Hello, everyone. Welcome to this short session on AI governance, risk, and compliance.I hope all of you are having a good time going through a lot of sessions at Women in Tech. Without delaying much, let me introduce myself. I'm Rohini. I work with HPE, and, I'm having, yeah, huge experience in the AI and data science field. My experience grow in the same direction as how AI and data science, you know, has evolved. I work with HP, global sales team, especially the cybersecurity team. So since coming from the data science and working with the cybersecurity, overall, I work at the intersection of AI and cybersecurity. So I look at the market trend solutions and services around using security for AI, which is the topic of today's.

And also, I look at how do we bring in this cutting edge AI for cybersecurity. So the topic of today where I'm gonna talk about where where in very simple and then, in very small time is about AI governance, risk, and compliance. In short, we call it as GRC. So the GRC and the GRC frameworks is not new to the organizations. It's not new to the IT teams, it's not due to the organization, you know, overall frameworks. It is there. What we are talking about is how do we adopt this same framework or similar frameworks for AI so that we look at overall organizational governance from also the AI perspective and also talking about AI. Because these AI solutions are everywhere now. If you look at any organization as today, it's the digital era where we are in.

To be specific, AI digital era, where all the organizations are in every other operational aspect, be it related to the business decisions or be it related to the operational decisions. The leadership is trying to bring in AI as much as possible. Maybe from last one, one and a half year because of so much, you know, like about Gen AI. They're trying to bring in Gen AI so that we can automate this and then teach machine how to really perform some of the activities which humans were performing and also more accurately and more faster. So how do we control these AI solutions? Because at the same time, though AI is that cutting edge technology of the current digital era, it is also called as, double edged sword.

So it has two ends to it. One is the positive end and second is the negative end, which is about what are the risks which this AI is bringing in? How do we control these risks? Are we aware of the risk we are taking up? Majority of the risks are unaware. So because of these concerns, leadership is working on the POCs, creating the solutions that hesitant to really take it to the outside the market. Because of which if we see the, you know, market trends, 70% of the AI solutions drops at the POC level. Either because it is not aligned and bringing the right output which is expected by the leadership, the organizations.

The second thing is about the risks and the concerns related to that. How do we control these risks? How do we create awareness of the risks? So that's the second aspect. And the third aspect is about compliance. Because Gen AI is working on all the data which is available globally, And also, organizations are bringing in these Gen AI black box models to internal systems and, you know, feeding in the organizational data to it and providing these, Gen AI solutions to the internal employees, there is a risk.

And the risk is driving lot of regulatory compliance from the nations. Because when we talk about AI, it is nothing without data. And the data is an asset, not for just organization, but the overall data is an asset for the nation as well. So to control the data and to control all the risks which this AI is bringing in, which in majority of the cases unaware, the nations are trying to add on the regulate regulations around it. How do we control these AI outcomes? How do we control these AI solutions? How do we control the data is fed into the AI solutions so that it is still maintaining the privacy and it is still maintaining the confidentiality of it. So we're gone. These are just a list of act to, AI regulations which, you know, Copilot has given to me.

In fact, I have created the slides as well using Copilot. Earlier when I was trying to create the slides, it used to take time. So Copilot, which is basically Gen AI system, helped me so much and, you know, it made this presentation just in few prompts. So this is a bit list. This list is limited, but there are lot of new regulations and bills which many more organizations are trying to create at the organization level, at the industry level, and also at the national level. This list is at the national level. EU AI act, US executive order, NIST AI RMF, which is the officially launched the first, you know, risk management framework. These are couple of regulatory compliance requirements which nation has released and are in the phase of release. But we look at what all these regulations are talking about because compliance is one of the principle within the GRC block.

