Privacy Lawls with Donata
Ep.29 | Privacy through a governance lens (Guests: Paul Crafer & Esther Chung)

What does it take to harmonize the governance of privacy laws? What are some best practices? What are we currently doing wrong?
Also, why do so many organizations that aren’t GDPR compliant say they are GDPR compliant?
For this episode, we are joined by Paul Crafer and Esther Chung to discuss all this and more!
Show Transcript
[00:00:00] Hello and welcome to episode 30 of Privacy Lawls, where I, Donata Stroink-Skillrud, speak with amazing privacy professionals. And we have some laughs along the way as well. Today I’ll be speaking with Paul Crafer and Esther Chung about viewing privacy through a harmonized governance lens. Paul is the Vice President of Services at Assessed Intelligence, with a mission of eliminating governance gaps and ensuring that critical sectors can scale technology in a way that is both secure and responsible.
Paul spent over a decade at Apple and has over 20 years’ experience in business development, pivoting to pursue a meaningful impact in the field of AI governance, risk and compliance. Esther is the Chief Privacy and Risk Officer at Assessed Intelligence. She’s an attorney licensed in New York, an advisory board member of the International Association of Privacy Professionals, and a non-resident fellow at the Cornell Brooks Center on Global Democracy.
Esther holds the [00:01:00] AIGP, CIPP/E, CIPP/US, and CIPM certifications. Both Paul and Esther are For Humanity fellows contributing to independent audit frameworks aligned with the EU AI Act, GDPR, NIST and ISO standards. So Paul and Esther, thank you so much for joining me today. Thank you, Donata, for having us. Yeah.
Thank you for having us. Nice introduction. Absolutely. Um, can you give us a bit of a background to the company that you work for, Assessed Intelligence? Uh, yeah, sure, of course. Happy to. I’ll take this one. Um, first of all, pleasure to be here. Um, a moment of, um, truth and honesty. Um, I did have to ask Esther just before we came online where “Lawls” comes from.
Um, forgive me, I’m probably just a little bit too old to get the joke, but, uh, okay, now I get it. So yeah, so we can have a bit of fun with the wording, right. Um, at Assessed Intelligence, [00:02:00] we’re a, uh, specialized advisory firm. Um, we’re kind of built on a conviction for working within a high-stakes environment.
So our kind of underlying principles are trust, credibility, uh, discipline, right? That’s because we operate where the cost of failure is highest. We’re in cybersecurity, obviously a very mature discipline and domain, and we’ve got many, many years within cybersecurity. We’re in, uh, AI governance. We’re in highly regulated sectors such as defense, tech, healthcare, uh, financial services, public administration, uh, and just recently construction.
So within those areas, what we’re doing is we’re looking at how organizations seem to stumble into compliance and governance through some kind of form of theater, and I honestly think that platforms like LinkedIn have kind of almost contributed to this, right? ’Cause people want to be seen to be doing the right thing [00:03:00] and they want to be ticking boxes and saying, yeah, we’re good.
And if you look on LinkedIn and you see some of the posts, and, you know, yeah, we’re compliant with that and we’re compliant with this, and you’ve got trust sites like trust.companyname.com, and they’ve got all the little badges everywhere, right? The one that makes me laugh is the GDPR badge. Who gave you that badge?
Nobody gives out GDPR badges. Right? Who gave you that badge? Um, you know, it is a theater, right? So what we wanna do is we wanna overcome that theater and operationalize what companies really should have for compliance, with structural integrity and capability. So.
Within that area, we work on integrity. We work on mission-first dedication and adaptability. So right across the board we’re looking at, you mentioned them, we’re in with NIST. We’re in with ISO. Um, we’re in on CMMC audits. We’re doing SOC 2 compliance. We’re doing the EU AI Act. I’m not gonna say compliance, ’cause hardly anybody’s complying with it.
Right now [00:04:00] we’re in GDPR compliance. Um, state laws for privacy. At one point we were even doing, you know, the Bias Law from New York City, but I don’t think anybody bothers with that anymore either. So, you know, we’re kind of adapting as the laws change, and companies decide where they want to comply, but our goal is to create that high level of compliance, you know, right through the organization.
