Crafting a Cutting-Edge AI Governance Program: A Must-Know Guide for Businesses

Intro 0:00

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:21

Hi, Jodi Daniels, here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hi. I’m Justin Daniels, I am a shareholder and corporate M&A tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk, and when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:58

This episode is brought to you by — hello, where’s my dinky, really Red Clover Advisors. We need a new drum band here. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture with integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together, we’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com

Justin Daniels 1:36

Should we tell our audience that we’re sitting here sweating like crazy because it’s 96 degrees out, and they are putting in a new HBC.

Jodi Daniels 1:44

Yeah, so we’re going to, we’re going to have our podcast without interruption, but just in case you hear some like weird, loud bang, we’re fine. We’re good. It just might be our new AC system that hopefully will cool us on our 96 degree heated, hot day. We did choose to live in Atlanta. Sometimes, I’m not sure why.

Justin Daniels 2:05

As long as you agree, you’ll be retiring in Boulder, Colorado.

Jodi Daniels 2:10

Um, you know what? Really hot there too. But okay, let’s get back to business. So we are very excited today we have Arsen Kourinian, who is a partner in Mayer Brown, Mayer Brown’s AI governance and cybersecurity and data privacy practices. He advises clients regarding data privacy and AI laws and frameworks, and has published numerous articles regarding nuanced issues in these fields, including a forthcoming book entitled implementing a global artificial intelligence Governance Program. Arsen, welcome to the show.

Arsen Kourinian 2:42

Thanks for having me.

Jodi Daniels 2:44

Welcome to the silliness.

Arsen Kourinian 2:48

Yes, well, so, and I can’t say in Colorado, it’s actually really hot in the summer, and you have the altitude, so you don’t want to experience that heat.

Justin Daniels 2:56

But wait, there’s no humidity. It’s the humidity that in Atlanta, it is what is crushing.

Arsen Kourinian 3:02

I don’t know. I’ll take the humidity over that suffocating altitude difference, but that’s all for another day. It is.

Jodi Daniels 3:11

All right, we’re gonna bring it back.

Justin Daniels 3:13

But come on, I think Colorado will come back into the conversation because of our topic today, but we’ll get to that. All right, so Arsen, tell us about your career journey.

Arsen Kourinian 3:23

Well before law school, I had always a strong interest in technology, just keeping up with the latest trends and developments. It’s really fascinating the way you know, civilization has evolved, including from ancient times to the modern day. And I also had an interest in human rights issues, you know, looking at some of the abuses throughout history when it comes to data privacy. And, you know, the Stasi after World War Two and use of genetic data to harm individuals. It was something I was always interested in. And you know, after law school in the US at the time, were mostly dealt with sectorial privacy laws. Those were really the ones that affect such as financial privacy, consumer protection statutes related to communications like caspam, TCPA. But then, you know, having a chance to audit companies and assess compliance with these sectorial laws. You know, the real the world really took off after GDPR and the CCPA and thereafter and data privacy and also AI, which was a subset of data privacy at that time, and now with post 2022 with the Gen AI praise, companies are more and more thinking about both data privacy and AI issues and how to build AI and that sort of brought my career to full circle where I’m advising on both the data privacy side and the AI governance side, and also just making sure that you know as part of the compliance process to think about consumer first as far as what. Would be beneficial for a consumer, and that’s helpful for company brand. And that’s sort of how my journey went from, you know, interest in technology to also helping companies protect, you know, human rights issues and consumer rights issues, so that they provide a product ultimately that’s, you know, beneficial for the public and profitable for the company.

Jodi Daniels 5:23

I posted the other day about why people love privacy, and what you were just talking about reminds me so much of the answers around just the passion people have for protecting human rights, protecting data. So thank you so much for sharing. Now we’ve been talking a lot about AI governance on this podcast, and in your opinion, what should an AI Governance Program include?

