n today’s fast-paced business environment, regulatory compliance has become both more critical and more complex. Organizations are expected to maintain rigorous internal controls, ensure transparency, and respond swiftly to audits all while managing sprawling IT ecosystems and evolving risk landscapes.

Regulations like the Sarbanes-Oxley Act (SOX) demand companies adhere to strict financial reporting, information security, and auditing requirements. Yet many businesses still rely on manual processes and fragmented systems to meet these requirements. This approach is not only inefficient but also increases the risk of errors, omissions, and non-compliance.

As digital transformation accelerates, compliance teams are being asked to do more with less and the result is a widening gap between compliance obligations and operational capacity.

AI and Automation: Driving a Transformation

Artificial intelligence and automation technologies are emerging as powerful allies in the quest for smarter, more scalable compliance. These tools can streamline routine tasks while enhancing accuracy and provide real-time insights into control effectiveness.

Automation is particularly effective in handling repetitive, rules-based activities such as data collection and report generation. By reducing manual effort, it frees up compliance professionals to focus on strategic oversight and risk mitigation.

AI, on the other hand, brings intelligence into the equation. Machine learning algorithms can analyze vast datasets to detect anomalies, flag potential risks, and even predict future compliance issues. Natural language processing can extract insights from unstructured data, such as emails or policy documents, enabling more comprehensive monitoring.

Together, AI and automation are transforming compliance from a reactive, checklist-driven function into a proactive, intelligence-led discipline.

Continuous Compliance and Adaptive Controls

One of the most transformative shifts enabled by AI and automation is the move toward continuous compliance. Rather than relying on periodic audits or static control reviews, organizations can now monitor their control environments in real time.

This approach allows for faster detection of issues, quicker remediation, and more reliable assurance for stakeholders. It also aligns better with the dynamic nature of modern business, where risks can emerge and evolve rapidly.

Adaptive controls, powered by AI, take this a step further. These controls can adjust dynamically based on context, user behavior, or risk signals. For instance, if a user accesses sensitive financial data from an unfamiliar location, the system might require multi-factor authentication or temporarily restrict access until the activity is verified.

Such intelligent controls enhance security while maintaining operational flexibility, helping organizations strike the right balance between risk management and business agility.

Implementation Challenges and Considerations

While the benefits of AI and automation are clear, successful implementation requires thoughtful planning and execution. Organizations must ensure that these technologies are properly integrated into existing systems and workflows, and that they align with broader compliance strategies.

Data quality is a critical factor. AI models rely heavily on accurate, comprehensive inputs to deliver meaningful insights. Poor data hygiene can lead to false positives, missed risks, or misleading recommendations.

Regulatory alignment is another key consideration. As AI becomes more embedded in compliance processes, regulators are beginning to scrutinize its use. Companies must ensure that their AI-driven practices are transparent, explainable, and auditable. This includes documenting how models are trained, how decisions are made, and how outputs are validated.

Cultural change is also essential. Compliance teams may need to develop new skills as they adopt new tools and embrace new ways of working. Collaboration—with IT, cybersecurity, and business units—is vital to ensure that AI and automation initiatives are successful and sustainable.

Solutions for Cybersecurity and Compliance Leaders

To navigate this transformation effectively, organizations should focus on a few foundational strategies:

• Adopt AI-Integrated Platforms. Start with tools that work seamlessly with your ERP and IT systems to automate tasks and track regulatory change
• Automate Repetitive Tasks. Free up your compliance team by automating routine activities like data entry and control testing
• Stay Ahead of Regulatory Shifts. Use AI to anticipate changes and adjust your compliance strategies before an issue arises
• Build Transparent Audit Trails. Leverage AI to document compliance activities clearly, making audits smoother and more defensible
• Centralize Data for Collaboration. Ensure all departments work from the same source of truth to improve coordination and decision-making.

Cybersecurity vendors have a unique opportunity to support these efforts by offering solutions that combine automation, AI, and robust control frameworks. By helping clients modernize their compliance environments, vendors can deliver measurable value while strengthening trust and resilience.

AI is a Business Imperative

AI and automation are no longer emerging trends, they are strategic imperatives for organizations seeking to modernize compliance and internal control management. These technologies offer a path to greater efficiency, accuracy, and agility, enabling companies to meet regulatory demands while staying ahead of risk.

