
Is AI governance a looming compliance headache or your next big competitive advantage? In this episode of GRC & Me, we sit down with LogicGate’s Senior Director of Customer Experience, Chris Clarke, to debunk the common myths surrounding AI risk an...
A
Hi, everyone, and welcome to this episode of GRC and Me, a podcast designed to break down the complexities of GRC and turn them into practical strategies that you can use every day. I'm Jane Totaro and today we're tackling AI governance.
B
Today.
A
Today I am so excited to be joined by LogicGate's Director of Customer Experience, Chris Clark. Chris will be exploring how organizations should be leveraging AI governance to drive meaningful business value. So let's get into it. Welcome to the show, Chris. It's great to have you here today.
B
Yeah, thanks for having me, Jane. Good to be here.
A
Yes. Well, let's start off with one kind of fun icebreaker question we love to ask our guests and kind of get to know everybody. What is one thing that's not on your LinkedIn that we should know about you?
B
Well, there's probably a lot on my LinkedIn that's not on my LinkedIn. I don't, I don't do a great job keeping up with it, but I think the most recent thing that I've been really proud of that. So my friends and I do a crossword league. So we compete. There's like 16 of us and we all do the New York Times mini as quickly as possible and we like, just compete every day. But I recently broke a one year streak in completing the full crossword. So 365 days of doing the New York Times crossword, which is probably always, hopefully the most boring thing you hear from me today.
A
I don't know. That's pretty interesting. That's all?
B
Yeah. Thank you. Very, very proud of it. Cool.
A
I love that. Okay, well, let's move into our first, first section here. It's called GRC mythbusters, where guests debunk common myths and misconceptions in the GRC space. So we'll start with a myth or fact question for you. If a vendor provides the AI, the risk sits with them.
B
So I'm going to give the classic consultant answer of it depends. So I'm going to, actually, I'm going to go with myth, but partially. So I think when interacting with a vendor and interacting broadly with the ecosystem of AI, I think some of the risk sits with the vendor. Right. When you embed AI in your platform or in the tools that you're selling to customers, you do have some level of responsibility, whether that's transparency, whether that's definitely the security and data and training model for the vendor. But I think the big difference with AI versus a more traditional either software or services is the level of control and review over the output of AI, which is really responsible on the customer. So it's a new dimension of risk in the bias of the models, the transparency, the fairness. And we'll talk about this with AI governance. But I do think a lot, there's a lot of the, a lot of the risk shifts to the way the AI is being used and consumed and the way the outputs are being managed, which is kind of a shift from like your traditional vendor customer relationship. So I think that the risk profile of those things is shifting. It's a myth. Partially.
A
Okay, partially myth. Yeah, we'll take that answer and I think we'll get into this a little bit further as we move on. So excited to kind of circle back to that one. Let's move into some just kind of Q and A. Starting out with how should organizations look at government approaches to AI as more than just a regulation, but as guidance for building trust and scale?
B
Yeah, I. A lot of this, you know, we're. It's a global economy now, particularly in the us it feels inevitable that at some point governments will try to regulate AI. And we're seeing some of this in states. Whether that's like Colorado, I think Texas has an act. States are slowly trying to figure out what the right way to do it is. And then of course, you're seeing it in Europe already, just like AI is necessary, like they're. They are trying to regulate AI. What's kind of interesting, I think in a lot of this is AI companies are actually for the first time trying to be proactive about regulations and telling governments they're making policy recommendations to governments on the types of things that they believe need to change with the new way AI is going to be impacting the world. I think that's a really interesting shift from what we've seen with really any other technology, like Internet. Companies didn't go to the government and say, here's how you should be regulating the Internet. But AI companies are saying that inevitably there is going to be this need to change the way we work. I think for companies, I think regulation oftentimes it kind of sets the baseline for what they need to do of like, you need to comply with these things. It gives you the minimum threshold that you need to work on. But companies nowadays, though, because the government hasn't set those standards. I think what's interesting is companies are doing it because there is really. AI is going to be such a business enabler, but it's also such a paradigm shift that they also need to Figure out how to, how to get the full advantage of leveraging AI without the downsides of risks, of breaches, of exposure, of misuse. And so they're trying to walk that line because there's immense value there. And really, I think that's where we start to see AI governance playing that role, is the government's not telling us how to do it. So we need to figure this out for ourselves. 
