Andrew Burt is a lawyer, entrepreneur, and former national security official widely recognized as one of the world’s leading experts in the intersection of law and artificial intelligence.
Over the last decade, he has built companies, law firms, and software systems that have revolutionized how AI is managed for legal risks, and his work has impacted hundreds of millions of people around the world.
As a pioneer in the field of legal engineering, he founded and led the world’s first legal engineering team focused on automating data governance in 2016. In 2019, he co-founded and later sold the first-ever law firm run by lawyers and data scientists solely focused on artificial intelligence.
He is co-founder and CEO of Luminos.AI, the first AI governance company focused on legal risk, where he currently serves as CEO.
Here’s a glimpse of what you’ll learn:
- Andrew Burt’s career journey as a lawyer, entrepreneur, and former national security official recognized as a world-leading expert at the intersection of law and artificial intelligence
- The challenge of scaling AI governance effectively
- The benefits of evaluating AI risk by use case
- Overview of the NIST AI Risk Management Framework and Andrew’s role co-authoring it
- Common missteps companies make when AI governance committees lack authority
- The risks of “governance debt” and the need for accountable leadership in AI governance
- Factors that push companies to prioritize AI governance
- Emerging governance risks associated with AI agents
- Andrew’s prediction about the future of AI regulation in the United States
- Steps companies can take to strengthen AI governance
- Andrew’s personal privacy and security tip
In this episode…
Companies are adopting AI faster than they can set guardrails around it. Privacy and legal teams can review an AI model or approve a vendor contract, but AI governance doesn’t stop there. Risk varies by use case, including whether the system is internal or customer-facing and the level of human oversight involved. As organizations connect new AI tools, chatbots, and agents to more business processes and systems, AI governance has to move from policy to a scalable structure.
One of the biggest challenges companies face is making governance work at the same speed as AI adoption. Andrew Burt knows this well as a co-author of the NIST AI Risk Management Framework, where he helped shape how companies identify, document, and manage AI risk. Turning frameworks into action is where organizations often get stuck. Implementing AI guardrails requires involvement from legal, privacy, security, compliance, engineering, and other business teams. Yet when too many people share responsibility without a lead decision-maker, it can create what Andrew calls “governance debt.” Effective governance starts with accountable leadership and a working connection between the teams writing the rules and the teams building the AI systems. This means moving beyond policy-heavy approaches so governance can scale with the business and the technology.
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Andrew Burt, Co-founder and CEO of Luminos.AI, about the challenges of scaling AI governance. Andrew explains why traditional governance models struggle to keep up with how quickly AI systems are built and deployed. He breaks down the differences between managing risk at the model level and at the use-case level, including why the same AI tool can carry different risks depending on its use. Andrew also shares his prediction for the future of AI regulation in the United States and offers practical steps companies can take to strengthen AI governance.
Resources mentioned in this episode:
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors’ website
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: info@redcloveradvisors.com
- Data Reimagined: Building Trust One Byte at a Time by Jodi and Justin Daniels
- Andrew Burt: Website | LinkedIn | Email
- Luminos.AI
- NIST AI Risk Management Framework
- AI Incident Database
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media.
To learn more, and to check out their Wall Street Journal best-selling book, Data Reimagined: Building Trust One Byte At a Time, visit www.redcloveradvisors.com.
Powered by Rise25 Podcast Production Company
Intro 0:01
Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:21
Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies.
Justin Daniels 0:36
Hello, I am Justin Daniels. I am a shareholder and corporate M and A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk, and when needed, I lead the legal cyber data breach response brigade.
Jodi Daniels 1:02
And this episode is brought to you by No One Can Hear You and Your Claw on My Head, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust, so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com Hi, you may not steal the smoothie that no one can see on my desk.
Justin Daniels 1:43
Well, I have to look at the crumb cake on your screen while we do this over lunch.
Jodi Daniels 1:48
Exactly.
Justin Daniels 1:49
Do you see the unfairness of that?