For cybersecurity companies, the opportunity lies in guiding clients through this transformation with scalable, transparent, and vendor-neutral solutions. By doing so, they can help build a future where compliance is not just a requirement, but a competitive advantage. 

Chris Radkowski is an SAP GRC expert at Pathlock, an identity security and governance platform. A recognized leader in access governance with over 20 years of experience driving innovation in enterprise security and compliance solutions, he brings deep expertise in application access governance, risk management and regulatory compliance.

The post Modernizing Compliance: How AI and Automation Are Reshaping Internal Controls appeared first on Compliance Chief 360.

ith the rise of AI and regulatory uncertainty, Chief Audit Executives (CAEs) are expected to face mounting pressure from the Board to address emerging risks and strengthen mitigation efforts. According to Gartner, a technological research and consulting firm, as AI has emerged as both a valuable business asset and a potential threat, CAEs are pressured by the board to provide assurance over risk management.

“2025 brings more high-profile risks and opportunities that are driving growing board focus on risk management, so CAEs need to be sure they are effective in helping the audit committee (AC) discharge its risk oversight responsibilities,” said Margaret Porter, Chief of Research in the Gartner Assurance Practice.

Most of the time CAEs only get less than 30 minutes with audit committees and are therefore forced to maximize their limited time. During these meetings, CAEs should prioritize highlighting risk trends, root causes, and systemic governance issues. Meanwhile, they can hand out supplemental materials in order to provide an understanding of the background information.

AI Risks

According to Gartner, AI risks can take on many forms, including behavioral risks, transparency risks, and security and data risks:

• Behavioral risks are related to the ways algorithms and IT systems can misbehave in their performance, such as by creating inaccurate or biased results, providing outdated information or not complying with scoping requirements.
• Transparency risks are related to model explainability and disclosure of AI involvement.
• Security and data risks are related to the ways in which accidental or intentional leakage or misuse of personal or confidential information can impact the enterprise.

“While most audit leaders accept it is important to cover key AI risks in the next 12 months, less than a quarter feel confident in their ability to do so,” said Porter. “To increase their confidence in providing assurance over complex AI risks, audit should collaborate with assurance partners to assess and prioritize AI risk coverage needs.”

To better support the organization in managing and assessing AI risks, Gartner experts recommend internal audit work with legal, compliance, and risk teams to:

• Get organized for AI accountability and define enterprise practices
• Discover and inventory all AI used in the organization
• Revisit and implement AI data classification, protection and access management
• Implement technical controls to support and enforce policies
• Conduct ongoing governance, monitoring, validation, testing and compliance throughout the whole process.  

The post CAEs to Face Rising Pressure with the Emergence of AI appeared first on Compliance Chief 360.

new report predicts that compliance and assurance functions could double the amount they spend on new technology by 2027. According to the research, issued by Gartner Inc., generative AI, machine learning, and large language models will fuel a surge in spending by compliance, risk management, and assurance functions.

The news isn’t all good. The report also predicts a wave of disillusionment with advanced technologies as expectations are exceeding capabilities in many cases. Accordingly, Gartner experts have placed AI at the “peak of inflated expectations” in the 2024 “Hype Cycle” for legal, risk, compliance and audit technologies.

“Some assurance leaders are prematurely expecting AI technology to greatly enhance productivity,” said Weston Wicks, senior director analyst in the Gartner Legal & Compliance Practice. “While these technologies show promise, in the near-term Gartner recommends assurance leaders identify where they can pilot and experiment with them while maintaining healthy skepticism as they are implemented.”

Gartner experts believe that GenAI will have a foreseeable impact on adjacent innovations in the analytics space, and therefore certain innovations, such as data and analytics governance, audit analytics, legal analytics, and advanced contract analytics, have moved further toward the trough as the te to plateau for these innovations becomes nearer-term — two-to-five years.

“Certain notable movements on the 2024 Hype Cycle are driven by assurance leaders convinced that incorporating new technology and generative AI (GenAI) tools is necessary to manage the growing burden of new rules and regulations imposed on executives and enterprises globally,” said Wicks. “Select emerging innovations, such as compliance monitoring solutions, have been directly impacted by GenAI and have seen substantial movement along the Hype Cycle as a result.”

Proceed with Caution

While there are some expectations that the advancements in GenAI will be transformative in assurance, Gartner experts caution that early adopters must acknowledge the risks of these new advancements and their impact on teams’ ability to manage them.