I think it’s interesting that you’re mentioning theater. Um, one of the things that I do for my job, and this is totally unrelated, is vendor due diligence. So when you go to the company’s About page, it’s all about how they’re family and everything’s great. We all get along, we all work together.
And then you go read their Glassdoor pages, uh, which is like company reviews from employees, and it paints a completely different picture. And I think it’s very similar in compliance. On their website, [00:05:00] we’re GDPR compliant, we’re CPRA compliant. We’re compliant with this, we’re compliant with that.
And then you start looking into their documentation and, you know, they’re not compliant at all. I mean, your privacy policy doesn’t even list the GDPR rights. So I think it’s very true that there is some kind of theater going on of these companies presenting themselves as very compliant, having everything together.
They’re ready to help you comply with laws or do these things, but then in reality, they have nothing set up. Um, so I totally can resonate with that. Sure. Yeah, so you have just released a publicly available governance and assurance model called the Arise Framework, and when you showed me the framework, honestly I could not believe that it was publicly available, because there’s so much work that went into it and it’s so comprehensive and there’s so much that you can do with it.
Um, we’ll talk about the [00:06:00] Arise framework, but can you just very briefly tell us what it is? Sure, absolutely. You’re right, it’s publicly available. You can go to ariseframework.com right now, and all you need is an email and you can access it. And there are multiple views, um, and dozens of controls that you can work through, and compliance processes that you can approach across, you know, a whole range of frameworks and regulations.
Um, essentially what it is, it’s the foundation for how Assessed Intelligence delivers value to organizations. Um, and we wanted to make it free because, um, you know, alignment really shouldn’t be restricted to the people that can afford the biggest bills with the Big Four. Right? Alignment should be something that we all share and we support [00:07:00] together. Compliance should be something we all support and share together. And then in order to make it really real, in order to kind of bring it to that high level of operational, uh, rigor, then you can bring in people like Assessed Intelligence, or you can use it internally yourself to lift up your policies and practices.
So essentially it’s a one-stop shop. Right. It’s not an additional framework to add to all the other frameworks out there. It’s a single pane of glass to view all the existing frameworks that some of your company might be working on already. You might have somebody sitting within the privacy office working on GDPR or state privacy law compliance.
You might have somebody sitting over in the security council working on cybersecurity, CMMC or SOC 2 compliance. Never the twain shall meet, right? So the single pane of glass is the ability for everybody to sit behind the window and look at the same things at the same [00:08:00] time. Um, it’s unifying all of those frameworks, um, so that people can work together on these things.
So that’s essentially what Arise is. And we gave it a, um, you know, a nice moniker because, I mean, that’s branding nowadays, right? But really what it stands for is Assurance of Responsible, Innovative, and Secure Environment. And one of the things that Josh, our CEO, said when Esther and I first joined, and Esther and I joined pretty much on the same day, I think, was that there is no responsible technology without secure technology.
So from the ground up, it was all about having a secure environment and then building a responsible environment on top of that, so that you could have an innovative environment so that emerging technologies could then bloom within organizations. Um, and it’s similar to the kind of mandate that For Humanity works under.
So it’s about making sure that you are mitigating the risks in order to maximize the upside. Um, so that’s pretty much what it is. I mean, if you were [00:09:00] to kind of look for a one-liner or a motto, it’s a website that has loads and loads of frameworks mapped into it by humans over hours and hours and hours and hours.
That’s what it is. Well, it’ll definitely save a lot of people a lot of time and a lot of effort, because just trying to look all this stuff up and trying to map it together is, as you know, an absolute nightmare. So, you know, having that already in place and knowing that somebody already did that for you is absolutely huge.
Um, moving on to you, Esther. Can you tell us a bit about For Humanity and its mission? Sure. For Humanity is a nonprofit, and we’re dedicated to building an infrastructure of trust for AI, autonomous, and algorithmic systems, something we call AAA systems. And our mission is to use a crowdsourced process to move away from vague ethical principles and toward rigorous and reliable [00:10:00] binary audit criteria to ensure that AI is safe, fair, and accountable. And we also provide free instruction on these audit criteria, as well as access to a robust body of knowledge, and we currently rely on just about 3,000 volunteers.
I think we hit 3,000 quite recently, and these volunteers are spread across 101 countries at this time. Anyone can join as a volunteer. All we ask is that you provide an email address to register and sign a code of conduct to join our Slack channel. Very cool. So what types of projects have you worked on as a fellow at For Humanity?