Jodi Daniels 1:51
You could have gotten a snack. It’s not my fault you didn’t.
Justin Daniels 1:55
I see,
Jodi Daniels 1:55
and I’m not sharing, even though sharing is caring, as your mom says.
Justin Daniels 2:00
Wow,
Jodi Daniels 2:01
actually, that was a, it was a kid’s book with the shark.
Justin Daniels 2:05
Indeed,
Jodi Daniels 2:06
how sharks are caring and sharing, but anyway,
Justin Daniels 2:08
wasn’t he like Hank the shark? I forget,
Jodi Daniels 2:10
Clark the shark.
Justin Daniels 2:11
There you go,
Jodi Daniels 2:12
brings back memories. Okay, but we’re going to come back to AI today. It’s
Justin Daniels 2:17
AI day. It seems like every day is AI day. It is. It
Jodi Daniels 2:20
It is so. Today we have Andrew Burt, who is a lawyer, entrepreneur, and former national security official, widely recognized as one of the world’s leading experts in the intersection of law and AI. He is co-founder and CEO of Luminos.AI, the first AI governance company focused on legal risk, where he currently serves as CEO, and he has a fascinating background that we’re going to get into soon. So, Andrew, welcome to the party.
Andrew Burt 2:50
Thank you so much. It’s good to be with you. It feels like a party, and I’m hungry. I want some coffee and smoothie already.
Jodi Daniels 2:59
Everyone wondering, yes, we are recording during lunch time. This is what we do for you people. Okay, we love it.
Justin Daniels 3:06
So, Andrew, why don’t you tell us a little bit about your career journey?
Andrew Burt 3:11
Okay, so thank you very much again for having me, and thanks for that intro. So, in a nutshell, I have been the only lawyer in a room full of data scientists for a very long time, so after law school, FBI Cyber Division helped build a company called Immuta, which is an awesome data governance company. Left, I built Luminos.Law, the co-founder, first and only law firm focused on AI risk, and then that ended me up here as CEO and accidental CEO and co-founder of Luminos.AI and what I’ve been focused on again for over a decade is, how do we take lawyers who live in Microsoft Word and write memos, Google Docs, if we’re lucky, and then technologists and data scientists and engineers who build code and train algorithms, and how do we connect them, and so the real question that I’m focused on solving every day is, how do we take legal rules and automate them in a way where they can actually be embedded into AI systems, and so that’s my focus, the focus of Luminos, and it’s what I’ve been thinking about for a very long time.
Jodi Daniels 4:15
I feel like you were going to say something,
Justin Daniels 4:18
I know better than to try to than you do,
Jodi Daniels 4:21
I know this next topic, Justin, you have a lot of thoughts on, so I’m, and we kind of started on the pre-shast, so Justin, I think you should, you should kick us off here.
Justin Daniels 4:32
I will, that so in my legal work, I’m a huge fan of the NIST AI Risk Management Framework, and so, as it would happen, Andrew, you helped co-author the NIST AI Risk Management Framework. So, looking back, what do organizations still misunderstand about AI governance?
Andrew Burt 4:56
Yeah, so all right, AI governance, I would say it’s actually a term that. Means everything and nothing at the same time, so we could talk about this for the rest of the show, and frankly, for many more shows. I would say the biggest pain point, the places where I’m going to use AI governance, for lack of a better word, where AI governance efforts really fall apart is scale, and so, like, I talked about before, lawyers, risk professionals, privacy professionals, we like to write memos, and then those memos, those policy frameworks, you know, heaven forbid, the ethical principles, which really have a hard time getting translated, it’s the engineering, it’s the automation, it’s what happens once you throw these rules over the fence to the engineers and the data scientists, and so that’s really what I’m focused on every day, and I think that is where I see companies in trouble, and as kind of simplistic as it sounds, the way that I’ve started framing this is it’s just a math problem, it’s a math problem, it’s a multiplication problem. You just have a few attorneys who are in charge of helping these data scientists make sure that dozens or hundreds or 1000s of AI systems and chat bots and agents are complying with these rules in the memos, and fundamentally that system just doesn’t work. Just literally, the math doesn’t add up. We don’t have the time, and so the real question is, How do you take what’s in these frameworks and then make sure it actually gets applied to these models as they’re running about?
