AI Governance and Strategy: Where to start & How to make it work by Merve Ugurlu

Merve Ugurlu
Senior Manager - Data, Privacy and AI Governance Lead, Protiviti

Automatic Summary

Understanding AI Governance: Key Insights and Practical Actions

Welcome to our comprehensive guide on AI governance. As organizations globally transition from experimentation to practical applications of artificial intelligence (AI), it becomes imperative to establish robust governance structures that ensure responsible and effective use. In this article, we will explore the key concepts, challenges, and practical insights for implementing AI governance derived from industry experience.

What is AI Governance?

AI governance refers to the frameworks and practices established to guide the development and use of AI technologies. It's much more than just compliance; effective governance enables safe and responsible AI utilization and should be flexible enough to evolve alongside technological advancements and regulatory requirements.

The Current Landscape of AI in Organizations

Organizations are now moving beyond the initial experimentation phase with AI, facing challenges such as:

  • Demonstrating ROI: Companies struggle to demonstrate the tangible value AI delivers.
  • Navigating Regulations: The constantly changing regulatory landscape complicates AI implementation.
  • Stakeholder Interests: Diverse interests among stakeholders create friction within organizations.
  • Foundational Gaps: Issues like poor data trust and cybersecurity concerns remain prevalent.

With these challenges, establishing clear accountability within governance models is critical. Miscommunication and lack of governance can lead to risk management failures and inadequate AI utilization.

Core Pillars of AI Governance Frameworks

Various AI governance frameworks exist today, but the following core pillars often emerge:

  • Roles and Responsibilities: Clear definitions to avoid confusion in accountability.
  • Centralized Center of Excellence: Promotes consistency and coordination across AI initiatives.
  • Stakeholder Experience: Ensures AI systems are user-friendly and beneficial for all parties involved.
  • Flexibility: Governance should be flexible, adapting to changing business priorities.
  • Innovation Management: Balancing innovative pursuits while managing risk effectively.

Common Pitfalls in AI Governance Initiatives

Despite the growing focus on AI governance, several recurring pitfalls can hinder effectiveness:

  • No Clear Strategy: Organizations often lack a defined plan for AI, impacting their ability to manage initiatives.
  • Weak Executive Sponsorship: Insufficient support from leadership can prevent scaling of governance programs.
  • Over-Focus on Risk: Prioritizing risk assessments without fostering a supportive culture can stifle innovation.
  • Operational Challenges: Fragmented ownership and ambiguous roles can lead to inefficiencies.

Practical Steps for Implementing AI Governance

To implement effective AI governance, organizations should consider the following actions:

  1. Define AI Policy: Begin with clear definitions of AI and associated risks tailored to the organizational context.
  2. Understand Existing Processes: Evaluate current decision-making and risk management processes to identify gaps.
  3. Focus on Data: Assess existing data capabilities and address any deficiencies.
  4. Prioritize Training: Equip teams with the necessary AI literacy for informed engagement with technologies.
  5. Continuous Monitoring: Establish systems to track and manage risks on an ongoing basis, integrating feedback loops for iterative improvement.

The Crawl-Walk-Run Maturity Model

A practical approach to AI governance involves adopting a maturity model to guide implementations:

  • Crawl Stage: Establish visibility with basic governance controls, such as governance committees and risk assessments.
  • Walk Stage: Formalize processes with AI risk management frameworks and implement vendor due diligence.
  • Run Stage: Mature governance structures with automated monitoring, continuous improvement, and fostering a responsible AI culture.

Conclusion: The Journey of Continuous Learning

AI governance is not a one-time task; it is a continuous journey that requires collaboration across various disciplines. By understanding the challenges and implementing structured frameworks, organizations can create a culture of responsible AI use that benefits all stakeholders involved.

If you have any questions or wish to discuss further insights on AI governance, feel free to reach out through our social media channels or contact points


Video Transcription

Hello, everyone. So, again, welcome to the session. My plan for today is to basically just walk you through some of the key concepts on AI governance and sharing a few observations from my experience and, you know, more importantly, offering some practical insights on how to actually implement AI governance in practice. Just a quick introduction about me. I'm a senior manager in Protiviti. It's a global consulting firm. I am located in London and working in the data and analytics team. I come from a bit of a mixture, a kind of a dual background. My career started as a business analyst within the IT functions, and then I later transitioned into regulatory compliance and spent quite some time in the projects focusing primarily on GDPR and data protection. So my interest in AI governance really developed quite organically in viewing the strong intersection between governance and data and compliance. And I'm really enjoying this topic.

