How to Manage Access in the AI Era

Concerned about agentic AI risks cascading through your system? Consider these emerging smart practices which adapt existing AI governance best practices for agentic AI, reinforcing a "responsible by design" approach and encompassing the AI lifecycle end-to-end: ✅ Clearly define and audit the scope, robustness, goals, performance, and security of each agent's actions and decision-making authority. ✅ Develop "AI stress tests" and assess the resilience of interconnected AI systems ✅ Implement "circuit breakers" (a.k.a kill switches or fail-safes) that can isolate failing models and prevent contagion, limiting the impact of individual AI agent failures. ✅ Implement human oversight and observability across the system, not necessarily requiring a human-in-the-loop for each agent or decision (caveat: take a risk-based, use-case dependent approach here!). ✅ Test new agents in isolated / sand-box environments that mimic real-world interactions before productionizing ✅ Ensure teams responsible for different agents share knowledge about potential risks, understand who is responsible for interventions and controls, and document who is accountable for fixes. ✅ Implement real-time monitoring and anomaly detection to track KPIs, anomalies, errors, and deviations to trigger alerts.

A lot of companies think they’re “safe” from AI compliance risks simply because they haven’t formally adopted AI. But that’s a dangerous assumption—and it’s already backfiring for some organizations. Here’s what’s really happening— Employees are quietly using ChatGPT, Claude, Gemini, and other tools to summarize customer data, rewrite client emails, or draft policy documents. In some cases, they’re even uploading sensitive files or legal content to get a “better” response. The organization may not have visibility into any of it. This is what’s called Shadow AI—unauthorized or unsanctioned use of AI tools by employees. Now, here’s what a #GRC professional needs to do about it: 1. Start with Discovery: Use internal surveys, browser activity logs (if available), or device-level monitoring to identify which teams are already using AI tools and for what purposes. No blame—just visibility. 2. Risk Categorization: Document the type of data being processed and match it to its sensitivity. Are they uploading PII? Legal content? Proprietary product info? If so, flag it. 3. Policy Design or Update: Draft an internal AI Use Policy. It doesn’t need to ban tools outright—but it should define: • What tools are approved • What types of data are prohibited • What employees need to do to request new tools 4. Communicate and Train: Employees need to understand not just what they can’t do, but why. Use plain examples to show how uploading files to a public AI model could violate privacy law, leak IP, or introduce bias into decisions. 5. Monitor and Adjust: Once you’ve rolled out your first version of the policy, revisit it every 60–90 days. This field is moving fast—and so should your governance. This can happen anywhere: in education, real estate, logistics, fintech, or nonprofits. You don’t need a team of AI engineers to start building good governance. You just need visibility, structure, and accountability. Let’s stop thinking of AI risk as something “only tech companies” deal with. Shadow AI is already in your workplace—you just haven’t looked yet.

According to a recent BBC article, half of all workers use personal generative AI tools (like ChatGPT) at work—often without their employer's knowledge or permission. So the question isn't whether your employees are using AI—it's how to ensure they use it responsibly. A well-crafted AI policy can help your business leverage AI's benefits while avoiding the legal, ethical, and operational risks that come with it. Here's a simple framework to help guide your workplace AI strategy: ✅ DO This When Using AI at Work 🔹 Set Clear Boundaries – Define what's acceptable and what's not. Specify which AI tools employees can use—and for what purposes. (Example: ChatGPT Acceptable; DeepSeek Not Acceptable.) 🔹 Require Human Oversight – AI is a tool, not a decision-maker. Employees should fact-check, edit, and verify all AI-generated content before using it. 🔹 Protect Confidential & Proprietary Data – Employees should never input sensitive customer, employee, or company information into public AI tools. (If you're not paying for a secure, enterprise-level AI, assume the data is public.) 🔹 Train Your Team – AI literacy is key. Educate employees on AI best practices, its limitations, and risks like bias, misinformation, and security threats. 🔹 Regularly Review & Update Your Policy – AI is evolving fast—your policy should too. Conduct periodic reviews to stay ahead of new AI capabilities and legal requirements. ❌ DON'T Do This With AI at Work 🚫 Don't Assume AI Is Always Right – AI can sound confident while being completely incorrect. Blindly copying and pasting AI-generated content is a recipe for disaster. 🚫 Don't Use AI Without Transparency – If AI is being used in external communications (e.g., customer service chatbots, marketing materials), be upfront about it. Misleading customers or employees can damage trust. 🚫 Don't Let AI Replace Human Creativity & Judgment – AI can assist with content creation, analysis, and automation, but it's no substitute for human expertise. Use it to enhance work—not replace critical thinking. 🚫 Don't Overlook Compliance & Legal Risks – AI introduces regulatory challenges, from intellectual property concerns to data privacy violations. Ensure AI use aligns with laws and industry standards. AI is neither an automatic win nor a ticking time bomb—it all depends on how you manage it. Put the right guardrails in place, educate your team, and treat AI as a tool (not a replacement for human judgment). Your employees are already using AI. It's time to embrace it strategically.

