AI Meets Data Governance: Building Trust, Driving Innovation
As AI adoption accelerates, data governance is facing a critical stress test. Without clear oversight, organizations risk introducing bias, compliance gaps, and reputational harm—often without even realizing it. So how do leaders align innovation with responsibility? In this expert-led session, Tevora’s Risk & Strategy team breaks down how to build a unified approach to AI and data governance. Whether you’re starting from scratch or integrating AI into existing programs, this webinar offers a practical roadmap for balancing risk, speed, and structure in an evolving landscape.
Key Takeaways:
- Where traditional data governance falls short for AI
- How to bring AI oversight into existing governance frameworks
- Responsible AI in practice: from sandboxing to model monitoring
- What a unified AI + data governance strategy looks like—and why it matters
- How to prioritize oversight based on risk and compliance needs
Whether you’re navigating NIST AI RMF, ISO 42001, or internal risk strategy, this session delivers clarity on building trust and transparency in your AI initiatives.
I think this is a good point to get started here, and I know we have a lot to cover today. First and foremost, thank you all for joining. I want to say thank you to my team. I see some clients on the list here as well, and some new faces and new names. Thank you all for making the time this afternoon and joining us for this webinar. My name is Anir Desai. I’m a director here at Tevora. My team primarily oversees enterprise risk management, privacy management, and third-party risk management, from assessments to governance and program build-outs for existing clients and new clients. We’re excited to share this conversation on the interconnectedness of data governance and AI governance with you all. But before we jump in, my panelists, Luke and Bill. Luke, if you want to introduce yourself and then kind of popcorn it to Bill.
My name is Luke Miller. I’m an associate manager, part of the Strategic Services team, and I also lead the data governance branch here, with everything from strategy to process implementation and tool guidance and consulting, as part of that group to support this. Excited to talk about the data governance side of AI here. Bill, do you want to introduce yourself?
My name is Bill Kachersky. I’m a senior information security analyst in the Strategic Services team, so working under Luke and Anir, and I’ve been with Tevora for about three and a half years now, focused primarily on doing risk assessments. I also build programs for folks and help with security authorization and system security plans. I do pretty much a lot of things. I’d say I’m a jack of all trades, master of none, and proud of it. To that end, though, I do love my AI. I think it’s an amazing developing field, and this is such an important moment. We’re at a watershed moment for really being able to see effective governance come into play. There are a lot of different frameworks out there for AI and data that don’t necessarily touch on the intersectionality between the two. I’m really excited to see how, from the AI perspective, in combination with Luke from the data governance perspective, we can contribute to the conversation today on this call.
A couple of housekeeping items before we dive in. For our attendees here, before we get started, just please know that if you have any questions for our panelists, for Bill, Luke, or even myself as moderator, you can enter them into the Q&A box, and we’ll do our best to respond live at the end of this conversation. I know this is a hot topic, and I know there are a lot of attendees here, so if there are questions that we’re not able to get to, please go ahead and send them to sales at Tevora.com and we’ll be addressing those as they come in. Throughout our conversation, we’ll be asking a few poll questions to understand your governance approach and its impact on your organization and your role. It’s a great way to learn from peers, so keep an eye out for the polls in the participant section there. Perfect. Let me just set the stage here for everyone in attendance. Data governance has been a hot topic this year, not only for our team but for the industry as a whole and the clients that we work with. Now the conversation has shifted slightly to data governance with the flavor of AI governance, with some clients wondering, “I don’t even have a data governance program, and now I’m supposed to worry about AI governance?” Just with the fast pace of how things are moving and folks utilizing AI in their day-to-day responsibilities and day-to-day job functions, we can take this conversation in several different directions, and it’s huge. Rightfully so, and it is important to talk about these things. Today we’re going to hear from two individuals who are at the forefront of these conversations with our clients. Luke and Bill serve as analysts and as project leads for our clients, and they’re deep in the trenches with our clients, so to pull them out for these webinars, thank you both for making the time here. Let’s dive right in. For audience members, what are the key differentiators between AI governance and data governance?
I’ll start with Luke from the data governance side, and then Bill can chime in with the AI governance side.
As anyone who’s ever been in a data governance meeting or call knows, we’re all big on definitions here. Ultimately, it’s always good to have those squared away. From a data governance side, what we primarily, you know, communicate to our clients is: what’s the purpose, right, of data governance? It’s ultimately to keep data accurate, data secure, data compliant, and data usable. The big pieces feeding into that are really data quality, making sure that the quality that goes into your processes allows you to have actionable insights, a lot of the good-data-in, good-data-out kind of methodology there. That feeds into metadata management, where how you’re tagging and tracking that data makes sure that it’s where it’s supposed to be, where it’s protected, and that it’s compliant with those pieces. Then it feeds into access control, obviously: once you have the quality of the data and where it is, who actually has access to that, and implementing those pieces. Then diving into the compliance piece, making sure it’s meeting all the requirements that are established for your usage, how you process it, and stuff like that. Ultimately, that, at its core, is the primary purpose of data governance. There are obviously the nuances of AI that are creating a lot different of a definition, especially when you think about where what data governance covers really lives. It’s in the databases, it’s in the SharePoint sites, it’s in the structured and unstructured data sources across an enterprise. You know, AI is creating a little different approach to that. Bill, do you want to dive into maybe some of the AI governance pieces there?
