
Thom Langford at Rapid7 explains the importance of AI governance being brought into security training
Artificial intelligence is a topic that just keeps on giving. If you’ve been to a tech conference or opened LinkedIn in the past couple of years, you’ve probably heard enough about AI to last a lifetime. But love it or loathe it, AI is here to stay, and businesses can’t afford to ignore it.
The truth is, AI isn’t just a shiny tool to automate tasks; it’s a force with great potential for reshaping how security organisations operate, from mitigating cyber-threats to simulating phishing attacks. But as its influence grows, so do its risks. Without proper oversight, even a small foray into AI can expose a company to unexpected cyber-threats.
Enter the AI governance board. It’s not the most thrilling collection of words you’ll see today, but it’s an extremely important part of using AI safely and effectively.
AI is increasingly woven into the fabric of business operations. From HR using AI to screen CVs, to customer service chatbots fielding inquiries, the technology is everywhere. But with great power comes great potential for things to go horribly wrong.
Left unchecked, AI can perpetuate biases, misunderstand contexts, or make poor decisions based on flawed or stale data. There is also a growing security risk if AI solutions aren’t properly vetted, or people overshare sensitive data without knowing where it might end up.
The stakes are even higher in cyber-security, especially as tools are increasingly deployed on the frontline of security activity. A poorly trained or secured AI-powered solution could end up creating more risk — not an ideal feature in a security tool. One overlooked issue is the fact that AI tools are increasingly trained on assets previously produced by other AI. Imagine an AI-based phishing simulator trained on substandard data that ends up teaching employees the wrong lessons.
For example, like many people of a certain generation, as a kid I often recorded pop songs from the radio onto cassette tapes. When friends asked for a particular song, I’d make copies of my copies. And then sometimes they’d record yet another duplicate. Each copy-of-a-copy always ends up gradually degrading in quality. AI, too, risks a downward spiral of quality if it keeps learning from its own imperfect creations.
Governance steps in as the quality control mechanism. By establishing clear frameworks for AI use, organisations can ensure their tools are not only effective but also secure and aligned with ethical standards.
The rise of AI demands a new kind of leadership within organisations. The role of a CISO is indispensable today, but it’s a relatively recent creation, first established by Citigroup in 1995. By the same token, the Chief AI Officer (CAIO) is poised to take the next seat at the executive table.
Their role will encompass everything from ensuring AI systems meet ethical and compliance standards to driving innovation and digital transformation responsibly. As AI permeates every facet of business, the CAIO will act as the lynchpin connecting technology, security, and operational goals.
However, even the most visionary CAIO cannot operate in isolation, and they will need the support of an AI governance board to get the job done. Much like a Change Advisory Board (CAB), this board provides the collaborative structure needed to oversee AI’s role across the organisation.
An AI governance board will assess risks, approve projects, and ensure that AI deployments align with business objectives. To achieve this, it must be composed of representatives from across the business, including IT, security, HR, legal, and operations. And, perhaps most importantly, it must do all of this efficiently and with agility.
With so many players involved, it’s important to strike the right balance in how often the board meets. Few of the representatives will be thrilled about adding another meeting to their calendar, so a board that meets too often risks becoming a burden.
So the temptation might be to meet monthly, quarterly, or even less often. But meeting too infrequently could lead to delayed decisions and overlooked risks, losing the agility that is so crucial for keeping up with fast-developing technology.
It’s about striking the sweet spot for your company, where governance supports agility and efficiency without micromanagement.
Alongside the logistics, establishing an actionable framework is key. A lack of focus could render it a glorified coffee club, bogged down in circular theoretical discussions. Organisations should start by defining clear AI use cases, setting strict data quality standards, and conducting regular audits of AI performance. By keeping governance flexible yet structured, businesses can avoid stifling innovation while ensuring their AI tools are secure and effective.
Having a single person take ownership and drive change will help keep the governance board productive and focused on outcomes. Companies that have already embraced the burgeoning CAIO role have an obvious candidate to step into these shoes; in the meantime, the CIO and CISO are strong choices to take the lead, and the Chief Risk Officer (CRO) may also find themselves pressed into the role.
Ultimately, effective governance isn’t just a matter of security — it’s a competitive advantage. Organisations that get this right will foster an image as an innovative yet reliable company, building trust among stakeholders including employees and customers.
Governance frameworks should be agile enough to accommodate innovation while maintaining clear boundaries. Experimentation is essential, but it must be guided by protocols that prioritise security, ethics, and data integrity. Start small with well-defined use cases, and scale governance practices as confidence grows.
AI is here to stay, bringing both promise and peril. A strong governance framework is your best defence against an AI project going rogue, whether through a dodgy product or through good old-fashioned human error.
By striking the right balance between oversight and agility, businesses can turn AI into a strategic asset rather than an ungoverned liability.
Thom Langford is EMEA CTO at Rapid7
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543