Many companies opt to create custom internal systems to manage access, but these are often resource intensive and can still lead to risky over-privilege and poor end-user experience. Apono helps organizations adopt a modern approach to access management that ensures users only get the access they need without weighing them down with unnecessary friction. Here’s how to get there in 4 steps: Discover and continuously sync all of your GCP projects and resources in minutes. Establish secure guardrails around access with dynamic access flows that are built to scale with constantly changing environments. Enable users to to get the access they need, when they need it by requesting access in slack/teams, the Apono portal, or even directly in the CLI. Report on the least privileged model you’ve established with comprehensive, real time auditing, AI anomaly detection and smart suggestions to help you right size policies given the unique access needs of your users. With Apono’s unified cloud access platform, organizations can use these 4 steps to simplify their journey to #JIT across #GCP, #AWS, #Azure, #K8s, databases and more…

"On Nov 6, the UK Department for Science, Innovation and Technology (DSIT) published a first draft version of its AI Management Essentials (AIME) self-assessment tool to support organizations in implementing responsible AI management practices. The consultation for AIME is open until Jan 29, 2025. Recognizing the challenge many businesses face in navigating the complex landscape of AI standards, DSIT created AIME to distill essential principles from key international frameworks, including ISO/IEC 42001, the NIST Risk Management Framework, and the EU AI Act. AIME provides a framework to: - Evaluate current practices by identifying areas that meet baseline expectations and pinpointing gaps. - Prioritize improvements by highlighting actions needed to align with widely accepted standards and principles. - Understand maturity levels by offering insights into how an organization's AI management systems compare to best practices. AIME's structure includes: - A self-assessment questionnaire - Sectional ratings to evaluate AI management health - Action points and improvement recommendations The tool is voluntary and doesn’t lead to certification. Rather, it builds a baseline for 3 areas of responsible AI governance - internal processes, risk management, and communication. It is intended for individuals familiar with organizational governance, such as CTOs or AI Ethics Officers. Example questions: 1) Internal Processes Do you maintain a complete record of all AI systems used and developed by your organization? Does your AI policy identify clear roles and responsibilities for AI management? 2) Fairness Do you have definitions of fairness for AI systems that impact individuals? Do you have mechanisms for detecting unfair outcomes? 3) Impact Assessment Do you have an impact assessment process to evaluate the effects of AI systems on individual rights, society and the environment? Do you communicate the potential impacts of your AI systems to users or customers? 4) Risk Management Do you conduct risk assessments for all AI systems used? Do you monitor your AI systems for errors and failures? Do you use risk assessment results to prioritize risk treatment actions? 5) Data Management Do you document the provenance and collection processes of data used for AI development? 6) Bias Mitigation Do you take steps to mitigate foreseeable harmful biases in AI training data? 7) Data Protection Do you implement security measures to protect data used or generated by AI systems? Do you routinely complete Data Protection Impact Assessments (DPIAs)? 8) Communication Do you have reporting mechanisms for employees and users to report AI system issues? Do you provide technical documentation to relevant stakeholders? This is a great initiative to consolidating responsible AI practices, and offering organizations a practical, globally interoperable tool to manage AI!" Very practical! Thanks to Katharina Koerner for summary, and for sharing!

