Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Is AI an Intelligent Option in Security and Compliance Software?
Quick Take
On this episode of Compliance Unfiltered, the CU guys tackle the challenging discussion of A.I. and its role in Security and Compliance Arena.
Not only does Adam tee up this fast-moving topic for the listeners, but he also makes the important distinction between A.I. and Automated Intelligence.
Finally, the CU guys will cover those tough topics organizations should be asking about the A.I. Systems out there in the security and compliance marketplace. Answers to all this questions and more on this week’s Compliance Unfiltered!
Read Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin. Well, welcome in to another edition of Compliance Unfiltered.
I’m Todd Coshow alongside the sous -chef to your compliance feast, Mr. Adam Goslin. How the heck are you, sir? I am doing fantabulous today, Todd. How about yourself? Man, I cannot complain. Hard to beat fantabulous, but we’re going to give it a shot, as today we’re going to have a conversation about whether or not AI is an intelligent option in the security and compliance software space. Now, artificial intelligence, AI, is dominating headlines all over the place. So tee this one up for us, Adam. Well,
For about the last 18 months or so, and it continues to gain steam, artificial intelligence has just been, it seems like a never -ending stream of wonderment about artificial intelligence in all of the hype and hysteria that’s going on. There’s an increasing tendency for companies to label their software as leveraging AI when it really isn’t. I’ve seen it across a broad scope of software platforms and compliance management systems aren’t any exception. So it’s important for users to… You know question whether you know compliance management systems are truly leveraging AI or not Because the you know the implications have the capability to be significant which we’ll chat through here today.
Well, what’s the difference between AI and like automated intelligence? Well, if I if I go in and I click on a button and the system automates some task, right? It’s not AI Despite all of the freaking it actually drives me somewhat nuts Some of the some of the BS that’s out there right now Is it that’s not AI?
I don’t want to tell you, you know, there’s a big difference between artificial intelligence and what TCT would call automated intelligence and actually I need to give props to James on our team who was kind of coin that expression as we were kind of collectively talking through the whole, you know, it’s not really AI, you know, type of thing. What do we want to call it, you know, and he was the one that coined it, at least within the TCT realm is automated intelligence. Yeah, exactly. So artificial intelligence really means it’s a system or a program that it’s thinking for itself, it’s making decisions in an autonomous fashion, has the capability to learn. You know, there’s a huge difference between that and something that I coded to perform a step or a series of steps based on, you know, certain inputs or whatever it may be, whatever built in logic, you know, it doesn’t matter how complex that the task may appear. But if it’s just, you know, if then else, you know, style coding, you know, then it’s not artificial intelligence. You know, if we were to call that kind of technology AI, well, then shit, the TCT portal had artificial intelligence back in 2015 when we launched.
I mean, you know, the that’s the part that it’s that’s the part that just drives me crazy is that, you know, we built the system, we built it to improve efficiency, eliminate waste, optimize time and take the best advantage we could of automation. And we’ve been delivering that since 2015. You know, but we used automated intelligence, not artificial intelligence to do it. You know, the portal can perform functions, anticipate actions based on parameters and values within the system, but it doesn’t mean that it’s artificial intelligence.
It’s all coded, you know. Some of these compliance management systems will they’re performing tasks on behalf of the users, such as analyzing or summarizing the current state of the engagement. They will come in. It’s artificial intelligence, you know, It’s just coding. I don’t know what to tell people. Other systems provide a pre -configured guide that walks you through a set of tasks and tell you what’s done and what still needs to be done. That’s automation, not artificial intelligence. Artificial intelligence exists when the system has that built -in capability to make independent decisions. For example, maybe a log inspection system that’s observing patterns it’s never seen before and somehow making the call as to whether or not this particular logging pattern is something that we should notice as informational or should it be a critical alert, that type of thing. There are systems that are using true artificial intelligence for doing dispensation of these various long entries. That exists out there, but it is a murky, murky world out there in the AI space, shall we say.
It certainly sounds that way. What kind of question should folks ask about AI systems? There’s a lot of questions that you should get asked. There are more than a handful of snake oil salespeople in the compliance management marketplace that are lauding their AI wonderment. It behooves the organization that’s noggin -thought through this thing, asking the vendors some questions rather than just taking their word for it. The system is using artificial intelligence. Is it really artificial intelligence, or is it just program coding?
Start by taking a look at what is the software actually doing. Is it making real -time, intelligent, autonomous decisions without human input, or is it just running through a series of rules and coded if -then -else’s, etc. It’s relatively straightforward to be able to tell the difference. If you’re walking in with the right mindset to evaluate the vendor’s claims, what I’m seeing a lot out there is that somebody splashes AI into the mix, and everybody just goes, ooh, it’s got AI, and they don’t ask any questions. They just take it for granted, all this thing’s using AI, this is wonderful, type of deal. If the criteria is simply that something has been done, something’s been attached here, so now we can assume it’s good and move it forward, again, we’re in that automated intelligence.
If you’re sitting there and you’ve asked the right questions and you have the right headspace as you’re walking into it, etc., and if they’re really using artificial intelligence, that should open up a myriad of follow -up questions that should come into play.
