
Navigating AI Governance with RexCommand

In this episode of FILED, host Anthony Woodward and RecordPoint’s very own Head of Product Joe Pearce discuss the launch of RecordPoint's new solution, RexCommand, a free tool to operationalize AI policy, enforce governance across the AI lifecycle, and prove compliance, all from one platform.

They explore the challenges and opportunities of AI adoption, the importance of having a robust AI policy, the challenges posed by shadow AI, and how RecordPoint’s new solution helps.

They also discuss:

00:00:02: Introduction to FILED and AI Governance

00:01:44: Launch of RexCommand

00:03:04: Challenges in AI Adoption

00:05:11: RexCommand's Role in AI Governance

00:09:47: Future of AI Governance and Compliance


Transcript

Anthony: Welcome to FILED, a monthly conversation for those at the convergence of data privacy, data security, data regulation, records, and governance. I'm Anthony Woodward, the CEO of RecordPoint, and with me today is our head of product, Joe Pearce. How are you, Joe?

Joe: Yeah, I'm doing great, Anthony. Always excited to be on and have just some great, you know, edge of industry conversations, so I’m definitely looking forward to today.

Anthony: And we are here to talk about one of my favorite topics that I know in a lot of our conversations day to day, your favorite topics, AI. You know, and probably more specifically AI governance, but I was listening to a podcast today and the great Dr. Russell Crowe was having a conversation with Scott Goop, the marketing folk, and Russell Crowe made what I thought was actually an awesome point: that AI is the existential but greatest economic impact of our time, and we should all be turning our attention to it. And you know, wasn't what I was expecting listening to Russell Crowe on a [00:01:00] podcast, but the zeitgeist and the reality of that statement is so true that AI is changing everything and, and there's so many issues to unpack. So, I’m really looking forward to today's conversation.

Joe: Yeah, absolutely. I mean, I completely unsanctioned non-verified research, but the other day I was analyzing companies in the public sector that have adopted AI versus those that haven't, and those that have adopted AI are moving about 1.5 points faster in growth than those that haven't. So, it's, it's creating a class system, even now when we're pretty early on in the adoption cycle.

Anthony: And look, this is more than just a regular FILED podcast. Today is our official launch of the RexCommand product. And look, this isn't just another product drop, this is a step towards how organizations are changing, how they interact with data, how they interact with records in our traditional domain. But how, how ultimately they become amazing corporate citizens in this challenging world of AI. And, and there's so many things there to unpack and understand and go through, but it is a really, I think, [00:02:00] momentous day for, for RecordPoint.

Joe: Yeah. I mean, we're, you know, about a year in the making here. We've talked with hundreds of folks that are dealing with all the, the toils and troubles and risk of AI. And, and we're looking to really jump into the market and release something in RexCommand that allows folks just to figure out where to get started. You know, 'cause that's the journey we're all on. And you know, we're very much, I personally embrace the, it's gonna take a community to get AI off the ground. And I'm really excited that RecordPoint is jumping both feet forward into becoming part of that community and helping to really drive us towards safe AI adoption so that we can have long-term AI use in our enterprises.

Anthony: Look, and it's a great point, but let's, let's step back a little bit. Let's rewind. You know, I'd love to probably talk to the audience about why we built RexCommand and look, we'll talk a little bit about what RexCommand is, but RexCommand is a free product for anybody to take advantage of to help them be AI ready, AI compliant, and AI safe. You know, for us, I think that the problem's being clear, organizations are [00:03:00] drowning in data. Cloud, on-premises collaboration, you name it. Information support across systems. We've been doing that for a long time with traditional governance. But what does RexCommand bring to that conversation and what was our driver around building it, Joe?

Joe: Yeah. So, early in the year, we launched our Rex Pipeline product, which is our data governance product for AI. So, we're able to connect to any data source out there structured, unstructured. Put good governance in the middle, have safe segmentation of data and any AI out, and we realize we're a little bit ahead of the market. Most folks are, they're not there. Most folks are, I need a policy, and I need an inventory of my AI. I need to know what shadow AI is used in my organization. And that's both from the, it's being integrated into basically every SaaS platform on the market that's out there, as well as folks are using AI in every corner of the organization. You know, marketing teams are building software now. This is a concept that didn't exist even six months ago using AI tools. And so how do we get to this point where [00:04:00] we can have safe rollouts of AI and still incorporate all of our privacy and our security, and then this deluge of AI regulation that's coming out of both industry and the governments around the world.

Anthony: Look, I guess what I describe that as, and I think you and I have talked about this is, and we heard it over and over again from folk, was they don't know what they don't know. And I think, you know, RexCommand, what we are trying to invest into and provide out to the market is an ability to really eliminate that blind spot. I mean, is that how you see it?

