Why AI Needs Good Governance

Throughout my career, I’ve found that one principle remains true: Although technology constantly changes, the patterns that govern it remain steady.

Over the last 30 years, I’ve seen huge shifts in technology: from mainframe computing to desktop computing to cloud computing, not to mention a host of new code-development approaches. Yet, despite these changes, I’ve found that governance patterns stay the same. Time and again I’ve seen people ignore those patterns, suggesting that the new way no longer needs the previous controls. And I’ve also seen these same people learn – often painfully – that indeed those patterns remained true and relevant.

Today, Artificial Intelligence (AI) is all the rage. It is the hot new technology everyone’s talking about. The sheer hive-mind processing power of AI – its ability to interpret language and apply complex logic to find answers in just seconds – has immense potential.

Yet it’s essential to remember that AI is still in its infancy. The technology is immature, untrained, and ungoverned. If it is to become a productive part of our society, it must be governed by the same principles that have governed all previous technology.

So what are the time-tested patterns we need to apply to AI? Here are five:

AI Access Rights Must Be Controlled and Limited

The proven principle of least privilege must be applied to AI engines and any software that incorporates them. I’ve been approached by vendors selling AI-powered technology who have asked for the keys to the kingdom — the ability to read and write to the most sensitive areas of my company. Organizations need to exercise great care when connecting to AI-enabled technologies.

AI Is an Identity and Must Be Governed as Such

All proven patterns of onboarding, certification, recertification, and termination must apply to an AI identity. This means  incorporating best practices around privileged access management, just-in-time access, and service account protection with the AI engine. Treat it like a person, and govern it like any other identity in your organization.

AI Must Be Monitored

Comprehensive monitoring is a proven pattern to detect anomalous behavior, including identifying rogue or compromised insiders. AI should be no different. Like any entity, it is subject to misuse by bad actors and capable of being manipulated into breaking rules and acting outside of its original purpose. We must monitor AI for deviations and indicators of malicious activity (IoMA), and be able to respond accordingly — including disabling access and isolating threats.

The Integrity, Accuracy, and Validity of AI Inputs and Outputs Much Be Checked and Limited by Validations and Rules

We’ve long proven the value of peer reviews, input and output validations in code, and other integrity-validation processes. These patterns must also be applied to AI as well. We must peer-check the output, perhaps with alternative AI or human actors; we must govern what inputs can be given by defining rules around input and access; we must govern the output; and we must apply the principles of data loss prevention (DLP) and intellectual property protection (IPP) to any implementation of AI that could access our critical corporate data.

AI Needs Lifecycle and Software Configuration Management

We must apply the proven principles of building test environments, rigorously validating and controlling change, and putting approval processes in place before allowing changes to AI systems. Because AI can dynamically change in production, but we should put guardrails in place. Production control is essential to prevent any unintended consequences of AI-powered software that were not well tested before implementation.

Certainly, there are more things to consider, but my rule of thumb is this: Treat AI like any other employee, identity, or system. Apply the same thinking and controls that you would for any of those. Don’t assume it to be infallible or all-knowing. Apply proven patterns to it, just as with previous technologies. In so doing you will keep your reputation, your customers, and the crown jewels of your company safe.

Interested in learning how Silverfort can help govern AI and protect identty? Reach out to one of our experts today.