AI governance really is about ensuring that AI systems are behaving reliably and ethically. The thing here, though, is that modern AI can learn from all the data across your enterprise: our SharePoint sites, email systems, file shares, cloud storage, Teams chats, all that structured and unstructured data. AI could potentially learn from all of that. The scary thing about that is, it doesn’t even necessarily need to have the data all in one place to paint a complete picture, because AI, by nature, is built around the concept of inference. What we’re really talking about is that these seemingly disparate pieces of information can actually tie together and create a very complete, startlingly complete picture of business intelligence and insights, and even potentially other sensitive forms of data that you don’t want that AI to necessarily have access to or have stored within the model itself. That brings in a whole separate term. The idea of reliability and ethics is to make sure that we know reliably what data is going in, we know reliably how the AI is going to behave, and, ethically, that we have it built out in such a way that we’re not going to have to worry about any sort of compliance or regulatory issues, and obviously personal issues, things that can produce lawsuits, that kind of thing as well.
Bill, for those that are hearing this kind of terminology for the first time, can you just cover some key vocabulary that we’re going to go over for this hour here? Training data, model, all that good stuff.
I think it’s really important to establish a taxonomy. We’re talking about governance, and no governance discussion is complete without defining our terms, as anyone who has sat through a governance meeting knows. Let’s get those things out of the way. In terms of data governance, well, I’ll cover the AI governance side and hand it to Luke for the data governance stuff. When we’re talking about AI governance, we’re talking about the policies and controls that are ensuring that our AI is reliable, ethical, and aligned with our values and business objectives. Think things like bias testing, explainability, and performance monitoring. Those are going to be some of the governance mechanisms that we want. In terms of day-to-day operations, AI governance is, again, about making sure that the AI behaves properly and explains itself. That’s going to be the baseline there. In terms of some key vocabulary, just to get some things in plain terms: when we speak about training data, we’re talking about what AI learns from. When we talk about the concept of a model, we’re talking really about the AI’s compressed memory. When we talk about the concept of inference, we’re really talking about AI connecting dots you didn’t know existed. When we talk about the concept of hallucination, which I’m sure many of you are familiar with, that’s AI confidently making things up. I’ll pass it back to Luke to lay out some baseline prerequisite taxonomy around the data governance side of things.
What we talk about from a data governance side: when we think about policies, that’s really the documentation, the controls that we have in place ensuring that our data is accurate, available, and secure, kind of those high-level data governance pieces that I was talking about. When we say classification, how do we classify the sensitivity of the data based off its risk? Ultimately, it’s just making sure that your data is safe, clean, and compliant with all your regulations and stuff like that. From a data governance perspective, there’s a lot of overlap with the AI pieces there, but those are the core definitions we want to establish here.
Jumping into our next question here. Data governance itself isn’t new to many organizations. I think organizations have had elements of data governance embedded in their processes for years, even if it’s not labeled as data governance. So what’s changed, in my perspective, is the visibility and the urgency of it: the explosion of data volumes, evolving regulatory demands, and, of course, the emergence of data security posture management tools. I think those elements combined have pushed data governance to the forefront as a distinct and strategic discipline for organizations. Luke, let me start with you. Where have you seen traditional data governance fail to keep up with some of the AI advancements that are happening right now?
I think with AI, there are four or five things that we’ve seen over several projects from a data governance perspective, especially with folks trying to either integrate AI with third parties or build their own AI, you know, for their own application systems, their own models for internal business solutions. Ultimately, where data governance has been slow to respond to that is typically through the speed of the update cycles that typical governance has. When you think about data governance, there are quarterly meetings, there are annual reviews. AI works at a way, way more rapid pace than that. It’s retraining itself daily, continuously, a lot more rapid of a cycle. Ultimately, that leads to a much slower process for making sure that the policies, procedures, and the data sets that you’re trying to govern feeding into those AI pieces get corrected; they are very, very slow to correct there. Obviously, with AI models that change that quickly, there are going to be gaps where maybe there’s data that’s biased, there’s stale data, there are all the implications of basically going back to having a very ad hoc governance framework itself. Another piece that I would say really comes from the AI pieces is that there are some blind spots, really, to bias. Governance is really good at capturing, at the very forefront, here’s where our data is at, here’s our lineage, here’s the definitions, here’s how we protect it, from a static perspective, but ultimately the downstream effects, the biases that come from AI slowly over time, and as quickly as it goes, are leading to some issues with feedback loops in the governance, leading into some blind spots from a bias perspective. Trying to think of other examples here.
