VanRein Compliance Podcast

Why Your Business Needs An AI Policy Before Chasing Certifications

Rob & Dawn Van Buskirk

We compare NIST AI RMF and ISO 42001, explain why AI audits matter, and share practical steps to build trust with customers, regulators, and insurers. We lay out a simple path: write policies, assess risk, and choose the right level of assurance.

• everyday AI use cases and core risks
• why audits reveal bias, privacy gaps, and weak training
• EU AI Act context and US landscape
• NIST AI RMF governance, map, measure, manage
• ISO 42001 as a certifiable AI management system
• policy and procedure essentials for safe AI use
• vendor due diligence and trust centers
• competitive advantage through frameworks and certification
• stepwise path from policy to assessment to certification

Email us at hello@vancompliance.com or drop a question in the comments so we can help you choose the right path and get your AI program audit-ready.




Rob:

Hello and welcome back to the VanRein Compliance Podcast with your host, Rob.

Dawn:

And I'm Dawn.

Rob:

Hey, Dawn. We are here this week to deep dive into the world of compliance, cybersecurity, and the evolving technology landscapes. Isn't that right?

Dawn:

Ooh, yes, that is right.

Rob:

Yeah, you're more excited than that, right?

Dawn:

Yes.

Rob:

Yes, folks.

Dawn:

Of course I. Compliance is very exciting. We make it exciting.

Rob:

It is. It's fun. It's exciting. Well, this week, what are we going to dive into? What's the special topic?

Dawn:

AI. You may have heard of it. I'm not sure if you have. But why AI matters and how NIST AI compares to ISO 42001.

Rob:

Yeah. We're getting a lot of questions about this. Yes, we are. What are the two differences? We're going to break each of these down for you this week so that you can make an informed decision on what you want for your business or for your organization. So whether you're a tech founder, a compliance professional, or someone trying to just future-proof your business or understand what's going on in the AI industry, this episode is for you guys. So let's go ahead and get going, shall we, Dawn?

Dawn:

Let's do it.

Rob:

All right. Well, first of all, we have to kind of set the stage, right? This is kind of take a step back to that 30,000-foot level and take a look down and see what's going on. Because AI is no longer emerging technology. It's out there, it's around, it's in everything we do, everything is trying to use it. And it's deeply embedded in how businesses operate, everything from service bots to answering phones to clinical decisions to financial fraud detectors and all of that. You know, our phones try to write messages in AI and it's always bad. Then Alexa tries to order dog food all the time, but I think that's a different AI. What other areas do you see AI in your world?

Dawn:

Oh, just writing a document, writing a Google Doc. There's Gemini right there: hey, let me help you. It's really in everything. It's in the Delta app, you know, the servicing. It's on websites, a bot, a chatbot. It'll say, do you want to talk to a bot or do you want to talk to a person? And they give you the option now. So this is something we all live with now.

Rob:

Yep, it is. But there's four key areas that we need to focus on: bias, security vulnerabilities, privacy breaches, and compliance violations. What I'm finding is, and I have been to a couple AI conferences lately, it is the new hot topic, as we all know. It is the Wild West, as we all know. But the problem with that is there's really no governance, there's no guardrails. So even in organizations, what happens is some execs will say, oh, I need this. I saw this while I was flying. I talked to a friend that they're doing this or something of that nature. And what we've noticed is that nobody has a good idea on what to do for security and actual compliance. Now, some of the larger folks, you've mentioned the Geminis and obviously the Googles and the Microsofts, the Amazons, there's Dialpad, there's Deep, there's some others out there that have actually done really well and they've dove into compliance, but the majority of folks aren't. So today we're gonna unlock that AI can create regulatory, reputational, and financial disasters for your business. We don't want the disasters, those are the bad things. That's what we're trying to make sure we don't have. So the two areas that we're gonna focus on this week are the NIST AI RMF and the ISO 42001. So let's first start with AI auditing. So, Dawn, since you're our certified internal ISO auditor, why don't you go ahead and show us what is AI auditing and why does it matter?

Dawn:

Well, it's basically a health check for your AI systems. It evaluates whether your AI is operating ethically, securely, fairly, and in compliance with the standards and regulations of your business. It's gonna look at lots of different pieces of that. Your security posture, your AI's decision making. Your personal data, the data that you have that you're utilizing the AI for, is it protected in that AI bot, application, whatever you want to call it? And monitoring: is it monitoring issues happening in the AI app or that type of thing? And then the quality. Has it actually been trained? Can it actually answer questions? How many of you, and I'm gonna raise my hand, okay, have asked a bot something and it says, I'm sorry, I can't answer that, I don't know what you're talking about? And you keep doing it and doing it, and it just keeps saying the same thing. That's because that AI bot was not trained. Probably a company, and I can't remember which company it was, just threw it out there thinking, we've got one out there. Well, you have to train it. You want it to have FAQs that are pertinent to your business. And if you just throw something out there and it can't answer a simple question, then that's not good, obviously. But really the AI auditing is more for the privacy and security: making sure that it is a secure application and that it is trustworthy as far as obviously what it's shooting back to you, and that the information you put in there is staying secure.