So both Paul and I have spent quite a lot of time drafting these binary and independent audit criteria for AI systems, and it’s actually where we first met. We’ve also contributed to the body of knowledge. And we’ve worked on policy accelerators, which are [00:11:00] essentially like regulatory sandboxes in which we partner with corporations to take our audit criteria from theory to practical audit.
And this year I will also be serving as the chair of curriculum oversight. And, um, for that role, I will be assisting the executive director on curriculum development and the credentialing process. And I think Paul can also speak to the experience he’s had as well. Yeah, and there are 66 fellows worldwide, and there’s a board of six people, and then you’ve got around about 3,000 contributors.
And these are people that turn up in daily or weekly meetings around, um, personal data privacy, cybersecurity, AI in healthcare, AI in education, AI literacy, cognitive bias, ethics. I mean, the list just goes on. The channels within the Slack, uh, community and the amount of [00:12:00] written word and documents that have been created over the years for For Humanity is just incredible.
And the robustness of that content is just remarkable. You’ve got people who lead organizations like, um, JTC 42, that are dealing with the EU AI Act, um, harmonized standards. He’s one of the founding board members at For Humanity. Um, the lady that runs CAIDP, Merve Hickok, um, the executive director of CAIDP, she’s a fellow of For Humanity, right?
So this is not a fringe organization. This is, um, experts and pioneers through the years that have been kind of leading the charge for mitigating the risks of AI systems. And I think both Esther and I are super, super happy to be able to further that mission as well in this small [00:13:00] way that we do.
Um, just recently we’ve been working on a new, um, data protection scheme for Dubai, which looks like it’s gonna be approved by the data commissioner. Um, and we’re also convening, uh, new working groups. One for Nigeria, which is for data, again, based on the Data Protection Act 2023, together with the local data commissioner’s office, and also,
just getting off the ground this year, is gonna be an online child safety project, um, in Ghana, which is gonna start in Ghana with local partners. All of these are run with local partners. This is not UK or US or Western European or Western Hemisphere people coming in telling people what to do. This is driven by local partners.
So there’s people in Dubai, there’s people in Ghana, there’s people in Nigeria, um, that are driving these projects, and we support them. So it’s really exciting. That’s really cool. Yeah, it makes me think of the work that we do at the American Bar Association at the [00:14:00] Rule of Law Initiative, um, which also, um, you know, can get grants or go into other countries to help them set up, um, you know, different laws or frameworks, or train judges or train, um, prosecutors, you know, trying to ensure that the rule of law stays up.
Um, and they do some work on internet freedom as well. Um, I participated in some of it in East Asia. And, uh, it’s really cool. It’s really fun. Um, and it’s really interesting ’cause you get to meet a lot of different people and share ideas and just help improve things, um, which is just a great place to be and a great thing to do, um, to work with people.
It’s very satisfying. It feels very purposeful. And as you said at the beginning, I spent over 10 years at Apple, at the time the world’s most admired company, the world’s most profitable company, and yet I’ve never felt as purposeful as I do now. So you can really see the difference. Absolutely. Um, so [00:15:00] let’s get into our main topic for today, which is viewing privacy through a harmonized governance lens.
For any listeners that may be new to this topic, what does it mean to say that privacy professionals are working in a silo? When we say that privacy professionals are working in a silo, what we mean is that they’re pretty much operating on an island in isolation. So privacy professionals have all the responsibility for compliance, but often very little visibility into the actual machinery of the company.
So what you have is, uh, something like where the team responsible for protecting the personal data works completely independently from other departments like, for instance, cybersecurity or IT that actually handle that data. They might have entirely different KPIs, they might be operating with entirely different frameworks.
They might be trying to comply with different laws or regulations or standards, and you can see where problems might start to arise. Absolutely. [00:16:00] Yeah. That’s a problem that strikes a lot of companies, um, where privacy professionals are just, you know, sitting in their own box and away from everybody else.
So what types of problems do companies run into when they handle privacy, AI, cybersecurity, and data governance separately? Oh my gosh, so many problems. Okay, so where are we? Uh, first you can have a conflict of goals across teams. So you have privacy that wants to minimize data, while data science wants to maximize data, because more data makes for better models.