“Early lessons learned by assurance leaders include understanding the importance of information management and data governance, and the importance of intentionally including humans in the loop to mitigate bias and other risks,” said Wicks. “For these reasons, Gartner estimates the innovations will achieve high benefit ratings across the next five years.” 

The post Report: Compliance Functions Could Double Tech Spend by 2027 appeared first on Compliance Chief 360.

A forensic post-mortem investigation into the cause of any corporate scandal or failure will identify a number (or perhaps all) of these deficiencies and weaknesses. But what if we could do a “pre-mortem” investigation? What if we could predict the scandal in advance and head it off by considering all the ways things could go wrong?

Artificial Intelligence is the latest buzz among compliance departments, and for good reason: It has the potential to completely transform compliance as it does for many corporate functions. But there is also a downside in the potential for massive risks that stem from the use of AI. It’s not hard to imagine that these AI risks will come to pass at one or more organizations and blow up into the latest scandal of epic proportions.

Artificial Intelligence technology as it evolves is certain to contribute to the creation, preservation, and destruction of stakeholder value in the coming weeks, months, and years. In terms of value creation, digital and smart technologies are already pervasive and AI in its many forms, such as machine learning, natural language processing, and computer vision, has the potential to leverage from this in order to add significant value, to make enormous contributions, and to create long-term positive impacts for society, the economy, and the environment.

It has the potential to solve complex problems and create opportunities that benefit all human beings and their ecosystems. Unfortunately, AI systems also have the potential for tremendous value destruction, and to cause an unimaginable level of harm and damage to human ecosystems, including business, society, and the planet.

Given the deficiencies and weaknesses described above in relation to everyday corporate scandals, one does not have to be a rocket scientist to predict that these same issues are also likely to arise in relation to AI technology. It is therefore incumbent upon our leaders to consider the potential serious impact, consequences, and repercussions which could emerge in relation to the development, deployment, use, and management of AI systems.

Anticipation of Future AI Hazards

An AI defense cycle can be viewed in terms of the corporate defense cycle, with the same unifying defense objectives representing the four cornerstones of a robust AI defense program.

Prudence and common-sense would suggest that it is therefore considered both logical and rational to anticipate the following deficiencies and weaknesses in relation to AI technology and to fully consider their potential for value destruction.

1. Failures in AI Governance
The current lack of a single comprehensive global AI governance framework has already led to inconsistencies and differences in approaches across various jurisdictions and regions. This is likely to result in potential conflicts between stakeholder groups with different priorities. The lack of a unified approach to AI governance can result in a lack of transparency, responsibility, and accountability which raises serious concerns about the social, moral, and ethical development and use of AI technologies. The ever-increasing lack of human oversight due to the development of autonomous AI systems simply reinforces these growing concerns. Prevailing planet governance issues are also likely to negatively impact on AI governance.

2. Poor AI Risk Management
Currently there appears to also be a fragmented global approach to AI risk management. Some suggest that this approach seems to overemphasize a focus on risk detection and reaction and underemphasize a focus on risk anticipation and prevention. It can tend to focus on addressing very specific risks (such as bias, privacy, security, and others) without giving due consideration to the broader systemic implications of AI development and its use.

Such a narrow focus on AI risks also fails to address the broader societal and economic impacts of AI and overlooks the interconnectedness of AI risks and their potential long-term consequences. Such short-sightedness is potentially very dangerous as it fails to address and keep pace with the potential damage of emerging risks while also failing to prepare for already flagged longer-term risks such as those posed by superintelligence or autonomous weapons systems and other potentially catastrophic outcomes.

3. AI Compliance Failures
AI compliance consists of a patchwork of AI laws, regulations, standards, and guidelines at national and international levels. This lack of harmonization of laws and regulations means that they are not in clear alignment, meaning they can be inconsistent in nature. This makes them both confusing and ineffective, making it difficult for stakeholders to comply with, and for regulators to supervise and enforce, especially across borders.

This lack of clear regulation and the lack of appropriate enforcement mechanisms makes it difficult to hold actors to account for their actions and can encourage non-compliance, violations, and serious misconduct leading to the potential unsafe, unethical, and illegal use of AI technology. The existence of algorithmic bias can result in a lack of fairness and lead to an exacerbation of existing inequality, prejudice, and discrimination. A major concern is that the current voluntary nature of AI compliance and an over reliance on self-regulation is not sufficient to address these potentially systemic issues.

