AI Governance
By Rob Foxx
In the past few years, our world has turned a corner with new trends in technology. Unless you have been living a simpler and happier life than the rest of us, you have either had an encounter with or a conversation about Artificial Intelligence (AI). There has been a lot of talk and speculation about what that means for the workforce. Will it replace traditional workers? Will it bring about the end of all things? Or something in the middle? Knowing the extent of its capabilities is important to its implementation. More importantly, how will we manage, limit, and protect ourselves from AI and its implementation? One of the best ways to answer these questions is with AI Governance.
AI is a wonderful tool. It is capable of completing work in just seconds that would normally take humans hours or days. AI can draft legal documents, policies, emails, and so much more, ranging from the extraordinary to the mundane. This is not to say you can remove your workforce. You could ask AI to explain how to perform a heart transplant in detail as if it were explaining it to someone with a third-grade education, and it will. Does that mean you should perform said heart surgery? Consider this: if it is something you could not do without AI, it is something you should not do with AI.
Advanced AI already exists in the workplace, and if it is not there, it will be shortly. Windows 11 comes with Copilot by default, and unless you disable it, Copilot will be both accessible and collecting data in the background. Next-gen antivirus suites run on AI. ChatGPT and other AI engines are accessible from a web browser. Keep in mind these technologies are higher risk and lower maturity than your typical application.
How do you know who or what to trust? A good perspective to consider is that if you are not buying goods or services, then you are likely the goods being purchased. Contracts for vendor-provided services will usually specify items that should be considered when assessing risk. These contracts should be reviewed with AI and privacy as a consideration. What data is collected? How will it be used? Will it use personally identifiable information? Will it gather critical or sensitive business data? Is it even possible it will do this unintentionally? Another consideration is how AI is trained. AI is given data to train and learn from, but raw data may have a bias. AI, like anything else, can be inaccurate or even wildly wrong if it has too much or not enough information. AI can make a guess; this has been referred to as AI hallucinations.
For good management of AI, consider restricting use to company-approved tools. Always classify and protect your internal data. Know your risk and what you will accept. Define, as an organization, the proper use of AI tools. Allow for reporting of suspicious activity. Communicate your stances as an organization to your employees.
Foxx is director – infosec and IT audit services for FIPCO, a WBA Gold Associate Member.