And so without harmonization, you can get this tug of war that ends up stalling progress across the entire company. You can also have a language barrier, right, because they have different backgrounds. They’re speaking with different words. They’re using different frameworks. The lawyer might be talking about GDPR Article 25, which is data [00:17:00] protection by design, while the developer wants to talk APIs.
And the CISO at the same time is talking about encryption. And all three of these teams might be trying to achieve the exact same thing, which is protecting data, but they have trouble communicating because they’re using different words. You can also end up with contradictory truths because different departments are using different definitions for the same thing as well.
So to a CISO, something like sensitive data might be an unencrypted password. To a privacy officer, it actually means something completely different. It could be something like a person’s political opinion, and so without shared definitions across teams, AI might be trained on protected data that security has actually flagged as public, and you could also see where problems might arise with that.
You could also end up with some risks falling into kind of like a no man’s land or a gap between departments, because no one [00:18:00] knows who owns what. No one is willing to take ownership. So for instance, who owns algorithmic bias? Cybersecurity might think that it’s a data science problem, while data science might think that it’s a legal problem, and legal at the same time might think it’s a technical problem.
So you have different teams kind of pushing the problem around, and in the end it just ends up not getting addressed. So these gaps are where liability runs high. And, uh, last but absolutely not least, you could end up wasting a ton of resources, right? So while the privacy team is working to restrict data access to comply with GDPR, at the same time, the AI team could be scraping that same data to train a model because there’s no communication across the teams. And the cybersecurity team,
at this time, it’s possible that the team hasn’t even vetted the third-party [00:19:00] plugin that the AI team is using. So you’re handling tasks completely separately, instead of as a unified team with a unified process and unified goals. You fix one problem and you end up creating three more. At this point, you are just moving the risks around instead of managing them.
Yeah, you can also have projects moving from department to department, and that would keep projects stuck in a kind of limbo. You could also have cases of last-minute redesigns because the privacy team realized on final review that the data collection process violates a consent decree. And you can also have different teams, like vendors and internal teams, get hit with
three different 200-question spreadsheets or questionnaires from three different departments. So this lack of communication, this lack of, um, unification, it creates [00:20:00] um, a waste of resources that probably ends up damaging morale. And this could burn through investments real fast. Absolutely. I could see companies wasting a lot of time and money, um, without harmonizing this.
Um, now, if an organization attempts to harmonize these requirements, what types of benefits should they expect to see? Um, oh my gosh. Okay. So, so many benefits. Uh, like I said, without harmonization, you end up wasting a lot of resources. So with harmonization, you can save time and money. Uh, as I mentioned before about silos,
the sheer inefficiency wastes a ton of resources. So this harmonized approach would help to address those inefficiencies. Um, and additionally, most regulations overlap quite significantly. So by using unified controls, you can stop asking [00:21:00] developers the same questions three or four different times.
It would also alleviate audit fatigue and let your technical teams focus on building instead of just answering the same questions. Um, you can also increase innovation speed. So what we have today in this siloed format, privacy and security act as brakes applied at the end of the process. But harmonization will move these to the beginning through privacy by design, and through this process, you can avoid 11th-hour redesigns because the guardrails were built into the track.
Starting from day one, you can mitigate risk much more effectively. So, as I said, silos can hide in those gaps between departments. Harmonization would close these gaps, and catching these early would prevent, uh, brand-damaging headlines and massive fines. You can also, surprisingly, get better data quality for AI.
So not surprisingly, but, you [00:22:00] know, some people are surprised by this. So when you harmonize, the data governance team ensures that the data is clean, the privacy team ensures that it’s legal to use, and the security team can ensure that it’s protected. So this foundation, it actually ends up making AI models more accurate and less prone to hallucinations.
So what you actually have is better quality, more efficiency, right? And I think last, you can absolutely gain a competitive trust advantage. I think that in 2026 today, transparency is, uh, absolutely a product feature. So proving that your AI is safe through a unified, cohesive framework will absolutely help you to build trust not only with your investors and your clients or consumers, but also internally within your own team or board as well.
You, uh, you sold me at fewer questionnaires. Uh, I think that, you know, so many people in IT and cybersecurity, and even privacy and [00:23:00] compliance, just hate filling those out. And so many of them are just the same questions, repeating and repeating. You spend days on it and you want to do your actual job instead.