Another one that we’re seeing, too, is around the governance councils. From a data governance perspective, they’re very knowledgeable in the sense of how to do governance from a traditional standpoint, but often it’s now missing that critical AI and machine learning engineering expertise, like Bill mentioned, the ethics implications of AI, and really domain experience across leveraging AI, the models, and the risks that come with it, to really understand the AI risk and how it impacts the data governance group, and how it impacts the organization as a whole. Then the last one here that comes to mind is really around policies. When we talk about a lot of the more mature organizations, there are a lot of strong policies. We’re really great at having all the documentation and having it all defined, but the process to actually execute on that becomes very, very light, meaning that we might have all of it great on paper, but when we talk about executing it, it’s very, very tough to identify those risks and mitigate those risks, and ultimately the controls aren’t as effective as we have them down on paper, and it’s just essentially missing some of the AI features to that as well.
Makes sense. Anything to add from the other side? Looking at an AI governance program, where have you seen some gaps when organizations are trying to fit the AI governance program into their data governance program?
I can build on what Luke was saying here in terms of the key points that he touched on. That idea of static data sets, right, things that are not necessarily going to be changing very frequently, that’s going to be more in the realm of traditional data governance, where AI models are going to be changing over time, albeit much more quickly. They’re basically regarded as a dynamic asset in that sense. To that end, you can hear that even some of the folks, the AI engineers in these various companies, the big companies that are building out the big models, things like Anthropic and OpenAI, a lot of these folks don’t even know how their own AI works at the end of the day. In terms of model oversight, there’s really no clear definition for how to go about doing that. There are definitely methodologies for developing and training models, let’s not confuse that at all, but in terms of model oversight and how, once it has that training data in its system and it’s up and running, it starts to iterate and evolve in that knowledge base, that dynamic aspect of it is something that’s a bit harder to pin down in terms of predicting behavior or outcomes or evolution. That being said, traditional data governance stops at data. It doesn’t really cover how the algorithms are processing that data. That’s where AI governance really needs to be able to meet data governance where it’s at, and continue the discussion, evolve the discussion, rather than just showing up in a vacuum and focusing strictly on model-specific concerns. To that idea of the biases that might be in data sets, subtle biases, an AI can amplify those significantly, and then suddenly you’ve got your organization systematically excluding or refusing to hire women, or potentially some other sort of ethical implication, like targeting certain minority groups and discriminating against them in some way.
It could be claims filing for medical data, that sort of thing. There are all sorts of ways that subtle data biases, which might be unintentional or unconscious, even by the organization historically, that are sitting in those data sets can then suddenly be identified, inferred by that AI, and then amplified exponentially and become systematic. That can really present some ethical implications at that point too, and potentially lawsuits, that sort of thing. The other thing, too, to Luke’s point, is the speed gap. AI is evolving exponentially faster than our typical policy cycles do for data governance initiatives. A model might be updated weekly, when the governance is going to be reviewed annually. That leaves gaps where biased or stale data might persist unnoticed. To that point, I’d say AI is introducing new data sets. It’s taking those old governance sets, those source data sets, and it’s iterating on them. It’s producing new dynamic data sets as it starts to even just parse that information. Not only that, but our end users can produce new data sets, aggregate data sets that exist, that the model’s trained on or that it has access to, and actually build complete new data sets that we don’t necessarily have the ability to apply data governance policy to immediately, or even become aware that those data sets exist now and that they were generated in the span of five minutes by the AI and a curious accountant.
That’s a big piece there, when we talk about the data sets. From a data governance perspective, a lot of people are really good at saying, okay, let’s get our source data secure, all the controls in place, right? But that’s all done before we stick it in the AI, and then we’re good with AI; it’s handled from there. It’s the synthetic data that comes out of that which might contain the customer data, the risk of bias, the risk of model compromise there. All those risk factors, we’re seeing across the board, are really kind of forgotten about. It’s leaving a lot of issues from a data governance perspective: once it goes into the AI, how do we track it? How do we remove it? The other piece there, and I’m sure we’ll touch on this question later, is the data in the AI models that you train against in some forms and usage. If you use a third party, you’re not necessarily able to remove it. There’s a big risk from a privacy and compliance perspective with the data that you’re using to train: what’s feeding into that, and how do we track that from a lineage perspective? It gets a lot, lot more complicated and a lot harder to remove.
We have examples all the time where traditional data governance controls come into play. We have our retention requirements. We have our destruction requirements. We go destroy the data, and then we go query the AI about it, and it pulls up that information just like that, even though we wiped it from our systems. It just goes to show that the models will store the data, and we have to come up with techniques to be able to exclude data right out of the gate from the AI models that we’re using, and controls to keep that data out of those systems. Or techniques, which are emerging, but I would not place any sort of trust or confidence in them just yet; they are emerging techniques and technologies around how to actually remove certain data elements from a trained model that’s in operation. But again, that’s all very nascent technology, bleeding-edge stuff. I would not count on that in terms of an enterprise solution from a compliance or regulatory perspective.