4. Unreliable AI Intelligence
Unreliable intelligence can ultimately result in poor decision making in its many forms. Many AI algorithms can be opaque in nature and are often referred to in terms of a “Black Box,” which hinders the clarity and transparency of the development and deployment of AI systems. Their complexity makes it difficult to interpret or fully comprehend their algorithmic decision-making and other outputs.

It is therefore difficult for stakeholders to understand and mitigate their limitations, potential risks, and the existence of biases. This can further contribute to accountability gaps and make it difficult to hold AI developers and users accountable for their actions. AI development can also lack the necessary stakeholder engagement and public participation which can mean a lack of the required diversity of thought needed for the necessary alignment with social, moral, and ethical values. This lack of transparency and understanding can expose the AI industry to the threat of clandestine influence.

5. Inadequate AI Security
The global approach to AI security also appears to be somewhat disjointed. Data is one of the primary resources of the AI industry and AI systems collect and process vast amounts of data. AI technologies can be vulnerable to cyberattacks which can compromise assets (including sensitive data), disrupt operations, or even cause physical harm. If AI systems are not properly protected and secured, they could be infiltrated or hacked, resulting in unauthorized access to data and this could be used for malicious purposes such as data manipulation, identity theft, or fraud. This raises concerns about data breaches, data security, and personal privacy.

Indeed, AI powered malware could help malicious actors to evade existing cyber defenses thereby enabling them to inflict significant destruction to supply chains and critical infrastructure. Examples include damage to power grids, disruption of financial systems, and others.

6. Insufficient AI Resilience
The global approach to AI resilience is naturally impacted by the chaotic approach to some of the other areas noted above. Where AI systems are vulnerable to cyberattacks, this can allow hackers to disrupt operations leading to possible unforeseen circumstances which are difficult (if not impossible) to prepare for. This can impact on the reliability and robustness of the AI system and its ability to perform as intended in real-world conditions and to withstand, rebound, or recover from a shock, disturbance or disruption. AI systems can of course also make errors, incorrect diagnoses, faulty predictions, or other mistakes, sometimes termed “hallucinations.”

Where an AI system malfunctions or fails for whatever reason, this can lead to unintended consequences or safety hazards that could negatively impact on individuals, society, and the environment. This may be of particular concern in critical domains such as power, transportation, health, and finance.

7. Ineffective AI Controls
The global approach to AI controls also seems to be somewhat disorganized. Once AI systems are deployed, it can be difficult to change them. This can make it difficult to adapt to new circumstances or to correct mistakes. There are therefore some concerns that an overemphasis on automated technical controls (such as bias detection and mitigation) and not enough attention given to the importance of human control can create a false sense of security and mask the need for human control mechanisms.

As AI systems become more sophisticated, there is a real risk that humans will lose control over AI leading to situations where AI may make decisions that have unintended consequences that can significantly impact on individuals’ lives with potentially harmful consequences. Increasing the autonomy of AI systems without the appropriate safeguards and controls in place raises valid concerns about issues such as ethics, responsibility, accountability, and potential misuse.

8. Failures by AI Assurance Providers
There is currently no single, universally accepted framework or methodology for AI assurance. Different organizations and countries have varying approaches, leading to potential inconsistencies. The opaque nature and increasing complexity of AI can make it difficult to competently assess AI systems, creating gaps in assurance practices, and thus hindering the provision of comprehensive assurance.

The expertise required for effective AI assurance is often a scarce commodity and may be unevenly distributed which in turn can create accessibility challenges for disadvantaged areas and groups. The lack of transparency, ethical concerns, and the lack of comprehensive AI assurance can lead to an erosion of public trust and confidence in AI technologies which can hinder its adoption and potentially create resistance to its potential benefits. Given all of the above, the provision of AI assurance can be a potential minefield for assurance providers.

AI Value Destruction and Collateral Damage

Should any assurance provider worth their salt undertake to benchmark these eight critical AI defense components to a simple 5 step maturity model ( 1. Dispersed, 2. Centralized, 3. Global (Enterprise-wide), 4. Integrated, 5. Optimized) then each one of them individually and collectively would currently be rated as being only at step 1, Dispersed. This level of immaturity in itself represents a recipe for value destruction.

Each of these eight critical AI defense components are interconnected, intertwined, and interdependent as individually each impacts on, and is impacted by, each of the other components. They represent links in a chain where the chain is only as strong as its weakest link. Collectively they can provide an essential cross-referencing system of checks and balances which helps to preserve AI stakeholder value. Therefore, the existence of deficiencies and weaknesses in more than one of these critical components can collectively result in exponential collateral damage to stakeholder value.

