
BigID: Who Owns AI Governance in Your Organization?

BigID
07/01/2026

Transcript


Welcome to Control Alt AI. I'm Dimitri Sirota. On the show, I sit down with the leading voices of what's next in AI, data, and risk. We go beyond the buzz to unpack the real-world strategy shaping the future. Your shortcut to clarity in a world built on data and driven by intelligence. Every organization right now is asking the same question about AI, and it has nothing to do with which model to use or whether to build or buy. The question is, who's actually in charge of it? It sounds simple, it isn't. Because AI doesn't fit neatly into any single team. It touches security, it touches privacy, it touches legal compliance, data engineering, it touches the board. And in most companies, everyone has a piece of it, which in practice can mean nobody really owns it. I've been having this conversation a lot lately with CISOs, with privacy leaders, with data governance professionals, and other people responsible for enterprise secure and responsible AI use. Today, I'm pulling together three of the most important conversations to give you something useful, a real picture of where organizations actually are on this question, and what the smartest people in the industry are doing about it today. You'll hear from Trevor Hughes, President of the IAPP, the Global Association of Privacy Professionals. You'll also hear from Heather Jalen, CISO of Box. And lastly, from Aksa Taylor, Chief Research Officer at Sacker. So let's get into it.

AI is not a single thing. AI is an aggregation of many different issues. Without question, privacy is a hot topic in AI, but so is discriminatory outcomes, so is intellectual property, even competition and government access to data, the training data that goes into it, the explainability and transparency of algorithmic decision-making, the ability to put humans in the loop. There are dozens and dozens of things that we need to put into a good AI governance system. And it's not a single thing. It's not just a single domain like privacy, but rather an aggregation of multiple domains that are coming together. And that's why one of the things that we are seeing amongst our member companies is that there are very few that have a single chief of AI governance, very, very few. The Chief Privacy Officer, sometimes the Head of Legal, sometimes the Head of Risk, sometimes the CISO, they're getting handed some of this AI risk, but it is more often that a committee is coming together, that there is a gathering inside organizations, a structure to make sure that AI is being governed appropriately. So I would say that we are seeing the early formative stages of AI governance inside organizations today. The maturity curve, I think, is still on the shallow beginning of the curve. We're not even in the steep uphill part of the maturity curve on AI governance yet, but many, many organizations are building as they implement and doing so quickly. They're throwing a bunch of resources to it.

That committee model is showing up everywhere right now. And here's the problem with it. Committees set principles, but principles don't actually govern anything day to day. Heather Jalen at Box has been thinking about how exactly and where the gap lives and what we need to do to fill it.

The challenging thing about where we are with AI is companies, they have security teams, they have privacy teams, they have compliance teams. Companies are really just starting to get folks that are dedicated to AI governance. So all of this governing that we've been doing has been by committee, I would say, in most organizations. You have some people from security, some people from engineering, some people from IT, some people from privacy, legal, compliance. And when you have this governance by committee and you have all these different teams involved, it can make things really difficult and even slow us down. So I think one thing that's important is to just kind of recognize where we are in the industry with that. And these governance bodies, they should make guiding decisions, right? And they should make guiding principles that the organization should follow. But I think where we really struggle is if those governance committees become operational in nature, right? Then it just slows us down too much. So we have to be able to set the right principles and then we need dedicated AI governance professionals to be able to help enforce those and operationalize those.

Dedicated AI governance professionals, that's still a rare thing. And while organizations are working out the org chart, the actual exposure from AI is already here because AI isn't waiting for anyone's governance committee to get stood up. Aksa Taylor at Sacker put it in a way that I think reframes the whole conversation.