Arsen Kourinian 5:49

Yeah, you know, when developing an AI governance program, my approach is to stick closely with domestic and global AI laws, guidelines, principles and frameworks. I think it’ll get dangerous if you know, companies develop ad hoc what they think is best, without tethering it to a principle or a guideline or a framework. And so what I’ve done is I’ve done a study of the global AI laws. For example, countries are taking different approaches. One is the most stringent approach, of course, with the EU AI Act, which has very specific requirements on how to implement an AI Governance Program in conjunction with your compliance. And we have a mini version of that in Colorado, with the high altitude related to an AI Governance Program. And I think a lot of good information comes from there, and I think it’s going to serve as, ultimately, the model and a lot of state AI laws. Then you have, of course, the principles based approach, which the US on a federal level, with the White House AI Bill of Rights, and the UK issuing its own principles, and the OECD AI principles, and then you have an approach like Singapore, where they’re providing guidance and information on how companies can implement an AI governance program, but they don’t necessarily mandate it by law. And I think if you combine all of these together and also factor in how the major AI frameworks like RMF and the ISO IEC, 42 001, standards come into play. Although all of this, combining all of this in an AI governance program may seem overwhelming, they actually share so many common elements that it is actually very practical to do so. And so I think an AI Governance Program does need to have all of these elements in there. I think for companies that may have a limited footprint where, let’s say they’re not subject to all of these laws, or they don’t have the resources, at a bare minimum, they should be thinking about at least the principles based approach, and secondarily, if they have the resources to consider mapping to a major framework, because that should get you maybe about 70% there if you do map to some of the major frameworks.

Jodi Daniels 8:17

Arsen you mentioned around the Colorado AI Act, Justin’s favorite state, and that you thought some of it might serve as a baseline for others. Could you share a little bit more of maybe some of the areas that you think might be pulled out, or just a little bit more context on that?

Arsen Kourinian 8:35

Yeah, so with Colorado, the passage of their law was actually a coordinated effort with the Connecticut legislator. Connecticut didn’t end up passing theirs, but they actually we interviewed Senator Rodriguez as part of one of our podcasts. But one thing he mentioned is that they definitely coordinated efforts with Connecticut, and they actually ended up presenting nearly identical AI governance laws Colorado passed, Connecticut didn’t, but if you look at it also, California has pending legislation which initially started off it was an algorithmic discrimination law looking very similar to Colorado, and then the high risk categories were basically matched up. It’s since been watered down to only apply to in the employment context, and I think we’re two days away from finding out if it passes. But I think ultimately, like the privacy laws, we’re probably not going to see federal comprehensive AI legislation anytime soon, also considering it’s an election year, but we may see a state by state level dominoes falling, and I think Colorado’s will probably serve as a benchmark for what a comprehensive AI law would look like, and then on a state by state level, one other thing we’re seeing is very light versions of AI. Laws, such as in Utah and Illinois just passed one in the employment context, where the core requirement is transparency, to be transparent that you’re using AI. And then, of course, there’s also the employment laws too, like New York City Local law 144, and then Illinois prior Well, it’s still in effect, but the AI interview Act, which also requires transparency, so I think all in all doubt policy serve as a benchmark. It’s also a good benchmark to rely on in the US, because one of the things that Colorado’s AI law does is it actually expressly incorporates the NIST AR, MF and the ISO IEC, 42 001, standards, which sort of underscores the importance of these frameworks and how they’re sort of interwoven with these AI governance laws.

Jodi Daniels 10:54

So just a few months/

Justin Daniels 10:58

I guess, I have a question for the two of you, and we’ve this is like a theme in the podcast. So Arsen, I’m just curious for your perspective, I think we had a guest on where the United States is, like the only top 10 GDP country in the world that doesn’t have any kind of federal privacy security framework. And so now, if you think about it, as of today, we have 19 state privacy laws. You’re on our show, you’re talking about Colorado, Connecticut tried to pass law York. What do you think is being lost if you’re a company just trying to go out and use some of these tools, having to comply with all these different state laws, as opposed to having, like, a federal GDPR for AI and security. Just love to get your perspective on that.

Arsen Kourinian 11:40

Yeah, you know, I think de jure, we don’t have a federal comprehensive law, but de facto, we sort of do. And the reason why I say that is because on a state by state level, if you count Florida too, we’re up to 20. I know sometimes Florida gets excluded because it applies in a limited context, but if you look at these laws, yes, there, of course, there are some minor differences around, let’s say, getting consent for sensitive data, certain categories, etc, but more or less, they all share common elements. So implementing a compliance program harmonized across the board for all of these 19 or 20 comprehensive state privacy laws, it basically artificially created a de facto federal standard. So if you’re a multinational company, and you know you have, you offer products and services to residents, all in all, throughout the US, you know, one approach you can take is to harmonize all these requirements, not have privacy policies with 20 different state by state callouts, which I think is no longer feasible. But of course, certain companies still do that, and there’s some logical sense to doing that, but usually just having even thinking about doing an across the board all us, extension of privacy rights and a privacy disclosure that comports to all these requirements, and that basically future proofs you because when all new state laws passed in 2025 and 2026 which is inevitable, and we have a 50 state approach, like the data breach laws, you know, it’ll Future Proof it, and it’ll sort of get you ready to comply with all these new laws that are coming out.