I know some of these things tie in with oversight. I’m going to shift gears here. I know, Luke, you’ve seen data governance oversight committees, you’ve seen data governance committees, and all those folks work hand in hand with security, privacy, legal, and our combined group. Now there’s AI oversight, an AI oversight committee or AI committee. In your guys’ perspective, what are the first steps an organization can take to bring AI oversight into an existing data governance program? Bill, I’ll start with you to break down what AI oversight is first, and then, Luke, I’ll pass it to you to describe how it fits into existing data governance.
What is AI oversight? I would say it boils down to some really ground-floor processes being in place before we even start actually launching our AI systems. We want to make sure that we’re validating the systems, but we also want to introduce controls once those systems are up and running, to be able to observe them, and to start introducing cycles and checks for accuracy, fairness, and compliance with whatever compliance requirements we have, both internally and when we talk about any sort of regulatory or external compliance requirements. To that end, we want to make sure we have a system for performing those ongoing checks and being able to get a sense of any sort of bias or fairness skewing that might be happening. There could be periodic audits that we are starting to conduct to detect and mitigate harmful bias. We want to make sure we also develop explainability requirements. This would be things like documentation and tools that allow humans to understand the AI decision logic. That’s actually really, really critical when it comes to making sure we have resources that we’re disseminating within the organization for our end users to reference. Just as much as using the AI effectively is important to train our users on, we want to also give them access to how to actually understand the AI decision logic and how it’s operating under the hood. That gives them a more informed approach to crafting more meaningful prompts, and to how to actually keep sensitive information effectively out of there, and also disparate pieces of information that don’t necessarily feel sensitive. Based on understanding the decisioning logic, we can see what the inference would lead to: if X and Y bits of information are there, it’s going to lead to Z conclusion, which is going to reveal sensitive data at the end of the day. And then, to that point, ethics and compliance alignment.
We really want to make sure that our outputs are staying within approved use cases and regulatory boundaries. When we think about those ongoing checks for accuracy, fairness, and compliance, that’s really getting into more of the granular details of what those checks should be focused on. When we think about an example of how this actually plays out, let’s talk about the idea of an AI that screens job applicants, which must be regularly tested to ensure that we’re not adversely impacting protected groups. I know I brought that example up before, but it bears repeating. It’s going to be a very vulnerable place, and it’s a place where we’ve seen a lot of organizations already implementing AI to sift through the thousands of different resumes they get. And again, that’s where subtle biases can turn into systematic bias, which is actually discrimination at the end of the day. Making sure that we have a system for actually being able to test and validate how the AI is responding to a given demographic associated with applications, or that sort of thing, would probably be, in terms of AI oversight, the real ground-floor table stakes we want to be concerned about out of the gate, and then start introducing regular reporting and monitoring.
From a data governance perspective, all of those are pretty key factors in building a more continuous process, especially with the speed of AI and how its impacts are evolving on really a daily basis. From a data governance side, it’s really about: how do we create a culture? How do we create a structure to make our decisions run a little quicker in the data governance phase? Ultimately, you’re going to be using any sort of existing governance structures. Many different organizations have different ways of doing it, based off current committees, current staff, current expertise. So ultimately, what you have to see from an AI perspective feeding into the data governance is: use your current committees. Use your current workflows and approval gates. Just add a little bit more of the AI-specific requirements to them. A great example of that would be from the inventory perspective. You’re going to want to identify not only the source data that you have for your models, the data that you have from an inventory, lineage, and mapping perspective, the assets that you have, but also map every AI model that you use. Where exactly is that residing? Where is that running? Is that a third party? Is that internal? What data are we feeding into that, and who owns that? Ultimately, what are the outputs that come from it? It’s really taking inventory, at its core, of AI assets, and incorporating that into your current data maps and data inventories, feeding into those existing structures, having AI as just a part of that. And then creating the control layers from an AI perspective: from a pre-deployment perspective, making sure that, like many of our priorities from a data governance perspective, the data quality there, from a pre-deployment perspective, is up to speed.
It’s up to the model documentation, the quality, all the validation that you need to have, the good data in to get the good data out. That’s a pre-deployment control vector or layer that you could use there. And then ultimately creating a post-deployment check after every review, every deployment there. There are cadences to measure: is this model working effectively? Is this model creating the biases, the risks, or the accuracy issues there that we’re seeing over time? It’s not only just a quick check that it’s operating as intended. It’s creating more of a cadence periodically, whether that’s monthly or six months. Typically, we recommend about an annual cadence there, because from a daily perspective you’re simply going to get overwhelmed with all the data on changes and drift and stuff like that. But ultimately, measuring that risk from a post-deployment perspective is really just making sure that the drift or the bias that’s in that post-deployment stage can be caught. Those are some key pieces there. Let me think. Another step, a big thing that we’re seeing, is metrics. Data governance is always about trying to capture the metrics, to see operationally: do we have the data that we need to have? Do we have the processes for quality, for metadata, for compliance perspectives? But also creating the AI metrics for how the models are performing. Are we finding models that have maybe some unfairness? Are we seeing spikes? Setting those baseline metrics there, we’re able to capture this at a quicker pace with those monthly reviews, creating those metrics that are important to the organization and the risk that is involved there. Those are the kind of top things I could think of for how AI would feed into that.