So I mean, just that is a huge win for everybody. I relate as a lawyer. I’ll definitely vote for less of that kind of work, please. Absolutely. Um, so Paul, when it comes to harmonizing governance, um, what types of requirements should we be trying to harmonize? Ooh. Okay, so, what types of requirements should we be trying to harmonize?
Okay, so the key word here is requirements, right? And that’s gonna vary based on who you are as an organization, right? It’s going to vary based on where your principles sit. But let’s take it at the kind of the highest level of operational granularity, which is what [00:24:00] Esther was talking about with silos, right?
We wanna harmonize across those functional silos so that they’re not silos anymore, so that they’re integrated governance mechanisms, integrated governance arms, integrated governance departments. I mean, those are all fancy words for just saying get people working together. Right. Um, so that could be just like a real game changer for a lot of organizations when you’re trying to harmonize governance.
And if you’ve got, I’m gonna keep calling it, a single pane of glass to look through as an organization, then people can all be looking in the same direction. Right. You could go another level down on kind of operational granularity. You could dig a little bit deeper into those requirements, right? You could talk about, okay, so let’s harmonize our governance and accountability processes.
Let’s harmonize our AI risk management processes. Let’s make sure our controls around cybersecurity are [00:25:00] in the same ballpark as the AI risk management folks and the governance and accountability folks, and you can go on into privacy and data protection, which is what we’re on this podcast for.
You could look at safety and ethics, and one day the safety and ethics department’s gonna be thinking about alignment and control theory. I’m currently writing a paper on a philosophy of AI, and I find myself talking about future internal states of alignment and control theory, and even referencing the baseline test from Blade Runner 2049, because at some point systems are gonna be so, not conscious, but cognitive.
They’re gonna be able to do our bidding. We’re gonna need to make sure that they’re not destabilized. So safety and ethics needs to be harmonized. Compliance obligations need to be harmonized. Evidence and assurance requirements need to be harmonized. So you’ve got all of these areas within a business, and oftentimes people haven’t got their fingers on more than two or three of them, sometimes not even more than one of them.
[00:26:00] Um, so that’s one level of operational granularity. I could take it even deeper into talking about the difference between technical controls and legal obligations. Right. But I think we’ll stick there for a minute. We’ll twist them a little while if we need to. Absolutely. So when it comes to the Arise framework itself,
how does that model specifically harmonize the requirements across cybersecurity, data governance, AI governance, and compliance? Like, how does that work with this specific framework? Okay, so we talked about the fact that this has been a kind of a passion project, right? This started as a passion project by Ryan Carrier, who’s the executive director
at For Humanity now. Now, the Arise framework didn’t start with Ryan. The Arise framework always started with Josh, our CEO, but this cross-framework mapping really kind of got going when [00:27:00] Ryan, the executive director at For Humanity, and Josh, the CEO of Assessed Intelligence, had almost completed working together on For Humanity’s cybersecurity governance, uh, certification scheme, along with the working group, not just those two, but those two started to map cybersecurity protocols and controls, and that then started this passion project.
Josh then took that work on. And then when he brought in myself, Esther, our Chief Strategy Officer, Katie, uh, our Chief Ethics Officer, Laura, all of us as fellows at For Humanity, then that work continued the mapping, the hours and hours and hours of thinking, okay, what is the intent behind an ISO control?
Right? ’Cause it’s all an aspect of perspective. Within ISO, you can read a clause, and you can read it like four or five times, and you’re trying to work out what are they trying to get me to do. [00:28:00] In For Humanity, you read one criterion and it says, you know, um, go to that room there, open that box.
Look at this, record what it says. Make sure it doesn’t exceed your risk appetite or your risk threshold. Go back and report that into your, uh, you know, your, um, AI risk committee. Make sure the ethics committee knows about it. Be a hundred percent sure that the cybersecurity lead has knowledge about this, and then report it up through your enterprise risk, right?
It’s so robust. So that mapping process, you can look at an ISO control and you can select a clause, and you can say, that fits in 10 different places. How do we map that across different criteria? So that was the job behind harmonizing requirements. Once that work has been completed, at least across, you know, half a dozen, uh, mappings, which is where [00:29:00] we’ve got to today with the Arise framework, and there’ll be more in the future, but now we’re at this point, you can go to ariseframework.com and you can use, for example, the framework overview, sorry, the framework overlap view.
