RSI Security recently hosted a webinar titled Building a Robust AI Governance Framework with ISO/IEC 42001. Marketing Coordinator Anna-Laure Iman opened by introducing the speakers, John McLaughlin, Sales Development executive, and Patrick Murphy, Manager of Cybersecurity and Risk Services, who would lead the discussion about effective ISO 42001 governance.
AI Governance and Compliance with RSI Security
McLaughlin began the presentation proper with an introduction to RSI Security. Founded in 2008, RSI Security is a comprehensive security and compliance advisory provider. With 50 employees and over 400 consultants, RSI Security’s leadership draws on collective decades of experience in all matters related to cyberdefense, in both traditional IT environments and new, emerging technology. We operate a 24/7 security operations center (SOC) out of San Diego.
Over the years, RSI Security has been a leading provider across various regulatory contexts, including but not limited to PCI, SOC, NIST, and CMMC. This expertise has positioned us to help organizations acclimate to new and emerging frameworks such as ISO/IEC 42001.
McLaughlin encouraged attendees to explore RSI Security’s extensive catalog of resources, including our cybersecurity blog and events schedule. He also provided an overview of our continuous compliance services, including managed security, virtual chief information security officer (vCISO), and third-party risk management (TPRM), before segueing into Murphy’s segment.
Why and How to Create an AI Governance Framework
Before getting into effective compliance with ISO 42001 in particular, Murphy provided a definition of AI governance more broadly. AI governance is a set of practices, policies, and procedures that ensure AI systems are operating ethically, securely, and efficiently. These qualities amount to responsible, reasonable, and effective use of AI for all stakeholders.
AI governance is critical because it builds trust, ensures compliance, and mitigates risk.
Given the uptake of AI in sensitive industries such as healthcare and defense, Murphy remarked that secure AI is non-negotiable. However, there are several challenges to implementing sound AI governance, such as bias, emerging vulnerabilities, and gaps between existing regulations.
Murphy also stressed that AI governance is just as critical for users of AI technology as it is for its developers. Any organization that uses AI tools, in any way, needs to prioritize governance.
Enter ISO 42001, which is emerging as a gold standard for comprehensive AI governance.
A Practical Overview of the ISO/IEC 42001 Framework
Next, Murphy provided some more specific context for ISO 42001 compliance. The standard was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), with its first edition published in 2023. It is a guide to managing AI systems, parallel to how ISO 27001 guides overall cybersecurity management.
Focal points of the framework include but are not limited to ethical AI use, risk management, and continuous improvement. The framework prioritizes the context of the organization rather than AI systems in isolation, and this starts with commitment from top-level leadership. A risk-based and proactive approach is essential to effective AI system management.
These general principles are reflected in four core components of ISO 42001:
- Leadership and governance – ISO 42001 explicitly requires clearly defined roles and responsibilities related to AI use, along with commitment from high-level leaders. These qualities ensure accountability throughout the organization, starting from the very top.
- Risk management – Organizations need to identify, assess, and mitigate risks specific to their AI systems, along with any broader threats that could implicate AI indirectly. For instance, biased algorithms, model inaccuracy, and data breaches need to be managed.
- Compliance and accountability – ISO 42001 emphasizes the importance of aligning AI use and governance with applicable laws, standards, and regulations. At present, this is left open-ended, as many of these rules are still being written. But there is interplay with other codes, like the European Union’s new AI Act, which is based on ISO 42001, and the General Data Protection Regulation (GDPR), which is based heavily on ISO 27001.
- Performance evaluation – In ISO 42001, as in all ISO standards, performance evaluation is critical to accurately assessing existing efficacy. It also enables effective adjustments to remediate weaknesses, accommodate infrastructure changes, or prepare proactively.
These foundational elements, implemented effectively, optimize AI performance and security.