Rob:

Yeah, and trustworthiness is key, because at a couple of conferences I've been to, I'll talk to people about their compliance postures and they'll try to go to their website and they don't have an ISO or a SOC or NIST AI or anything, or even a HITRUST. They're just, sure, whatever. And what's going on is your clients, your partners, your investors, regulatory, regulatories, regulators. There we go. They're the ones that want to make sure that you're actually following the law, right? You're actually doing the best you can to create a great AI experience, but also being secure with the data. And don't just throw something into the process thinking that this is going to fix everything. You need to vet the AI. You need to dive in deeper and make sure it is a world-class solution for the problem that you're trying to solve. Those are the big areas.

Dawn:

And we also have to take a step back because last year we forgot to mention, you kind of briefly mentioned it, the EU AI Act.

unknown:

Oh, yeah.

Dawn:

And it's the world's first comprehensive legal framework for regulating AI. Of course, the EU is typically first in all this. I mean, GDPR is very refined, it's a very good set of laws around that framework. 27001 and all the ISO standards are European standards and regulated through those standards. You know, this was enforced just late last year. And this has been really good. We've got some EU customers that already adhere to it. But this is something that the United States does not have yet. There are a lot of things that have been written and discussed, but nothing is law yet. And so that's why each state has taken it upon itself to do different kinds of laws. But I have not seen a state that's done an AI one. They're more privacy laws and that type of thing. So this is something that we'll keep tabs on and see if our federal government issues something like this. But in the meantime, if you do handle EU resident data and you have AI, you're an AI company or you use AI, this is something you'll want to look at as well as obviously GDPR. So I just wanted to bring that up really quick as well.

Rob:

That's a good point. That's a very good point. Now, what we do have here in the States is the NIST AI RMF framework. So the biggest thing right off the bat is there are two standards, one certifiable and one a framework. So the first one is our own NIST AI RMF, which is a framework. We're gonna go through that, and then ISO 42001, which is the only AI certification. And that did come out of the regulatory need. The regulatory frameworks came out of the EU for the June 1st AI framework requirement this year. So, first up, the NIST AI RMF is published by NIST. Now, for the people that don't know NIST, it's the National Institute of Standards and Technology. That's the key. This is voluntary, it is not a certification, right? It is not a law, but it is a framework that we use to audit and you can use to actually make good, solid business decisions, which is key. It focuses on governance, map, measure, and manage AI risk. These are the four frameworks, if you will, within this AI RMF. And this is what we use to audit, because we do perform AI audits for clients that decide, hey, we want to bring AI into the environment. What do we need to do? What do we need to focus on? What is the risk to the rest of my business? Where is the data housed? Where is it processed? All of those natures. We really focus more on the risk management: identifying, assessing, and mitigating AI risk. Like, what is it going to do to the environment? You know, like when you do a remodel to a home or anything of that nature, what's it gonna look like? If I tear this wall down, is there plumbing in there? Are there electrical outlets and stuff we got to do? Those are things and changes to your business. And it's really just a great internal improvement, especially for US-based companies.
So this is a great way to get going. Once again, it's not a certification, which Dawn, you're gonna chat about ISO 42001 here in a second, but it is a great framework that we can actually audit against and get you secure and dialed in. Yep. Now, what about ISO?

Dawn:

And the ISO 42001, that is a standard, it's a certifiable standard. And this is focused on building a full AI management system across the organization. So it's gonna emphasize governance, accountability, transparency, and continuous improvement. And this is for companies that obviously want something certified and want formal proof of utilizing AI. So you want to be certified, hold that certification there. So you can do either. We can provide either. We would do the readiness for the 42001 and then have our external auditor do their piece and then put that certification stamp of approval on that if you pass. And then the NIST AI RMF, that is something that we can do. And a lot of times clients start with that because it's a framework, so it kind of gives them the idea so they can figure out what best practices based on it are and get things set, and then you can move into ISO 42001 or whichever you want to do, but you can do either. But yes, there is a big difference. One is a certification, one is just a framework. You know, we adhere to these best practices, that's great. But if someone asks you if you're certified, you can't say you are unless you have the 42001.

Rob:

You can say you've been audited against, right, or comply with these NIST standards and ISOs and actual certifications. So it depends on where you want your business to be and if you have investors or clients that require certification or just require evidence that you comply with the NIST. Those are the two differences.