We need to figure out the right way to get that, to capture that value. Right.
A
And I kind of want to dive in a little bit deeper to what you just said about toeing the line of using AI governance for a business enabler. So can you talk a little bit about that and how organizations should be viewing AI governance as a business enabler within their existing risk framework specifically, and rather than just that compliance challenge that we just talk about?
B
Yeah, so, because, I mean, because there's no legal obligation, they're mostly operating off of, like, controls that they need to certify against to still be compliant with what they're looking for. But here's where I think, like, the business enablement side is. And I mean, I think of this about all of grc, but with AI, I think it's a really tactical thing. So on one hand I use this line all the time. You have executives and leaders telling their organizations to use AI, and on the other hand you have people saying, we want to use AI, tell us how to use AI. And similar to any adoption curve, you're going to have strugglers. And where I think there's a really unique opportunity is for GRC teams help facilitate that and provide the guardrails and monitoring of usage, of effective usage to help both of those gain tremendous value. And so here's where I kind of, I, I go back to. So there's a pretty famous psychology study on, like, the paradox of choice. So two situations at a grocery store, the company is trying to sell jam, they're just trying to like. And the way you get free samples and then you can buy. So in the first situation, they presented 28 different types of jam, and in the second situation, they provided six. And so in the former, with 28, what they found was a significantly higher level of tasting that jam. So people like. They found that people were taking more samples, they were trying a lot more different flavors of it. They were just trying to explore the experience and then. But they weren't buying. Right. They were just taste, and then they'd leave. But on the other hand, with six, they found that people didn't taste as much they like. People generally knew what they liked, but they purchased a lot more. And what happens is when humans are given infinite choices, they are a lot less likely to do anything more than dabble in those choices. They will test the water and then get paralyzed from being too afraid that there's just too much out there. 
And so while governance oftentimes sounds like we're giving this rule book and we're trying to restrain the way people are working within it, what we're actually doing is telling people, you can do anything you want within these boundaries because it's safe. So just do go for it. And we'll help you monitor it. We'll make sure you're complying. Don't worry about that. We've got your back. And it's this opportunity for us to be a partner and work within the ways humans actually do want to work. We need constraints, but those guardrails actually free you up to do anything you want within there. And particularly with an AI where it's a, you know, it's a brave new world, it's a scary place sometimes. It's really freeing for people to be like, here's my idea, I need help doing it. I want to do it safely, so can you help me do that? And then I need help tracking that. This is going to be an effective and efficient way for our company. AI governance really allows us to centralize and structure that in a way that shifts this governance risk and compliance from the you can't do it to. Actually here's all the ways that you're going to do it and get value. So I think it's a, it's a, it's a nice flip from the traditional storyline around it.
A
Yes, that's a really interesting analogy that you share, and I would love for you to share an example of where you're seeing AI governance as a business enabler and how you're seeing organizations really get impact out of AI governance.
B
Yeah, of course. So I think with AI, It's changing rapidly. Everyone's trying to do it. What's been interesting to me is what are the common characteristics of a successful AI adoption and pilot? And so A16Z recently wrote an opinion article on where AI is having the most immediate impact and what the characteristics of that are. So I think it's really important and it's been trying to help me think about it as I think about, like, the way we're creating AI in our platform. Not that I'm responsible for it, but, you know, it's an interesting and some of those were basically saying, you know, the work is text based because most AI is a large language model, so they're both on language. The work has to be verifiable. So if an, if there's an ant, something is generated, you need some way to confirm whether that work was right or wrong. There needs to be a way for the human to be in the loop so the, you know, agent is not fully autonomous and running on its own. And then lastly, 100% accuracy is not necessary because for better or worse, like humans aren't 100% accurate. And so if you want 100% accuracy, just use a calculator, don't use AI. And then the last one, and I'll add this on to as like the fifth characteristic is to really get it, you need to build it into people's workflows, right? So you need to lower the barrier for adoption. So if you look at those five criteria in a lot of ways, I think it gives us a good framework for thinking about like where AI is going to be most powerful. And so some real world examples where this is really credible. And I think, you know, this plays in AI governance is you're hearing a ton about coding and like vibe coding it. And so if you think about coding, it's text based, it is verifiable, so you can run it and check. 100% accuracy. The first time is not necessary because in theory you should be reviewing that code and then at the very end you can build a human into the loop. 