That will show you all the different frameworks and regulations that Arise maps to. So that’s how it does it. It takes the intent of those clauses, of those criteria, of those annex controls, of those stipulations, of those attestations, and it says, if you do this, this, this, and this, you will meet this, this, this, and this.
Right. So, you know, you can go to, um, privacy program, right? Go to the control Privacy Program, which sits under Manage, or I think it’s Govern. In Privacy Program, there are six different ways for you to do a data protection impact assessment. [00:30:00] Six different framework mappings that say this is what you need to do.
Now, a data protection impact assessment doesn’t need six different ways to do it, but when you’ve got six different professionals who might be thinking about a data protection impact assessment, or there might be six different frameworks that are saying you need to have robust data protection, you need to have data management, you need to have data governance.
There are six different approaches that people are taking to try and get to the same end. So it’s really about trying to just bring all of those controls together so that six different people aren’t working on six different ways to boil the egg. Yeah, I really like that you can narrow it down by topic or area.
So I could narrow down like training, or I can narrow down the privacy program or DPIAs. You know, if somebody comes to me as a compliance professional and says, you know, this company needs to be compliant with ISO 27001, I’m gonna throw up, you know, there’s so much that I need to do, versus with this framework, I can just say, okay, I’m gonna [00:31:00] focus on this particular area right now.
Yeah. And I’m gonna select the frameworks that I need, and it’s gonna tell me exactly what I need to do. So I don’t spend all that time researching. I don’t spend any money, because this is publicly available, and I can know exactly what I need to do in the area that I’m working in right now, um, which makes things so much easier and so much less overwhelming.
Sure. Um, so when you say that a model is operational, what does that look like? Is it a set of controls, workflows, metrics, operating procedures, or something else? Sure. Yeah, you’re pretty close. Um, so, okay, so if we could take a couple of controls, right? I’m gonna go deep down. I’m gonna go straight to thresholds, and I’m gonna talk about metrics, because those are two controls within Arise.
It is not just about policy documents, and we’re back to that whole kind of governance theater topic again, right? An operational [00:32:00] model means you have defined quantitative limits. You have automated guardrails that trigger alerts or block actions or flag things, or make sure somebody looks at something, make sure somebody approves something.
Uh, make sure the human in the loop, you know, uh, reviews it, even if it’s post hoc. So, you know, it’s about making sure that if limits are crossed, because you can’t have an operational model that stops all limits or thresholds being breached, right? But if limits are crossed, that somebody or something knows about it and can start to react to it, hopefully almost immediately, but within a reasonable amount of time.
It’s also about setting these things in advance so that you know what you’ve said. If I put my For Humanity hat on for a minute, when we do audit criteria drafting, we often speak of metrics, measurements, thresholds. I can even put that [00:33:00] in inverted commas, it gets said so often. Metrics, measurements, and thresholds, and these need to be aligned with your organization’s operating parameters, right?
So a simple analogy might be: temperature is the metric, Celsius is the measurement, and a deviation of more than four degrees from what you’ve set as an acceptable level is the threshold. So this would be the metric, the measurement and the threshold for keeping a server room cool, for example. On a macro scale, a risk management level, for instance, many organizations look at critical operating parameters from the lens of, say, risk tolerance and risk appetite.
So you set a risk tolerance, you set a risk appetite, and you say, okay, all of the risks that we identify that fit into that risk appetite, if anything exceeds a threshold or breaches the threshold, we need to know about it, ’cause it might just upset our risk tolerance. So that whole process [00:34:00] also fits in, so that’s about being operational.
That’s about being operational. Another key part about being operational is that you take away that governance theater that we’ve spoken about before. I just posted on LinkedIn, what, a week ago, maybe less, uh, an article called, you know, the Check Engine Light, right? You get these check engine light approaches
to governance that you can get from a lot of GRC platforms, which is, you know, you get the flashing signal on the dashboard that says go check the oil pressure. You are not entirely sure what you need to do. I mean, okay, fair enough, I now have to check an oil pressure, but, um, my missus doesn’t, right?