The Cyber Security Agency of Singapore (CSA) has published “Guidelines on Securing AI Systems,” to help system owners manage security risks in the use of AI throughout the five stages of the AI lifecycle. 1. Planning and Design: - Raise awareness and competency on security by providing training and guidance on the security risks of #AI to all personnel, including developers, system owners and senior leaders. - Conduct a #riskassessment and supplement it by continuous monitoring and a strong feedback loop. 2. Development: - Secure the #supplychain (training data, models, APIs, software libraries) - Ensure that suppliers appropriately manage risks by adhering to #security policies or internationally recognized standards. - Consider security benefits and trade-offs such as complexity, explainability, interpretability, and sensitivity of training data when selecting the appropriate model to use (#machinelearning, deep learning, #GenAI). - Identify, track and protect AI-related assets, including models, #data, prompts, logs and assessments. - Secure the #artificialintelligence development environment by applying standard infrastructure security principles like #accesscontrols and logging/monitoring, segregation of environments, and secure-by-default configurations. 3. Deployment: - Establish #incidentresponse, escalation and remediation plans. - Release #AIsystems only after subjecting them to appropriate and effective security checks and evaluation. 4. Operations and Maintenance: - Monitor and log inputs (queries, prompts and requests) and outputs to ensure they are performing as intended. - Adopt a secure-by-design approach to updates and continuous learning. - Establish a vulnerability disclosure process for users to share potential #vulnerabilities to the system. 5. End of Life: - Ensure proper data and model disposal according to relevant industry standards or #regulations.

⚠️Privacy Risks in AI Management: Lessons from Italy’s DeepSeek Ban⚠️ Italy’s recent ban on #DeepSeek over privacy concerns underscores the need for organizations to integrate stronger data protection measures into their AI Management System (#AIMS), AI Impact Assessment (#AIIA), and AI Risk Assessment (#AIRA). Ensuring compliance with #ISO42001, #ISO42005 (DIS), #ISO23894, and #ISO27701 (DIS) guidelines is now more material than ever. 1. Strengthening AI Management Systems (AIMS) with Privacy Controls 🔑Key Considerations: 🔸ISO 42001 Clause 6.1.2 (AI Risk Assessment): Organizations must integrate privacy risk evaluations into their AI management framework. 🔸ISO 42001 Clause 6.1.4 (AI System Impact Assessment): Requires assessing AI system risks, including personal data exposure and third-party data handling. 🔸ISO 27701 Clause 5.2 (Privacy Policy): Calls for explicit privacy commitments in AI policies to ensure alignment with global data protection laws. 🪛Implementation Example: Establish an AI Data Protection Policy that incorporates ISO27701 guidelines and explicitly defines how AI models handle user data. 2. Enhancing AI Impact Assessments (AIIA) to Address Privacy Risks 🔑Key Considerations: 🔸ISO 42005 Clause 4.7 (Sensitive Use & Impact Thresholds): Mandates defining thresholds for AI systems handling personal data. 🔸ISO 42005 Clause 5.8 (Potential AI System Harms & Benefits): Identifies risks of data misuse, profiling, and unauthorized access. 🔸ISO 27701 Clause A.1.2.6 (Privacy Impact Assessment): Requires documenting how AI systems process personally identifiable information (#PII). 🪛 Implementation Example: Conduct a Privacy Impact Assessment (#PIA) during AI system design to evaluate data collection, retention policies, and user consent mechanisms. 3. Integrating AI Risk Assessments (AIRA) to Mitigate Regulatory Exposure 🔑Key Considerations: 🔸ISO 23894 Clause 6.4.2 (Risk Identification): Calls for AI models to identify and mitigate privacy risks tied to automated decision-making. 🔸ISO 23894 Clause 6.4.4 (Risk Evaluation): Evaluates the consequences of noncompliance with regulations like #GDPR. 🔸ISO 27701 Clause A.1.3.7 (Access, Correction, & Erasure): Ensures AI systems respect user rights to modify or delete their data. 🪛 Implementation Example: Establish compliance audits that review AI data handling practices against evolving regulatory standards. ➡️ Final Thoughts: Governance Can’t Wait The DeepSeek ban is a clear warning that privacy safeguards in AIMS, AIIA, and AIRA aren’t optional. They’re essential for regulatory compliance, stakeholder trust, and business resilience. 🔑 Key actions: ◻️Adopt AI privacy and governance frameworks (ISO42001 & 27701). ◻️Conduct AI impact assessments to preempt regulatory concerns (ISO 42005). ◻️Align risk assessments with global privacy laws (ISO23894 & 27701).   Privacy-first AI shouldn't be seen just as a cost of doing business, it’s actually your new competitive advantage.