And because this is the way people write code in a very structured format, it's also naturally built into the process. And so when you think about that through an AI governance perspective, where it's really good is you can provide and basically say here are we want to write code or xyz. What are the controls that I need to put in place? What are the, how do I test this to make sure it's effective? How do I make sure that it is meeting our criteria and standards for what we're looking to develop from a software's perspective? So I think those are. Coding is the most obvious example, but you're seeing this in a lot of different industries around, you know, here's the things that we're trying to do. What are the, like, what are the approvals and controls that I need in place to manage that? And then I think as we, one of the things that I encourage people to think about as they're thinking about adopting AI and the questions you want to be asking from a Governance perspective of how does this push efficiency and like effectiveness in your organization? Basically like if you could hire someone to sit next to you, what work would you give them? Because that's the type of work we should be looking to automate with AI and the type of work where you're going to find immediate value because it's the work that people need to do that they don't necessarily want to do that frees them to go, then focus on higher value work. And so if we think of AI governance through allowing people to do that and giving them the tools and resources to actually go and automate those things, that's where you're going to see this tremendous business enablement and like really acceleration of adoption.
A
That's a really great way to think about it. Love what you had to say there. I think oftentimes we're hearing organizations share concern of safely adopting AI and how do we implement it, how do we use it? So let's talk a little bit about that. How can organizations safely adopt AI using the risk and compliance structures that they already have today? I know GRC teams already have their framework set up, so they're looking to implement AI. What would you, what are your suggestions for that?
B
Yeah, I think to start the wrong way to do this would be thinking about AI risk as just another type of risk on your risk register or just another control framework that you need to comply with. Right. It's such a fundamental shift in the way people and organizations are operating that I don't think it's, it's going to work. However, you know, thankfully people we like there are international organizations who have talked about ways to structure and govern processes. So I think similar to any other piece of this is you need to start by just identifying where AI is within your organization today, just creating that catalog of approved AI so people know what they can and cannot do, knowing where they can go to find it. That centralization is not the flashiest or shiniest object, I would say, in your governance and compliance toolkit, but it is certainly one of the most effective ones. And then once you start to do that, that's where you can start to layer on the next pieces of, okay, like we have all of our AI, let's make sure that we make the process for reviewing and approving these new use cases as smooth as possible. Let's lower the barrier to adoption. Great. Let's make sure that we know how we are controlling and measuring, you know, these AI tools to make sure that, you know, we're, we're not at risk of any massive negative event around it. And then let's start to think about this through the lens of okay, you know, we're, we've hit our controls and our compliance. Now let's start to think about our risk. Where are our risks within these use cases? Can we think about do we have privacy risk, do we have compliance risk, do we have a security risk and then a new one of like AI output risk or just AI performance risk? 
Of we're, we should always be a little skeptical about AI and so making sure that we are verifying those outputs and that those outputs are performing just because this, that it is moving so much faster than anything else we've ever encountered before from a technological standpoint. So making sure that there's these built in verified checkpoints at consistent cyclical intervals, it's really important. And then lastly, like if you've done all those things and they're working smart and it's not like then we can start to actually track well, what's the performance of these AI tools? Are we getting value out of them? Do like is there a tangible ROI or like what does that value look like? And just starting to actually document those. Really what I think it allows folks throughout the organization to do is the people using it allows them to use it safely. It allows them to try and fail safely and experiment to find what's best. Because I think that's where we're going to find. You're going to get the best value from folks who are just solving their real problem and then rolling that out to your full organization. And then for like governance, risk and compliance professionals, this just becomes another part of your single pane of glass. Right. So like you can see if a model goes like if a model comes biased and, or there's a security risk around that, what third parties are impacted from using that model, what controls do you need to make sure are in place in monitoring, you know, what cyber risks are going to be impacted? Like this is just another part then of your broader risk and compliance ecosystem. And then for leaders having that all in one place, you can just make smarter and quicker decisions on that data which is going to have a lot of impact rather than just, you know, trying to just automate your, the review and approval process which has value but is not, that is not the, that's just the tip of the iceberg.
