[00:00:00] Speaker A: Hi everyone. In this episode we'll talk about why AI governance needs a serious upgrade and what that looks like now that agentic AI is in the picture. I'm your host, Bill Coffin and this is the Ethicast.
Eighteen months ago, the biggest AI governance challenge most ENC teams faced was was keeping up with employees who were already using ChatGPT without telling anyone. The instinct was to write a policy, maybe run some training and try to stay ahead of the curve. But that curve has since moved. Today, companies are deploying AI agents that can take real actions in real systems. Scheduling, executing, deleting, deciding, often with minimal human intervention. And meanwhile, boards that were once cautious observers are now mandating AI adoption outright, which means a new population of users is coming online. Employees who weren't early adopters, who don't have much intuition for what AI can and can't do, and who are now being asked to implement it anyway.
The result is a gap between how AI governance was designed and how AI is actually being used.
That gap is where things can go wrong and we've already seen it happen. In one high profile case, an AI agent deleted an entire startup's database in a matter of seconds and it looked like the tech had run amok. But when you look closer, it was really a governance failure, plain and simple. It had insufficient controls, insufficient permissions, and no one in the loop when it really mattered. So the question isn't whether your AI governance framework needs updating, it's how far behind it already is and what you need to do about it.
With us today to share her insights on this is Laura Jacobis, Executive Vice President, Strategic Advisory Services at Mitra Tech, a global technology organization that aids corporate legal risk and compliance and HR professionals in enhancing productivity, controlling expenses and mitigating risk. Laura brings deep hands on experience in design and implementation of corporate compliance programs that genuinely resonate with company values and employee behavior. Laura, it is so good to see you again. This is not our first time getting together on camera, so I'm delighted we could have you on the ethicast.
[00:02:13] Speaker B: Yeah, absolutely. Great to be here with you, Bill. As always, I appreciate the opportunity to talk with you about about AI today.
[00:02:20] Speaker A: About 18 months ago or so, what constituted robust AI governance felt very different than how it feels now. And as we move into the use of agentic AI and a split between companies that build and sell AI products versus companies that use AI products, do you feel like it's time for folks to re examine their AI governance? Or to put it another way, do you feel like AI Governance 2.0 is upon us.
[00:02:44] Speaker B: Yeah, that's a great question. I do feel that AI governance has reach the 2.0 stage. And yeah, to get to that point, I think it helps to look at where we were 18 months ago.
that point we were really seeing the early efforts to structure AI governance and attempt to anchor an AI governance program structure to a framework. Right. Like NIST or the EU AI Act.
Those efforts, to me at least looked a lot like the early days of us all realizing that GDPR was really going to happen. Right. We were trying to figure out from an organizational perspective how to, how to manage that. So I think there was, you know, there was an acknowledgement that AI was happening, but I don't think we had any idea of how fast it would actually move.
So let's say, you know, 18 months ago, there wasn't yet any best practice for, for how to build or organize an AI governance team and also whether that governance team should be independent or maybe integrated into privacy and compliance. So, you know, from my perspective, and I started at Metra Tech just over two years ago and I, you know, I spend most of my days talking with SECOs and Chief Risk Officers and CISOs and, and what I was hearing 18 months ago was that if someone had an AI governance structure, it was different than the company down the block, right? Those structures were incredibly diverse and knowledge was still being gained.
I actually saw an interesting stat from Deloitte and they had done a survey in, I think it was May to July of 20. Yeah, May to July of 2024.
So 79% of boards said they had limited to no AI knowledge, which is terrifying.
AI's grown a lot since then, Right. And then in early 2025, they asked that same question and the number changed to 66%.
So, I mean, definitely an improvement, but not enough of an improvement to stay up to date or certainly not. Yeah, not ahead of AI.
I'd also say that early AI governance involved a lot of conversation about defining policies and defining what the, you know, what any organization's, their real statement would be about how they viewed AI, right? What was their kind of ethical use or, you know, responsibility to use, to use AI in an ethical manner. And although we saw a lot of organizations putting those policies and statements in place, fewer than 25% of those policies and statements had board level approval 18 months ago. So I also said something, right? So While there were CCOs and CISOs and CROs who were understanding AI was coming and that there were things that they needed to do there. There wasn't necessarily a lot of board engagement there.
I would also say we saw four gaps a year and a half ago in terms of AI governance.
The first is that we saw instead of operations, we saw org charts on paper.
A lot of those. I would ask people for what their AI governance programs look like and again, an org chart back. So I think a lot of that, that was a gap.
Importantly, third party risk management may have been, people may have been focused on improving the, you know, improving their third party risk management programs, getting those off of paper, making them more automated, but they weren't that focused on AI 18 months ago.
And honestly more than half of all AI failures now come from third party tools, right? I mean, it's a huge, huge risk. And almost 80% of organizations use third party AI tools.
