In today’s fast-paced digital world, technology isn’t just transforming businesses – it’s redefining how we work, connect, and make decisions. Among the most exciting and transformative advancements is AI, reshaping industries and fueling growth. But as AI – especially generative AI – becomes a vital part of business, it introduces new risks, making robust IT governance essential for secure, responsible adoption.
AI is often hailed as a game changer, automating tasks and uncovering insights that once took hours. From customer service to predictive analytics, it has the power to make organisations smarter and more efficient. Yet, without a robust governance framework, AI can pose risks, such as data leaks and regulatory non-compliance, that may impact operations and reputation.
Consider generative AI tools like ChatGPT: They streamline tasks, but when employees share sensitive data with these tools, they may unintentionally expose confidential information. For example, an employee using an AI to refine internal documents, unaware that proprietary information might be retained by the AI, risks data loss or a data breach. Without proactive policies, this valuable information could be vulnerable.
Additionally, the integrity of the information produced cannot always be verified. AI tools may pull data from unknown sources, which compromises the integrity of their outputs and potentially infringes on intellectual property. Hence, organisations must be cognisant of the implications of using these tools and ensure comprehensive risk assessments are conducted before adopting them.
Putting policy first: Building a safer digital future
The first line of defence? A solid, thoughtful policy on AI and data use. For organisations, this means creating clear, straightforward guidelines on handling information – what’s public, what’s restricted, and what’s confidential. Employees need to be trained to handle sensitive information effectively, helping to keep data secure and prevent accidental exposure.
2023 was a breakout year for generative AI, with businesses increasingly using it to speed up processes and make decisions faster. Some have already adopted policies around AI use, while many others are still playing catch-up.
Singapore is setting a high bar with initiatives like the Model AI Governance Framework for Generative AI, driven by the AI Verify Foundation and IMDA. Launched in May 2024, this framework represents Singapore’s dedication to responsible AI, balancing innovation with risk management – a comprehensive and robust standard backed by both local and global industry leaders.
Beyond policy: Leveraging technology for data security
Policies are important, but they are not enough to ensure data security. Technology tools like data loss prevention (DLP) solutions add a crucial layer of protection by actively monitoring data flows, preventing unauthorised access, and ensuring compliance with regulatory standards.
For example, DLP tools help organisations control data exposure by blocking sensitive information from being accidentally or maliciously shared outside the organisation. This is especially critical in the event of cyber incidents, where the risk of data loss or corruption sharply increases. For instance, the recent NHS cyberattack in June highlighted these vulnerabilities.
In addition to DLP, several other technology tools can bolster data security and IT governance. Microsoft Office 365 (M365) provides features that help manage specific risks. For example, M365 policies can block access to sensitive content, automatically encrypt documents, or notify users if content is saved to the wrong location. Organisations must classify what data is sensitive — such as confidential agreements, management procedures, or trading practices — and determine who can access it and how it leaves the organisation. Is it shared through email, removable disks, or USB ports? What if it’s shared with generative AI tools like ChatGPT?
Endpoint detection and response (EDR) solutions also play a key role by continuously monitoring endpoints, such as laptops and mobile devices, to detect and respond to threats in real time. Together with a cybersecurity incident response playbook, EDR helps detect cyberattacks before they escalate, offering a proactive layer of defence against data breaches.
Managed detection and response (MDR) solutions, including AI-powered MDR services, monitor and analyse data from multiple sources across an organisation’s network to identify and respond to potential threats. These services leverage AI to quickly recognise patterns suggesting a security breach, enabling pre-emptive action to safeguard data and reputation.
Other tools to consider include encryption software, mobile device management (MDM) solutions, threat hunting, firewalls, intrusion detection systems (IDS), and access control solutions.
In Singapore, compliance with data protection laws, such as those set by the Personal Data Protection Commission, is mandatory. In industries like financial services and healthcare, additional standards must be met, making a comprehensive approach to data security essential.
However, despite the importance of IT governance, many organisations still lack basic cybersecurity frameworks. Basic practices such as regular software updates, data backups, and following frameworks like Cyber Essentials offer foundational protection. With AI-powered MDR continuously monitoring systems for potential threats and taking pre-emptive action, these measures are more critical than ever for safeguarding data and reputation.
AI governance: A work in progress
While cybersecurity frameworks have matured, AI governance is still finding its footing. Established frameworks are few, leaving organisations to rely on guidelines that are more advisory than authoritative. Singapore’s new Model AI Governance Framework is an important and promising foundation that encourages businesses to balance AI innovation with security. Although this framework is still evolving, it is a crucial step toward structured AI governance.
As technology continues to evolve at breakneck speed, organisations must take a proactive approach to IT governance. Regular health checks on IT systems, strong policies, and a cybersecurity-focused culture are essential for staying resilient and ready to thrive in a digital era. And as AI becomes a bigger part of our lives, its governance will be a critical piece of the puzzle.