AI Program Management: Lessons from Infosec

Tom Papahronis

Strategic Advisor - eGroup Enabling Technologies

The eGroup Enabling Technologies team has spent a lot of time in the last few months helping clients prepare for and deploy Copilot for Microsoft 365 and other AI tools. Through this work, it has become clear that successfully adopting these tools, and getting full value from them, requires a new program management area that owns the strategy and operations of these technologies.

Interestingly, a great model for designing an AI program's requirements already exists in your organization: your information security program. The parallels are numerous, and I'll try to articulate the comparison here so you can leverage the structures and lessons learned in security not only to jumpstart an AI program, but also to gauge the level of effort (and budget) required to fully realize the value of AI tools to the organization.


Policies and Compliance

This is the starting point for both programs: the "rules of the road." Policies define acceptable use, operational requirements, and audit requirements, and they incorporate regulatory and framework obligations such as HIPAA, the NIST frameworks, and the CIS controls.

Organizational Oversight

Leaders need to define what they want from both programs. In the case of security, that means reducing risk to an acceptable level while supporting organizational initiatives. For AI, that means developing business cases that support the organization and driving the ROI. Senior management's support and ongoing involvement is critical for either of these programs to succeed. Establishing a Center of Excellence or a similar group to define success and drive adoption from the top is key.

Budget

This one should be obvious, but it is often more of a struggle than it should be. There are no silver bullets or shortcuts in security, and the same is true for AI. Dollars and time need to be allocated for expertise, tools, oversight, and holding people accountable for results. Security has far more mature products and practices to spend that budget on today, but AI will need the same level of attention to be successful. The CFO needs to be included early and often to get AI off the ground.

Ownership and Staffing

Just like security, AI needs an owner who is accountable for the program's success. Leaving this to an existing (and already overextended) IT group is a mistake. Again, like security, staff with dedicated time will be needed to develop expertise, implement tools, and manage their use (and their risks). CISOs exist for a reason, and the same technical depth will be required to bring well-managed AI solutions to life.

Configuration Management

Both programs need controls and capabilities that are aligned with policy and business needs, including standard, documented practices that are both auditable and flexible. Additionally, both areas are constantly in a state of flux (new features, new models, new threats), so keeping up with changes and with the state of the industry is paramount.

Data Governance

This topic is often the thorn in both programs' sides. From a security standpoint, Data Loss Prevention (DLP) prevents unwanted disclosure, retention policies reduce the amount of data at risk, and encryption protects the data you have. For AI, the same controls do double duty: retention policies trim the content the tool can draw on to what is still relevant (stale documents produce stale answers), encryption and access rights keep content from surfacing in responses to users who should not see it, and DLP again helps prevent disclosure, whether through unexpected AI behavior or through prompt-driven exfiltration attacks.

Monitoring and Response

For security, I hope this one is obvious by now. AI needs to be monitored just as closely. It is still a nascent technology, and its results aren't always predictable or consistent. It's critical to maintain organizational awareness of its strengths and weaknesses, both to guide its use and to build a continuous improvement process around it. Deploying and managing AI tools whose behavior can change from one release, or one prompt, to the next is both an art and a science, so staying a few steps ahead is important.

Hopefully this comparison gives you some insight into how to use your existing security program's framework to direct the enthusiasm for AI tools into actionable steps for onboarding and scaling their use intentionally. The management team may not be thrilled to hear that additional structure is needed to manage something that isn't very tangible yet, but they will be glad the structure is in place when the new benefits and challenges that AI brings have to be absorbed and scaled. As the ROI of these tools becomes apparent, that structure will let you move faster and be more responsive to the organization.


Interested in learning how to become more efficient with and manage an AI program? Contact our team today to learn more.

Last updated on April 30th, 2024 at 04:03 pm