Joe: Yeah, exactly. So, I see AI right now as kind of a forest. Most enterprises are on the edge of a deep dark, and for some people scary, forest. Right behind them, they have their management team saying, go quickly into that forest, ignore all the scary monsters and whatever may be in there. And RexCommand is providing a safe path into that forest. It walks you through the ability to, how do we actually stand up a policy that will pass muster? What conversations do we need to have to make sure that we as an [00:05:00] organization are ready for AI? It walks you through ensuring that your organization gets properly trained. The training that goes to your engineering team is not the training that goes to your human resources team. And then it gets into the world of real shadow AI discovery, shadow data discovery. How do we build this in our continuous risk assessments into the workflows that we have today? And again, it services those things that we've, we've never done before. Like everyone's done privacy impact assessments at this point, but who has ever done a bias and fairness assessment against anything? What is bias in your organization? These are the sort of conversations that RexCommand leads you through so that you can incorporate them, not just point in time, but continuously throughout your organization. And then on the flip side, as you do discover this new AI risk with all these new security and privacy and compliance vectors that come out of it, how do we handle those? How do we overcome those? 'Cause I think the worst situation enterprise could be in is they're having success with AI, but then all of a sudden regulations or laws come into place. [00:06:00] And like you get your, get your toys ripped away from you, you have your business cases collapse. And so, we wanna enable that ongoing healthy AI rollout throughout the organizations with RexCommand.

Anthony: There's a bigger picture here as you say. Regulators are really tightening their expectations as well. So, when we think about RexCommand and really helping generate a policy, think about the AI you have in your organization, and we've automated that to order, discover that, to look at the terms and conditions that are associated with that AI, which is really difficult for most organizations. They're really, at the moment, a little flatfooted, right? Applications are new, the technology's new. There's some difficulty in doing that, you know, with RexCommand, we're really reacting so that they can stay ahead of the curve.

Joe: Yeah, absolutely. And I can tell you already, as somebody who reads way too many AI governance and AI regulations out there, it's overwhelming, especially if you're operating in multiple jurisdictions or anyone that's working at a national scale here in the US because [00:07:00] we have a state-by-state regulated market. So, California has their laws, Colorado has their laws out there. But then we also have the industry regulations. You know, FINRA and SEC are putting down their regulations, the OCC for healthcare and HIPAA is pushing down AI regulations. And this is all on top of our privacy and our security and our broad compliance regulations that we need to do today. And so, it's a great balancing act. And I describe it, we basically have a regulatory tidal wave heading towards most industries today. And so, this is the time to really get ahead of that, start to focus on some really good AI practices. I personally prefer frameworks like the NIST AI RMF, but there's other great ones out there like the EU AI Act, or you have the AI technical standards down in Australia. ISO has a framework, but to just start following good AI governance. There is a subset of the community out there that I'm a little worried about, and those are the folks that are just saying AI is just another SaaS tool, and I think that's gonna leave them, you use the word flatfooted, [00:08:00] that's gonna leave them very much so flatfooted as an organization, because things are just a little bit different than the security and privacy implementations that we've been doing over the last several decades.

Anthony: You've been talking to a lot of customers about these problems as we've been moving into the early phases of some beta testing and now into the, to the full launch. What, what are they telling you? Are there concerns driving them to look at this kind of tooling to help them out?

Joe: So, everyone is very much at the basement level of a maturity scale right now. You know, when I look at the data, if 20% of companies in regulated industries even have an AI use policy today, I would be surprised. If you know, maybe a fraction, 2 or 3% of those are actually enforcing it at the moment. So, everyone's very much so at the, how do I even talk to my organization about what I am able to roll out from an AI perspective? How do I create that AI policy? Most orgs are really there today at this moment. The next place that everyone immediately [00:09:00] goes to is, great, I've got this awesome policy, but what AIs do I have? What AIs are incorporated into my SaaS systems? We were talking with Gartner the other day and they said that 98% of all SaaS will have AI incorporated within the next two years. Basically, a hundred percent of SaaS has it. What does it do? Is it safe? How does it access my organization's data? I don't even know what AI is in my organization. And so that's the other big problem we're looking to address. And then once you address it, how do I treat it safely? What do I actually need to do to ensure that my AI is safe, and how do I incorporate concepts like the bias assessment or if you're following NIST, your environmental impact assessments? How do I ensure that I'm collecting the correct evidence for drift detection or for hallucination prevention? What do I do if a hallucination pops up in my organization? These are all the sorts of levels that you go through from a maturity scale. And then what we found is for organizations, we're talking about, you know, small percentage of enterprises at this point who [00:10:00] have a good AI governance program in place. They know what AI they have; they have their risk under control. That's when they start to pivot to, great, let's automate the controls on our data. Let's automate those controls on the AI themselves. And that's where we hope to take everyone on a maturity journey eventually. And RecordPoint has great tools for that. But today most folks are, need a policy. I need an inventory. I need to figure out where to get started.