Jodi Daniels 13:27

With all that we’ve been talking about, these multiple laws, multiple frameworks, privacy and AI. How should a company think about building an AI governance program with this kind of patchwork scenario?

Arsen Kourinian 13:42

Yeah, you know, when I did my study of the domestic and all of the global aa laws, guidelines and frameworks from my book, you know, I noticed that they all boil down to certain high level components, and the first component is forming an AI governance team, and I listened to your prior podcast, and Shoshana covered it really well, where she talked about how the AI oversight team should be developed and so going on, I guess, to the second high level components, it’s data governance. Data is a very important component. It serves as the lifeblood of training an AI model, or if you’re on the deployer side, it serves as the input prompt for your use of an AI system. And for that, it’s critical to understand whether you have the legal right to use the data in both training the AI model and also as the input prompt if you’re especially going to make significant decisions about individuals and to document all that, it’s often done in a data provenance record, where you trace the lineage of the data. And also, from a privacy perspective, we often document that in a data inventory, which a lot of data privacy professionals. Familiar with. So that’s like one component after leadership to have a Data Governance Program. The next component, which is basically present in all these laws, is a risk management process. I think it’s important to develop a risk management framework that comports with your practices and the law. And to think of it very broadly, to clearly identify areas where it’s a prohibited practice, where you’re ranking the risk. And for prohibited categories, you can use the EU AI Act prohibited categories. And then also there are laws of general applicability, where, like engaging in unfair and deceptive practices in the US or certain credit decisions that are automated without an ability to explain how the decision was made. And so to think of what laws apply in your jurisdiction, identified the prohibited categories. And then after that, you rank your high risk areas, and the high risk again. A lot of the law share common elements, whether it’s the high risk categories under the EU AI act, such as employment and healthcare critical infrastructure. And then high risk categories under Colorado’s law, which you know benchmark pretty well with the EU AI act, plus or minus a couple of areas, and then everything else either falls within low or minimal risk. And you know, with low, your main obligation is transparency, and with minimal, it’s basically optional to comply with some of these requirements, but you want to document all these risks and an impact assessment, you know, which I’ll cover in a minute too, and then document that with the understanding that this risk assessment is ultimately going to be produced to regulators after a risk assessment, it’s important to do a legal analysis. You would need to assess which specific laws are you subject to, and what is the delta left over of things that you do need to go do to bridge that gap. For example, if you’re subject to the EU AI act, even if you implement the risk management system that ranks the risk, and also, you know, you comports to a particular framework. There’s also some procedural requirements you still need to do, such as registering your AI system, putting the CE marking and other steps you would need to take. So it’s important to really understand the legal landscape, which not only includes AI specific laws, but also laws of general applicability that applied even in your AI use case. And then the last two steps, the fifth part, is mitigation measures. And so when I took a look at all the AI laws, a lot of the mitigation measures, they sort of match up together, like the core components. You know, they talk about things like transparency and explainability, avoiding algorithmic discrimination and bias, ensuring your AI system is accurate, robust, safe, secure, having certain technical documentation and continuous monitoring oversight of AI vendors, decommissioning the AI system. And so all of these core components would sort of match up well with a lot of the AI laws and frameworks. And then the last core component is accountability. So when you take all of these steps, your word is not enough that you’ve done all of it, you need to document it, and it’s often documented through policies and procedures and a record indicating that you’ve taken steps to enforce your policies and procedures and actually physical, actually adopted in your corporate minutes that these this is the official company policy.

Justin Daniels 18:43

Funny, when you were citing those different components, Arsen, all I could think about is, oh, he’s talking about NIST AI, RMF, but what you’re really saying is risk, the NIST AI framework, as well as the the AEC, those principles are infused in the laws, and I assume that’s why you’re saying those frameworks are so helpful.

Arsen Kourinian 19:02

Yeah, I mean, just to give you an example, when we’re talking about the EU AI act, one of the mandatory requirements for providers implement the risk management system and so mapping to one of these major risk management frameworks, but address that. But also a framework like the ISO, it’s a lot more prescriptive and broader in scope, and it’s even touches on, like the conformity assessments you would need to do, and other components. And also on the business side, not just the legal side, about securing the right resources to develop an AI system, among other things. So that’s why, the reason why all of this sounded familiar is because I didn’t come up with something novel. These are all written in plain text, and all of these guidelines and laws, what I try to do is harmonize all of these into these components so that it’s a. Bit more easier to view it and sync your practices within that to demonstrate accountability on a global level.