You know, not the least of which is, you know, has this vendor, you know, are they using a closed system, aka the information, the data, you know, and whatnot, they’re not being, you know, kind of indirectly exposed to other systems. You know, unfortunately, there have been a number of artificial intelligence system breaches that exposed customer sensitive data, including usernames, passwords. I wondered about that. plus whatever else that they may have had in there. There was a big one. It was a cutout pro that had about 20 million accounts that got breached. That’s just a user account side of it. When we were talking about whatever information was being submitted into the AI system, I’d also heard, who the fuck was it? I think it was Google, had some type of lawsuit coming into play where they were being accused of leveraging Google and Facebook. It was one of the two. One of these big players was using information and data without the user’s knowledge or consent and feeding it into AI engines to try to use it as a training tool, if you will.
There’s a lot of interesting things going on out there in the marketplace, but it’s critical for organizations to know exactly how secure is this AI system and where do vulnerabilities lie. It’s important to know, is this AI system self -contained? Are they connecting to external third party systems? Is this an instance where the AI engine is really just a front for leveraging six other AI engines? It’s not really an AI solution. It’s just a front for using what other people have done.
What external systems will have access to the data you’re feeding into the AI engine itself? Which of those systems will have access to which data? It’s all a tangled web, and not the least, which is… Did they go through and go up against some form of a security and compliance standard that you know that that surrounds you know these you know that these leveraging of artificial intelligence you know and make sure that the platform is actually put an eye towards security you know who did you know who did their security assessment and how did they do it what did that assessment include you know what were the results in findings you know how do how are they confirming the boundary lines of the you know kind of the of the system and its connectivity you know what security controls you know did you know did that organization put into place that you know that they that they bolted in we’ve got a big enough problem with it’s it always seems like it’s the, the I don’t know I’ll call it the cutting edge Cowboys out there right you know back in the day you know as mobile applications were really starting to take form and you know web based applications were kind of starting to blossom if you will you know the, the web based applications started getting more and more and more secure the mobile app the new mobile applications was like the Wild West right there were you know you could you could drive Mac trucks through security and many of these you know many of these applications I have the same feel about a lot of the stuff happening in the AI space because again it’s the Wild West out there as they’re going through the you know going through this process and people are just trying to whip something up that has the letters AI involved and of course everybody just starts drooling you know you know so you know in the security and compliance space I mean you are dealing with some of the most sensitive technical information about an organization you know the information that a compliance management platform is exposed to it is literally the keys to the kingdom for you know for me bad actors.
Have you messed around with like chat GPT? So when you get onto their page and you start pumping things into the go ask chat GPT question, it’s really clearly calling out that under no circumstances do they want any sharing of sensitive data with the platform. Why? Well, they know there’s danger in sharing sensitive information with it. They’re trying to mitigate their security ripple impacts and implications of people submitting things that are super, super sensitive to it.
The other part that I would say about some of the AI style engines is that keep in mind they’re machines. My experience so far is they’re not. Terribly intelligent machines yet. Um, you know, so uh, you know, they’re gonna get they’re gonna salute and go try to do what you told them to do So just for kicks and giggles as an example. I, I went on to chat bot And I told jet chat bot that I wanted it to write a congratulatory letter to um, you know to the owner of a baboon that we had taught to play professional soccer And hey, you know what it did? It’s saluted And it produced the you know, they produce the output, you know You know, so it was uh, it’s kind of I think that in the grand scheme of things Yes, there’s a lot of hoopla about it, but it’s, it’s in its infancies and you know as a consumer of a security and compliance Uh a tool Um, you better be expecting the highest levels of security and compliance from your tooling vendor That’s uh, you know that is asking you to basically load up the keys to the kingdom into it
Yeah, no doubt about that now parting thoughts and shots for the folks this week specifically actually Adam Talk to me about TCT portal Well, uh, this this may not surprise anybody based on you know, kind of what I’ve been saying in this uh, In this in this particular episode, but as of this second, you know, TCT doesn’t have any near -term intention to leverage true ai um, you know, uh True ai of sharing our customers evidence with third -party ai systems anything along those lines. Um, you know the, the Instead TCT portal We have an absolute Ton of automated intelligence that we’ve had, you know built into the platform Um that can be transformative for organizations in terms of their approach, structure, the amount of time that they spend on engagement. This software can fundamentally change a company’s security and compliance world. Since 2015, we’ve remained very client focused on features and functions that we develop regularly. Our clients are telling us what things they want to see to be able to make the TCT portal better. We actually listen. We then turn around and incorporate those requests into our development path, etc. When it comes to artificial intelligence, we continue to openly take our users’ feedback and their desires seriously. I think as artificial intelligence evolves, continues to push into new boundaries, etc., we’ll continue to keep an eye on the development.
At some point in the game, the capabilities of AI as a tool that can be both safe and appropriate to leverage in the TCT portal will come about, I’m sure, at some point in the game. But until then, we’re going to continue to prioritize the security of our customers and their clients’ data, keep our focus squarely in the automated intelligence arena. The reality is that TCT is not willing to roll the dice with any of our clients’ security and compliance. Not right there. That’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered.
I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
