If you are a CISO, discussing AI with the board may present a challenge; they may inquire, "Where do we utilize AI? What if something goes wrong?," and you may well find yourself slipping into jargon. However, there is a template that will allow you to articulate what AI is, and both its upside and downside, without baffling them. I have leveraged some templates like this, and they will help elevate your confidence in discussions with leaders.
1. AI Adoption
Describe where AI is being used in the company, including AI tools that employees may be using without authorization.
2. Risks
Summarize the main risks:
Share risk metrics—you can break these into three buckets: how much sensitive data is at risk, the category of risk it falls into, and any close calls.
4. Gov & Controls
In this last section, provide information on your controls:
Also, try not to talk too much about technical details. The board wants to quickly understand the big picture - if it is a risk they need to be concerned about. Focus on the framework and the key aspects.
The board will have a much clearer understanding of AI, and you will look competent in your approach.
Coverage of the Template
The template divides your presentation into four primary sections. Each section answers questions the board will most likely ask:1. AI Adoption
Describe where AI is being used in the company, including AI tools that employees may be using without authorization.
2. Risks
Summarize the main risks:
- For example, data leaks through uploaded files or prompts
- Use of personal AI accounts for work purposes
- Unmanaged AI add-ons, or browser extensions
- Potential violations of privacy regulations, such as GDPR or HIPAA
Share risk metrics—you can break these into three buckets: how much sensitive data is at risk, the category of risk it falls into, and any close calls.
4. Gov & Controls
In this last section, provide information on your controls:
- Policies surrounding employee use of AI tools
- Training provided to staff members
- How vendors are evaluated
- Monitoring of AI use in your browsers and applications
How This Helps
This kind of template makes your comments easy to understand. The board will see:- Where you are using AI
- What potential issues might arise
- What level of risk to be concerned about
- What you are doing to mitigate the risks
Tips From Experience
When I present, I try to use fairly simple examples. For example, I often compare poorly controlled AI tools to "a guest in your house, someone you did not invite, who is now wandering around your house."Also, try not to talk too much about technical details. The board wants to quickly understand the big picture - if it is a risk they need to be concerned about. Focus on the framework and the key aspects.
Final Thoughts
If you have to share with the board about AI, simply use the framework to talk about adoption, risk, exposure, and the controls you have. This acts as a can simplifying the way you convey information, and puts you a position of leader.The board will have a much clearer understanding of AI, and you will look competent in your approach.