Examples of Potential Value Destruction

Misuse and Abuse:AI technologies can be misused and abused for all sorts of malicious purposes with potentially catastrophic results. They can be used for deception, to shape perceptions, or to spread propaganda. AI generated deepfake videos can be used to spread false or misleading information, or to damage reputations. Other sophisticated techniques could be used to spread misinformation and be used in targeted disinformation campaigns to manipulate public opinion, undermine democratic processes (elections and referendums) and destabilize social cohesion (polarization and radicalization).

Privacy, Criminality, and Discrimination: AI powered surveillance such as facial recognition can be intentionally used to invade people’s privacy. AI technologies can help in the exploitation of vulnerabilities in computer systems and can be applied for criminal purposes such as committing fraud or the theft of sensitive data (including intellectual property). They can be used for harmful purposes such as cyberattacks and to disrupt or damage critical infrastructure. In areas such as healthcare, employment, and the criminal justice system AI bias can lead to discrimination against certain groups of people based on their race, gender, or other protected characteristics. It could even create new forms of discrimination potentially undermining democratic freedoms and human rights.

Job Displacement and Societal Impact: As AI technologies (automobiles, drones, robotics, and others) become more sophisticated, they are increasingly capable of performing tasks that were once thought to require human workers. AI powered automation of tasks raises concerns relating to mass job displacement (typically the most vulnerable), and the potential for widespread unemployment which could impact on labor markets and social welfare, potentially leading to business upheaval, industry collapse, economic disruption, and social unrest. AI also has the potential to amplify and exacerbate existing power imbalances, economic disparities, and social inequalities.

Autonomous Weapons: AI controlled weapons systems could make decisions about when and who to target, or potentially make life-and-death decisions (and kill indiscriminately) without human intervention, raising concerns about ethical implications and potential unintended consequences. Indeed, the development and proliferation of autonomous weapons (including WMDs) and the competition among nations to deploy weapons with advanced AI capabilities raises fears of a new arms race and the increased risk of a nuclear war. This potential for misuse and possible unintended catastrophic consequences could ultimately pose a threat to international security, global safety, and ultimately humanity itself.

The Singularity: The ultimate threat potentially posed by the AI singularity or superintelligence is a complex and uncertain issue which may (or may not) still be on the distant horizon. The potential for AI to surpass human control and pose existential threats to humanity cannot and should not be dismissed and it is imperative that the appropriate safeguards and controls are in place to address this existential risk. The very possibility that AI could play a role in human extinction should at a minimum raise philosophical questions about our ongoing relationship with AI technology and our required duty of care. Existential threats cannot be ignored and addressing them cannot be deferred or postponed.

AI Value Preservation Imperative

Under the prevailing circumstances the occurrence of some or all of the above AI related hazards represent both an unacceptably high probability and impact, with potentially catastrophic outcomes for a large range of stakeholder groups. Serious stewardship, oversight, and regulation concerns have already been publicly expressed by AI experts, researchers, and backers. It represents an urgent issue which requires urgent action. This is one matter where a proactive approach is demanded, as we simply cannot accept a reactive approach to this challenge. In such a situation “prevention is much better than cure,” and it is certainly not a time to “Shut the barn door after the horse has bolted.”

Addressing this matter is by no means an easy task but it is one which needs to be viewed as a compulsory or mandatory obligation. Like many other challenges facing human beings on Planet Earth this is one that will require global engagement and a global solidarity of purpose.

AI value preservation requires a harmonization of global, international, and national frameworks, regulations, and practices to help ensure consistent implementation and the avoidance of fragmentation. This means greater coordination, knowledge sharing, and wider adoption in order to help ensure a robust and equitable global AI defense program.

This needs to begin with a much greater appreciation and understanding of the nature of AI value dynamics (creation, preservation, and destruction) in order to help foster responsible innovation. Sooner rather than later, the approach to due diligence needs to include adopting a holistic, multi-dimensional and systematic vision that involves an integrated, inter-disciplinary, and cross-functional approach to AI value preservation. Such an approach can help contribute to a more peaceful and secure world, by creating a more trustworthy, responsible, and beneficial AI ecosystem for all.

This pre-mortem simply cannot be allowed to develop into a post-mortem!   