Justin Daniels 20:08

So speaking of something that may not be novel, but we have to harmonize, it is Jodi and I, both in our respective day to day with clients, get this question a lot, and that is, who should own AI governance. I see it a lot by committee, but committee, somebody has to be accountable. So what are you seeing with companies, and what is your recommended approach? Well,

Arsen Kourinian 20:32

I mean, the correct answer is committee, because, of course, it touches on diverse skill sets. Do you need AI? Touches on data, privacy, IP, antitrust, litigation, employment, but you know, ultimately, as part of the committee, somebody needs to move the ball. And oftentimes what I’m seeing is AI governance sits sometimes in different groups. The most common scenario is it sits within the Office of the Chief Privacy Officer. So that’s one area I’ve seen. And of course, privacy is taking ownership of AI, as we saw with the IAPP’s announcement. And practically speaking, I think I just see a lot more data privacy professionals getting involved on the legal side with AI governance, but I’ve also seen AI governance sit within IP, the chief IP officer of a company, and that makes sense too, because you want to protect the patentability of any types of inventions derived from AI. And also there’s copyright considerations with the input prompt. Those are the most common ones I’ve seen. But I do advise companies that when you’re forming this committee, it is multi stakeholder. And in fact, at our law firm Mayer Brown, we formed an AI steering committee that has all of these stakeholders involved, so that we are in sync together and coordinate our efforts together. And it’s been fruitful. We’ve been able to deploy teams to help clients. And I think we’re sort of seeing companies take that approach too internally.

Jodi Daniels 22:15

You mentioned earlier about AI assessments, and I wanted to come back to that which they’re really important piece of an AI Governance Program. What tips can you offer to help companies actually complete these in a timely fashion that make them meaningful? Yeah, you

Arsen Kourinian 22:33

know what? What AI impact assessments? I think a good starting point is to develop the template that you’re going to use as the end product, not filled in yet, but just the template for the template AI impact assessment. I am going to include one in my book that’s coming out, so hopefully they’ll be out in September, and people can take a look. But with the template, what you want to do is you want to weave in some data protection impact assessment requirements which are already present under Data privacy laws. But there, you know it’s article 35 for GDPR, and also the US laws that also require this. So you incorporate that, you’ll also incorporate some AI specific requirements, because the data privacy laws are focused on personal data, while an AI impact assessment is not just focused on data, rather, it’s also focused on the practical harms, like more of a product liability standpoint of an AI system being used, and the potential harms it can have on the population As part of that development of that AI Impact Assessment template, I think you take all these components, put them together, but what’s also important is to really understand the Probability And Severity of the harm that can arise from an AI system. And also think of your mitigation measures, like, what steps have you taken to take that raw risk that’s unmitigated and then apply mitigation to reduce the risk score. Once you put together the template, the next thing you need to do is, I don’t recommend sending that template, AI Impact Assessment, around to different groups yet to fill it in individually. I do think that there should be a quarterback or a captain responsible for the end product, because oftentimes, when you send these forms and it has questions about, you know, what personal information do you collect? Etc. You know, day to day employees who are not knee deep in privacy and AI may not understand that B to B, contact information is personal information. A device ID is personal information. And they may answer that question as, oh, we’re fine. We don’t collect any personal data in our AI system. And so what you want to do is you want to set up have a stakeholders, an individual who’s responsible for the practice, and for that person to engage different stakeholders in. The company, gather the information that they need, and then ultimately prepare the AI impact assessment, also for the AI impact assessment. One final note is your all there’s two objectives with it. One objective is to genuinely assess risk, identify mitigation, measures and come to a conclusion as to whether should I launch this AI product or not? The other objective is, of course, is the regulatory side, which is you want to demonstrate accountability and compliance, and so when you’re drafting this, be very mindful that you may need to produce this to a regulator when you’re subject to an investigation, whether it’s under AI laws or data privacy laws. And so when you’re drafting it, be very careful make sure that any statements you put in there are in fact truthful and comport to actual practices. And also think about, you know, if you want to have guardrails around it, about, you know, having enough information for that, for that impact assessment to be useful, but also not putting strenuous information that, frankly, doesn’t answer the question that is not needed.

Jodi Daniels 26:12

I love how you were talking about making sure you know, the data that’s actually being collected. I was talking with a company earlier, and they were speaking with different parts of the company, who all said, Oh, no, we don’t have any personal information. And of course, we all know that that wasn’t true. So very, very important to do data inventories and all these different tools. Why are you laughing at me?