So there's a huge risk there. Right. The third gap I think we saw 18 months ago was that there wasn't really any focus on agentic AI and what that meant for compliance. Right. Is the one area when you think about any organization where when you say you're using agentic AI, people gasp a little bit, right? Because no one wants that DOJ conversation that, you know, that goes something like, well, why didn't you know who, who made that decision? And your response is, well, you know, our AI agendic AI made that decision for us. So I think there, there wasn't a lot of thought at that point in time what that was going to look like. And then I'd say fourth, organizations didn't really have their arms around designing a program that would address all of the different competing AI regulations. So there aren't that many. But what there are, those that do exist are somewhat conflicting.
And you know, while we still see, you know, we still see some similarities with organizations, you know, a C. CO who may own a global compliance program, trying to figure out how to deal with other types of competing regulations. I think AI already is so complex that when you think about, oh my gosh, now we have competing regulations on top of the complexity, I think that, you know, that added a whole different, a whole different layer. And so those, you know, those four things I think to a certain extent still exist, but we're seeing maturity in each of those.
And the one that stands out to me just because of where I work is that there are many organizations coming and saying we need third party risk management and we need it because we're worried about AI, right? Not just because our overall GRC processes need to be more integrated or need to be more Mature, but really because they are worried about AI coming into the organization. So definitely, definitely some improvement there on the maturity.
You know, in terms of looking at
[00:09:08] Speaker A: maturity, one of the big differences that I have noticed in AI use over the last 18 to 24 months is that during that initial AI hype cycle, E and C teams had to contend with the notion of employees enthusiastically embracing a tool without understanding its risks. But now, as boards increasingly mandate the use of AI, we're seeing employees who might have avoided using AI until now, and now they're beginning to implement it without really understanding what it can and can't do. So, Laura, how are you seeing this switch impacting how companies approach AI governance?
[00:09:41] Speaker B: First, let me say I love the term hype cycle.
That is new to me. I'm going to try to fit that into.
I'm going to try to fit that into my everyday vocabulary.
But I mean, honestly. Yeah, spot on. There are a lot of employees, aren't we all experimenting with AI tools right now to make our job simpler, to be more efficient?
There are also a lot of employees who are experimenting with AI outside of their jobs for use outside of their jobs. But they're doing that experimentation on a company's assets as opposed to working at home. So we're seeing a lot of AI use related to work, not related to work, happening at work.
And additionally, we've had boards with what I would say are at least seemingly contradictory stances.
They're both pushing the use of AI to lower costs and gain efficiencies, but then they're concerned about employee use of AI and third party risk management AI coming into the organization. So I think that's forced the, it's forced the position that companies need to think about AI governance in a different way. Like, we are there, we have to think about it differently. I think importantly, what you mentioned, shadow AI. Right. Shadow AI is just the use by an employee of an AI tool without understanding the organization's policies or what the approval process might be for those tools. If there is an approval process.
We know right now that about 80% of employees use shadow AI tools.
Fewer than 10% of those employees get any type of extensive training on AI. And so that's what's terrifying. Right?
That means that the vast majority of AI activity is actually happening without any rules or any oversight. I mean, that is a scary thought. And that alone creates a massive risk of data exposure. Right.
We are seeing a number of instances in the news of employees putting, you know, not intentionally, but putting company confidential information into public AI Tools. Right. So lots of data exposure there.
We also know that in IBM's 2025 cost of a data breach report they found that data breaches involving shadow AI cost organizations about $670,000 more than an average non AI related data breach. So yeah, so I think we're realizing we have to think about that, about that differently.
In terms of my work and I probably have, I don't know, I'm going to say three or four conversations each week with organizations about AI governance and their maturity level and say the ones that I think are really thinking Governance 2.0 are focusing on three things.
One of those is culture. Right. And we're seeing that focus on culture everywhere, even in terms of hotline reports. Right. The culture outside always is, you know, is always reflected on the culture inside an organization. But I think that, you know, we're seeing SECOs especially talking about, let's have a, you know, I would say a standard committee mindset for governance and instead thinking about invoking behavior change. Right. So not the typical top down process, but instead maybe really trying to figure out how to embed governance within their organizations. Like it's a little bit different than, you know, just training HR on how to use, you know, and how to deal with gdpr.
It's much different. Every single employee and they need to be educated and they need to understand what governance looks like for AI. So that's the first thing that focus on culture. The second is the process.
I think before and when, when we really started that hype cycle, achieved it for today.
Was that the term hype cycle?
[00:14:01] Speaker A: Yeah,
[00:14:04] Speaker B: check.
We saw and we heard organizations saying no, if you want to use this AI tool, the answer is no. We don't understand it, we don't know enough about it.
And so you can't do it. And still employees would utilize those tools.
[00:14:21] Speaker A: Right.
[00:14:21] Speaker B: It wasn't as they, if they didn't, they thought they could, they thought they could still use the tools even though they were told no. But I think now there's a real push toward saying there's a process. Right.