So if she’s in control of the car, then she has to take it to a garage and she has to find the right garage, and she has to know who to ask and blah, blah, blah, right? So if you don’t have somebody that’s ultimately able to drive the car, then a check engine light is not gonna get you there. And now I follow a guy called Russell Parrot on LinkedIn, and I recommend people have a look at his stuff.[00:35:00]
He wrote something called the standardized definition of AI governance. I am not gonna say it is the standardized definition of AI governance, but he calls it that. And he compared the structural tests that, no, sorry, I’ve compared the structural tests that he wrote with the criteria within ForHumanity’s certification schemes, and these are the only two publications that create a structural integrity to go.
They create the foundations that you just cannot miss, right? That’s where Arise kind of sits in, and that’s what an operational model does. You always know where you are. With an operational model, you always know where you failed. And in the future, when regulations, regulators, even competitors, try and hold you accountable.
And I say competitors ’cause the EU AI Act is a product safety law. When they try and hold you, uh, accountable for your product, you need to be able to go back to your controls and say, we did this, this, this, [00:36:00] this, this, and this. Then, then, then, then, here, here, here and here. We tried, we’ve made our best effort to govern this system.
And that’s an operational model. Yeah.
Um, so not to take us on a tangent, but uh, my grandfather thinks that, uh, the check engine light is just, and I quote, he says, it’s diagnostics and electronics. So his car had a check engine light and I was driving it and I was like, grandpa, this has a check engine light on it. He’s like, you know, don’t worry about it.
It is just diagnostics or electronics. Five days later, my husband and I are driving behind him and he just stops and the car’s dead and has to get a tow. And I had to explain to him that a check engine light is not just something that you ignore. You have to actually like look at it. You have to use the car reader that a lot of people have.
We have one of those. You have to take it to the [00:37:00] shop. You have to like actually figure out what’s wrong, because this isn’t just some random light that turns on. You actually have to do something about this. As someone who’s owned a 1965 VW Beetle, I know exactly what a check engine light means. Uh, I’m not any good at reacting to it, but I know what it means.
Yeah. As somebody who you sew in a Jeep, I know what a check engine light is too. Yeah. Um, so Esther, let’s get onto you right now. Um, as we start this new year, what do you think will be the biggest drivers pushing companies towards, uh, integrated governance? Uh, that’s a good question. I think that this year in 2026, we’ve moved away from watching and waiting to more active enforcement, so, um.
Now we have the grace periods for major regulations like the EU AI Act that are now officially over. And what we’re seeing [00:38:00] now is the first wave of heavy fines and mandatory audits, and we have regulators that want technical proof, uh, like dfa, watermarking and machine-readable disclosures. And so I think that integrated governance is probably going to be the only way forward to produce the technical documentation these demand.
I think there’s also, um, simultaneously a move away from policy to evidence-based accountability. So I would say the “trust us” era is now over. The “trust us” statement is no longer gonna be a valid compliance strategy moving forward. Uh, so as I said, auditors and enterprise customers are going to demand real-time proof.
They want to see your data maps, your bias testing logs, your kill-switch protocols. They want to see the evidence. Uh, I think there’s also, simultaneously and probably relatedly, right, they’re all working [00:39:00] together in tandem, there’s, uh, increasing investor pressure to comply with ESG principles, ESG being environmental, social and governance.
Um, so I think that, at this time, investors view poor AI governance as a material financial risk. And AI ethics is actually now a core pillar of ESG reporting. So harmonized governance would help turn responsible AI, this big thing called responsible AI, into a competitive advantage to attract capital.
It’s not just an ethical thing anymore, even though that’s also very important. It’s also an investment, obviously. So at this time, I think I would say the biggest driver is no longer just the fear of a fine. Um, more than that, in a world of agentic AI and fakes, integrated governance is going to be the only thing that keeps a company’s reputation and its data from spiraling out of [00:40:00] control.
Yeah. May I just add, Esther quoted investors and that’s a massive one. Um, but also insurance companies. Insurance companies are starting to opt out of offering policies if you are running AI systems, whether you’re deploying or providing. Now, that’s a hugely generalized statement. I’m not saying that all insurance companies are doing that, but some certainly are.
So policies might be harder to come by, and even, you know, direct, um, lawsuits against, uh, officers of companies are starting to happen, as we’ve seen, you know. So, um, I think that’s also gonna push companies towards, you know, thinking about, okay, how do we do this better? I think it’s good that we’re moving past the trust model into the verify model, because to be honest with you, these companies cannot be trusted.