Why Organizations Should Adopt the ISO 42001 Framework
Unlike many other IT, privacy, and security regulations, ISO 42001 is not presently mandated for organizations by any laws anywhere in the US or globally. There also are not industry mandates in the way that, for example, obtaining SOC 2 certification can be de facto required for service organizations. Still, there are many reasons organizations should adopt ISO/IEC 42001.
That ISO 42001 is not strictly required is due largely to the fact that both the standard and the technology it concerns are new and rapidly evolving. Accordingly, there are no major regulations governing AI use and governance in the US, and rules in other parts of the world are in their infancy. Being an early adopter of this particular framework positions organizations for success by helping them prepare for inevitable regulations down the road. In addition, Murphy highlighted benefits like enhanced credibility, reduced operational risks, and improved decision-making with AI.
A core principle we believe in here at RSI Security is that discipline up-front unlocks greater freedom in the long run. Adopting frameworks like ISO 42001 proactively is a smart investment.
How to Implement ISO 42001 with RSI Security
Murphy then moved into a segment on how to implement ISO 42001 effectively. With the help of a trusted compliance partner like RSI Security, even a complicated process can be simplified.
To that end, Murphy provided a 5-step process to implement the ISO 42001 framework:
- Understanding the organizational context – As noted before, ISO 42001 is holistic rather than isolated. All relevant stakeholders and applications need to be identified.
- Establishing a governance framework – Policies, procedures, and accountability structures need to be defined clearly and disseminated across impacted parties.
- Conducting risk assessments – AI-specific risks need to be identified, including potential biases and inaccuracies within algorithms and external risks to AI systems.
- Developing controls – Controls need to be developed and deployed, including:
  - Technical controls such as encryption, model monitoring, and content filters
  - Administrative controls such as training, monitoring, and access restrictions
- Monitoring and improving – ISO 42001 is not a static framework; it requires an iterative approach that incorporates recent and emerging trends proactively.
Murphy noted that another unique element of ISO 42001 is that it is not strictly prescriptive; it is designed to meet various organizations’ needs, means, and use cases. It accommodates the flexibility and the capacity for growth and scaling that are inherent to both AI systems and broader IT infrastructure.
Pitfalls and Future Considerations for AI Governance
Murphy also spent a good portion of the session talking about the kinds of problems organizations are facing, or could face in the future, with respect to AI governance, and how to solve them.
Overlooking ethics is the most common issue right now, as other regulations often deal in matters of legality with stricter definitions and metrics. Ethics are less quantifiable as a whole, but this doesn’t mean they should be ignored. They need to be embedded in the AI lifecycle.
Other pitfalls, such as a lack of stakeholder engagement, inadequate monitoring, and poor documentation, can be chalked up to the newness of the technology. There isn’t yet a general consensus around best practices, or even shared literacy, of the kind that older, legacy technology infrastructure enjoys. Partnering with a quality advisor like RSI Security facilitates rapid, team-wide acculturation to what ethical and secure AI practices look and feel like.
Looking ahead, AI governance regulations will only grow in number, size, and complexity. We are already seeing a growing need for “explainable AI” and cross-industry collaboration. The ISO 42001 framework addresses these and related concerns both directly and indirectly, as it explicitly calls for transparency and figures to become a gold standard that organizations in any industry or location can implement. Managing all of these challenges will be easiest when working with a quality AI governance advisory partner who’s always looking toward the future.
Optimize Your AI Governance with RSI Security
Wrapping up the presentation, McLaughlin outlined RSI Security’s ISO 42001 services and client journey before addressing audience questions. Our comprehensive suite includes initial assessments and gap analyses, rounded out with training, support, and certification prep.
RSI Security’s client journey is a cycle, typically starting with discovery and scoping before a targeted implementation and then multiple rounds of assessment and adjustment, as needed.
McLaughlin also emphasized RSI Security’s commitment to business understanding, risk-based recommendations, and a systematized engagement process. These are all reasons that we’ve worked with organizations of all sizes and in every industry to rethink and optimize security.
To learn more about our ISO 42001 and other advisory services, get in touch today!