A
Yes. And you just mentioned, I want to touch on the impact in roi. I think that's a really interesting perspective of AI and actually taking a step back to measure is this working. How's the performance? So I want to ask, I'm curious, have you, have you heard from organizations on how they're measuring the impact of AI? Any success stories there worth calling out?
B
So I haven't. I think we're still pretty new in a lot of cases. I have seen a lot of organizations ask the question up front of what's the projected ROI around these use cases like what are we expecting to be saving or what are we, how much more effective do we expect people to be at their jobs? And so I think that's the right question for leaders to be asking. The one I would be asking too if I'm making any investment like AI is expensive. Now where I think we need to do is close the loop where in checking on the back end of once we've piloted this like just starting to define those checkpoints of like you know we are saying it's. You said it was going to make this much like based on what you've seen, are you. Is this ROI starting to be realized? It's running it similar to any project that you would in an organization that has cost like organizations have some expected rate of return. We should be doing the same thing with AI and you know, it might look a little different but I think that's where the opportunity for governance, AI governance come in is like while that you have this centralized place of all of these uses cases being approved and tracked, you can then start to actually go back and measure them more effectively rather than having to worry about leaders doing this on their own. There becomes this like built in review mechanism that is impactful because you're starting to actually track the measure the business value and letting the best uses rise to the top and gain visibility across the organization. Which I think is really important because visibility is the first step towards, you know, improvement.
A
Okay, and let's talk about the other side of the coin here. I know we talk about strategic enablers and how we can use AI to business advantage but obviously you mentioned there's risks as well associated with AI. So I want to touch on that and hear your opinion on what some of the biggest AI risks are right now and recommendations for GRC teams to get ahead of the risks. They become bigger problems.
B
Yeah, I mean like the first, I mean the first one just pointed the obvious is like we've seen some of these cyber attacks being powered by AI. You know, like if the good guys have AI, the bad guys do too. And I think it's just, it opens a whole new arena for that Cyber and information security folks need to consider, which is, I'm sorry all of you about that. And so just like continuing to be smart about that type of security, phishing is going to get smarter. Spam, like all of those things that we thought were great already are just going to continue to get better. And so I think information security teams need to continue to be on their toes. The second piece, and I think this is just like no matter what I say, it's going to undersell it, but the pace of innovation with AI we just, I don't think humanity is ready for it. I wish I could remember this but like the speed at which, if you think about our technological growth curve, 200 years ago we didn't have steam engines and now we are building literally self learning computer models. Like that is wild. And our ability to adjust to that rate of change is just an inherent risk. And so I think that with part of that though is we are going to need to use AI to better manage the risks around AI. So I think you're going to start to see agents become a part of these cyber like GRC tools by default. And they're going to have to be because if we rely on humans to be managing all this, I think we're, we're going to lose our grip on the reins very quickly. And I really think like those are the two biggest ones. I'm sure there's, there's infinite more but I think to get start, to get ahead of it is like control what you can control. Start with the basics, make sure your team knows how to use AI smartly and safely, know where it's being used and then just start to build from there so that you can mature quick enough to stay, stay with the curve.
A
So thank you, that's great input. Things are moving really fast. So to carry on that subject of AI growing at a rapid pace, I have one final question for you. We like to leave our listeners with practical advice, call to action. So with that being said, last question for you Chris is as organizations think about their AI journey, what should they be doing today to understand their risk and how they can prepare for these risks that will change as the use of AI grows so rapidly.