And over the past three years, I had the chance to get involved in projects, you know, actively working on the topic, in relation to AI governance or how to make it work, how to operationalize AI governance. I am making, you know, research about it. I'm trying to contribute to the wider conversations, you know, around responsible and effective AI governance. But having said that, personally, I truly don't believe that, you know, becoming an expert in AI is a possible task in that sense. We are, I think, all in this continuous learning journey. It's these platforms like, you know, today's conference is giving us the opportunity to come together and, you know, bounce ideas off each other and learn collectively. So this is basically an ongoing process for all of us. So it's really good to be, you know, contributing to this arena as well.

The aim today is simply to contribute to that wider discussion as I mentioned, you know, share some of the things that I have been observing or experiencing throughout those projects, and hopefully leave some time at the end to hear your thoughts and questions as well.

So I can see the chat. Please feel free to add anything in the chat, so maybe we can kind of come back to that later, you know, in the presentation. That will be fab to have a more interactive session, to be honest. So, I quickly put together an agenda. You know, it's just a set of slides for today, but nothing too heavy. And, hopefully, it won't feel like a lecture. So we will start briefly by looking at some of the current challenges, you know, particularly as organizations are now moving beyond the initial phase of AI experimentation. From there, we will explore what AI governance really means and how we perceive it, you know, how we see it.

I will then share a few insights on how AI governance can strike the right balance between innovation and risk management. And building on that, we will look at some of the common pitfalls causing AI governance programs to fall short. And then I'll also touch on how AI governance interacts with the existing infrastructure, the organizational structures. And finally, I will close it up with a set of practical actions that you can take away and hopefully apply immediately. Okay. Let's crack on. So, yeah, what we are seeing across the organizations now is that the experimentation phase on AI is largely over. Now the big question has shifted from what can we do with AI to what is actually delivering value.

You know, a lot of organizations are now struggling to demonstrate that, you know, return of investment clearly. And at the same time, navigating through that, you know, regulatory landscape constantly changing, as well as the technology, you know, developing and then changing rapidly. And there's also this uncertainty around how the use cases are being selected, are prioritized, you know, how the organization is actually approaching to which use case and which initiative, AI initiative. There's also some sort of a confusion across the organizations that we are seeing on that. You know, also, there is this competing stakeholder interests, you know. And with this, it's even becoming harder to move forward because there are those teams, who are more risk averse and there are the teams who are more enthusiastic on AI wants to and there is this pressure coming from the board, or, you know, high level management. So there's a lot of moving parts when you look at the interest of different stakeholders.

And on top of this, we often see these foundational gaps, you know, lack of trust in data, the information security or the cybersecurity angle, that needs more attention. And how it impacts the organization? Are we seeing this lack of standardized, you know, AI definitions, the terminology that there's this growing tension between innovation and risk management? And it is still, you know, it is still uncertain who does what. The accountability bit is still lagging behind. There is this still unclear, you know, unclear accountability models. And in some cases, we see a lot of lack of sponsorship or maybe, not, you know, having the right sponsors in the game. And, also, the shadow AI is becoming a more critical issue now. We keep seeing it, you know, raising also in the reports, when it comes to cybersecurity incidents and the breaches.

And it is still a struggle to have this centralized tracking for AI use cases and all AI initiatives. Organizations are still struggling to see what AI they have, what AI is in use, which one is in idea stage, what is launched, and also, circling back to the shadow AI topic, what the employees are using.

And this leads organically to this, you know, dilemma between this, you know, perceived high risk versus the actual risk. And, you know, in this kind of, you know, uncertain environment, we are also seeing AI governance sort of proposed as this silver bullet to all these questions, which might sometimes overwhelm the stakeholders in many ways. So that's why I just wanted to spend some time on what the governance is, you know, even let alone the AI bit. What is it, you know, that we hope that, you know, it will basically be this silver bullet or it will help us with all of those issues. There are many definitions out there on governance and also AI governance. But at its core, it is basically putting together the right structures and practices, and also enforcing them, to guide how AI is developed and used.