AI in itself, one thing to understand is that it's unavoidable now. Whether how much ever you may want to say that, hey, I don't want to use AI right now or I'm not ready for AI, it's going to be used. Your employees are using it, their laptops, they're using prompts, they're probably uploading files. And also it's just become a part of lifestyle. And that's an acceptance that I think security leaders should have. So whether in your visibility or not in your invisibility, AI is invading lives of people, identities, data, everything you're doing in the organization. And so the thing about securing AI needs to evolve as part of your standard security strategies across every pillar. And that means how are you creating your softwares? Are your developers using white coding tools or platforms? And what is the risk that may be introduced by that? You need to think about AI as a lifecycle problem and not just a point solution for one particular thing. It's not just about identities or just about data or just about sensitive credentials. It needs to be your entire org strategy and it needs to be a part of your processes as well and not just part of your products.

An org-wide lifecycle problem. That's a big ask when you've got privacy, security, legal, compliance, and engineering all operating in their own swivel lanes. Trevor Hughes had the sharpest description I've heard of what that actually looks like from the inside.

I had a chat last year with the chief privacy officer of a large telecommunications company and he said something really smart to me. He said, you know, Trevor, when I think about these silos of risk across the organization and I have to report to the board twice a year when they look at privacy risk, I have said to the board, this is the CPO speaking, that it is as if we are all medical professionals in an operating theater and we're all operating on the same patient but none of us are allowed to talk to each other. And so we all want the best outcome for the patient but the fact that we all come from differing domains and don't speak the same languages has created real challenges for us in getting the right outcome for the patient. And I think in that is a nugget of truth that is very, very valuable. There are differing disciplines of risk management within organizations. We've highlighted some of them. GRC regulatory type risk, security type risk, operational risks, but there are others as well. Trust, kids, safety, consumer protection, you name it. If you are not creating a combined and cohesive approach to those risks, you don't know what you're missing. You don't know what's falling between the cracks and you don't know what's being lost in the translation between those domains. If your CISO is not having a conversation with your GC, your chief privacy officer, your AI governance officer, you are absolutely missing some of those risks that are absolutely there right now.

So what does it look like when a company starts to actually solve for this? When they move beyond the committee and start embedding governance as a daily work? I'll let Heather close it out.

You know, I'm talking to a lot of CISOs in this space. I'm seeing some actually start to build dedicated AI security functions. And I think that's a model that could definitely work. I also think there's a model that works and we recognize that AI is embedded into all of the security functions we perform, right? So if we look at our, you know, our platform security function at Box, AI is embedded into all areas of that. And we have people who are experienced in AI security risks in particular that are looking specifically at AI threat models for our AI products, for our agents that we roll out on our platforms. So for us, the model that we're going with is more of an embedded model, but that's not to say that like a dedicated AI security function couldn't work. I think there's many scenarios in which that may be a better solution.

There is no single answer yet. And that's honestly the most honest thing you can say about where we are with AI. What I take from these three conversations is this, the organizations that are getting ahead of this aren't waiting for a perfect governance structure to drop from the sky. They're making deliberate choices about where accountability lives, they're standing by the people who own it day to day, and they're making sure that the teams used to operate in parallel, i.e. security, privacy, legal, engineering, are actually in the same room. Whether that looks like a dedicated AI governance function, an embedded model, or something in between, it's going to depend on your organization. But the one thing that isn't an option is leaving it to the committee indefinitely. Thanks for listening to Control Alt AI. If this format worked for you, let us know, and make sure you subscribe, and don't miss the full-length conversations these clips come from. We'll leave comments, and thank you again.

Well, that's it for today's episode of Control Alt AI. If you liked today's conversation, make sure to subscribe so you don't miss the next one. And for more insights on AI, data, and risk, visit bigid.ai. See you next time.

TL;DR

  • AI governance doesn't fit into a single department, requiring coordination across security, privacy, legal, compliance, and engineering teams, with most organizations currently using committee-based approaches that struggle with operational execution.
  • AI adoption is already widespread across organizations regardless of formal governance structures, with employees using AI tools daily, making it essential to treat AI as an organization-wide lifecycle problem rather than a point solution.
  • Successful organizations are moving beyond committees to either dedicated AI governance functions or embedded models that distribute AI expertise across existing teams, with the critical factor being clear accountability and cross-functional collaboration.
  • The industry remains in early-stage AI governance maturity, with very few companies having appointed dedicated Chief AI Governance Officers, creating risks from siloed teams operating without coordinated communication.