B
Yeah, so I touched on this a little bit earlier. It's following a kind of traditional framework but I think most immediately is like define first define what acceptable use of AI is within your organization. Right. Like that's your first, I would say like tightrope, that you need to walk. Every organization is going to have a different risk acceptance around that. So you just know what yours is and define it. And once you've defined it, the next step is going to be starting to understand and catalog where AI is being used in your organization. So what's the intake process? How do I control make sure that unapproved uses of AI can't happen? Is there any way for me to say, leverage a discoverability platform to check where in the organization AI might be that I can't see yet? And then once you've started to do that and you start to approve it and centralize it, then you start to tie it, I think to your broader risk and compliance ecosystem. And so shameless plug. You know what's great at connecting your risk and compliance data? LogicGate. And so what that really does is allows you to connect these pieces of information that are related and see in real time how any one impact on a control or a third party or a vendor or a model or a use case or regulation or a privacy impact assessment like understand those downstream effects because everything is connected. Nowadays we don't nothing. While we may work in silos, data does not live in silos. And we need to find ways to connect and provide that visibility. And then once you do that, starting to really understand what controls, what processes are really necessary to manage that risk and observe how AI use is being done within your organization. You kind of put all this together and you get that full kind of risk and compliance life cycle that really allows leaders to sleep at night and feel good about what they're trying to do in managing that risk.
A
Thank you. Well said. Well, we're at time so wanted to say thank you, Chris, for joining us and it was so great having you on the episode hearing all things AI, AI governance. And that's a wrap for this episode of GRC and Me. Let us know in the comments what you think about your AI journey, AI governance, how your organization is implementing and managing AI. Thank you so much.
B
Thanks, Jane. Thanks, everyone.
Host: Jane Totaro, LogicGate
Guest: Chris Clark, Director of Customer Experience, LogicGate
Date: April 28, 2026
This episode of "GRC & Me" explores the evolving landscape of AI governance within organizations, reframing it from a box-ticking compliance exercise into a key driver of business value and competitive differentiation. Host Jane Totaro speaks with Chris Clark to unpack myths around AI risk, discuss the shifting nature of regulatory guidance, and detail practical strategies for successfully integrating AI governance into existing GRC (Governance, Risk, Compliance) structures. The conversation is rich in analogies, real-world examples, and actionable steps, emphasizing both the opportunities and risks of AI adoption.
(02:24–03:58)
Myth Debunked: “If a vendor provides the AI, the risk sits with them.”
“There’s a lot of the risk shifts to the way the AI is being used and consumed and the way the outputs are being managed, which is kind of a shift from like your traditional vendor customer relationship.” – Chris Clark (03:20)
(04:26–06:59)
Emerging patchwork of state and international regulations, notably in Colorado, Texas, and Europe.
Proactive Industry Role: For the first time, AI companies are recommending regulatory approaches to governments—a marked change from previous tech eras.
Beyond Minimum Compliance: While regulation sets a baseline, organizations are self-regulating to safely capitalize on AI’s strategic value amidst regulatory uncertainty.
“AI is going to be such a business enabler, but it’s also such a paradigm shift that they also need to figure out how to get the full advantage… without the downsides of risks, of breaches, of exposure, of misuse.” – Chris Clark (05:36)
(07:31–11:24)
Rethinking Governance: Governance isn’t just about restrictions; well-designed guardrails create freedom to innovate safely.
Paradox of Choice Analogy: Giving people clear, bounded choices (like six jams instead of 28) increases decisive, productive action. Likewise, AI governance creates “safe zones” for experimentation and adoption.
Role of GRC Teams: Facilitate adoption by lowering barriers and actively helping employees use AI safely and efficiently.
“While governance oftentimes sounds like we're giving this rule book... what we're actually doing is telling people, you can do anything you want within these boundaries because it’s safe. So just… go for it.” – Chris Clark (09:42)
(11:43–16:00)
Success Characteristics: Drawing from A16Z’s frameworks for where AI delivers immediate impact:
Coding as a Prime Example: Code generation fits these criteria and showcases governance advantages—clear controls, human oversight, and measurable outputs.
Impactful Question for Adoption: Ask, "If you could hire someone to sit next to you, what work would you give them?" Focus AI on automating these tasks for the biggest ROI.