Sean Lyons is a value preservation & corporate defense author, pioneer, and thought leader. He is the author of “Corporate Defense and the Value Preservation Imperative: Bulletproof Your Corporate Defense Program.”

The post Anticipating a Scandal: Is AI a Ticking Time Bomb for Companies? appeared first on Compliance Chief 360.

AIA is the world’s first set of regulations designed to oversee the field of AI. “We finally have the world’s first binding law on artificial intelligence, to reduce risks, create opportunities, combat discrimination, and bring transparency,” said Brando Benifei, a European Union lawmaker from Italy. “Thanks to Parliament, unacceptable AI practices will be banned in Europe and the rights of workers and citizens will be protected. The AI Office will now be set up to support companies to start complying with the rules before they enter into force. We ensured that human beings and European values are at the very center of AI’s development.”

The new law comes at a point where many countries have introduced new AI rules. Last year, the Biden administration approved an executive order requiring AI companies to notify the government when developing AI models that may pose serious risk to national security, national economic security, or national public health and safety.

AIA Bans Specific Uses of AI

AIA bans certain AI applications that threaten citizens’ rights, including biometric categorization systems based on sensitive information and real-time and remote biometric identification systems, such as facial recognition. The use of AI to classify people based on behavior, socio-economic status or personal characteristics and to manipulates human behavior or exploits people’s vulnerabilities will also be forbidden.

However, some exceptions may be allowed for law enforcement purposes. “Real-time” remote biometric identification systems will be allowed in a limited number of serious cases, while “post” remote biometric identification systems, where identification occurs after a significant delay, will be allowed to prosecute serious crimes and only after court approval.

AIA also introduces new transparency rules that mainly effect Generative AI. The regulation sets out multiple transparency requirements that this sort of AI will have to satisfy, including compliance with EU copyright law. This entails disclosing when content is generated by AI, implementing measures within the model to prevent the generation of illegal content, and providing summaries of copyrighted data utilized during the model’s training process. Additionally, artificial or manipulated images, audio or video content (“deepfakes”) need to be clearly labelled as such.

AIA is projected to become officially effective by May or June, pending some last procedural steps, including approval from EU member states. Implementation of provisions will occur gradually, with countries require to prohibit banned AI systems six months following the law’s enactment.  

Jacob Horowitz is a contributing editor at Compliance Chief 360°

The post EU Passes World’s First Comprehensive AI Law appeared first on Compliance Chief 360.

The suit could have wide-ranging implications for both AI companies and media and publishing companies that are concerned their content is being used without payment or permission to “teach” artificial intelligence models. The Times wants AI companies to pay for any damages they have caused and for the companies to destroy any AI models that used its copyrighted material without permission.

The Times believes that it is among the largest sources of private information for OpenAI and Microsoft’s AI products. According to the lawsuit, their products redirect traffic away from the Times’ web properties, causing the company to lose out on advertising and subscription revenue. The company believes that because of this a large amount of their work is being used against them.

“Times journalism is the work of thousands of journalists, whose employment costs hundreds of millions of dollars per year,” the Times said in its complaint. “Defendants have effectively avoided spending the billions of dollars that the Times invested in creating that work by taking it without permission or compensation.”

The media company said that it approached Microsoft and OpenAI in April of 2023 to raise concerns about the use of its copyrighted materials. It discussed the possibility of creating a commercial agreement between the companies in order to effectively safeguard its products from copyright infringement however, this discussion did not result in a formal agreement.

In a similar situation, some technology companies working on AI models have argued that they have the right to use any content available on the open internet under the legal provision of “fair use.” Under this provision, individuals or companies are permitted to use copyrighted work in certain circumstances without a license to do so. In this case, The Times argues that such an argument should not apply since the AI products use its content to “steal audiences away from it.”

More AI Content Battles Lie Ahead

The Times’ case may be just the first of many lawsuits against AI companies for copyright infringement. Since “a Supreme Court decision is essentially inevitable,” according to Richard Tofel, a consultant to The Times, tech companies have the opportunity to now reflect on their AI models and consider measuring the choice between potential lawsuits and entering into commercial agreements.

While this is the first instance in which a publisher has brought a lawsuit against AI companies, many other publishers have reached commercial agreements to permit OpenAI to use their content. By doing so, OpenAI can use a publisher’s content without a need to worry about potential copyright infringement; the company only needs to pay a small cut of its revenue towards the publisher.  