Justin Daniels 6:36
So, Andrew, I was just curious for your thoughts, kind of emphasizing what you’re saying, so one of the interesting conversations I have is there are a lot of organizations out there, so let’s say they’re using Claude, and they’re gung ho, and they’re connecting Claude to like everything, and they really haven’t had this AI governance conversation, let alone scaling it the way you’re talking about it. What do listeners that we have who are lawyers need to be saying to these companies who are like, “You know what, I just want to connect it all. Look at what Claude does. This is awesome. We’re just full speed, damn the torpedoes.
Andrew Burt 7:20
Okay, so two thoughts. First, is as lawyers we like to do what’s familiar. So first I would say this is not a contract issue. A lot of the first things I see when I hear this question is let’s look at the contract, and contracts are very important, but there’s a lot more here that’s going on, and so, a lot of times, what we see is the legal and privacy folks get bogged down, and they’re only seeing one part of the picture, because there are contractual issues, and it’s what’s familiar, and all the other stuff kind of flies out the window, and then the other thing that I see all the time is companies focus on claw, they focus on the model, and not the use case, and those are two very different things. And so initially the conversation is, okay, everybody wants to use Claude, let’s do a review of Claude, and then they review Claude, and they look at the contract, and they look at the AI governance principles, and all the other stuff, and model cards that come from vendors, Claude or not. So models hold a lot of risk, but at the end of the day, it’s actually, it’s the use cases, the risk profile is going to change depending on how the model is used, and so the bad news is that adds a lot of complexity. The good news is, if you do it right, you can actually manage a huge amount of the risk. So, I think that’s the first thing, so you don’t don’t think about the risk as associated with the model, it’s the use of the model that generates the most risk, so you can use if there’s a human in the loop that changes that changes everything, if it’s customer facing versus internal facing that changes everything, and so there is like a huge difference between using a frontier model for, you know, coding assistance in a sandbox with a developer in the loop versus having an agent write emails on your behalf that end up being sent, you know, outside your organization.
Justin Daniels 9:14
So it’s interesting you say that, because when I think about the AI risk management framework, and we talk about modeling and management. When you think about the modeling component of the RMF, you’re really talking about the use cases, which to me is a very kind of European approach, because their law looks at use cases, and then if you look at the Colorado law that looks at consequential decisions, the RMF does such a great job of lining you up to think about it exactly the way that you’re describing it in your answer.
Andrew Burt 9:49
Yeah, I mean, so yes. Thank you. I could just stop talking there. So that’s wonderful, but yeah, I think, and when we. So there was a wonderful team of folks who wrote and contributed to the RMF, but in the early days, when we were thinking about it, I think, so we came in as, as a law firm that was helping, you know, with our boots on the ground perspective, and we kind of got tagged in as, as researchers, but I think, as I’ve been working in this and thinking about this issue for a very long time, and building out legal engineering teams, there’s really just like one core component that you see in the way that technologies get regulated over and over and over again throughout history, especially revolutionary technologies, is regular. There’s a finite amount of things regulators can tell companies to do, and on top of that, regulators are very resource-constrained, as are lawmakers. So, there’s also a limit to how much they’re going to understand about the technology, especially technologies that move so fast as AI. And so, the best in class, the best thing that I think a very forward-leaning, intelligent, nuanced regulator or lawmaker can do is say pay attention to the risks in a way that’s use case specific, doesn’t have to be all or nothing. Make sure that you are documenting what those risks are and addressing them, and then really leaning on a third party, third party expertise, like we see this with HIPAA and expert determination, we see this in the model risk management framework in finance, we see this in NHTSA, and the way that cars are overseen, and so I think the NIST RMF reflects a lot of that, and I think what we’re seeing from regulators around the world also reflects that, which is just it’s a best practice that has been developed over decades, if not really centuries.