“If you look at those five criteria in a lot of ways, it gives us a good framework for thinking about where AI is going to be most powerful.” – Chris Clark (12:37)
(16:36–20:45)
Don’t Treat AI as ‘Just Another Risk’: AI requires fundamentally different considerations from traditional risk types.
First Step: Inventory and Centralization
Continuous Review & Controls: Regularly verify AI outputs, reassess risks (privacy, compliance, security, AI performance), and evaluate ROI.
Strategic Visibility: Integrate AI governance into the broader GRC “single pane of glass” to streamline monitoring and response.
“That centralization is not the flashiest or shiniest object… but it is certainly one of the most effective ones.” – Chris Clark (17:13)
(20:45–23:15)
Current State: Many organizations are early in their journey, focusing more on projected ROI than realized value.
Closing the Feedback Loop: Importance of post-adoption checkpoints to validate if expected benefits materialize.
Role for GRC: Unique position to centralize tracking, enabling business-wide visibility and prioritization of most impactful AI use cases.
“There becomes this built-in review mechanism that is impactful because you're starting to actually track… the business value and letting the best uses rise to the top.” – Chris Clark (22:28)
(23:50–26:29)
Cybersecurity Threats: AI is empowering both defenders and attackers—phishing, spam, and attacks will escalate in sophistication.
Unprecedented Speed of Change: Humanity’s capacity to adapt lags behind AI’s rapid evolution.
AI for Risk Management: As complexity grows, leveraging AI agents in GRC workflows isn’t optional but necessary.
Action Steps: Start with what you can control—team training, usage visibility, and incremental maturation of risk management practices.
“If the good guys have AI, the bad guys do too. It opens a whole new arena for [cybersecurity].” – Chris Clark (23:51)
(27:13–29:36)
Define Acceptable Use: Every organization must document their own risk appetite for AI adoption.
Catalog and Control Usage: Develop mechanisms to inventory AI applications and monitor for unauthorized use.
Integrate with GRC Ecosystem: Connect AI governance, risk data, and compliance frameworks for holistic decision-making.
Continuous Controls and Observation: Ongoing monitoring and visibility are essential to manage AI risks proactively.
“You kind of put all this together and you get that full kind of risk and compliance lifecycle that really allows leaders to sleep at night and feel good about what they're trying to do in managing that risk.” – Chris Clark (29:13)
On AI Risk Responsibility:
“There's a lot of the risk shifts to the way the AI is being used and consumed and the way the outputs are being managed...” – Chris Clark (03:20)
On Self-Regulation and Business Value:
“AI is going to be such a business enabler, but it's also such a paradigm shift that [businesses] need to figure out how to get the full advantage... without the downsides of risks, of breaches, of exposure, of misuse.” – Chris Clark (05:36)
On the Value of Guardrails:
“What we're actually doing is telling people, you can do anything you want within these boundaries because it's safe. So just do go for it. And we'll help you monitor it…” – Chris Clark (09:42)
On AI-Driven Cybersecurity:
“If the good guys have AI, the bad guys do too. And I think it’s just… our ability to adjust to that rate of change is just an inherent risk.” – Chris Clark (23:51)
| Time | Segment Description |
|-------|----------------------------------------------------------------------|
| 02:24 | Mythbusting: AI Risk – Vendor vs. Customer |
| 04:26 | Regulatory Landscape and Self-Governance |
| 07:31 | AI Governance as a Business Enabler; Paradox of Choice Analogy |
| 11:43 | Success Criteria for AI Adoption; Real-World Examples |
| 16:36 | Using Existing GRC for Safe AI Adoption; Inventory and Controls |
| 20:45 | Measuring Impact and ROI on AI Initiatives |
| 23:50 | Major AI Risks and Recommendations for GRC Teams |
| 27:13 | Practical Steps: Defining, Cataloging, and Integrating AI Governance |
Chris Clark leaves listeners with a clear message: AI governance isn’t just a compliance hurdle, but a critical function that, done well, can unlock transformational business value—provided organizations stay agile, connected, and proactive in a rapidly changing landscape.