You can't use it until you go through X process. And that is huge for employees who really want to understand AI better or who are worried about their jobs. Right. They're worried about staying up with technology. And so they're thinking I've got to use this even if I'm being told I can't. And so I think there's much more of a kind of a give and take, tell us what you're using and we're going to do these five things and we'll come back to you, or you can't use that, but you can use this other thing. I think there's much more of that. And then I think the third is really focusing on literacy gaps. I mean, I think we all, right now have literacy gaps in leadership positions. All of our employees, even those, the ones that are most technically focused, have a literacy gap one day that they didn't have the day before, just because AI is moving so quickly. And so I think, yeah, that focus on literacy training is, Is really the third way that I see organizations trying to stay ahead of that.
[00:15:34] Speaker A: Laura, we recently saw a news story of a startup whose database was deleted in just a few seconds by an AI agent that was powered by Claude. And while the story initially looked like, you know, the tech had simply gone berserk, upon closer examination, this case really was more a matter of AI governance failure with controls or permissions handled really insufficiently.
So my question to you is that as companies seek to embrace agentic AI, is the state of AI governance having difficulty keeping pace with the state of AI innovation and implementation?
[00:16:06] Speaker B: Yeah, unambiguously, yes. Right. That is the defining governance challenge right now, trying to stay current on AI innovation and implementation. Right? That is the challenge.
It's so much different than we saw in, you know, 18 months ago, where people were like, it's coming. Let's get a governance model together. Let's figure out what everyone else is doing. This has become so incredibly, I think, terrifying for people that they. They really are struggling to just stay ahead of what's happening in the industry. And then trying to govern is, you know, is incredibly difficult.
I hear companies saying two different things, reasons for why they think they're failing. The first one is, you know, your typical governance problem, where someone isn't accountable for something. Right. There's no clear accountability.
That's not just in figuring out who should be sitting on an AI governance committee, but it's also trying to figure out that kind of intricacy of how organizations should fit together.
Cyber committees, privacy committees and AI committees. Right? Do they glom them all together? Which people sit on all of them? Very complicated right now. I have had so many conversations about these org charts, the governance org charts over the past couple of months. So that is a real challenge. Just trying to get that figured out. Actually, at the Global Ethics Summit this year, y' all let me do a presentation about AI governance and creating a racy model, right, for AI governance. And here we are, two and a Half months later, I would probably do a different presentation. I mean, I still think. Right. I still think that conversation about defining responsibility is critical. Absolutely is important.
But I would say if you haven't had that conversation yet, you need to do it yesterday. But because we're speeding past that now, and that's that second group of organizations I talk to who just say that they've had a governance model, they know who's responsible for what, but their governance program that they put in place, you know, a month ago and loved it, is now obsolete just because of the speed to market of these different AI technologies.
I'd also say, you know, there's so many reports that came out last year from different organizations saying that we're adopting AI exponentially faster than we can govern it. And McKinsey's most recent AI trust research did say that. It said enterprises can build agents themselves faster than they can build accountability for them. So in other words, yeah, I, I absolutely agree with you. Infrastructure is improving, governance structures aren't keeping place, and we really have to move to that point at which AI governance is continuous rather than a series of periodic checks. And so in thinking a lot about this, and I kind of hate that I'm saying this to be honest, right.
Because my real job outside of my, my day to day job is as an ethics professor. Right. But I would say that oddly enough, the way to accomplish successful AI governance is via AI, right? It's using AI agents to provide ongoing risk assessments, real time governance visibility and interventions that are, you know, that are light speed in nature.
You know, if you use AI for governance, you get proactivity, you get the continuous review, you eliminate what we do for other governance models, which are those periodic checks, it enables us to be proactive rather than reactive, which I know we're trying to do with all compliance. But yeah, this is really, that, you know, that use of AI to, to govern AI sounds a little, you know, sounds a little Jetsons, to be honest.
Yeah, and, and yeah, finally I would say that, you know, in thinking about the need to have AI governance be more mature, we know that there are organizations who are focused on creating AI symbiosis. For example, neuralink is focused on that. And AI symbiosis is just enabling humans not to be surpassed by AI, right? Not your governance program, but human beings not being surpassed by AI.
And that's somewhat of a frightening thought. And I think that is a compelling reason for us all to think about AI governance now in a different light, because it impacts more than just our organization's governance, but it impacts us as human beings.
[00:21:16] Speaker A: Well, Laura, I couldn't agree with you more, and thank you so much for joining us. This is the kind of conversation I think touches on what a lot of ethics and compliance professionals are considering when it comes to the expanding and disruptive and transformative effect that AI is having on the field. So, once again, thank you so much for joining us.
[00:21:33] Speaker B: Thank you so much, Bill. I really enjoyed it.
[00:21:36] Speaker A: To learn more from Laura, please make sure to follow her on LinkedIn and also be sure to stop by Mitra tech
[email protected] to learn how they can help advance your organization.
For a ton of free videos, presentations, blogs, features and more about AI governance and best practices within ethics and compliance, please visit ethisphere.com and check out our Resource center as well as our Insights page. That's all for now. We hope you've enjoyed the show. For new episodes each week, subscribe to us on YouTube, Spotify and Apple Podcasts. Also follow at the sphere on LinkedIn to learn more about how we help organizations like yours make themselves more successful and more resilient by advancing business integrity. Thanks for joining us. And until next time, remember, strong ethics is good business.