Dawn:

The other thing I want to touch on is policies and procedures. And also if you're not ready, you're like, whoa, AI, I've just started to use it in my organization. The best thing you can do out the door, and we've done this for a number of clients already, is create AI policies around how you use it. So do you let your staff use it? Is it just a C-level management type of thing? What are you using it for? We do have some clinics that are actually toying with using ambient listening AI. Those are crazy. Those are the HIPAA compliant, really expensive ones, because ePHI is flowing through there. Obviously, ChatGPT, if you're gonna use that, you never put any PII or ePHI in there. It is pretty much just, hey, help me write an email, help me do some research, that type of thing. But it's always best practice for a business or organization to say how they are gonna use whatever AI, Claude, ChatGPT, Gemini, whatever, and to have it in a document, a policy, a procedure. So then the staff also knows: can they use it, can they not, what can they use it for, what can't they use it for? So it's a very good idea to set those standards, those guardrails with your organization, because people will go crazy with it. And we want to make sure that they're utilizing it correctly and how you want them to use it.

Rob:

Yeah, and really, to look at both of these, NIST is more flexible, right? Where ISO is extremely rigid. And you've done numerous ISO 27001 audits here, Dawn. And I've been involved as well. But your name has to go on the paperwork because you're the lead auditor and you're certified. So what that really brings is structure and a perspective into the environment, and it's a huge competitive advantage differentiator to have that 42001 certification. Personally, I would just go right to 42001. But hey, if you're small, you're just starting out, at least start with the NIST pieces. Yep. So let's talk about some of the best practices, and I'm gonna go back to the HIPAA a little bit because everything always goes back to the HIPAA because that's what I stand on, right? You're fun and fancy with the ISOs and the SOCs and stuff, you know. I'll be hanging over here with the healthcare geeks with me, right? I'd recommend do both. Seriously, start with the NIST AI RMF and mature your internal practices. So, what we do a lot of now is we do a HIPAA plus SOC2. Or we've got a couple clients, we'll do HIPAA plus ISO. So HIPAA is also based off of NIST standards, and then what that does is it gives you a foundation of auditing, it gives you a foundation of policies and procedures and training and all that. And then you build on top of that your ISO or your SOCs, and people start to mature their organization so they know what to expect and how to do things, and then build towards that 42001 external certification and validation, because it is an investment, time and money. The people that complain about it either had the money and not the time, or vice versa. They had the time and not the money. So you have to commit that.

Dawn:

So yep. And you might as well start now. If you're using AI, you might as well start. Let's do an assessment, let's see where you're at, let's see what pieces you're missing, because it's only gonna get more. It's only gonna be utilized more and more, and it's gonna be integrated in all the software you use, whether you want it or not. It's there. Yeah, I mean, you see it. It's like anything you use. Oh, here's an AI, here's this. I mean, even our accounting software, it's in there too. So you might as well just get started. You're gonna use it, let's just start. And you can contact us. We're happy to add that on to your suite of compliance services, if you will, and happy to help you navigate the setup and what best practices need to be instilled in your organization.

Rob:

Yeah. Yep, those are some key pieces. And how that overlays, how it maps everything out, which is important. Now, we know things are moving fast, things are gonna continue to go fast, but here's kind of some of the things that I'm seeing in the space, and I know Dawn you may see the same, or see things differently, maybe. It is really regulatories or regulatory. I did it again. I said regulatories. Regulators. Regulatories. Regulators, okay. There we go. They're gonna demand it. Your insurance companies are going to demand a certification or framework. Your clients, most importantly, are gonna demand, what are you doing? They're gonna demand, I need evidence of proof that you're protecting that data, not that you're thinking about it. Do you have a certification, or have you been verified or audited against that NIST AI RMF standard, which is really key. And the other thing too here is just the brand trust. Brand is big, it's big with us here at VanRein, but your business is your brand. It's been built. Yeah. And you have an expectation to maintain that and to be solid and have integrity on how you handle your clients' data.

Dawn:

So the other thing too is to remember that AI is something that we just have to live with. I mean, it's kind of like we all live with our phones now. It's something that's there, it's not going away. But we also need to be cautious. There's a lot of different AIs out there. I know there's a lot of different AIs out there. We need to check, double check.

Rob:

Yep.

Dawn:

Remember, if y'all remember a year ago, I think ChatGPT is like a year old, maybe a little older than that.

Rob:

It's older than that.

