AI's Current Path Has Limited Guardrails But Opportunities Abound: KPMG Organizations should maintain awareness of the key foundational elements needed to establish and maintain trust while also being mindful of the direction regulations are moving in, says KPMG's Cybersecurity Considerations 2024 report

The public and private sectors must work together to offer practical solutions for support during innovation and development to ensure security and privacy are embedded from the outset. The concern over business outcomes and the need to foster trust among employees and customers, specifically, and society, in general, has sparked a broad ethical debate around how AI can be controlled and deployed responsibly, transparently, and with integrity. To that end, regulation in this space is ramping up.

Organizations should maintain awareness of the key foundational elements needed to establish and maintain trust while also being mindful of the direction regulations are moving in. This will go a long way toward minimizing the work needed to ensure compliance with these regimes in the future. "Data is the critical linchpin for security in general and privacy in particular. The industry needs government bodies worldwide to harmonize because having disparate legislation under which some countries are stricter than others disincentivizes innovation. The market needs to balance that need for innovation with effective regulatory guidance and guardrails," said Sylvia Klasovec Kingsmill, Global Privacy Solutions Lead,KPMG International and Partner, KPMG in Canada.

Even local approaches to how AI models and algorithms should be managed, deployed, and legislated are murky. Organizations should maintain awareness of the key foundational elements needed to establish and maintain trust while also being mindful of the direction regulations are moving in. This will go a long way toward minimizing the work needed to ensure compliance with these regimes in the future. Although the absence of legislation is a clear speed bump, the good news is existing privacy legislation has similar principles that can and should be applied to new AI algorithms. Privacy factors such as notice, consent, explainability, transparency, and risk of harm are all codified in existing law. To remain competitive in the market, CISOs should partner with Chief Data Officers and Data Protection Officers to support the business objectives that are reliant on AI and determine how to harness this game-changing technology effectively and responsibly. At the same time, they need to wrap sufficient governance and controls around processes that may have operated largely without oversight for some time. This harmony between enablement and governance is where successful adoption lies.

"CISOs and other senior leaders and their teams need to support the business objectives that are reliant on AI and determine how to harness this game-changing technology effectively and responsibly. At the same time, they need to wrap sufficient governance and controls around processes that may have operated largely without oversight for some time. This harmony between enablement and governance is where successful adoption lies," Katie Boswell, MD, Cyber Security Services KPMG, US.

To facilitate their adoption of AI, organizations must make crucial choices that will shape their approach, such as determining whether to create in-house models or rely on third parties. While it may seem that one option is less uncertain, the truth is that both come with inherent risks that organizations must recognize and effectively manage.

"Organizations must educate themselves about the safeguards around transparency, accountability, fairness, privacy, and security so they can innovate and deploy with confidence. For example, look to large technology companies and jurisdictions that are further along in their AI journey for guidance around responsible development. The industry needs government bodies worldwide to harmonize because having disparate legislation under which some countries are stricter than others disincentivizes innovation. The market needs to balance that need for innovation with effective regulatory guidance and guardrails," the report added.

This is a cultural mindset shift as well as a technological shift, with change management as a critical success factor. To integrate privacy- and security-by-design thinking with AI and other emerging technologies, the professionals that manage them — not just the technologies — must advance privacy- and security-first mindsets. If the organization considers privacy and security from the beginning, they will become natural components of the operating model.