Prag Jaodekar
Technology Director - CTO Office , Synechron UK
Artificial Intelligence
Governance is a topic that has gained much attention in the business community in recent years. Writing policies, managing controls, and keeping up with new and changing regulations is vitally important. There have been many improvements in the field of governance, but there is still a lot of manual work involved with the policy templates that are meant to help you write policies. They provide a good starting point, but if you don't review them and modify them to suit your environment, you end up with an ineffective digital paperweight that does more harm than good.
People still rely on spreadsheets and shared folders or drives to create, track, and monitor policy and controls, but this is not suitable for dynamic environments. Good governance goes beyond compliance, and a good practitioner needs to be proactive. Policies and controls are not static but need constant attention. There have been some efforts to improve this, and there is more potential for improvement as AI evolves and becomes more embedded in environments for real-time evaluations and change.
Auditing: There are many aspects of auditing that are still very manual and stressful for everyone involved. Auditors spend a lot of time in meetings, requesting evidence, reviewing that evidence, creating reports, and more. Even though some of these things may be well suited to more human interaction, such as conducting meetings, there is a lot of potential for AI to improve processes, for example in policy review.
Auditors who review policies to ensure they align with the processing that is actually taking place should take a moment to consider this: What if AI could handle reading and reviewing the policies and highlight the key areas that align with the framework, baseline, or regulation applicable to the organization? You would then know exactly what to ask for during follow-up conversations.
Now, on to the dreaded topic of audit evidence. AI can help auditees gather the necessary evidence more quickly once they know what to provide. For auditors, AI can make the process of reviewing populations, sample sizes, and deviations less prone to human error and, hypothetically, more independent of human biases. In theory, these changes could streamline the entire audit process, which means less headache for the auditees and more time for the auditors to write reports and, most importantly, to build a great personal and professional relationship with their clients. It's a win-win for everyone.
Documentation: Another somewhat unpopular task in the governance, compliance and security world is documentation. Professionals ask themselves, “How am I supposed to do all the things and write down what I'm doing in a logical, cohesive, easy-to-understand manner so someone else can do it when I finally win the lottery one day?” This is especially true when the environment is constantly changing, which makes documentation really hard to write. Policies and procedures are not static; they need to reflect the current state of your environment. Otherwise, you risk failing audits, confusing others, and performing tasks incorrectly. AI can help by updating your policies based on changes to your environment, or by giving you a template when writing. For example, a recovery playbook for a system could be generated from its initial configuration, so you have accurate documentation when things go wrong. Documentation is vital for everyone in security, and automating it could benefit your team and your company, and save you time.
Vendor management: Currently, most companies use long questionnaires, sometimes shared across companies and sometimes their own, to evaluate potential vendors. They need detailed and current data from vendors to assess the risks those vendors may bring. AI can help make this process easier for both sides. For example, AI could help create tailor-made questions based on the vendor type or risk level. This can result in shorter questionnaires that address the main concerns better. Then, the vendor can answer manually or with the help of AI and provide evidence or a summary of their security situation, controls and so on. This saves time and effort for both parties, allowing them to focus on building trust and making good decisions for their business.
Human skills such as relationship building, emotional intelligence, and business understanding are essential for governance and compliance. AI can help save time on identifying risks and let you focus on explaining to the business why they should accept or mitigate them. External auditors could save time by reducing on-site evidence collection, and you could spend less time filling out lengthy security questionnaires and dedicate that time to higher-value activities.
The same applies to creating metrics and dashboards. You can quickly see and adjust to any changes between regulatory updates and your environment, meaning you can spend your time persuading others and leading different security initiatives that will enhance your company's standing. AI can really help practitioners to be more proactive in making positive changes and well-informed decisions for themselves and for their stakeholders.
AI is knocking on the door, and it's bringing lots of surprises. But how will it affect governance, policy compliance and the security community? That's a big question that needs careful consideration: people should weigh up the benefits and risks, as well as the governance and legal issues, as they join the AI bandwagon.