And if you look at all these regulations and pick up the keywords from these regulation explanation, I see that risk is one of it and the second is oversight, which is basically visibility and the control and policies, security, ethics. So these are the key terms which we can pick from all these regulations and what nations are trying to enforce on this AI and this gen AI solutions. So overall, if we look at the GRC principles and the GRC frameworks, it works on five key principles picked up from all the regulatory notes. The accountability, which is where who is accountable for these AI outcomes. We can't really say that AI solution is accountable. Instead, there is a human accountability and also the system accountability combination is added here and transparency. We've been hearing lot about AI black box models. We don't know once we input to these models what comes out and what goes on inside. No one is aware.

That's why we call these as black box because unaware. But the nation's regulatory compliance requirements are enforcing on bringing a transparency and bringing explainability to these model outcomes, Especially critical applications, there's a mandate from majority of the regulatory norms that it should have an explainability angle to the AI solution.

Otherwise, it cannot be accept if we go with the audit compliance checks. Cybersecurity, which is the critical which is also one of the critical part of this. How do we secure this whole AI and the underlying components in it involved solutions, a stack of items in the whole AI solution? How do we protect? Most importantly, data and the privacy. How do we make sure the data which we are feeding into the system is aligned to the privacy regulations as well? In the benefit of time, I'll just go a little fast here. I'm talking about GRC. I'm talking about AI GRC. But what is the difference? Because organizations are already having traditional GRC. They are having policies, procedures, and frameworks. And what are we suggesting or proposing in terms of AI GRC? How do we have to embed this? Because when we are talking about traditional GRC, it's like I mentioned, policies, regulations, controls, procedures, all from the traditional aspect.

Those cannot be adapted as is for the AI GRC because AI GRC talk about ethics, the ethical use of the solution, and the algorithms, which is the black box models we are talking about, and the data driven controls. Earlier, we have the human centered controls. Now it's data driven. Risk based controls is what we are adopting to with the integration of AI everywhere. How do we add this GRC into traditional GRC without creating an issue or a roadblock for the innovations? Because the other aspect which AI GRC brings in at least on the, you know, leadership thoughts is that if we include or add this AI GRC, what are the complications? Are we limiting the innovations? Because that's the, you know, key part for organizations that they wanted to innovate on AI driven solutions. So with these AI GRC norms, are we limiting it?

Are we holding the hands of our research engineers with not integrating black box models, the advanced models because we are unaware of the solutions. Considering all these things, what we proposed are, you know, what we are at HPE is doing is we have added or integrated into this AI GRC, into our traditional GRC framework in such a way that the GRC frameworks are easily adoptable for the AI solutions and with very minimal additional effort and guidelines, we will be able to control the governance, risk, and compliance of the AI solutions.

How do we do that? These are the practical aspects. I'm not talking about traditional GRC, the policies and processes, but if we want to embed AI governance framework, the AI GRC framework into the traditional GRC with an operational implementation perspective. The key things which we have to do in addition, I'm enforcing on this in addition because I'm not changing the existing GRC and it has to be applied to AI just like it applies to every other business solution which an organization is building and delivering and placing it outside for the public.

I'm talking about only AI, specific AI governance operational aspects. One is ethical guidelines because the traditional GRC don't talk about ethics, the ethical way of looking at the solution. We have to build those ethical guidelines, policies, and procedures specific to AI. What is right? What is not right? What is correct? What has to be changed? What has risks? What has to be considered as, you know, an alternative? What is good for the public? What is not good for the public? What is good for the customer who is gonna use this solution? And if there are issues, what is not right for them. Considering the data which we capture, uses of the data, and how disastrous this solution outcomes can be for the customers, or the users of the solutions. We have to establish these guidelines, policies, and procedures, which in a way give us an indicator what are our limits, where do we have to stop, what applications we have to add additional view or oversight into it.