💂♂️ Do you have robust #AI guidelines & guardrails in place for your business/team regarding #employee use & #HR policies? 😦 We still hear about professionals who are having a 'bad time' after falling into AI pitfalls. For example, employees going 'rogue' and using AI without anyone knowing. Companies uploading proprietary information that is now available for the public (or competitors) to access. Sales teams sharing customer data with #LLMs without thinking through consequences. People passing off AI-generated outputs as their own work. ✅ Here's a good mini framework to consider: - Statement of Use: Purpose, Method, and Intent - Governance: Steering Committee, Governance & Stewardship - Access to AI Technologies: Permissions, Oversight & Organization - Legal & Compliance: Compliance with Industry-specific Laws/Regulations - HR Policies: Integration with Existing Policies - Ethical Considerations: Transparency, Privacy & Anti-bias Implications - IP & Fair Use: Who owns AI-influenced IP? - Crisis Plan: Creating an Internal Crisis Management & Communications Plan - Employee Communications: Internal Training & Feedback Loops ⛷ Shout out to #SouthPark for inspiring this #meme 👉 Need help to tailor AI Guidelines to your #business? We're here to help! Drop me a DM and I'd love to share some ideas on how to get your team on the same page, so you 'have a good time' when using #artificialintelligence.

Law firms: are you having difficulty managing client terms around AI use? I've spoken to several firms that require each lawyer to first seek written approval to use a GenAI tool on a client matter before being able to do so, because there is such variety in terms of what clients will allow. ✅ Some clients encourage use of AI on their matters, as long as the products used pass the firm's security protocols (and they benefit financially from the productivity gains...) ⚠️ Others allow it, but only for certain types of work, and require transparency over which of their data is used in these products. 🛑 Still others forbid use of GenAI altogether. 𝐀𝐬 𝐚 𝐥𝐚𝐰𝐲𝐞𝐫, how do you navigate these conflicting terms when you're working on multiple matters and want to make the most of the tools your firm provides? Using productivity tools should 𝘦𝘯𝘩𝘢𝘯𝘤𝘦 your productivity, but stopping to ask permission slows you down. 𝐀𝐬 𝐚 𝐟𝐢𝐫𝐦, how do you ensure compliance with client terms unless you have direct oversight over how your lawyers are using the tools provided? Enter: 𝐠𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞 𝐬𝐨𝐥𝐮𝐭𝐢𝐨𝐧𝐬, one of the classes of AI deployment tools that are becoming a critical aspect of managing AI use at organizations and firms. Some of the features to look out for: 💥 Ability to bake in and update client terms 💥 Pushes alerts and guidance to lawyers and other end-users as they use an AI system, letting them know when they're hitting up against restrictions 💥 Automated gating - enter a client-matter number and you are either allowed to proceed or not, depending on the relevant client terms 💥 Metrics and breach tracking - administrator access to a dashboard that provides an overview of usage, including breach notifications and reporting. If you missed it, we published a piece last week that identified some of the solutions in the market offering these types of features. #legaltech #responsibledeployment #AI #GenAI