That’s all great info there. I’m going to shift gears and go to Bill. I know this one is near and dear to Bill. You’ve identified this countless times, and you’ve embedded this with the clients that you work with. Governance does not equal just a policy. You can write up the document, it could sit on the shelf, and you can’t just call that governance. What does responsible AI governance look like in practice, not just policy, but the day-to-day decisions that organization leaders need to make when they’re trying to establish an AI governance program for their organization?
I completely agree. Governance is about where the rubber actually hits the road. We can have a governance policy, but it doesn’t mean anything if we’re not operationalizing it. Let’s build on what I was talking about initially when we talked about those first steps of AI oversight, because what we are really trying to get at here is: how do we introduce AI oversight mechanisms, and then what does it look like, from a very high level, to operationalize them? That’s what Luke was getting at. Let’s talk about how we start to dig into those things and then expand on that. Day-to-day responsible AI governance is really about integrating guardrails, observability mechanisms, and escalation paths to make governance part of the existing processes, rather than something we’re bolting on after the fact. We also need to factor in any sort of organizational change management considerations and culture shifts that need to occur, making sure that we’re socializing this appropriately with our stakeholders where we’re going to be actually introducing AI into workflows and system-level processes, with various teams, implementation teams, development teams, that sort of thing. That being said, we want to really make sure that we’re working with them to build consensus and acceptance around the integration of those governance processes into their existing processes, rather than having it be something bolted on. We want to make it easy. We want to incentivize it for them, and we want to really be there as a partner and a source of clarity when they need it, rather than just an authority and oversight. We really want to position ourselves as a partner and a business enabler. To that end, if we’re going to be in the development process for building out an AI system, we want to focus on introducing automated bias scans and fairness checks during training, so we can see how the training is actually evolving.
And we want to make sure, like Luke was saying, that we’re documenting the data sets that we’re training on. We’re documenting our model parameters and our validation results as part of every release for the AI model, or whatever it happens to be. This even goes for fine-tuned models. You can grab a model out of the gate from any of the major providers, or an open-source model. Actually, I definitely recommend checking out the recently open-sourced AI model, gpt-oss. It’s actually pretty solid. I ran the 20 billion parameter version on my own hardware, and I was actually pretty impressed with the results. That being said, fine-tuning models is definitely applicable here in terms of making sure that we are documenting our data sets, our model parameters, validation results, and all that stuff, even for fine-tuning activities. We want to make sure we’re keeping a human in the loop, especially for critical outcomes. Any AI making decisions in a regulated or high-impact area should absolutely require human approval before action. The AI should not be able to act autonomously in a high-risk situation or a highly regulated environment. A great example would be in healthcare. An AI diagnostic process might furnish recommendations for how to proceed with a treatment plan, but it absolutely should be confirmed by a licensed physician, in case it got the medication dosage off, or if the recommendation is just completely off the map and it’s hallucinating. We want to make sure we have that human oversight element there. And obviously, health is a really easy, low-hanging-fruit sort of approach to contextualize this. This goes for product development as well, in organizations that maybe aren’t necessarily dealing with immediate consequences, but where downstream effects could still produce similar impacts or results or safety concerns. Then, model cards and fact sheets.
We really want to make sure we’re maintaining living documents for each AI system, showing its purpose, its inputs, performance metrics, known limitations as we identify them, and change history, so any sort of updates or configuration or modification changes or enhancements that we’re applying to the model, so we can kind of see the evolution over time. We also want to make sure we have some monitoring stack, right, and observability tools in place, so making sure we have real time dashboards that, to Luke’s point, we don’t necessarily need to be looking at all the time and have information overload, but we want things that we can at any moment in time just drop into and track drift, accuracy and compliance metrics at a moment’s notice. Just a single pane of glass, just take a glance, see what’s going on whenever it feels appropriate to do so, and then setting up automated alerts to governance teams whenever thresholds are breached so that they can take action accordingly. To that end, we can potentially start looking at that as a problem, a problem management situation. I wouldn’t necessarily put it at the level of an incident, but in some cases, we might want to carve out a niche for incidents as it relates to AI, with governance teams being able to respond to that incident in a similar manner and treat it with a similar degree of importance. We also want to make sure we have clear boundaries and escalation paths. We want to define what the AI can and cannot do, and we want to make sure that users know how to escalate if something looks off, which means that they need to also be aware of what the expectations are of what AI can and cannot do, so that they can then easily identify when there is an inconsistency or an anomaly, and they can report that up the chain. For example, there would be a financial services chat bot that can answer policy questions, but it can’t approve a loan; that’s going to be escalated to a human agent.