Jodi Daniels 11:46
Talking more about those use cases, we have multiple teams that really should be involved: legal, privacy, security, maybe compliance, product, maybe market, all the different people who might be using it. How would you recommend teams work together, and where are you seeing breakdowns?
Andrew Burt 12:04
So this is the hardest question, I guess. I, you already asked me, what’s the hardest question, second hardest question in this world, but it really trips companies up. I have extremely strong feelings about it. They’re just clear failure modes. I think a lot of companies are what’s a good way to put it. They’re playing with fire in the sense that a lot of companies are standing up these AI governance committees that have representatives from every single one of those organizations, and it’s the good old fashioned so many cooks in the kitchen, nothing gets done. I spoke to one company, we were talking about solutions, obviously. We’re talking about Luminos, and he said, “I would love to use you. Give me a little bit of time. 15 people need to sign off on this. And so you have this ingredient, these restaurant ingredients, where you have AI is moving faster than like anything. Agents, for example, so with Gen AI, we had customers and folks we’re talking to said, “Okay, this is moving really fast, but from a privacy perspective, I have – I had six months notice before we were going to use our first AI Gen AI system. I have been talking to folks that now say we have three weeks notice, or our agents are already out the door, so the speed is insane, and then putting these groups together, AI governance groups, AI governance committees with that many people without clear authority is just a recipe for there’s tech debt, let’s call this like governance debt, you’re just not going to move fast enough, and so it’s a real issue, and so I’m seeing it everywhere. I think my advice is don’t elbow people out. Everybody needs to be involved, but pick a decision maker, or pick two decision makers, and make sure they have authority to move fast. Make sure they have authority, make sure they have budget, make sure if they say that, hey, there’s a risk here, other people listen. As another mistake I see a lot is these governance committees will be led by someone that’s very junior, they’ll be composed of pretty junior people, and then when there’s an issue, they’ll go to the head of product and say, hey, we should think about this, and who’s going to win, you know, the person who gets paid to get products out the door quickly, or a smaller AI governance committee that is viewed as a barrier to AI adoption.
Jodi Daniels 14:22
It’s interesting that you’re seeing younger people, or like lower level people on those committees, because I’m typically seeing the senior level people on the committees, but definitely too many people on the committee, and it’s group think and group decision, and nothing, nothing moves forward.
Andrew Burt 14:41
Yeah, it’s more like, so there’s C-suite, and then there’s one level down, and we’ll see it’s like the one level down, it’s folks who report into the general counsel, or the CISO, or the CTO, or and so the breakdown that we see is really it’s like they’re C-suite people who have the most authority, it’s really like the. CTO, and that you know, whoever’s had a product versus these governance folks, and there’s just a fundamental, it’s you know, non-parity, whatever the right word is, and so if you’re structurally, if you’re looking at like how companies are responding, you’re going to have, you’re going to have companies get over their skis, and it’s just I just came up with the term governance debt, but I like it, so I’m just going to say it’s a recipe for governance debt, and it’s not the right way to do things, and so for companies that are approaching this and think about this way, I would advise them to very carefully think about, are they setting themselves up for failure down the road? Is
Jodi Daniels 15:43
there a committee size or a leader with some type of subcommittee? What, what have you seen that is successful?