Um, I mean, we’ve been shown [00:41:00] time and time and time again, um, you know, how, when you have more lax, um, rules and regulations and laws, you know, companies just say, oh, we’re doing our best and your privacy matters to us and we really care about this. No, they don’t. Um, I mean, through all the lawsuits and everything, we’ve seen that they don’t.
So having a verification model definitely inspires more trust with consumers, because this isn’t just, oh, we’ll take Mark Zuckerberg’s word for it. It’s more like, okay, here’s what they actually did. And I think that’s very important. Absolutely. Um, if you were advising a privacy leader who wants to mature beyond a siloed program, what’s the first actionable step that they should take?
The first actionable step that they should take is absolutely: listen. I would say go on a listening tour outside of the legal department. Like I said, legal departments tend to be [00:42:00] pretty siloed, and I think that’s, um, that’s, lawyers tend to be, we speak a different language. We’re a different creature, right?
We are very much invested in our legal, but I would say go on a listening tour, sit down with the head of data science, or the CISO, ask what is the one thing about our current privacy process that slows you down the most, and try to identify the friction points. And once you’ve done that, I think that you’ve found your first opportunity for harmonization.
Usually I think that it’s, um, probably just, you know, a redundant form or a confusing policy, which is relatively easy to fix. Um, and that’s, you know, an easy way to get started. So fix that first, and you’ll build the first cross-functional trust, which is absolutely necessary, right? I think everything begins with trust.
Then you have what you need to launch a fully harmonized model. Awesome, thanks. To add to that, um, we’re starting to publish [00:43:00] what we call Arise Stories in a video format on our YouTube channel. You’ll see them also published on LinkedIn. Um, and one of the Arise Stories that’s gonna come out in the next couple of weeks is called doing a gap analysis.
So anybody, a privacy leader who wants to take a step beyond a siloed program, could do a gap analysis using the Arise framework, uh, to identify perhaps where some of the gaps are in that harmonized governance structure. Yeah, that’s really great. Yeah, definitely look at the model. Play with it.
Play with it, you know, see what it says. Select the things that you want to do and, yeah, just look at it and read it and see where you’re at. And I think a gap analysis is a great way to, um, see what you’re missing. You know, um, because it’s hard to know what you’re missing when you’re deep in the trenches of doing this every day.
Um, so my last question for the both of you. Where can people learn more about your new model, your [00:44:00] company, and yourselves? Assess intelligence.com. Arise framework.com. And we are both on, oh, uh, we’re both on the Assessed website, and we’re on LinkedIn as well. Um, I imagine you’ll link, you’ll provide links, I think, if you want, for ForHumanity.
I think it’s forhumanity.info. Is that right, Paul? Can you verify? forhumanity.center? Oh, oh, .center, my bad. .center, yeah. The non-English way of spelling center, obviously.
Yeah, Ari? Um, my mind all. Yeah. Ari, er. Oh, it’s er, okay. Whenever it’s Ari, I just, I can’t, my mind just shuts down. Um, I can’t process that. I, I would also like people to, uh, sign up and join us for our Arise Framework webinar launches. [00:45:00] Um, the US uh, webinar is 3:00 PM Eastern on the, um, 21st of January. On our Vimeo channel so that we can have multiple guests and multiple hosts.
Um, and then the EMEA launch will be on the 27th of January at 5:00 PM Central European time, again on that Vimeo channel. So the, uh, the links are all over the internet on LinkedIn. Hopefully, Don, you’ll be able to share some of those as well. We’ve got links to register for the US version and the EMEA version; the first hundred people get in the door.
Um, so if your name’s not down, you’re not coming in, as the old song says, but it’s free to.
Well, while it’s still available for the public, um, definitely check it out. [00:46:00] Uh, and even if it, when it does become paid, definitely check it out, ’cause it’s a really, really cool tool. Um, I definitely can see how it’s very, very useful for people. So, um, so Paul and Esther, thanks so much for taking the time to come on today.
Yeah, this is super fun. It’s been a pleasure. It’s been fun. Awesome. And then for our listeners, make sure to subscribe to Privacy Lawls, um, so that you don’t miss our next episode.