Everybody heard about the AI at, I think it was a GMC dealership, where a customer got it to sell them a car for $1. So that’s a great example in practice for you guys of that one. That’s pretty much what I think is important in terms of what day to day responsible AI governance really should look like.
I think you can kind of see the overlap there, explaining from a data governance perspective, and then the AI governance. There’s a lot of embedded oversight that needs to happen, but that can be built in conjunction with each other, of just incorporating some AI governance factors into the data governance pieces. Having the oversight that you would have for just normal data sets and static data, and the overall processes with data governance, you’re going to have the same kind of expertise and features just built in with the AI nuances there. Making sure there’s human validation, making sure there’s oversight for documentation. You can kind of see there’s both groups having some overlap to where you can integrate into kind of an AI strategy, data governance strategy group and really decentralize the process.
One more question, I guess, that comes to mind on this exact topic is, if you can’t rebuild your governance program. A lot of what’s happening right now, and I know the three of us see it on a daily basis, is AI usage that’s happening, AI development that’s happening, and governance programs are playing catch up. If you can’t rebuild your governance program to embed AI, what is step one? Where do you start if you’re new to this AI governance journey? I guess I’ll go to you, Bill, first.
I think I just want to echo what Luke said earlier. He alluded to the idea that I think the most important thing is to make sure that we’re leveraging existing governance structures wherever possible. If we can’t do that, then obviously we need to start from the ground up. What we really should be focusing on in terms of just building out AI governance capability: the first thing is inventory and mapping our current state. We want to list every AI system or use case in the organization, and we want to include things that are experimental, third party embedded AI and vendor tools. It doesn’t necessarily need to be things that we are just going out and procuring specifically for an AI use case. Let’s look at those fringe cases where we have CrowdStrike now with AI; well, that should be on our inventory. We want to know everywhere that AI is touching our infrastructure or our enterprise and where we’re interacting with it. This could involve soliciting feedback from our internal personnel to get a sense of if and where and how they’re using AI, setting up transparency expectations and also incentivizing transparency around making sure that we can get an accurate snapshot of exactly what it looks like in terms of AI usage within the enterprise. For each of those inventory records, we really want to make sure we’re capturing the purpose, the data sources that are associated with that AI, the decision impact of that AI, how it is being used, and what’s going to be the impact of that in terms of how it informs decision making, or what decisions it is making, and how that affects the processes that it’s associated with. Then the business owner too. We want to make sure that accountability mechanisms are baked into our inventory right out of the gate. Then I’d say that the next step from there is, once we have an idea of what our footprint looks like, then we want to really start to compare against those known good standards that are out there.
Again, it’s a very nascent field still, but there are some great resources that we can rely on to start to baseline our governance capabilities against authoritative sources. We can use a framework like the NIST AI RMF, or we can use ISO for those ISO folks and fans out there. There are a couple of different frameworks; I would recommend starting with 42001, and we can use that to start identifying what’s missing. That’ll give us a sense of also how to baseline and think about maybe different edge cases of potential inventory candidates that we just may not have thought of. We want to look for gaps in bias testing, explainability, model monitoring and ethical review processes. Then from there, once we get a sense of the inventory and where we might not really be, where we don’t have any sort of governance mechanisms in place for that inventory of systems, from there we want to start prioritizing the most high-risk use cases first, focusing limited resources on models with the greatest legal, reputational and customer impact. If you have an AI that influences hiring or loan approvals, that should be reviewed before an internal chat bot. The last piece here is, wherever we still can, plug AI oversight into existing processes. This would be things like adding AI specific checkpoints into current change management, risk review or governance committees. We want to try wherever we can to avoid creating a new bureaucracy. We want to leverage the approval and monitoring workflows that we already have in place wherever possible. Even if we can’t integrate the data governance program, seeing where we can leverage other existing governance mechanisms, like our governance committees, our change management committees and change management process and any sort of risk review that we’re doing, that’s going to be the good place to start baking in specific checkpoints and checks and balances around just, you know, is AI part of the equation here.
To that end, we want to make sure we’re documenting and iterating on our documentation as well, so we can start with maintaining a lightweight oversight register for AI that records the owners, the risks, the monitoring cadence and the decisions around that. Then we can improve that over time, and we can expand that coverage as our capacity grows too.
I know you touched on the regulation aspect here. I know that often comes up, right, when organizations are trying to strike a balance between innovation and regulation. I guess when you’re building, I’m going to transition to a unified governance model. If our attendees can follow along with me here for just a second, I’m going to call it a unified governance model. You’ve taken your data governance model, you’ve taken your AI governance model, you’ve identified the overlap at this stage, and you’re on a path to success right now. You’re looking at bigger and better things and how you can kind of innovate, essentially utilizing AI. Luke, I’ll start with you. How do you take this unified governance model and enable innovation for those that are within the organization, and when the compliance check bodies kind of come around?