Jacob Horowitz is a contributing editor at Compliance Chief 360°

The post NYT Sues Microsoft and OpenAI for Copyright Infringement appeared first on Compliance Chief 360.

The proposed order will require Rite Aid to implement comprehensive safeguards to prevent these types of harm to consumers when deploying automated systems that use biometric information to track them or flag them as security risks. It also will require Rite Aid to discontinue using any such technology if it cannot control potential risks to consumers. To settle charges it violated a 2010 Commission data security order by failing to adequately oversee its service providers, Rite Aid will also be required to implement a robust information security program, which must be overseen by the company’s top executives.

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”

False Accusations from Facial Recognition Failures

In a complaint filed in federal court, the FTC says that from 2012 to 2020, Rite Aid deployed artificial intelligence-based facial recognition technology in order to identify customers who may have been engaged in shoplifting or other problematic behavior. The complaint, however, charges that the company failed to take reasonable measures to prevent harm to consumers, who, as a result, were erroneously accused by employees of wrongdoing because facial recognition technology falsely flagged the consumers as matching someone who had previously been identified as a shoplifter or other troublemaker.

Preventing the misuse of biometric information is a high priority for the FTC, which issued a warning earlier this year that the agency would be closely monitoring this sector. Rite Aid did not inform consumers that it was using the technology in its stores and employees were discouraged from revealing such information. In addition, the FTC says Rite Aid’s actions disproportionately impacted people of color.

According to the complaint, Rite Aid contracted with two companies to help create a database of images of individuals—considered to be “persons of interest” because Rite Aid believed they engaged in or attempted to engage in criminal activity at one of its retail locations—along with their names and other information such as any criminal background data.

The system generated thousands of false-positive matches, the FTC says. For example, the technology sometimes matched customers with people who had originally been enrolled in the database based on activity thousands of miles away, or flagged the same person at dozens of different stores all across the United States, according to the complaint. Specifically, the complaint says Rite Aid failed to:

• Consider and mitigate potential risks to consumers from misidentifying them, including heightened risks to certain consumers because of their race or gender.
• Test, assess, measure, document, or inquire about the accuracy of its facial recognition technology before deploying it, including failing to seek any information from either vendor it used to provide the facial recognition technology about the extent to which the technology had been tested for accuracy;
• Prevent the use of low-quality images in connection with its facial recognition technology, increasing the likelihood of false-positive match alerts;
• Regularly monitor or test the accuracy of the technology after it was deployed, including by failing to implement or enforce any procedure for tracking the rate of false positive matches or actions that were taken based on those false positive matches; and
• Adequately train employees tasked with operating facial recognition technology in its stores and flag that the technology could generate false positives. Even after Rite Aid switched to a technology that enabled employees to report a “bad match” and required employees to use it, the company did not take action to ensure employees followed this policy.

Failure to Safeguard Consumer’s Personal Data

In its complaint, the FTC also says Rite Aid violated its 2010 data security order with the Commission by failing to adequately implement a comprehensive information security program. Among other things, the 2010 order required Rite Aid to ensure its third-party service providers had appropriate safeguards to protect consumers’ personal data. In addition to the ban and required safeguards for automated biometric security or surveillance systems, other provisions of the proposed order prohibit Rite Aid from misrepresenting its data security and privacy practices and also require the company to:

• Delete, and direct third parties to delete, any images or photos they collected because of Rite Aid’s facial recognition system as well as any algorithms or other products that were developed using those images and photos;
• Notify consumers when their biometric information is enrolled in a database used in connection with a biometric security or surveillance system and when Rite Aid takes some kind of action against them based on an output generated by such a system;
• Investigate and respond in writing to consumer complaints about actions taken against consumers related to an automated biometric security or surveillance system;
• Provide clear and conspicuous notice to consumers about the use of facial recognition or other biometric surveillance technology in its stores;
• Delete any biometric information it collects within five years;
• Implement a data security program to protect and secure personal information it collects, stores, and shares with its vendors;
• Obtain independent third-party assessments of its information security program; and
• Provide the Commission with an annual certification from its CEO documenting Rite Aid’s adherence to the order’s provisions.

The complaint and order were filed in the Eastern District of Pennsylvania. Rite Aid is currently going through bankruptcy proceedings and the order will go into effect after approval from the bankruptcy court and the federal district court as well as modification of the 2010 order by the Commission.  