It's not just about control, but it's about, you know, enabling safe and responsible AI. And more importantly, it shouldn't be, and it is not static. It is a dynamic environment. It needs to evolve as the technology, regulation and business priorities change. It also involves a wide range of stakeholders, which is another big challenge because this cannot be something owned by one stakeholder or one function. And, ultimately, it's about finding that balance between the innovation and risk, which is crucial. But this is, like, the biggest challenge because what we see when we look at the governance structures is basically definitely not, you know, the good picture or this, you know, basically shiny picture that we are trying to portray. What we understand in practice is it's bureaucracy, you know, additional layers of bureaucracy. It is, you know, burdensome.

Basically, it's just a, you know, tick box exercise, and it doesn't reflect the reality of the operations. It is definitely not proactive. It's trying to catch up all the time, and it's slowing us down. That's what we understand. And, this shouldn't necessarily be that way because if you perceive it in this way, there's definitely it's a big sign that there's something wrong with that governance model, and it's not working appropriately. So then let's have a closer look at what AI governance is. So there are a huge number of AI governance frameworks out there today. Yeah. It's like an overwhelming amount of, you know, governance frameworks. It feels like that, you know, almost every day another one is emerging. But when you distill, you know, distill these down and, you know, across those recognized laws, regulations, and best practices, you start to see a consistent set of pillars appearing.

And these pillars are really there to provide, you know, practical, actionable areas of focus. They help organizations move from theory into implementation. And at the same time, they highlight where things often go wrong, you know, basically, the gaps between, you know, what's being designed and what actually gets implemented. And importantly, none of this exists in isolation. So it needs to connect back to existing data risk and control frameworks. So, when you look at the pillars here, you will see, you know, nothing is kind of unfamiliar for, you know, for anyone who's been, you know, in the governance world, trying to also implement compliance, you know, infrastructures and, you know, a transformation project.

But as I mentioned, this is just a kind of an ideal snapshot to be able to give the right direction to the organization to kind of, you know, move along the journey, you know, in this AI journey. So that's why the real challenge begins when we try to implement these pillars in practice. You know, how do we do that without slowing down the innovation, without overwhelming the stakeholders, or, you know, creating this unnecessary friction while still keeping the organization, its people, safe and secure. Yeah. That's the biggest challenge mainly. You know, how do you enable innovation while still managing the risks? So in this, you know, slide, I just try to kind of collate the key areas that are standing out to be able to strike that balance. It definitely starts with the clarity on, you know, roles and responsibilities so the people would know what they are accountable for and what the expectations from them.

A centralized center of excellence is working very well according to also our observations and experience. It is, you know, helping organizations to bring that consistency and coordination across the organization. And another critical element here is this focus on the stakeholder and the customer experience. These stakeholders, these customers could be internal or could be external. It doesn't matter. But the AI governance should never be designed in isolation, you know, from the people who actually use it or are impacted by these systems. And one point I always emphasize is, you know, about the stakeholder experience. Yeah. AI solutions don't work well for users, you know, if they are not, you know, if it doesn't work well for the user, for the person who's using it or who's being exposed to it, there is no way that there will be an appropriate adoption in that organization.

And, you know, it doesn't matter how, you know, well governed it is. Cross functional collaboration is super crucial in this. AI decisions shouldn't sit only with the IT teams or with data teams or with data scientists. It is literally a teamwork, a big teamwork. At the same time, governance needs to be flexible. It cannot be rigid. It slows down everything. And the innovation pipelines and idea management is also playing a crucial role in this to, you know, manage the return of investment angle and to create some tangible success, tangible outcomes. And things like feedback loops and iterative learning are key to making this work in practice. So now what are the common pitfalls? What is it that's kind of basically making it, you know, fall short or, you know, fail?

There is where we see, you know, many of the organizations are struggling with, you know, no clear plan about what to do with AI. So what is our AI strategy? What is that business problem or the opportunity that we are trying to address here? And, also, we are seeing this, you know, uncertainty around the sponsorship, the executive level sponsorship because in most cases we are observing right now, the programs are starting without a strong executive sponsorship or support, which makes it very difficult to scale.

And it is not just about having a sponsor right beside you, but it's also about preparing your board members to try to drive that AI sponsorship appropriately, to also train them in a way to understand, you know, what the, you know, opportunities are and what the challenges are and what the risks are.