I think, from an innovation perspective, when we think about how data governance can really enable that, it’s very similar to just normal, static data as well. It’s just kind of treating the AI data as another part of our data set, and it might be a little more critical, just due to the underlying nature, that it might have more information, might have more connections and context that we need. A really good way that we’ve seen organizations strike a balance between how we enable AI to go out and do its thing and get us some value as a business, versus the regulations, the unknown risks, everything that kind of feeds into that, is really building out, I call them test environments, but really they’re kind of like sandboxes. Ultimately, they’re isolated environments that you guys have hardened, either with a third-party solution team, if you’re kind of outsourcing it, or internally. You create this environment similar to what you do for, if you could, ideally, testing everything that you have, right, from an application perspective, but it’s really creating those isolated environments where you can allow for the AI and the models to be built, to have that R&D, to understand the limits of its impact and the business impact, before you actually let it go run wild within your environment. Really creating that sandbox to protect it is a key piece that we’ve seen. It just gives a little more governance protection but also allows the teams to move quickly to get that completed.
Especially, that comes back to kind of Bill’s point of high risk versus low risk AI. From a data classification perspective of a governance piece, there are a lot more requirements and controls that we want to put on the higher sensitivity data, versus maybe some internal data or public data that we were developing for marketing or anything like that. Ultimately, we’ve got to create the pathways for each of the high-risk pieces to allow us to have a little more control over those versus the lower risk: the more seamless process, the seamless approvals, the sandboxes, the policy updates that are a lot more enabling to help the business use those low-risk models, low risk opportunities. Use it a lot quicker, without having as much control over it as maybe the more highly impactful or sensitive data sets. I think that kind of comes back into embedded guardrails and really trying to establish AI checks into the actual process as well. Not only just building it as a bottleneck: we’re trying to use this AI for a certain application, use it for an ad creation tool, use it for whatever the case may be. Ultimately, having those AI checks, right, built into checklist approvals, same as, like Bill mentioned, the change control, the approvals for the business use cases and the requirements there. Ultimately, that’s all going to dive into just folding those AI checks in there and making it quick based off the risk.
I think with a unified governance model, what’s really important to understand is that your data governance is only as strong as your AI governance. That’s the age that we’re entering right now, and that’s because you can’t govern what you don’t understand is flowing through your AI. Ultimately, to Luke’s point, we really want to focus on tiered controls. Internal chat assistants might have lighter governance and faster approval processes, and high risk AI is going to have rigorous bias and fairness testing, explainability requirements and independent review. But when we’re talking about the idea of the integrated framework, what we really want to focus on is the idea that, when we’re siloed, when the governance is separated, well, because I’m just kind of talking off of the last piece where we were talking about the hypothetical situation where we build an AI program from scratch, we still want to move towards governance that’s unified and integrated. The reason why is, just think about the classic situation. Like I said before, the data team says we deleted the customer data, and the AI team says, but the model still knows it, right? Who’s going to be responsible for that at the end of the day? Making sure you have a unified governance framework means that they share the responsibility for that visibility, being aware of the implications of that data within the model, and that there’s communication and there’s a shared sense of accountability for actually being able to govern the data that the model is consuming and that we actually have sitting within our enterprise that is there for the model to consume. That would be kind of the short answer that I have for you in terms of what’s important for the unified governance model, but I do think it’s also important to recognize that risk assessments in the AI landscape should be treated as dynamic. They should really be evolving as AI use cases evolve, because this is, again, a very nascent field.
Our risk assessment methodology and process should also be evolving with the use cases and just the different methods. When you look at things like agentic AI and MCP, these are things that we didn’t even think about; there was no risk assessment for those factors six months ago. But now we’ve got to update our methodology, and study up and scale up quick on these tools and these systems, understand how they operate so we can assess risk appropriately. Making sure that we have a dynamic approach to risk assessment, that’s going to be really key here too.
My next one here is for Luke. I know you’ve been leading some of the engagements here when it comes to data governance and AI governance, but from your perspective, how has Tevora been helping clients with these two initiatives? And then after this one, I’ll open it up to the questions; we’ve gotten some questions here for you both that I’ll jump into.
