Governing AI in the Innovation Race
- Laura Sawka
- Mar 31
- 6 min read
In the race to innovation, no organization wants to be left behind. Companies are racing to adopt AI. They are sprinting towards a finish line that hasn’t yet been defined. A finish line that could result in cost savings or time reduction, increased quantity, or perhaps increased quality. Whatever the business goal is, AI promises to be there to help.
However, amid this rush, organizations must remember that the enthusiasm for AI adoption introduces new challenges. The way AI enters an organization can vary: it may be driven top-down through strategic initiatives, bottom-up by curious employees, or both. Regardless of how it happens, deploying AI without first establishing necessary governance and guardrails can quickly lead to challenges.
Unintended Consequences
At machine speed, AI can surface information and insights from across the organization that may not have been designed for broad consumption, like human resources data or upcoming M&A activity. Company-sensitive information or customer data can accidentally make its way into AI tools that may lack the necessary safeguards to protect confidentiality and prevent it from being used to train AI models. And AI Agents can make decisions and implement processes that may have a lasting impact. Payments, deletions, and sending information. All actions that an organization can’t take back. These actions can have a profound impact on an organization and on the customer’s perception of its trustworthiness.
The insights from AI tools are driven by the data and access provided. When data has not been classified or locked down based on sensitivity, AI can read and consume broad swaths of an enterprise’s information. Hallucinations and misinformation can then spread incorrect information throughout an organization or inform key decision-making. Similarly, when access permissions don’t enforce least privilege and protections for privileged access, AI Agents can gain elevated permissions to perform actions they weren’t intended to perform.
The effects of these unintended consequences surface rapidly and sometimes faster than organizations can react. The very innovation companies hoped to achieve might be undermined if these risks materialize. If this scenario sounds familiar, you're not alone. Many organizations face similar challenges as they race to keep up with business demands.
Given this reality, what are CISOs and GRC leaders to do? They must balance supporting business objectives with ensuring the organization operates securely and compliantly. This mandate can seem daunting, but leveraging established risk management strategies can help address AI-related risks.
Immediate Response
Leaders faced with this challenge can use timeless risk management approaches to identify, assess, prioritize, and manage AI risks.
Identify - The first step is to discover what AI tools (e.g., Generative AI, AI Agents) have been deployed in your environment. Assess direct use cases as well as AI integrated into third-party tools. Seek to understand the details of the use cases for these tools in an attempt to define the scope that you're working with.
Assign Owners - Assign owners for each AI deployment. Ownership is the accountability party in the business who is responsible for each tool and business outcome. Defining that is critical to have impactful conversations about risk exposure and mitigation.
Assess Risk - Next, assess the risk to your environment of each of these deployments. Consider data sensitivity and the business-criticality of the use cases. Think about the impact that AI can have on your business and your customers. For example, AI Agents deployed in production-facing systems are likely more critical than Generative AI that can only access internal (non-sensitive data). Consider the number of users with access to the tools, and the likelihood and impact of issues arising in each AI deployment. Also consider whether any controls have been put in place to minimize the impact. This might be contractual, technical preventative controls, or detective controls.
Prioritize Risks - Prioritize the AI deployments that pose the greatest risk to the organization, based on likelihood and impact, and consider any existing controls that mitigate those risks. The most critical risks are where your efforts should be focused to help the organization reduce risk to an acceptable level.
Manage Risk - For your prioritized risks, develop a plan with the owner for each AI deployment outlining how risk will be mitigated to an acceptable level. This could take the form of mitigation (new/additional controls), avoidance (blocking or stopping the use of the AI tool), acceptance (the business accepting the risk), or transfer (relying on insurance). Assuming organizations focus on mitigation, this could take the form of administrative controls (e.g. policies, training, contract language, vendor reviews), preventative controls (e.g. checks and guardrails in the software development lifecycle (SDLC) process, identity and access management, data classification), detective controls (e.g. logging, monitoring, and alerting on critical risks to enable action to be taken to reduce the risk). There are many approaches that an organization can take to mitigate risk. The costs and benefits need to be weighed, as well as the speed at which these controls can be rolled out. In the next section, we’ll focus more on a strategic uplift approach.
Strategic Uplift
When an organization steps back from firefighting risk, it creates space and clarity to take an intentional approach to managing risk associated with AI deployments. Some organizations may start here if they are intentional about proactively addressing risk. I’m an advocate of “slow down to go fast”. This may require more investment upfront, but ultimately will enable an organization to securely innovate quickly. Key elements of a strategic uplift approach include:
Oversight and Governance - Establish a cross-functional oversight group to govern AI at your organization. Representation should include leaders from security, privacy, safety, legal, compliance, ethics, technology, and the business. This group would be responsible for establishing the AI policy, overseeing key metrics, and serving as an escalation point for executive management on any key risks or additional support needed. Teams deploying AI should define key success metrics that track both business outcomes and the control coverage to mitigate AI deployment risk. Leveraging a continuous improvement mindset, the governing body should provide feedback and suggestions for how the organization can continue to improve its outcomes.
AI Policy - Define an AI policy for your organization. Input for this policy should come from the cross-functional AI governance group. Specify what is permitted and not permitted for your organization based on the organization’s risk appetite. This may include the data classification that can be used in AI tools, the key controls that need to be implemented before an AI tool can be used, what types of actions always require a human to be involved in the final decision-making, and what actions are not permitted by AI tools and require immediate revocation.
AI Ownership - Define accountabilities and responsibilities for AI tooling. These should start with the business that is using the tool for its business purpose. Owners should be clear about their role in managing risk and seek advice and guidance from security, privacy, safety, and legal teams.
Establish Guardrails - Guardrails are a mechanism for an organization to enforce key controls and checks early in the deployment process. Controls are defined and then enforced through code or checks during the SDLC process. Implementing controls early in the life-cycle is a proactive risk approach and reduces the time and effort required to retrofit security controls in tools once deployed.
Identity and Access Management - Define a clear strategy and approach for managing Agentic AI identities and permissions. These are an extension of non-human identities (NHI), but are non-deterministic (similar to human accounts). Ensure all AI Agents have an accountable human owner and access permissions that are a subset of the owner’s permissions. These actions help to minimize unintended outcomes and support oversight.
Logging and Monitoring - Review your organization’s logging requirements and make any updates needed to account for AI tools. Ensure AI tools have the necessary logging enabled and that logs are flowing to your monitoring tools. Visibility is key to proactively alert on potential issues and to retroactively investigate events that occurred. Actions that are not permitted for AI tools (as defined in the AI policy) must have alerts configured to detect them and enable swift action.
It’s Time to Act
AI adoption is moving quickly. Now is the time to act. Similar to the familiar challenge of “shadow IT”, users and teams will inevitably start using AI to achieve their business goals, if an alternative is not available. Users need a secure and compliant solution to do their work.
I encourage you to “slow down to go fast” so that your organization sets itself up for success with AI deployments and you minimize playing catch-up. When risks happen at machine speed, organizations need to be intentional about their approach to AI. This approach should be rooted in governance and reinforced through controls. As an industry, we’re not starting over with AI risk management; we’re just extending a proven approach to the latest technology.
Is your organization racing to deploy AI?
Contact our strategic advisor to discover how an AI governance and guardrails approach can help you move forward with confidence.
