A balance exists between leveraging AI and recklessly exposing the business.
In just a few years, artificial intelligence has become an integral part of business innovation. This speed of adoption brings risks which, in the absence of effective governance, can have serious consequences: loss of information, regulatory violations and damage to brand image.
Mastering AI therefore becomes essential, and in implementing this new governance, cybersecurity and its managers have a key role to play. Indeed, AI manifests itself through data flows, exchanges and content, all things that CISOs know how to detect, analyze and protect.
Governance as a security factor
Technologies evolve faster than laws, and even if governments have reacted with the NIS2 directive in Europe or the AI Act in the United States, the translation of these recommendations into concrete measures still remains to be done.
Because of the almost universal reach of AI, its governance must call on multidisciplinary teams drawn from the legal, human resources and finance departments, not just from IT.
That is, after all, the whole point of a governance project: mobilizing every skill behind a project on which the company's sustainable innovation depends. Beyond thinking about safeguards more holistically, drafting the governance has the merit of bringing people together, which is no small advantage in the current context.
Three axes, one base
Field experience highlights three principles:
- Clarify. Distributing responsibilities by core skill, so that IT, legal and finance players each own their part, lets each of them appropriate the advantages of AI and simplifies the principles governing its use. These exchanges also break down silos.
- Respect legal texts. Properly understood, standards such as ISO 42001:2023 and the European Union's AI Act provide very useful guidance on the AI processes to be monitored. This framework makes it possible to identify indicators that will demonstrate compliance at audit time.
- Involve stakeholders from the start. Department managers are the project's main levers. Their involvement accelerates the acquisition of AI's key principles, helps everyone understand its limits and makes it possible to derive monitoring indicators.
Employees will thus be able to assess the risks AI poses to the relevance of their profession. This strong human link keeps the company from finding itself bound hand and foot to purely algorithmic automation of decisions.
The most mature companies have already invested in programs that give both technical and non-technical roles a better understanding of the impact of well-controlled AI. Here again, users gain skills and teams work together.
Roles and Responsibilities
For CISOs, AI governance is a natural opportunity to further expand their responsibilities into areas of risk management and compliance.
The main areas of responsibility remain the same, this time augmented by the governance requirement:
- Data protection: protect data in accordance with regulations and refine access rights.
- Model security: select AI models that are resilient to data manipulation, theft or corruption.
- Transparency and control: ensure that AI decisions can be explained to regulators, auditors and business stakeholders.
- Executive awareness: translate the complex risks of AI into language board members understand, so that their decisions are sustainable and account for the risks involved.
By taking ownership of these areas, security decision-makers become ambassadors for responsible AI adoption.
AI governance on the ground
The advantages of such an approach are visible very quickly and at all levels. As soon as governance is in place, teams and processes prepare for compliance proactively, this time from operations through to control. This head start makes it possible to talk more simply with the regulatory authorities, or even to propose options to them that, in practice, avoid the penal provisions being applied when changes are imposed. In this context, users are all the more inclined to adopt AI because it sits within a transparent and secure framework, guaranteed by a governance recognized across the entire company.
Conversely, uncontrolled use of AI without governance systematically results in data leaks with harmful legal and image consequences.
To be sustainable, AI governance must be a continuous process, record its developments day by day and keep department heads and operational stakeholders mobilized. For CISOs, this implies a posture of continuous improvement, regulatory monitoring and, above all, permanent dialogue with non-technical stakeholders. By making AI governance a professional reflex, organizations reconcile innovation, security and compliance. Far from slowing innovation down, governance is a driving force behind it, ethical and secure.