Zero Bull$ec
AI Governance for the Real World
Issue #1 August 2025

AI has arrived. What about the controls?

Bringing ISO standards to everyone
Artificial intelligence (AI) has come at us like a tsunami. We barely had time to watch it form before it became a normal part of life, embedded in almost every piece of technology we use.
It is unlikely that everyday people are thinking about AI governance, or even about the risks that come with using tools such as ChatGPT or Gemini. We are often taken by how amazing a new tool or technology is, and security and risk tend to be an afterthought.
You can't blame people for this. Human beings are wowed by new things, especially those that make our lives easier, and AI tools, used correctly, often do exactly that.
For much of my career I have worked across a diverse range of sectors, including banking, insurance, shipping and government, and all of them have given me the opportunity to review controls. Most of the time this starts top down: governance set by strong leadership, flowing through to operational controls run by operational teams.
AI has taken us by storm, but there are still two distinct camps: those who use AI for virtually every part of their lives, and those who don't use it at all.
I genuinely believe there is a happy medium, where AI is used as a tool that helps us be more efficient and gives us more time for other things, such as being creative or more strategically focused.
Regardless of who you are and whether you do or don’t use AI, it is likely you will be impacted in the near future.
The ISO standards are industry leading. They prescribe principles of best practice and give some guidance on what good controls look like. Historically it has been larger businesses, such as banks and other regulated institutions, that lean towards ISO certification.
The ISO standards, like most governance frameworks, are quite dry and often require teams of people to apply and deploy. As a result, these frameworks tend to be out of reach for smaller and even medium-sized businesses.
Over the coming newsletters we want to deep dive into ISO42001 (AI Management Systems), ISO27001 (Information Security Management Systems) and ISO27701 (Privacy Information Management Systems).
We are keen to show how complex management system frameworks can be broken down into fundamentals that everyone can apply for the purposes of risk management and information security.
These three standards cover different domains, but they share the same high-level clause structure and overlap considerably, especially when it comes to controls and ongoing protection.
As we go along we will ask and answer the following questions.
What does it mean to have an AI Management System?
How do we define leadership, roles and responsibilities, especially when teams are small?
ISO42001 lists 38 controls. Which of them are practical for you, and where should you start?
Sign up for our newsletter, where we aim to have raw and honest conversations about risk management and information security.
Each week we will talk about something new and give you our honest opinions.