Another common issue is being overly risk focused, you know, building controls, but not building the culture to support the adoption. And this is a very common issue that we are seeing mostly in regulated sectors, like banking and finance and insurance. They really tend to shift the focus to risk assessments and the, you know, all the risk management angle and sort of overlooking the training, the literacy, and the governance model angles. And there is this gap, also between designing the governance frameworks, but also actually running the day to day operation. And in most cases, we are seeing the same teams or the same stakeholders are expected to do both, you know, perform at both tasks, which sort of overwhelms them in the long run, ends up with, you know, burned out teams and stakeholders. So this is the decision that the organization should make. Are we, you know, basically building a structured program, or are we trying to just save today?

And the other bit is the operational challenges. You know, we can kind of talk about it all day long, but it's basically this, you know, the fragmented ownership, the, you know, unclear roles, and also overly complex assessments. Manual processes are also becoming a showstopper in this. So the question becomes, you know, are we building something practical and scalable or something that looks good on paper and doesn't work in reality? AI governance doesn't sit on its own. It builds on what already exists in the organization. So things like data governance, information security, you know, risk management, privacy. These are all foundational. So AI governance is really about layering on top of these capabilities, not replacing them.

So if these foundations are weak, your AI governance will also struggle. And equally, if AI governance is designed in isolation, it will create duplication and confusion. So that's why it is kind of perceived as an extra layer or burdensome or so on and so forth. It definitely needs to work hand in hand with the existing capabilities, infrastructures, and definitely leverage the existing strength. And a very common question is, you know, where do we actually start? One practical starting point is the policy work because it forces the organization to define what AI means in their context. It might look like a paperwork, a daunting task, which will end up with a paperwork, but it's actually really a good exercise.

The exercise itself is making you think, you know, what we are doing with it, who's gonna be responsible for that, what sort of risk management we will basically enforce, and so on and so forth. And from there, it is important to understand the existing processes. You know, how decisions are currently made, how the risk is managed. Data is another key foundation. So what capabilities already exist and what gaps need to be addressed? You really need to understand your current data environment. Then comes the people angle, the roles, responsibilities, and whether teams have the right level of AI awareness. You know, understanding your current strengths will also tell you what needs to be established, what needs to be maybe improved. And finally, monitoring and the reporting angle. How do we actually track and manage risk on an ongoing basis? The key here is to basically not start from scratch, but to build on what already exists.

So I think I'm going to be answering Manaswini's question because I'm also having a look at the chat at the same time. You know, do we have any sample AI governance and strategy document for look and feel of how it is as an example? Let's see if this slide is gonna answer the question, but happy to also pick it up afterwards. Because it is not a task that you can do overnight and it is like a really, you know, a comprehensive big, you know, transformation project type of work, it needs to be handled, you know, in stages. So it is a maturity journey. It is definitely not a one time off exercise or an activity. That's why we sort of built this crawl and walk and run approach to that.

And in this crawl stage, it's about visibility and having these basic controls and basic governance model in place. The governance committee, the basic, you know, policies, and also the use case inventory is very crucial to start with because this will give you the snapshot of the organization about what the organization is doing with AI or whether, you know, where the AI is.

Implementing these basic risk assessments, also looking into the AI clauses, from, you know, from a foundational perspective, you know, adding those clauses into the vendor contracts. The literacy program having, you know, basically taking those small steps in, you know, training the teams or having some sort of, you know, awareness activities around that and the simple reporting and escalation points. And in that second stage, in the walk stage, we are now getting it a bit more formalized, looking into areas like, you know, AI risk management frameworks, introducing more quantitative risk scoring, and also now deep diving into our data lineage and data governance, you know, the data landscape, implementing the vendor due diligence processes, or aligning or improving our current vendor due diligence processes in line with the AI point, AI element in it.

And beginning, you know, internal audits, you know, slowly in smaller sizes and tailoring the training approaches to your audience and to your operational needs. And the last stage is literally basically a more kind of organized and structured framework where now the AI risk management working groups are in place up and running. Also, AI risk controls are developed, you know, launched, and, you know, the automated monitoring and alerting teams are in place because you cannot keep things in excess. You will start to build your own reporting mechanisms or your own, you know, tools, AI governance tools, build or procure, I don't know, implement, you know, depending on the choice. But there should be some automated monitoring involved in that. And also continuously, you know, testing, you know, the tab process should be kind of in that continuous implementation, continuous improvement.

