Full Report
Boards want answers on AI: Where is it used? What risks does it create? How is it governed? Keep Aware released a free template to help CISOs present GenAI adoption, risk, exposure & controls clearly to leadership. [...]
Analysis Summary
# Best Practices: Communicating AI Risk and Governance to the Board
## Overview
These practices focus on structuring the conversation between a Chief Information Security Officer (CISO) and the Board of Directors or AI Committees regarding the incorporation of Generative Artificial Intelligence (GenAI) within the organization. The goal is to effectively communicate adoption scope, associated risks, current exposure, and established governance controls, translating technical security details into business risk language.
## Key Recommendations
### Immediate Actions
1. **Establish Visibility Scope:** Immediately identify and document all sanctioned and "Shadow AI" usage across the organization to understand the actual breadth of AI adoption.
2. **Identify Top Data Leakage Vectors:** Begin tracking incidents or attempts where sensitive data is being input (prompts, uploads) into AI tools.
3. **Draft the Core Narrative:** Prepare preliminary metrics on current AI usage, focusing on adoption growth and the types of data potentially being exposed (e.g., PII, IP, regulated data).
### Short-term Improvements (1-3 months)
1. **Define Initial Risk Landscape:** Systematically document the primary risks introduced by AI adoption, explicitly listing data leakage, regulatory exposures (GDPR, HIPAA), and account switching vulnerabilities.
2. **Develop Risk Exposure Quantification:** Implement a system to report on sensitive data input attempts blocked, including categorization of the most at-risk data types, to quantify exposure metrics.
3. **Formalize Acceptable Use Policies (AUPs):** Finalize and distribute clear, enforceable Acceptable Use Policies regarding the use of sanctioned and unsanctioned AI tools.
### Long-term Strategy (3+ months)
1. **Integrate Data Lineage Controls:** Establish robust integrations between AI tools and existing data sensitivity labeling or classification systems to automate policy enforcement.
2. **Implement Continuous Training & Awareness:** Roll out mandatory, role-specific employee awareness training focused specifically on the risks of the AI tools currently in use.
3. **Establish Governance Feedback Loop:** Institute a regular review process (quarterly/biannually) for vendor risk assessment concerning new AI service providers and ongoing monitoring of AI security posture against evolving threats.
## Implementation Guidance
### For Small Organizations
- **Focus on Shadow AI Control:** Prioritize real-time monitoring or browser-level enforcement mechanisms to immediately address unsanctioned AI usage where formal procurement processes may lag.
- **Keep it Simple:** Focus initial board reporting on clear metrics: *How many people are using AI?* and *What is the single biggest risk we see today (e.g., accidental IP submission)?*
### For Medium Organizations
- **Sanctioned Tool Documentation:** Create a definitive, centrally managed list of sanctioned AI tools and ensure all users are aware of the approved catalog.
- **Policy Visibility Metrics:** Report quarterly on the effectiveness of AUPs through quantifiable metrics, such as the percentage reduction in sensitive data inputs following policy rollout.
### For Large Enterprises
- **Comprehensive Risk Register:** Integrate AI risks (e.g., model bias, intellectual property contamination, regulatory non-compliance) into the existing enterprise risk management framework.
- **Internal/External Auditing:** Schedule regular internal audits specifically targeting AI usage policies and external vendor risk assessments for AI services to ensure compliance with complex regulations (e.g., HIPAA, GDPR).
- **Account Activity Monitoring:** Implement controls specifically designed to detect and alert on account switching between personal and corporate accounts when interacting with generative AI platforms.
## Configuration Examples
*(Note: The source article focuses on presentation structure rather than specific technical configurations. Technical configurations should be derived from the chosen control method, e.g., CASB/SASE policies.)*
**Example Configuration Focus (Browser-Level Enforcement):**
* **Action:** Configure network or browser security tools (e.g., next-gen firewalls, endpoint detection, or specialized browser security platforms) to inspect outbound data streams directed toward known generative AI service URLs.
* **Rule Example:** Create a policy to block or quarantine HTTP/S POST requests containing data classified as "Confidential" or "PII" destined for domains like `*.openai.com` or `*.google.com/gemini` unless the traffic originates from a provisioned corporate account session.
## Compliance Alignment
- **NIST CSF:** Aligns directly with **Identify** (Asset Management, Risk Assessment) and **Protect** (Access Control, Data Security), and **Detect** (Monitoring for anomalous AI activity).
- **ISO 27001/27002:** Supports the implementation of Annex A controls related to information access restrictions and secure system acquisition/development, particularly A.14 (System acquisition, development, and maintenance).
- **CIS Controls:** Supports controls focused on **Boundary Defense** and **Data Protection** through visibility and enforcement mechanisms over web traffic.
## Common Pitfalls to Avoid
1. **Using Technical Jargon:** Do not present raw log snapshots or technical protocol details. Translate all findings into business impact (e.g., "We prevented a potential seven-figure regulatory fine" instead of "Blocked an API call violating DLP signature 4013B").
2. **Ignoring Shadow Usage:** Assuming only sanctioned tools are being used leads to an artificially low risk profile. Comprehensive visibility into unsanctioned use is critical for accurate reporting.
3. **Focusing Only on Threats:** Boards need assurance. Ensure the presentation balances risks with demonstrable **Guardrails in Action** (what security is actively *allowing* the business to achieve safely).
4. **Lack of Quantification:** Reporting vague statements like "Risks are high" is ineffective. Always back statements with measurable data, such as "Near misses involving proprietary code submissions increased by 15% last month."
## Resources
- **AI Monitoring Platforms:** Tools designed to provide full visibility and control over AI usage within the browser environment (e.g., Keep Aware).
- **CISO Presentation Template:** Structured frameworks designed to bridge the technical-to-business communication gap regarding GenAI adoption and risk management.
- **Internal Documentation:** Organizational Acceptable Use Policies (AUPs) for cloud services and generative AI.