The Importance of data governance when implementing AI

Marc Ashworth, Chief Information Security Officer, First Bank

Over the past few years, artificial intelligence (AI) has rapidly expanded within businesses, prompting IT and security teams to shift their focus and adapt. Users are actively utilizing AI as it is becoming increasingly difficult to prevent such activity due to the easy availability of new models. The new models are like Wack-a-Mole for the security team on the internet and as Microsoft continues to integrate it into their products it is becoming more difficult to control. Therefore, it's crucial for executives to make data governance a central part of their discussions around AI usage and implementation.

The risk of accidental leakage of company’s data has greatly increased with the availability of publicly available web-based AI platforms. This has brought extra attention to enterprise-wide data loss prevention (DLP) controls and the associated policies, procedures and end-user training. The evaluation of procedures and controls around data governance should be reviewed and closely monitored by security teams and data governance committees. Unfortunately, the current market for endpoint DLP controls that monitor browser, clipboard, file sharing and application usage is rather meager and unreliable. Hopefully, with the growth of AI in business this market will improve.

Along with the company’s policy on AI and data protection, a framework for implementation of AI should be established. This can be overseen by a committee that reviews business cases, AI proof of concepts (POC), training, risk assessments, and overall governance of AI implementation. This group can work closely with any established data governance committee and may want to report to the executive committee.

It is important to establish the appropriate roles and responsibilities in the project during the evaluation process as well as after the implementation is completed. A RACI table is a good example of a means to document these and should be maintained throughout the life of the solution.

“With the proper governance, controls and monitoring, an organization can safely embrace AI and begin reaping the benefits.”

Part of the guidance framework should include the submission of a business case. Any AI business use case should include the discussion of these controls, any associated risks, and return on investment. It is recommended that a POC of the business case is performed, when possible, and after the approved POC a follow-up of the objects is done 6-12 months after the permanent solution is implemented. The AI committee should establish guidelines for the POC and closely monitor the progress of the project.

As previously mentioned, DLP is rather lacking on the endpoint. Therefore, the company’s security teams need to move quickly to determine the best way to implement controls, detection and monitoring of AI usage in their environment. This may be challenging for most security teams due to resources, but part of the initial implementation of AI must include this crucial component in the governance of this new technology.

Much like training for phishing, training for using AI safely in the enterprise should also be the focus. Proper guidance is needed to ensure that the company’s policy on AI and data protection is followed. Provide the necessary information to guide users to the appropriate AI platform that contains necessary safeguards and monitoring to prevent accidental leakage of personal data or intellectual property to a public model.

Unlike many new technologies, the power of AI and the proliferation of it will be a game changer for most companies. The ability to sit back and watch could be detrimental to the organization and their market share. Therefore, with the proper governance, controls and monitoring an organization can safely embrace AI and begin reaping the benefits.

AI

Microsoft

Artificial Intelligence