Regulatory compliance should be formalized, more advanced, you know, stages in the vendor assurance and the responsible AI culture. Now it should turn into a culture rather than just a one time of training activity. So these are basically the, you know, pieces that I wanted to, you know, walk you through today. And I just I don't know if you have time, but I think I can maybe spend some time on the questions. As I mentioned, I tried to maybe pick up one of them. Please feel free to, you know, add any more questions if you have anything else. But, you know, the one question that I'm gonna read again is do we have any sample AI governance and strategy document for look and feel of how it is, you know, as an example.

I think AI governance and strategy document is not something that you can build as, like, one document. It's a framework bringing together all these items that I have been mentioning. Maybe I can quickly jump back to that one slide about what it looks like, what the key pillars are. So this is the snapshot of the AI governance framework. I would say it would be difficult to put together or collate everything in one giant document. It is more of a mixture of all these policies and, you know, stakeholders and all these processes and the technology landscape and the risk landscape coming all together. That's why you also probably are already seeing that the AI governance roles are evolving to more like intermediary roles rather than risk specialists or, you know, technical specialists.

You know? Because what is perceived right now is the AI governance is something that will need to be, you know, fulfilled by having this technical background or by having the risk background by focusing on these areas. But it is rather, this is intermediary role where you will need to have a good idea about what AI governance is, and then you will need to basically bring together all these stakeholders, and will bridge them in terms of creating the, you know, the right outcomes.

Yeah. I can go back to the crawl run and that slide. I just see a note in the chat, just this crawl walk and run slide. Yeah. And the question is, I guess let me quickly do that. Yeah. And the question is, if your organization is still working on crawl, what to prioritize? That's a good one because now it is about getting things more formalized and having things, you know, more in, like, the data stems. I think it depends on where the challenges are, where the challenges are sitting. Like because if you're at the crawling stage, now you have a good understanding about what you are doing with AI and what challenges that you are experiencing.

So if you say that it is the risk angle that is kind of lagging behind, I think that will kind of need more attention to get it more formalized. So what is this, you know, what sort of a risk management framework that you are operating on right now? Are you relying on the current risk management, risk owners, and the risk management structure? Okay. There's another comment coming through. Now challenges are citizen developer model. Everyone can build agents. Okay. So it looks like that there is, yes. I understand. So that's something that we are also seeing, especially with the big vendors, the providers being accessible by anyone in the organization. That rather looks like an issue about, there's something we call as, like, the preliminary assessment and, basically, the feasibility assessment at the beginning of everything.

So you might remember this point about the center of excellence. So we kind of recommend the organizations to create this hub environment where all AI initiatives will need to be first assessed and will need to be, you know, sort of evaluated by key stakeholders where we call them as the AI specialist or AI leads in this. They can come from different backgrounds. It could be the legal participating to those or the technical people whatsoever. But there will be this need to really have a central mechanism to be able to manage this, you know, AI popping up from everywhere, and everyone has this kind of access to any sort of agent and building their own agent. Because this is very risky, and in a very short span of time, you will end up with having a 100 agents doing probably the similar task. So I think we kind of had the similar experience in the privacy world as well.

You will end up building this, you know, central hub or maybe regional hubs. You can kind of populate it, replicate it to your regions as well. But there should be those hub center of excellence hubs that will first need to they will kind of be on the front face of it, and will first need to understand what is this AI we are, you know, we are trying to build or we are trying to procure. Is it aligned with our strategy with which, you know, going back to my earlier point about which kind of opportunities that we are addressing you or the business problems we are addressing with. Do we have it somewhere else? Is it really necessary to basically overcome this problem with AI solutions, or is there a non algorithmic option of it? Or what they are building, is it really an AI? Maybe in some cases, they come to you with something kind of sophisticated workflow, which doesn't really it cannot be deemed as an AI.

So I hope this answers your question, but I understand that it is the center of excellence. It is those hub structures that you will need to focus on a bit more. Yeah. Thank you for this. I think we ran out of time, and I'm already exceeding my time. I'm really sorry for that. I'm really so happy that this is kind of interactive and really happy to also hear your notes and messages about it because, as I said, this is a collaborative learning journey, and I'm learning in every conversation that I'm having on this.

And, in the last slide, I added my, I basically copied my contact details. Happy to be in touch through LinkedIn and other areas and continue the conversation. Thank you so much for your time.