Towards Unified Governance of AI, Data, and Cybersecurity Initiatives
Enterprise data governance is critical to effective use of AI. One of the clearer pieces on this topic is Seth Earley’s Accelerating Data and Analytics Capabilities Age of Generative AI: How Governance is a Key Enabler.
According to Earley, a "governance framework" consist of three things:
Decision making bodies.
Decision making rules and procedures.
Mechanisms to ensure compliance with these rules.
One challenge that enterprise data governance must address is how AI systems can integrate the processing of data that can be both external and internal to the enterprise. When dealing with the use of LLM based applications trained on data external to the enterprise, guardrail rules and processes may be needed to ensure that errors, mistakes, or irrelevancies don't creep into system operation. With AI systems that incorporate internal and enterprise specific data, effective data stewardship principles and procedures may also be needed to ensure that data quality and accuracy are maintained.
We also need to consider the governance implications of cybersecurity requirements such as NIST's cybersecurity supply chain risk management (C-SCRM) practices for systems and organizations. These guidelines address different levels of supply chain risk management (enterprise level, mission and business process level, operational level). They suggest establishing an organization unit (the “C-SCRM PMO”) to coordinate implementation of cybersecurity processes across the enterprise (see page 34 of NIST Special Publication NIST SP 800-161rl).
A centralized PMO (project management organization) for coordinated governance of data, AI and cybersecurity makes sense, but there are caveats. For example, traditionally structured or mature organizations may have already evolved complex management, operational, and technology structures for collaborating on the “ownership,” exchange, and use of corporate data across different organizational units. Siloes may exist. A unified data governance plan may be lacking.
Existing policies and practices may therefore have to be modified to support a more coherent and strategic approach to data, AI, and cybersecurity governance. This requires more than just a dedicated organizational unit but also a coherent strategy and serious commitment from top management.
The cost and complexity of unified governance may not be trivial. Continuing evolution of requirements for improved AI, data, and cybersecurity governance will force increased attention by top management to improve–and unify—policies and practices. In the case of government IT contractors, for example, the DoD, NASA, and GSA are already proposing to standardize cybersecurity requirements for unclassified Federal information systems. Ignoring requirements for such changes (for example, by not having a plan for at least Level 1 C-SCRM controls) will potentially disqualify one from winning some government contracts.
In terms of implementing manageable AI, data, and cyber security governance practices, the sooner that senior management recognizes the need for an integrated approach, the better. Even if a special organizational unit such as a PMO is established to coordinate governance work, responsibility should not be viewed as solely an IT responsibility. Nor is unified governance something one can easily purchase from an outside consulting organization, or solved by buying a specialized software tool. Unified governance is a top management responsibility and must be managed from the top down.
Text copyright © 2024 by Dennis D. McDonald. The graphic at the top generated by Microsoft Designer on 1/8/2024 in response to the following prompt: “Create an abstract line drawing that illustrates the challenges involved in simultaneously managing corporate AI, data governance, and cybersecurity initiatives.”