From a Tevora perspective, and how we’ve helped build and support this, especially with the growth of AI and data governance coming together, those pieces that we all alluded to, the questions that we’re seeing from our clients, right, is we do very extensive AI risk assessments where we’re helping lead organizations in assessing different threats, different scenarios around the usage of AI, whether that’s using it internally, externally, whatever the case may be. Ultimately, that leads into then also building the frameworks out, right, from a data governance perspective. How do we leverage the different frameworks, you know, NIST AI RMF, that ISO 42001? How do we integrate those models and those checks into the actual governance frameworks that might be out there that organizations are using or building? We help build those processes, and then obviously helping from a strategic standpoint. When you’re talking to the governance councils, how do we actually execute on those strategies? How do we make sure we have the right expertise in place for privacy officers, for machine learning engineers, for the ethics aspects to it? We’re implementing those day to day tasks and governance to ultimately allow us to capture the risks and issues that we’ve been talking about today. That leads also into the culture and change management pieces there. We help provide and develop training, ultimately helping from an executive perspective, a business unit perspective, how do you actually use AI responsibly? How do you strategize from a culture perspective that takes it from “we’re just doing this to meet compliance regulation or just to make sure that we’re secure” to how does it actually create value and risk driven decision making, and enable our teams to not only meet that compliance piece? How do we enable our organizations to really adopt AI and use it effectively, efficiently, but also provide them some value?
Make some incentives to use it correctly, and then that leads into tool implementation. Obviously, from a DSPM or other data governance technology that’s out there, helping integrate with the AI model perspective and the pipelines and catalogs, those checkpoints, we can help support that as well.
I’m going to jump into some Q and A from our audience members here. The first one is a very common one. I know you guys have come across this recently as well, but we mentioned DSPM earlier in addressing AI usage, right, by employees. This individual is looking at AI usage by employees and how a DSPM tool can help increase visibility for them within their organization.
I’d say it kind of breaks down into two pieces here. There’s the governance side, and then the risk side. Ultimately, from the governance perspective, DSPM is going to really highlight the violations, right, of AI usage in real time. It’s going to find out, are we having people follow our policies? Are they moving data to where they shouldn’t? Are they using it in models that might not be approved? Where is that data going to go? Ultimately, it’s going to help prioritize the oversight, right. It’s going to help governance teams really focus on high-risk areas. Ultimately, we wish we could cover all the data that comes into our organization and what we process, but ultimately we’ve got to focus on the ones that have a lot higher risk, that could cost compliance, cause reputational damage, cause all these issues with AI. I would also say from a governance side, it’s probably really adding some more visibility, right, from the DSPM side; it’s going to allow you to have a quicker decision process and correcting actions. We’re seeing access that shouldn’t be happening, educating staff on their actions where they’re not following the AI usage policies, looking at the other AI tools where they’re expanding their bias or maybe doing actions that are unwarranted; we’re able to incorporate that and capture that from a DSPM side. From the risk side, it’s going to allow an organization to really focus on shadow AI. When you think about it from an IT perspective, historically we were always worried about shadow IT. Are people buying SaaS products that are out of our purview, putting data in there? It’s also going to allow us to prevent that from an AI perspective. Are we sending it to an AI that’s processing that third, fourth party down, the exposure there? And then it will help prevent pasting internal or external data into the AI prompts. It’s going to stop it from going to that outside piece there.
If you could improve one aspect of AI governance. I’m assuming that this organization, this individual, already has somewhat of an AI governance program set up. But if they could improve one aspect, with conflicting priorities for the rest of the year, what would it be?
In terms of quick wins for being able to kind of bootstrap your way through things, I would say that you want to focus on making sure that you have enhancements to your data classification schema already. Think about extending existing classifications to include things like AI training eligibility. If we’re looking to introduce AI into our systems and our enterprise, we want to start with kind of making sure that we earmark, in terms of our data classification schema, what’s actually going to be eligible for AI training and what’s off limits. Think about things like: level one is going to be safe for any AI training. Level two is internal AI only with controls. Level three could be something like no AI training permitted. And level four is no AI access, even for inference, taking the crown jewels of our data sets and making sure that that stuff can’t even be inferred. That obviously requires a little bit of planning there. But we can focus on sort of expediting some of that process, also by thinking about introducing a concept known as the data passport. This would be things like making sure each data set carries metadata about AI permissions, and that metadata then travels with that data throughout its life cycle, and the AI systems can check that passport before training or inference. That’s a way that we can sort of, and that requires some training as well, in terms of, you know, making sure the AI system can recognize that metadata passport, if you will, and from there that can be introduced as a control to have the AI support that decision making process of what data it’s going to touch and what data it’s not going to touch. So that would be, to me, in terms of a quick win towards getting there: tag your top five sensitive data sets with AI permissions this week.
Thank you, Bill. I know we’ve got about a minute left; there are still some other questions that we didn’t get to, unfortunately. It’s just the nature of the topic. It’s just huge, with so many ongoing moving pieces. If you do have additional questions, please email us at [email protected], and we’ll get the questions kind of forwarded to our panelists here. For those of you that have been in attendance with us, Bill and Luke have assembled a readiness checklist, right, as a thank you for being here for you guys. We’ll be sending that out to the attendees here. Thank you all for being here. I know we’re at the top of the hour here, so thank you all for being here. We appreciate your attendance.