Andrew Burt 15:51
So, what I’ve seen is successful is you pick one lead or two leads, and then they can have a committee underneath them manage, and then that lead should be C suite level. So I’m biased because I’m a lawyer, and I think lawyers have a lot of the institutional authority to address these issues. In fact, I actually think we saw the exact same thing with both security, but more importantly, with privacy, we had this new technology, big data, early days as days of real AI adoption, and then suddenly you needed lawyers involved, and lawyers were overwhelmed, and it was super technical, and so we had the rise of this technical lawyer who then got a sweet C-suite position, and so we created this position that was both legal and technical, but I think that’s very informative, because we passed lawyers with it, and we made sure they were technical, and CPOs have authority – almost every organization has a, you know, privacy and a data protection program, and they’re doing it reasonably well, thanks, you know, obviously to your advice, and they could do it better, so they should. They should be talking to you, but that would be my advice. It’s not the only way we’ve seen folks do it with Cisco, the security folks, but I think there needs to be someone who’s in charge. A core part of accountability is that if something goes wrong, you know who to blame, and if something goes right, you know who to give credit to, and so when you have just a dozen people, or six people, or five people, it’s very hard to have an accountable system, and accountability is what leads to effect efficacy, effectiveness, and so that’s my main advice. Just there needs to be a lead, and if there’s not a lead, you can’t move fast. If you can’t move fast, you’re not going to keep up with the pace of AI adoption.
Jodi Daniels 17:44
I totally agree.
Justin Daniels 17:46
So, Andrew, you know, given your background, I think we talked about the FBI and the NIST RMF from the perspective of looking at the incentives or disincentives we have in the system that kind of are causing people to want to go fast, but not think about AI governance. What do you think needs to change when it comes to regulation or other methods of getting companies to say, hey, we want to use these technologies, but why aren’t we putting in this AI governance architecture, because what I see mostly is, you know, you’re some, I suspect you run into these barriers of, hey, you know, we’ll get back to you in a few months, we’ll get back to you, because the need to have something in place overwhelms this architecture, I think, because the system of incentives or disincentives to actually have the architecture in place are broken.
Andrew Burt 18:46
Yeah, so okay, so one is just like, so in terms of what we need in general, I think it’s already there. We have a high-risk technology that companies are betting their future on. We have all of the different types of expertise needed. It’s like we have all the pieces, we just need them to put them together, and the risks are real. I run this super fun thing called Inside the Incident with the AI Incident Database. Check it out if you’re interested. And AI Incident Database is wonderful, and they just catalog AI incidents. They happen all the time. Companies get into trouble, companies hurt consumers, they, you know, harm the reputation because AI is high risk, it’s probabilistic, it will always do a thing you don’t want it to do, because that’s how it works, and so if you are serious about AI, you need to be serious about AI risk, so like that’s already true, but then there’s just human nature, which is we tend not to take risk seriously unless they blow up in our faces, and so I think the sad part of this is even though companies need to be doing this right now, I think it will take some pretty big failures, I think it’ll take some very serious regulatory fines for folks to really get their act together and. We kind of see this, you know, there’s like the AI adoption curve, and the we see is the companies that are consumer facing really care about the reputations that touch anything in a sensitive area, so a lot of employment, a lot of healthcare, wearables, medical devices, we see a lot of that already, but I think just the universe of companies that that care about this are going to expand over time, but I think it is sad to say that we need to wait for people to get hurt more, we need to wait for more bad things to happen for folks to take this seriously, because they should be taking this seriously. Yesterday,
Jodi Daniels 20:39
you talked about the move, and more and more companies are moving to agents. So, what are some of the governance challenges that concern you, or the ones that you’re seeing time and again?
Andrew Burt 20:52
So, speed concerns me. Just companies are adopting this too fast. So, speed concerns me, we can see my, my, my parrot friend is making noise here, so speed concerns me. I think a lot of folks don’t realize the full risks of agents, they think, like, okay, well, I’ve been doing this with traditional machine learning, and he now have chat bots, and now I have agents, and they’re kind of similar, but when you think about agents, like the core word there is agency, you’re giving agency now to this probabilistic system, and that probabilistic system could do many of the things a human can do, and so you are just like drastically expanding the scope of the things that can go wrong, and so I think in the rush to get these things out the door, I think a lot of folks are just kind of forgetting how much they’re opening up the aperture for risk with agents, and then I’ll just go back to what I said before, which is just automation again. There’s a math problem with agents it gets even worse, and so the data mapping best practices and the policies and the memos and the documents and the frameworks are all good and fine, but as the math gets worse, as that ratio of human oversight to AI systems just changes drastically, like the problem we talked about at the outset just gets worse.