Dawn:

Remember initially, it had a disclaimer on it that said it was only good up to like 2021 or something like that, with certain types of current events. So we have to remember that these chatbots are learning as well. They're still learning. And so it's amazing to see them evolve, but we also have to be careful. So I wouldn't just use one, I would have a couple if you're using it as a resource. There's Claude out there, but there's a whole bunch. And even in ChatGPT, there's a million different ChatGPTs and different things it'll do for you. It creates images. I mean, there's so much it can do, and it starts learning when you're asking it questions. It starts learning about you. I think, Rob, you did a test the other day. You went into ChatGPT and asked, like, tell me about myself or something, and it spewed out all this stuff. And you're, you know, CEO of VanRein. I mean, it was kind of creepy, actually. Creepy. I say it. I guess it's smart and creepy. Creepy smart? Creepy smart. But you know, and then there's things like Grok in X, you can have conversations with, and that one actually is creepier, I think, because it'll have conversations with you, and it's crazy what's out there right now. So again, be mindful of what you're using, what information you're giving it, but also double check it. Double check it, double check, you know, is it saying the right thing? Don't just take its word for it. And they're definitely getting smarter, which is kind of scary, but kind of fun too. Scary and creepy. No.

Rob:

Scary and creepy. There's there's Dawn's words of wisdom.

Dawn:

Yeah, don't sum that now. That's not my sum of the app. Yeah. It's a very good resource, though. It's very helpful. Yeah.

Rob:

It is. And it'll continue to get smarter. Like you just mentioned, it's gotten smarter. They actually expanded the memory so it remembers more about who you are and what you've asked it, and it'll start putting together responses from what it knows about you. And then you could even do pictures and all kinds of random stuff. You could turn people into pirates, all kinds of fun things, craziness. But to bring it back, really focus on what are the competitive advantages. Right now I would say either one of them is a competitive advantage, NIST AI RMF or the ISO 42001. So I would first start with the NIST because it is less time consuming and it also is less cost to just get something going, and then say, now I'm ready for the ISO. Now I'm ready to take that next step. And our auditors can take you through both of those and see which one gives you the best competitive advantage. Because just like SOC and 27001 and HITRUST and everything else, having a certain certification, I said that today to like regulatories, right? Having a certification really is going to set you apart. And it's really going to make you very valuable in the market and in the space. And it's going to come to a point, I guarantee in the next couple of years, that if you don't have a certification, you're going to lose probably about 30% more business or 40% more business. Because nobody's going to do business with you if you don't have the right frameworks in place.

unknown:

Yep.

Dawn:

There was a key. It's all trustworthiness. And as you can see, a lot of the big players have a trust center at the bottom of their page. If you scroll way down to the footer of any Zoom, I mean any of the big players, you're going to see trust centers and you're going to see they will lay out all the certifications that they have, and that is becoming very important. And also when you're doing an ISO or SOC2 audit, your vendors need to be also; we need to know their certifications. So it's going down all the lines. It's not just you yourself, but you're using vendor XYZ, what certifications do they have? Because your data is flowing through them. So it's all about, we just got to look at everything here and make sure that you're always working with vendors that are trustworthy. But this is going to be something, yes, that Rob's right, that we're going to start seeing, people having these additional certifications as AI gets bigger and bigger.

Rob:

Yep. Nope, that's what we're seeing. So what are some takeaways, Dawn, for the listeners? What can they take back to their organizations? What are the first things they need to do?

Dawn:

Well, the first thing, if you are using AI, whatever AI it is, identify how you're using it and create a policy and procedure around it for your staff, for your team, for your whole business. Is it just part, is it just a departmental thing? Make sure everyone knows how they can use it and how they cannot use it. So that would be the first thing: policy and procedure on your AI bot software, whatever you're using it for. The second thing is if you're using a lot of it and you're kind of unsure about it, with the information, and you're kind of unsure how to do it, you've got an AI bot on your website, you've got different things going on, then let's do a NIST AI framework audit for you. Yep. Then after that, if you're like, whoa, I'm really using a lot of AI, I really need this to be a concrete certification, then let's go to the 42001. So you do have steps, but I would start with policy and procedure. What are you using? Let's get some policy and procedure around it to identify how you're using it, what information's flowing through it.

Rob:

So bingo, there you go, that's it. And we're happy to help. We're here to help. I mean, if there's any questions you have, you can obviously email us at hello@vancompliance.com or put it in the comments section and we'll just have a conversation. That'd be great. Absolutely. And if there's anyone that you know that's diving into the AI world or trying to figure out how they are going to be secure and compliant, share this podcast too. And you know, we grow when you grow. So we're excited to just get the information out there for people to learn and go from there. All right, Dawn, I think that's the pod this week. I think we are AI'd out.

Dawn:

That's it.

Rob:

Alrighty, well, until next week, this is Rob.

Dawn:

And this is Dawn.

Rob:

Alrighty, we'll see y'all next week. Bye bye, bye.