Global Security Forum

  • 1.  Fragmentation & Frameworks

    IBM Champion
    Posted Wed November 15, 2023 09:09 AM
    Edited by Weiyee In Wed November 15, 2023 09:13 AM

    After speaking on stage with @David Kliemann (at the Fast Company Accelerate Conference in San Francisco - Nov 8) I was asked by three audience members (on three different occasions) about my thoughts on the AI Trust, Risk, and Security Management (AI TRiSM) framework.  I had read it in Gartner reports and had no idea how it would be pronounced as an acronym, and still do not because each person vocalized it in a different way.  AI TRiSM refers to a framework and set of practices designed to ensure the responsible and secure development, deployment, and use of artificial intelligence (AI) systems.  In many ways the principles and spirit of AI TRiSM are the same as the work that is being done in the IBM Financial Services Council with their AI Framework, and further points towards the importance of this genre of work.  With Executive Order 14110, "Safe, Secure, And Trustworthy Development and Use of Artificial Intelligence (AI)," signed by President Biden on October 30, 2023, and now the US Cybersecurity and Infrastructure Security Agency (CISA) announcing a roadmap and steps towards playing a "key role in addressing and managing risks at the nexus of AI, cybersecurity, and critical infrastructure" and ongoing efforts by NIST and DHS towards the same, we are officially at a precipice of domestic inconsistencies of standards.

    To make this more complicated there are looming potential conflicts and inconsistencies in AI and Security regulations between regions (US, EU, UK, China, Asia, Japan, etc.) that could make it difficult for global financial institutions to comply with multi-jurisdictional security, data privacy and data governance requirements. Details and interpretations of definitions of prohibited practices, risk classification frameworks, and required documentation/testing may also differ across regimes depending upon final legislation. As nothing happens in isolation, and too many interconnections and interdependencies ultimately impact businesses in a global digital economy, with the challenges over time of continued fragmentation of standards, regulations, and best practices, the security and governance requirements grow with an attack surface that becomes not only broader but also deeper with AI.  And alarmingly all of this is growing as a body of requirements and constraints without the proper taxonomy and risk classification work that is being done in the IBM Financial Services Council by @Aly Farooqui and Asif.



    ------------------------------
    Weiyee In
    ------------------------------



  • 2.  RE: Fragmentation & Frameworks

    IBM Champion
    Posted Wed November 15, 2023 06:14 PM

    @Weiyee In

    Your observation about the complexities and challenges in AI Trust, Risk, and Security Management is indeed insightful, particularly in light of the varying international regulations and standards.

    Introducing the concept of DORA (Digital Operational Resilience Act) into this conversation could provide a valuable perspective.


    DORA, primarily focused within the EU, aims to ensure that all participants in the financial system have the necessary safeguards and resilience against cyber threats. It's especially relevant in this context because it illustrates a proactive and comprehensive approach to digital operational resilience, something that is crucial in managing AI-related risks.


    The principles of DORA could serve as a template or inspiration for global financial institutions grappling with multi-jurisdictional security, data privacy, and governance requirements. Its emphasis on rigorous risk management, incident reporting, digital operational resilience testing, and third-party risk management aligns well with the goals of AI TRiSM. DORA's framework could potentially offer a more harmonized approach to AI governance and security, aiding in the reduction of the fragmentation of standards and regulations you've highlighted.


    Moreover, DORA's approach could be instrumental in establishing a common taxonomy and risk classification system, addressing one of the critical issues you mentioned regarding the lack of such frameworks in current AI TRiSM implementations. This standardization would not only facilitate compliance but also enhance the overall security posture of institutions operating in the AI space.


    This could be particularly beneficial in the financial sector, where cross-border operations are the norm, and the need for a consistent approach to AI governance and cybersecurity is increasingly paramount.



    ------------------------------
    Jose Arias
    Mainframe Security Specialist

    Mainframe Blog in Spanish: https://mainframeseguro.blogspot.com/
    ------------------------------



  • 3.  RE: Fragmentation & Frameworks

    IBM Champion
    Posted Thu November 16, 2023 06:39 AM
    Edited by Weiyee In Sun November 19, 2023 09:52 AM

    Thanks @Jose Arias CISSP, ITIL (btw your name is working now lol)

    I read the white paper @Anne Leslie posted - liked it very much and posted a comment there - just to be clear - I like the efforts that DORA is striving for (and personal bias because I come from EU banks - UBS and BNPP) so I am more familiar with EU efforts but similar to the challenges I brought up to ESMA and EU Parliament more than a decade ago (and as an old man I am watching history repeat itself) - we are already seeing in the global multi-national banks regulatory arbitrage and fragmentation of standards and best practices - DORA is a good proactive and comprehensive approach to digital operational resilience; its implementation and integration into workflows and policies and procedures in FIs is already causing several issues and risks, including technology and regulatory fragmentation.  From a global perspective other regions and countries are already working to develop their own regulations, creating the fragmentation and lack of harmonization.  The IT/tech debt, complexity (data and security risks) and Compliance burden, and resources applied to analysis and implementing various inconsistent regulations will undoubtedly impact efficiency of operations; just AU and IRP will be a nightmare.  So the unintended consequence, same as I pleaded to ESMA for MiFID a decade ago, will be an onerous impact on smaller and mid-sized FIs.  In a global and digitalized financial services world there needs to be international collaboration for common frameworks and standards - not just on resilience but also AI governance - and policy makers need to harmonize.



    ------------------------------
    Weiyee In
    ------------------------------