Jodi Daniels 22:18
I’m going to flip my question, and I did it before. The companies that you see that are doing this well are doing what
Andrew Burt 22:26
they have, clear authority, responsibility. So there may be like a lot of cooks. I’m going to kill this metaphor, but there’s a head cook or something. So clear accountability, and then I think clear connection between the risk folks and the engineering folks, so the engineers and the data scientists can actually automate what needs to happen, and so I’ll give you, like, a example, and I’m a lawyer, so I keep saying what you shouldn’t do, but I’ll try to, like, reverse it. We see a lot of, like, just say, privacy folks or legal folks who say, “Look, we have this policy, and I asked my data scientists, and they said we’re doing red teaming, and we have safeguards, so we’re fine. That’s terrible, bad, bad, bad. Red teaming is very good, it’s important, but the idea for red teaming is it captures kind of the outer bounds of the way that users are going to interact with the system. A lot of red team is focused on how our malicious actor is going to try to break the system. Way less emphasis is placed on how are you know 80% of interactions in good faith going to actually touch the system. So you need more than red teaming for that. And safeguards are designed for latency, which basically means they’re designed to be as lightweight as possible, so they don’t degrade model performance and slow things down, and so they’re very, very basic, they’re very, very, very, very basic rules that the model can implement in real time, and so those two things are great, but that’s like 90 or 80% coverage, it’s not enough, you’re still leaving huge risks on the table, and so there needs to be a technical discussion with the lawyers and the privacy folks and the engineers and the data scientists. What are we going to actually do to capture the bulk of these risks in real time that are getting worse as we adopt AI more and more and faster and faster? And so I see it everywhere, and it’s a huge mistake, and it is just opening up these companies to liability and creating all these harms that are entirely unnecessary, and like this is the point, completely on a soap box here, but the point is not just let’s stop you from being sued, but really like let’s not do bad things, like you get sued if you do a bad thing, so like let’s not hurt people and hurt our reputation, and so now I’ll make that positive. So the way to do this, like we said, have clear lines of responsibility and accountability, and then make sure there’s some type of connection between the technical folks moving fast and building systems and the lawyers thinking about the rules, and so that involves like talking to folks like me, self. Interest plug, but Luminos, but also just making sure that there’s a line of communication between these different teams, because there needs to be, and if you don’t have that clear connective tissue, you just have two different worlds
Jodi Daniels 25:14
that makes sense. Let me get off my soapbox.
Jodi Daniels 25:17
I appreciate the extra info. I think it’s helpful. People need to continue to hear the same thing.
Justin Daniels 25:25
It’s just the same thing is happening with AI that happened with privacy and security. My thing is, I think the lack of accountability and lack of regulation is getting worse, because I’ll point out the other episode we had where we talked to a Georgia state senator about passing regulation in Georgia that dealt with AI in children, and one of the problems was the executive order from the federal government that they had to contend with that seemed to supersede states trying to pass laws and fill the void, much like what’s happened with privacy.
Andrew Burt 26:00
Yeah, I mean, I would say, like, good luck to the administration trying to do that. I know they’re trying to do it. I know they have an executive order that attempts to do that, but we saw the same game with privacy. I very wholeheartedly expect federal inaction, like the stuff that counts, which is legislation. I expect just like we saw privacy in action and AI, which is bad. I don’t want that, but I think that’s where the tea leaves continue to point, and so there may be some state legislators, legislatures that are hesitant to, you know, conflict with administration policy, but from a legal standpoint, the, I mean, even Texas, you know, which is historically very reticent, I would say, to go against the grain in terms of, you know, a Republican administration priorities, like Texas has an AI act, and so I just, I think we are headed to a patchwork of state level laws, and unless really Congress, not the administration, unless Congress can do something, I think that’s just kind of inevitable.
