in AI security risks in particular that are looking specifically at AI threat models for our AI products, for our agents that we roll out on our platforms. So for us, the model that we're going with is more of an embedded model, but that's not to say that a dedicated AI security function couldn't work. I think there are many scenarios in which that may be a better solution.

There is no single answer yet. And that's honestly the most honest thing you can say about where we are with AI. What I take from these three conversations is this: the organizations that are getting ahead of this aren't waiting for a perfect governance structure to drop from the sky. They're making deliberate choices about where accountability lives, they're standing by the people who own it day to day, and they're making sure that the teams that used to operate in parallel, i.e. security, privacy, legal, engineering, are actually in the same room. Whether that looks like a dedicated AI governance function, an embedded model, or something in between, it's going to depend on your organization. But the one thing that isn't an option is leaving it to the committee indefinitely. Thanks for listening to Control Alt AI. If this format worked for you, let us know, and make sure you subscribe, and don't miss the full-length conversations these clips come from. Leave us comments, and thank you again.
Well, that's it for today's episode of Control Alt AI. If you liked today's conversation, make sure to subscribe so you don't miss the next one. And for more insights on AI, data, and risk, visit bigid.ai. See you next time.