The era of artificial intelligence (AI) adoption is testing the old ways of doing compliance, underscoring the need for continuous monitoring. Compliance isn’t a one-and-done activity, but sometimes organizational incentives and goals fail to prioritize the importance of this.
About the Author
Yasmine Abdillahi, executive director of security risk and compliance and business information security officer at Comcast, is an expert in governance, risk, and compliance (GRC). She brings a wealth of knowledge and experience to the table, having led the implementation of successful GRC programs for large global companies. Yasmine’s passion lies in bridging the gap between the technical and business aspects of cybersecurity, ensuring that risk management strategies are aligned with organizational objectives.
While your organization may only need to conduct an audit annually, compliance is a continuous process. Factors are constantly changing, whether it’s new regulations, the adoption of new technologies, or new threats arising.
As organizations rapidly adopt AI, a host of new security risks and compliance concerns proliferate, and leaders across the spectrum are quickly trying to put guardrails in place. A proven approach to staying ahead is continuous controls monitoring (CCM). When leaders have visibility into the compliance posture of information and technology they own, they are empowered to make better tech decisions.
The evolving world of risk & compliance
AI adoption is happening at breakneck speeds. In the latest McKinsey Global Survey on AI, 65 percent of respondents reported that their organization regularly used generative AI, nearly double the percentage from the same survey conducted 10 months prior. This adoption often happens without putting the security guardrails in beforehand. In many cases, security happens in parallel or as an afterthought; in some situations, it’s ignored or overlooked altogether.
Another security concern around AI is that without clean data to train AI models, organizations can face additional risks. Putting frameworks and guardrails in place to help ensure quality data is quickly becoming another facet of compliance.
New regulations and compliance mandates are also being developed and introduced, including the SEC’s cybersecurity disclosure rules for publicly traded companies, not to mention a number of industry-specific requirements.
AI is also quickly shifting the seas. Although there’s currently no overarching regulation for AI in the U.S., we should assume that more AI regulation is coming, especially with the European Union’s AI Act coming into force in August. The new regulation attempts to crack down on or regulate AI development and usage there despite how difficult it will be to enforce.
The role of continuous controls monitoring
One of the best ways to stay on top of all the different regulations–especially amid the adoption of new tools and the emergence of new risks–is to make compliance an ongoing process. Compliance is becoming a scenario where you can’t just check the boxes once or twice yearly to meet audit requirements. The digital world has begun moving too fast for that. Compliance is like a continuously exercised muscle that must adapt to new and evolving factors.
CCM can play a critical role. This emerging governance, risk, and compliance (GRC) technology automates controls monitoring and helps reduce audit stress. It helps organizations improve their overall risk management by identifying gaps and anomalies, and by raising alerts when issues are found. This empowers GRC teams to go beyond security and compliance to support strategy and drive outcomes. Most importantly, it enables leaders who own technology assets, sensitive data flows, and external relationships to make better technology decisions by having ongoing visibility into the security and privacy posture.
Best practices for CCM success
Look for solutions that take a cohesive approach. One way to do this is through a data fabric platform that gathers data from enterprise cybersecurity and IT solutions and then enriches that data with business data. This allows companies to conduct data analytics that help them measure internal control effectiveness and compliance with current laws.
You need an approach that will deliver consistent and accurate compliance dashboards and reports that measure risks and control effectiveness against the benchmarks you’ve established for your business. Placing cleansed and enriched data at the core will enable GRC teams to offer quick compliance answers and resolutions, and can reduce the time spent on audit preparedness.
You’ll also need to prioritize data quality and governance over a fancy visualization layer. Structured and streamlined data will drive adoption throughout your three lines of defense; the first line being operational managers, the second the teams responsible for risk management and compliance functions, and the third being the internal audit process. This approach also helps sustain the use of CCM in a scalable manner. Gradually build your CCM capabilities by prioritizing specific areas and going through the entire cycle with data providers, control owners and auditors. Driving maturity and adoption is like planting seeds and growing them into healthy, thriving plants; it doesn’t happen overnight, and it requires a careful process with constant attention. And the benefits can be harvested on an ongoing basis and in the long run.
Laying the foundation for compliance success
Compliance monitoring sounds like a straightforward concept. However, meeting compliance requirements can feel like trying to hit a moving target, especially when new policies and technologies abound.
As organizations rapidly adopt AI, compliance is becoming increasingly important, but in many ways, the rules are still being written along the way. CCM can provide a strong foundation for companies looking to stay compliant and secure despite the rapid changes.
No comments yet