Justin Daniels 27:09
But then it goes to the other point you made, Andrew, which was having some kind of cataclysmic event. So, if you go back to 2008 and you look at what came out of that whole situation with Dodd Frank, the Consumer Protection Board, we can quibble as to how effective they are, but to me that goes to the point of some bad stuff has to happen, and then those types of things may have an opportunity to breathe a little bit in the AI space.
Andrew Burt 27:39
Yeah, I think that’s exactly right. I mean, it’s, it’s not great that we need, I mean, the risks are real, they were real before, you know, 2008 but when you think about risk and compliance, a lot of times you just need that, but it may, it may be that some of these states that are, you know, adopting, adopting, that are, that are enacting these laws early, it may be that one of them, you know, has some huge regulatory action or fine that helps folks wake up, so it may be that, like, already, you know, the everything is in place for that, but I just don’t know, but they’ll need to be a headline, they’ll need to be something probably that is scary for a lot of companies to really take serious action, but many are taking action now. We work a lot with them, so I don’t want folks listening in to get dispirited and think, you know, no one is doing anything, but we just need more action.
Jodi Daniels 28:38
Well, in the absence of some of that regulation, and while some companies are taking good action, What would you offer someone listening here today as a good next step? What could they do to help further and strengthen their AI governance program in their company?
Andrew Burt 28:57
So, assuming the audience is privacy and legal
Jodi Daniels 29:02
good
Andrew Burt 29:03
assumption. Okay, although I hope everyone’s listening, it’s really important stuff. Go find the data scientists and the engineer who are building AI systems, and understand how they’re managing risks. Just sit down, understand what technical safeguards, understand how they’re documenting risks, understand, get a really holistic picture of what they’re doing, because chances are, well, not chances are, this is not their specialty, and so chances are extremely high that they are leaving a lot of risks on the table, and your job, what you are really good at, is understanding risks and understanding values and priorities, and so even just that initial discussion, I think, will help you understand where are the gaps, and then you can work from the bottom up, but just ground AI is moving fast, grounding what you’re doing in the actual facts, I think, will will really help, and I have a question for you guys, when, when, when you’re ready, I feel like. There hasn’t been enough conflict in this discussion, so I feel the need to manufacture conflict, and we actually started with talking about crumb cake, and so it’s the most controversial question I know how to ask, but I would like to know which you prefer, cake or pie?
Jodi Daniels 30:17
Can I change it with a third category and pick cookie, because chocolate chip cookies are my favorite food.
Andrew Burt 30:23
Okay, well, this is a secondary question. Is a cookie a form of pie?
Jodi Daniels 30:30
No,
Andrew Burt 30:31
it’ll be a form of cake.
Jodi Daniels 30:37
Now, if you want to go there, for anyone who is familiar with a some people called a rainbow cookie. I’ve had this debate, is it a rainbow cookie or a rainbow cake? It is often kind of a chocolate layer, and then there’s red or pink, yellow, and green, and some people think it’s cookie or cake. I think it is a cake more than a cookie, not a cookie.
Andrew Burt 31:00
How legal this conversation went. It’s like, well, let’s talk about definitions. What’s a cake? What’s a cookie? Can we footnote it anyways? I’ll accept that answer.
Justin Daniels 31:11
You have to understand, she didn’t go to law school, but you really would think that she did. And then, if you have a disagreement with her, you think you’d be dealing with a trial lawyer.
Jodi Daniels 31:21
The details matter.
Andrew Burt 31:23
I’m impressed. You know what
Justin Daniels 31:25
I’m dealing with here? Huh, that’s
Jodi Daniels 31:28
true. You did sign up for it, and you knew that. Cake or pie?
Justin Daniels 31:31
I’m probably gonna say cake.
Jodi Daniels 31:33
Andrew, hi. Hi, all the way. Flavor pie.
Andrew Burt 31:38
Oh, that’s a good one. I don’t know, I’m gonna have to get back blueberry grape peach peach apples, but apples like saying you like pizza, like everyone likes apple pie, but big pie. I
Jodi Daniels 31:56
know some people don’t like apple pie. I do put them in the category.