Justin Daniels 26:37

Because I hear the same thing when I’ve handled a data breach. Oh, we don’t have pi there, and then magically, we find it. So it’s just your point of if you don’t do a data inventory on the front end, you’re probably going to pay for it on the back end when the worst happens. But anyway, so Arsen, what is your best personal privacy tip that you might offer at a party when they’re asking you for cool privacy and AI stuff?

Arsen Kourinian 27:05

Well, to the extent the party folks are interested in privacy, I mean, the one tip I’ll say is this, and maybe this is less for partygoers and more for people that are thinking about maybe entering the AI or privacy sphere, and which is like, how to read these laws and how to apply them and and the approach I recommend is, if you just look at the black letter of the law and try to do a textual construction like attorneys are traditionally used to in law school, it’s probably not going to work in in the AI and data privacy world. And the reason why I say that is because these laws the way they’re written, I often see this pitfall where certain attorneys will think more like a litigator of reading the law, trying to find loopholes while the comma was here. Maybe this is where how it should be construed, and I think this is what caused a lot of risk when certain companies were interpreting what the sale mean under CCPA in the ad tech context, and they just had these creative solutions as to it’s not a sale when you put a cookie on the website and it got a lot of companies in trouble. So the tip to mitigate that is to not necessarily read the law textually and try to come up with novel exceptions and loopholes, but to understand what was the context for that provision regarding the AI law or that provision regarding data privacy law. Because when you understand the context and what the legislator was trying to protect against, then you can understand, okay, what is the regulator going to look out for that? My company is not doing that. This law was intended to protect against, um, and so that’s one tip, the interpretation aspect to understand context, rather than a strict textual reading of what these laws mean. The other is how broadly you want to employ it. Um, I think, in the old world where maybe it was just one GDPR and one CCPA that were seen as the major AI data privacy laws. And now with AI, we’re sourcing that new evolution where it’s EU AI act is Colorado companies, when they’re thinking about it, do they want to do a siloed approach of like, this is the one law I’m subject to, I’m only going to comply with this, or do they want to be forward looking? And so some of the tips I give to companies is think forward looking. Maybe you’re not subject to these laws right now at the moment, or maybe you’re subject to this one law and have an exemption you can rely on. But the dominoes are rapidly falling everywhere, on a domestic and global level, do you want to future proof your product? And it would be very costly if you built an AI system train, an AI model using data with some legal argument. I didn’t need to get consent, or I didn’t need to give a transparency notice to use that data as part of that model, and then, lo and behold, down the road, you find out I need to discourage my model. So have you seen with some of the FTC actions? And so those are the two tips I would give, understand context when you interpret the law, and d think about future proofing, it, even if you may not be subject to some of these laws at the moment, very helpful.

Jodi Daniels 30:26

Now, when you’re not advising on privacy and AI, what do you like to do for fun?

Arsen Kourinian 30:33

Well, I do like to read, not only about AI laws and their privacy laws, but I do like to read literature, and I’ve recently actually started to reread some of the books that I loved in undergrad. And early on in high school, I started reading again Mary Shelley’s Frankenstein. So my favorite books, and, you know, it’s funny, a lot of parallels there with with AI, which is sort of like this artificial creation we’re creating. And you know, if you don’t provide it the proper love and care as what happened with Mary Shelley’s Frankenstein’s monster, it could terrorize the population. But if you do, you know, show that love and care like the little child did in in that story. If you’ve read Mary’s Frankenstein, then you sort of see the good side of it, too. So I do like to read literature. I think there’s a lot of good learnings you can take from literature. And I also love playing chess, something I’ve played as a child, just as a hobby, nothing professional, but it’s a good way to sort of concentrate and have a clear thought.

Jodi Daniels 31:41

Amazing. Now, Arsen, if people would like to learn more and grab a copy of your upcoming book, where can they go?

Arsen Kourinian 31:48

Well, the book is going to be released on Bloomberg Law. It’s going to be an ebook. I decided to make it an ebook because it’s good for the environment not to have too much paper around, but also this area of law is evolving so rapidly that I felt that if somebody had a physical copy, it’s probably going to be outdated in a couple of months. And so by having it on the platform of Bloomberg Law, what I’m planning on doing is doing periodic updates to it on a regular cadence, so that it’s always fresh and new and accounts for changes in technology and legislation. You can also learn more about, you know, my bio and some of my other publications on the Mayer Brown website, where I link to some of my publications.

Jodi Daniels 32:36

Well, we’re so grateful that you came by today to share with us how to successfully build AI governance programs and frameworks that we should consider so thank you so very much.

Arsen Kourinian 32:47

No problem, and stay cool.

Jodi Daniels 32:49

We’ll try. All right, take care.

Outro 32:56

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.