The AI Governance Challenge

Organizations face a fundamental question about AI that transcends technology choices: who is actually responsible for governing it? AI doesn't fit neatly into any single department, touching security, privacy, legal, compliance, data engineering, and board-level concerns simultaneously. Most companies have adopted a committee-based approach, bringing together Chief Privacy Officers, CISOs, legal heads, and risk managers to collectively oversee AI initiatives. However, this governance-by-committee model, while comprehensive in representation, often struggles with operational execution. Committees excel at establishing guiding principles but frequently become bottlenecks when they attempt to manage day-to-day AI governance activities. The industry is still in the early stages of AI governance maturity, with very few organizations having appointed a dedicated Chief AI Governance Officer.

The Reality of AI Exposure

AI adoption is already happening across organizations whether governance structures are ready or not. Employees are using AI tools on their laptops, uploading files to various platforms, and integrating AI into their daily workflows regardless of formal policies. This reality requires security leaders to accept that AI has become unavoidable and must be integrated into standard security strategies across every organizational pillar. The challenge extends beyond isolated concerns about identities, data, or credentials—it requires treating AI as an organization-wide lifecycle problem that spans software development, operational processes, and risk management. The siloed nature of risk management creates a critical gap, with privacy, security, legal, and compliance teams operating like medical professionals in the same operating theater who aren't allowed to communicate with each other.

Emerging Governance Models

Forward-thinking organizations are moving beyond indefinite committee structures toward more actionable governance frameworks. Two primary models are emerging: dedicated AI security functions with specialized teams focused exclusively on AI governance, and embedded models where AI security expertise is distributed across existing security functions. Companies like Box have adopted the embedded approach, integrating AI-specific threat modeling and risk assessment into platform security teams while ensuring personnel have specialized AI security experience. The key differentiator for successful organizations isn't the specific structural choice but rather making deliberate decisions about where accountability lives, empowering dedicated professionals to operationalize governance principles, and ensuring cross-functional teams that traditionally operated in parallel—security, privacy, legal, and engineering—are actively collaborating in the same room.

Chapters

0:00 - Introduction
0:21 - The AI Ownership Question
1:21 - Trevor Hughes on AI Governance Complexity
3:17 - Heather Jalen on Committee Challenges
4:42 - Aksa Taylor on AI as Unavoidable
6:04 - Siloed Risk Management Problem
7:42 - Emerging Governance Models
9:25 - Closing Thoughts

Key Quotes

1:51 "AI is not a single thing. AI is an aggregation of many different issues."
2:09 "There are very few that have a single chief of AI governance, very, very few."
4:11 "If those governance committees become operational in nature, right? Then it just slows us down too much."
4:44 "AI in itself, one thing to understand is that it's unavoidable now. Whether how much ever you may want to say that, hey, I don't want to use AI right now or I'm not ready for AI, it's going to be used."
6:26 "It is as if we are all medical professionals in an operating theater and we're all operating on the same patient but none of us are allowed to talk to each other."

FAQ

Should AI governance be a dedicated function or embedded across existing teams?

Both models can work depending on organizational context. Some companies are building dedicated AI security functions with specialized teams, while others like Box embed AI expertise across existing security functions. The critical factor isn't the structure itself but ensuring clear accountability, empowering professionals to operationalize governance daily, and facilitating cross-functional collaboration between security, privacy, legal, and engineering teams.

Why do governance committees struggle with AI oversight?

Committees excel at setting guiding principles and strategic direction but become bottlenecks when they attempt operational governance. When committees composed of privacy, security, legal, compliance, and engineering representatives try to manage day-to-day AI decisions, the process slows significantly. Organizations need committees for strategic guidance but require dedicated AI governance professionals to operationalize those principles effectively.