The second one is risk management, risk assessment processes. Risk management again is not a new term. It is there and very much used to term. What we are proposing is how do we do this risk management, risk assessments for AI solutions? How do we look at the AI risk? How do we identify the AI risk well before the solution is put across to the end users? What are the risks of this solution? The risk can be categorized like EU AI act. We can categorize on the AI risk and create the mitigation measures for each of the AI risk. At least to the extent that we can think about those risks because they are still risk which we are unaware of, which we cannot control, but we can still create a protective layer around these OS AI solutions which could control this risk to an extent when it comes to really a disastrous behavior.

And the third one is regulatory compliance. Though not all the regulations are mandated, but there are a couple of, regulations which are mandated at the national level, the geo level right now, considering the industries it is in. For example, health care, there are couple of regulatory norms, which is already mandated. And finance, insurance sectors are also, you know, comes under the regulatory compliance even for the AI. So all the regulatory norms and the compliance has to be looked at before we publish our solutions to the end customers or the end users. The fourth very most important one is auditing and monitoring. We cannot have AI system left without monitoring.

We must have multiple and layered monitoring for the AI system at every part of or at every point of its life cycle starting from its creation, design, implementation, and further end use. So run and optimize also is a place where we have to look at what is happening with this AI system, what kind of changes are coming into this AI system. So we have to look at that. And finally, human oversight. So this is very important because here we are talking about how do we bring in human in loop. We can we are not leaving our AI systems unattended, not having any control. What we are talking here is every AI system system should have human in loop and should have control in human hand and also multilayer human control. It's not just one leadership person is having a human control over the AI system to press a button to revert back or to press a button to stop it.

It's not that. It has to be a layered and hierarchical oversight should be implemented in AI solution so that starting from the technical person to the strategy and the business person, everyone have accountability and control over the AI solution. That's pretty much, the kind of principles and the implementation aspects which I want to talk about as part of this solution. Sorry, as part of this session. Any questions I would like to answer? So your questions. So so I think, not really sure, but I can see the chat and answer the questions. Because the challenge in AIGRC is adoption. Creating a framework is not, you know, difficult. It is easy because organization already having an AIG GRC framework and what we are trying to add is additional aspects to it. But the problem is adoption.

Because when we are talking to the AI engineers, are these innovation research engineers, they consider these GRC aspects as roadblocks for them. We as they consider that, we are stopping their innovation. So the challenge is the adoption. How do we explain these research engineers or the data scientists who are developing these AI solutions that having these controls is important and is beneficial for the future? Because for them, it's solution. How do I bring the outcome? But in AI GRC team, it's about future. How do we have this long term control and how do we see this solution seeing the future? So adoption is the biggest challenge. And then the other question I see is are there any compliance tools that have been set up to assess AI?

Compliance tools, I see couple of vendors in this space already building the compliance tools, but as the regulatory compliance are getting new because the UAE act is, you know, the one which we see officially, is also not active. And whatever we have from US, from, in honest also, they're not mandated. So these are all additional checks and, you know, if some checks which an organization wants to add at this moment to ensure that they are aligned to the sovereignty norms, they are aligned to the data security norms, they are aligned to the ethical norms. Again, ethical norms is something not mandated at. So compliance tools, everything is under creation. Lot many customers are vendors. We are seeing in this space are adopting their traditional compliance tools for the purpose of, AI by, using the regulations documents which we are getting to see from nations and the industry and adopting the tools to that. But there is no specific AI GRC tool. Certification courses, AI GRC, I've seen a couple of certifications from the privacy, perspective.

But overall, AI GRC is a topic still and course it also I haven't seen any new certification, but there are couple of small institutes who are developing these certifications. I'm also working with one of such institute to develop the material, which I can talk at this moment. But yes, it's coming. Maybe in two months, three months down the line, you will see lot of certifications in this space. But privacy enhancements and all, there are certifications exist already, which talks about ethics. Ethics specific topic, there are certifications exist already. Yes. This is a new topic, a topic which not many accept, at. So looking forward. Thank you all. Thank you for the wonderful questions. And let me know if I can be of any help.

You can reach out to me or my corporate and also personal email ID for any questions in this space. Thank you.