Jacob Horowitz is a contributing editor at Compliance Chief 360°

The post FTC Bans Rite Aid from Using Facial Recognition for Five Years appeared first on Compliance Chief 360.

As with any transformative force, though, AI also presents a range of challenges and ethical concerns that demand careful consideration and decisive action. While many technology experts are still debating whether or not AI technologies could present an existential threat to humanity, the dangers of its misuse are clear to many. In the wrong hands of those with mischievous goals, AI can be used to help commit crime, aid terrorism, and circumvent security measures. Already, AI is being used to create audio and video “deep fakes” that impersonate voices or video likenesses to deceive our own eyes and ears.

In recognition of the profound impact of AI, as well as its potential dangers, the Biden Administration issued an Executive Order on Artificial Intelligence last month, outlining a comprehensive framework for the “safe, secure, and trustworthy development and use of artificial intelligence.” The executive order on AI sets new standards for AI safety and security, has new privacy provisions, and more.

“My Administration places the highest urgency on governing the development and use of AI safely and responsibly, and is therefore advancing a coordinated, Federal Government-wide approach to doing so,” President Biden stated in the order. “The rapid speed at which AI capabilities are advancing compels the United States to lead in this moment for the sake of our security, economy, and society.”

The Executive Order’s Pillars of AI Governance

The Executive Order on AI establishes a set of guiding principles for the development and deployment of AI across various sectors of the federal government. These principles emphasize the importance of:

1. Safety and Security: Ensuring that AI systems are designed, developed, and deployed in a manner that protects against potential harms, including safety risks, algorithmic bias, and privacy violations.
2. Reliability and Robustness: Fostering trust in AI systems by ensuring their reliability, accuracy, and resilience against adversarial attacks or manipulation.
3. Equity and Civil Rights: Preventing and mitigating potential harm to civil rights and ensuring that AI systems do not perpetuate or exacerbate societal inequities.
4. Public Trust and Transparency: Promoting transparency and accountability in the development and use of AI systems, allowing individuals to understand how AI is impacting their lives and providing mechanisms for redress in case of harm.

Key Provisions and Initiatives of the Executive Order on AI

To operationalize these principles, the Executive Order on AI outlines a series of concrete actions and initiatives. These include:

1. Establishing AI Governance Structures: Directing federal agencies to establish AI governance structures that align with the principles outlined in the order, including the designation of AI risk officers and the development of AI risk management policies.
2. Advancing Responsible AI Innovation: Promoting responsible AI innovation by funding research and development in AI safety, fairness, and explainability, as well as supporting the development of AI standards and best practices.
3. Protecting Federal Workers: Ensuring that AI systems used in the federal government are designed and deployed in a manner that protects the privacy, equity, and civil rights of federal workers.
4. Managing Risks from Government AI Uses: Establishing a framework for identifying, assessing, and managing risks associated with the use of AI in government decision-making, including the potential for bias, discrimination, and unintended consequences.

Promoting AI for Societal Benefit

While addressing the potential risks of AI is crucial, the Executive Order also recognizes the immense potential of AI to address societal challenges and improve human well-being. The order emphasizes the importance of:

1. Promoting AI for Public Benefit: Encouraging the development and use of AI to address public policy goals, such as improving healthcare, enhancing education, and protecting the environment.
2. Fostering an AI Talent Ecosystem: Investing in programs to develop the AI skills and expertise needed to support the responsible development and use of AI in the United States.
3. Promoting AI Innovation and Competition: Fostering a competitive and innovative AI ecosystem in the United States that encourages the development of groundbreaking AI technologies.
4. Advancing American Leadership in Global AI: Strengthening the United States’ leadership in global AI governance, promoting international cooperation, and ensuring that AI is developed and used in a manner that aligns with democratic values and human rights.

A Roadmap for Responsible AI Development

The Biden Administration’s Executive Order on Artificial Intelligence marks a significant step towards ensuring that AI is developed and used in a manner that aligns with the principles of safety, reliability, equity, and public trust. By establishing a clear framework for AI governance, promoting responsible AI innovation, and fostering an AI talent ecosystem, the order lays the foundation for a future where AI can be harnessed for the benefit of society while mitigating potential risks.

As AI continues to evolve, the implementation of this order will be crucial in navigating the complexities of this transformative technology and ensuring that AI is a force for good in the world.  

Joseph McCafferty is editor & publisher of Compliance Chief 360°.

The post Unpacking the Biden Executive Order on AI appeared first on Compliance Chief 360.