AI can strengthen business capabilities, but it can also amplify key issues and potential risks.
For executives, the question is not whether to adopt AI, but how to govern it responsibly.
Organizations can innovate with confidence and embrace AI with a strategic governance framework.
In today’s digital-first world, data is no longer just a resource—it is a critical asset that fuels decision making, innovation and competitive advantage. Yet with this opportunity comes unprecedented risk. Artificial intelligence can supercharge business capabilities, but it also amplifies the consequences of poor data protection and quality, exposes organizations to complex cybersecurity threats, and creates ethical challenges that can affect brand reputation.
Our previous articles have emphasized the importance for boards and management teams to develop a shared holistic understanding of their business as an enterprise as a system (EAS): the interaction and dependency on a web of elements (applications, servers, databases, hosted solutions) and networks which comprise and enable every organization, including the people who operate them. Why? The EAS concept simplifies complex technical issues and puts them into a business context, enabling boards and management teams to get their arms around the digital risk/opportunity embodied in the AI, data and cybersecurity triad. EAS empowers boards and management teams to prioritize digital investments and understand their potential risks.
For executives, the question is not whether to embrace AI but how to govern it responsibly. With a unified approach to data, cybersecurity and AI governance, organizations can balance risk and opportunity, protect stakeholder trust, and establish long-term resilience. By developing a strategic governance framework that integrates these three critical areas, your organization can innovate with confidence.
Many enterprises adopt excellent individual governance frameworks for data, cybersecurity and AI. But in today’s digital landscape, this siloed approach is a liability. These domains are no longer independent. They are deeply interconnected, with each influencing the risks, opportunities and resilience of the others. An overarching framework is needed which identifies shared elements, informs governance and management cross-functionality, and helps the board and management contextualize the rapidly evolving complex world of digital risk and opportunity.
The tables below illustrate this point by highlighting recent major changes in frameworks, policies and procedures for data and cybersecurity in a rapidly changing AI world.
Data governance:

| Category | Traditional governance (before AI) | Modern governance (after AI) |
| --- | --- | --- |
| Frameworks | Compliance-driven, focused on structured data (e.g., databases, the EU's General Data Protection Regulation/GDPR, the U.S.'s Health Insurance Portability and Accountability Act/HIPAA) | Purpose-driven, covering data provenance, quality and relevance for AI models |
| Policies | Static, designed to ensure regulatory compliance and data privacy | Dynamic and risk-based, addressing ethical use, fairness and transparency in AI |
| Procedures | Manual and rule-based, focused on access control and data lifecycle management | Automated, incorporating AI-driven data labeling, validation and anomaly detection |
| Management/governance roles | Siloed, with data managed by IT or the chief data officer | Cross-functional, including chief AI officers and boards focused on AI ethics and heightened risk perception |
Cybersecurity governance:

| Category | Traditional governance (before AI) | Modern governance (after AI) |
| --- | --- | --- |
| Frameworks | Defensive, perimeter-based, protecting networks and systems and centered on compliance standards (e.g., NIST CSF, ISO/IEC 27001) | Adaptive, covering AI-specific threats like data poisoning and model attacks |
| Policies | Rule-based, focused on access control, incident response and compliance | Adaptive, covering AI-specific threats like data poisoning and model attacks |
| Procedures | Periodic security audits, manual incident response and recovery plans | Continuous monitoring with AI-driven threat detection and automated response |
| Management/governance roles | Led by IT security (chief information security officer or chief information officer) with limited board involvement (board involvement primarily during audits or breach disclosures) | Expanded to include AI governance, with greater board oversight and cross-functional management |
Before rushing to deploy AI tools, executives must recognize that AI is not just another digital tool—it is a force multiplier that can amplify both success and failure. Unlike traditional software, which operates within predefined parameters, AI can learn, adapt and influence decisions at scale. If pre-AI digital tools are the nuts and bolts of today’s business operations, AI is a chainsaw.
Despite the eagerness to deploy AI applications, enterprises must first define their purpose and business alignment while rationing investments for optimal economic returns. Couple this process with an AI risk assessment which includes understanding AI’s potential impact on data (required under GDPR) and cybersecurity. It is of paramount importance to strive to understand the unintended consequences of the deployment of powerful AI tools.
The following four steps present a practical roadmap for how an enterprise might handle this process:
| Action | Steps | Considerations |
| --- | --- | --- |
| 1. Combine cybersecurity, AI and data governance into a unified digital risk framework | Management coordinates with the board and outside advisors to present a unified digital risk framework for board approval which integrates the three risk-triad elements | |
| 2. Conform data, cybersecurity and AI frameworks, policies and procedures | Management presents data, cybersecurity and AI frameworks for board approval; these conform with the unified digital-triad framework | |
| 3. Evaluate potential AI/data use cases | Management presents AI/data use case recommendations for board approval | |
| 4. Implement cross-functional management of the digital triad | Review authorities and responsibilities and make organizational changes to manage the intersection of the digital triad | |
From humble beginnings for the protection of personal data, the data protection and integrity field has evolved with AI and cybersecurity and become the third leg of the digital triad. As AI amplifies the scale and consequences of data use, and cybersecurity strives to keep pace, organizations must employ a unified approach to their governance structures, embed integrity by design, and adopt cross-functional management authorities and responsibilities for digital risk.
A unified digital risk/opportunity framework creates greater strategic visibility for boards and senior executives and improves coordination of enterprise actions across the digital triad. Enterprises that succeed in developing a holistic approach to the digital triad will not only be prepared to comply with evolving regulations but will earn the trust needed among all stakeholders to innovate responsibly in a data-driven world and make major strides on the path to enterprise resilience.