Anthony: Yeah, look, I was reading one study, like we're really seeing that movement to people that are looking at larger scale, scale deployment. You know, a lot of our conversations revolve around things like Copilot or ChatGPT, the OpenAI offering, Copilot being from Microsoft. But there was one particular study I dived into which said that, I mean, 6% of the businesses that were moving or trialing Copilot actually moved to a large-scale deployment. Have you had that conversation and some of those things you talked about, are those blockers to that process?


Joe: Yeah, we did some market research the other day. And that, that matches, I mean, keep in [00:11:00] mind now, 70 odd percent of regulated industries, so finance and government, that their official policy is don't use AI, and they put this policy in place because they don't have their data governed, they don't have the policies on their AIs. They don't understand the risk of using those AIs, and so their position is, whether it's Copilot or any other AIs, don't use it 'cause we don't know what to do. Now the problem with this is everyone, and you know, somewhere around 40 odd percent of employees are basically ignoring this. They're going out and promptly using the AI systems, so they're firing up ChatGPT personal that nobody knows about. They're certainly not turning off the, "don't train on my data". And so, we're putting tons and tons of enterprise data, possibly up to 20% of prompts that contain sensitive proprietary or regulated data. Because we don't have AI governance in the enterprise, we could very well be in the largest data leak in enterprise history right now. So, the sooner we get ahead of this, the fewer Wall Street Journal [00:12:00] headlines we're gonna see in the coming months and years.

Anthony: I guess what we're seeing although you say 78 odd percent of government entities are saying no AI, yet the usage is exploding, so something's not correlating. Is there a lot of shadow AI going on? A lot of people kind of skirting around those rules and what's the risk of that?

Joe: I mean, there, there's massive amounts of shadow AI. I would say right now the majority, vast majority of shadow AI in the enterprise right now, and we know this because, I mean, we were at GRC conference the other day and the first question everyone had, and the first comment everyone made is, sure, maybe we've even taken the time to write the policy, but I have no clue what AI is out there. I have no clue what SaaS systems have deployed AI. I mean, this is where tools like RexCommand come into play because if you don't know, you can't govern it. And so, your risk is completely out of control. And these are the sort of problems that we're looking to fix with RexCommand.

Anthony: So, it's a pretty interesting marketplace. The opportunity is to turn all of this into productive outcome. [00:13:00] And there's a lot of concern, I think, in the community about what that means. But in the conversations I've had with you outside of the podcast, we really see this as a massive upscale opportunity for everybody, don't we? The productivity benefits, the outcome of using AI is really gonna outweigh these risks.

Joe: Yeah, I mean, I know I'm personally a lot more productive since we launched ChatGPT internally, we started tracking the risk against RexCommand internally, you know, all the AI tools that are rolling out. We have a good, we have a pretty good process here at RecordPoint. We have our procurement system, which connects out to RexCommand. We're immediately governing the risk, we're quickly getting these tools into our employees' hands, and we're doing so in a safe way so that we know exactly what we're rolling out. And this is both for internally developed as well as our third-party tools that we're acquiring at the company. And I, I see it everywhere in the org. Marketing's moving faster, our product team's moving faster. Our engineering team is moving faster, and this is a real competitive advantage. And if you're not doing these things and you're not rolling out [00:14:00] AI safely, you're getting left behind, is the pure truth of this.

Anthony: So, what does a company that wants to lean into it? Let’s hope they're thinking about using RexCommand to give them the profiling of what they have and create a policy. But what does being AI ready look like, how do you approach it in reality? And I know that some of what we have in the RexCommand tool is to help you through the process, but how could folk out there think about that as they're stepping into that world?

