CISO Perspectives: Insights on Generative AI Governance


Posted on by Laura Robinson

What are Fortune 1000 companies doing to govern the business’s use of generative AI (GenAI)?

This week, we’ll look at what it takes to govern the rapid, and often chaotic, adoption of GenAI in the enterprise. In recent discussions of the RSAC Executive Security Action Forum (ESAF)[1] community of Fortune 1000 CISOs, a leading CISO talked about how their company is assessing and prioritizing GenAI use cases.

This blog series is based on firsthand experiences shared by Fortune 1000 CISOs at invitation-only ESAF sessions. We’ve summarized those discussions for the benefit of the wider security community. Details have been anonymized to preserve confidentiality. 

Corralling All GenAI Proposals through a Review Board

At most large enterprises, the CISO and the security team are a key part of a cross-functional effort to oversee the company’s GenAI initiatives. In fact, according to the recent RSAC survey of Fortune 1000 CISOs, the security team is involved in GenAI policy and governance at 88% of companies and security team members are on the GenAI oversight committee at 74% of companies.[2]

So, what’s involved in GenAI oversight? According to a CISO at a recent ESAF session, a key element is establishing a review board to assess GenAI proposals. Their company’s GenAI use case review board has members with expertise in a wide range of functions including privacy, ethics, environmental sustainability, human resources, legal, and multiple aspects of security, and is led by a Chief AI Officer. 

Assessing the Risks of GenAI Use Cases

In looking at the proposed GenAI use cases, the review board assesses risks from many angles including:

[Graphic 1: risk angles assessed by the review board (image not included in this text)]

The CISO noted that AI project assessment is broader than traditional assessments, and the security team must be trained to evaluate the additional facets. Besides risk, their GenAI review board assesses projects based on:

  • Business Value: Looking at cost, benefits, scope, and urgency.
  • Process: Must be clearly defined and a good candidate for AI.
  • Resources: Sufficiency of AI implementors, subject matter experts, and data source owners.
  • Data: Examining availability, quality, completeness, accuracy, and classification of data.
  • Technology: Must have adequate technological infrastructure.
  • Explainability: Must be transparent across processes and functions to build end-user trust.

Prioritizing GenAI Use Cases

When the company mandated that all GenAI use cases must first be cleared by the review board, proposals came flying in from across the business including operations management, R&D, manufacturing, marketing, customer service, HR, and finance.

The CISO explained, “We didn’t know what to expect, because we really had no central process or visibility inside of the company to have a sense of what was happening GenAI-wise. And we just got flooded with use cases…Even in departments that one would expect to have low technology acumen, there was somebody doing something with GenAI, exploring how they could make their business process or function better.”

In reviewing 800+ proposals, the review board identified an “unhealthy degree of chaos,” with company resources being expended without coordination or strategic direction. People were spending time and money on projects that were not feasible or too risky.

Ultimately, the review board prioritized the projects that were most aligned to the company’s core strategic areas, about 130 projects. Resources were reallocated to ensure effective and efficient implementation.

After that first wave, the average turnaround time to review a project is now about a week. Almost always, the review board says yes, with provisions. It provides detailed, prescriptive feedback on what must be done to make the use case policy compliant.

AI Data Governance

Since the company considers data integral to the success of any AI strategy, they have paired use case oversight with data governance. The use case review board works in tandem with a data stewardship board, which sets data standards and taxonomy for the company’s key datasets. 

AI Security Standard

Another aspect of the company’s risk management strategy is ensuring GenAI system developers adhere to the corporate AI security standard. Their document is based on reference architectures and critical vulnerabilities of GenAI that are published in sources such as the OWASP Top 10 for LLMs list. 

The security standard document must be frequently updated as new techniques for attacking and misusing GenAI systems arise. The CISO emphasized that the security team requires the developers to continually reference the security standard, and to self-attest to compliance with the latest version. 

Up Next: Securing GenAI Systems

Next week, we’ll take a deeper dive into the technical security aspects of GenAI and share a detailed case study on securing an enterprise deployment of an internal customer service bot. If you missed it, check out last week’s post on the Risks of Rapid GenAI Adoption.

Read more from the RSAC ESAF community of Fortune 1000 CISOs in the CISO Perspectives series.

______________________________________________

[1] ESAF is an international community. It consists of CISOs from Fortune 1000 companies and equivalent-sized organizations.

[2] Survey of 100 Fortune 1000 CISOs conducted by RSA Conference for an internal research study in Q2 2024.



Contributors
Laura Robinson

ESAF Program Director, RSA Conference