Andrew Burt 32:00
Yeah,
Jodi Daniels 32:00
now Andrew, we have to ask two questions, because we ask every guest the same last two questions. One of them is, what do you like to do for fun, and we can certainly talk about cake and pie, but we have to ask, what is your personal privacy or security tip?
Andrew Burt 32:16
Okay, in reverse order. So, I worked at the FBI Cyber Division, so there was a time when my answer would have been just get a bunch of tin foil and just wrap your head on it, you know, wrap your head around it and just, just tin foil, but that’s not particularly practical. So there are some browsers like Brave, which I think do a really, really good job of encrypting web traffic and blocking third parties, so that’s a good easy one. Stuff like that, you know, if you care about something and it’s digital, make sure you have a backup. Inversely, if you don’t have a backup and it’s digital, you don’t care about it, you know. Two-factor authentication, all the good standard stuff, but I would say the thing that people probably don’t think about as much is just really simple web browsers like Brave, and in terms of fun. So I run a startup, and I have a five and an eight year old, so I didn’t even know that was an option. Fun, I thought I had to wait a couple years, but I mean, the first answer is I just like hang out with my kids, and I’d say some percentage of the time it’s fun, and then some other percentage of time they’re hitting me, giving me bruises, and you know, yelling is involved. Aside from that, just reading audio books makes me feel boring, but that’s my answer. A lot of the
Jodi Daniels 33:47
young kid, and the answer is I work in a family, and I work in a family.
Andrew Burt 33:54
I’m going to revise that, and I’m just going to say skydiving. I’ve never done it before, but it just sounds cool. So, let’s just go with that
Jodi Daniels 34:03
way about skydiving. I do not share the same view about skydiving, just so we’re clear.
Justin Daniels 34:08
I’d be willing to try it. Then the
Jodi Daniels 34:09
two of you, off you go, and don’t tell me she was really smart. She goes, “I’m going to do it one day, I’m not going to tell you until afterwards.
Justin Daniels 34:20
But, but Andrew, I do have an idea for you, for like some swag. So I spoke at a client’s conference, and she gave me a Faraday bag.
Andrew Burt 34:32
That’s fantastic.
Justin Daniels 34:33
I thought that was an awesome gift.
Andrew Burt 34:36
Do we need to explain to listeners what a Faraday bag might?
Justin Daniels 34:39
So a Faraday bag is a bag where you put an electronic device in it and no signal gets in and no signal gets out. It’s the modern day version of putting the tin foil on your head.
Jodi Daniels 34:54
Quite awesome.
Justin Daniels 34:54
I’ve read about it in spy books, so I thought it was cool to actually get a real very.
Jodi Daniels 34:59
Cool
Justin Daniels 35:00
thrills come cheap for me,
Jodi Daniels 35:02
Andrew. We are so grateful that you came to join us today. If people would like to connect and learn more, where should they go?
Andrew Burt 35:09
luminos.ai that’s our website. You can learn more, and if you want to reach out to me directly, I’m at andrew@luminos.ai But on the website has all the all the information on what we do, and then if you’re interested, you can email me personally.
Jodi Daniels 35:24
Amazing. Well, thank you so much for joining us. And for anyone who is not familiar, I also highly encourage you to go dig up the NIST AI RMF framework, pay attention to it. It really is an awesome framework. So, thanks for all of your efforts in putting that together amongst all the other co-authors.
Andrew Burt 35:43
Thank you for having me. This has been fun. I’ve learned a lot, and I now know that cookie is, you know, is a separate category.
Jodi Daniels 35:51
That’s where you gotta go. All right, thanks everyone.
Outro 35:58
Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes, and check us out on LinkedIn. See you next time.
Privacy doesn’t have to be complicated.
As privacy experts passionate about trust, we help you define your goals and achieve them. We consider every factor of privacy that impacts your business so you can focus on what you do best.