Joe: Yeah, I think it really comes down to where you are in your maturity scale. If you're like most companies out there, the first place you really need to do is start by creating an AI use policy within your organization. So, you know, we have a great guide in RexCommand that'll walk you through all the topics that you need to discuss internally. For example, what does bias look like in your industry if you're processing mortgages? It looks different from, you know, if you're processing cybersecurity data, for example. Once you have your policies in place, that's when you start to move into the world of needing to make sure employees are trained. So, [00:15:00] engineers are trained on using that same concept of bias. What does bias data look like? How do we detect continuous drift and, you know, not creating more bias within the organization. You then need to inventory your AIs, conduct all your risk assessments and your business continuity planning against your AIs, but then to continue down this maturity chain, you need to do the same to your data. You need to make sure you understand what data's in there. You need to make sure you understand the lineage of that data and that that data is up to speed for, for AI. So, we're at a pretty high level in the maturity scale at this point. I do have a term that I've, I've started to use. Within information governance, we've always had the concept of ROT, redundant, obsolete, trivial data. And now I'm trying to push folks toward using the acronym ART. So, accurate, relevant, and trusted data. And this is where the folks that have been doing info gov for a long time are at a much higher maturity level already in their AI rollout. Because they know what data's there. They know that this data can be appropriately sanctioned for [00:16:00] each of the bots. If you want to create an HR bot, if you've already got good information governance in place, you already have all the controls in place to make sure that data's up to date, that data's relevant and then you apply some additional controls to make sure it's trusted. So, that's the controls on the, the data side of things. And then, you know, I keep going into details and all these, but as you go up that maturity scale, basically you govern the output to those, the data, and then eventually you get into governing the actual use and security of the AI systems themselves. And then you have the ability to handle what happens when things go wrong. So, this is an incident, a hallucination is an incident. Now these are the sort of things that you should be tracking. You should be going through proper processes to mitigate. And then similar, we have AI vulnerability scanning tools from the folk, you know, folks like Tenable and Rapid7 are putting these tools out today. So, you're actually doing AI vulnerability scans against the OWASP AI top 10 and things like this. There are just whole programs that you can put on the respond to the risk on top of this as you go down that maturity scale. All of [00:17:00] which is basically we walk you through in our RexCommand product and we give you that path through the forest.

Anthony: Great. And, and what do you think, what are we seeing from customers that, that pick that up? What's their response been around having that tool set and being able to think about having some dashboarding, understanding where their risk position is, being able to proactively detect and customize those processes. What, what's the key thing you've been hearing as an outcome that they can talk to their executive about and their boards about?

Joe: On an emotional level, it's relief because you could sit there and read through the hundred odd controls within your NIST AI risk management framework, but then to synthesize this into a process and a reality it's a lot of work. I mean, this is months and months of work for any team that's trying to adopt it. You know, so emotional scale, it's really, now I have a path forward. But on the practical scale, it's rolling out AI faster. When you're not trying to reinvent the wheel on privacy, on security, on AI regulation, every time you have [00:18:00] a new tool pop up, either where, whether it's a third party tool or an internally developed tool, when you just know how to get these things through your internal processes quickly and ensure that they're safe and ready for rollout, you're adopting them quicker. And that's exactly what we're doing here at RecordPoint is we're adopting AI very quickly because we have good governance in place and we want other organizations to do exactly the same. So.

Anthony: If we were to think then what's next? How do folk go and use the tool, get involved? It is free. There are paid versions of it at an enterprise level, but you can get started for free, which is our give back to the community here at RecordPoint. But, but how do they get started? How can they get more involved?

Joe: Yeah, and I, I, I don't think we can stress that enough. You know, at RecordPoint, we sell some very valuable software. The fact that we're giving away something here that just has immense amounts of research and development behind it is a pretty big deal at RecordPoint. So, I'm really excited about that. To get started, you go to recordpoint.com/rexcommand, and you click sign up, and you're in the [00:19:00] application and you're using it in about 30 seconds. Invite your team in, get started writing your policies and having those necessary discussions to get AI off the ground. And like you mentioned, you know, we do have some upgrades that you can pay for, but going out there it's free. Get started and get going today. And then of course, you know, as the head of product, I'd love to hear your feedback. There's a little button at the top, click, you know, the question mark. Click send feedback. It'll come right to my mailbox, and we will incorporate it into RexCommand for our upcoming releases. But I’m really excited to, to help folks get their AI programs off the ground. It's, it's gonna be huge.

Anthony: And what, what's the URL they can hit to get there?

Joe: RecordPoint.com/RexCommand.

Anthony: Yeah. So, straight, everything's behind that, which is fantastic. Yeah. So, look, as we're thinking about the rest of it. And you talked about feedback and, and, and folk getting involved and they jump on the free version today. What do you see is the future of RexCommand and what's that evolution gonna look like?

Joe: It's a lot of automation and it's a lot more connectors to different shadow AI repositories. So, as we're rolling out with launch, as part of [00:20:00] our shadow AI discovery, we're able to look at some of our source control systems like GitHub, we're able to look at some of our model ops systems like Google Vertex or Copilot Studio. We're able to connect out to some of our SSO systems like Okta, and then also connect out to our CASB cloud access security broker systems, so we can basically discover AI throughout your organization. But I want us to have a whole lot more connectors to anything you could be using so that we really are able to capture that full corpus of use throughout your organization. And then it's everything inside of our risk assessment and our verification process. I see us automating that. So, automated bias detection—excuse me, automated bias assessment. Automated drift detection, automated security scanning through, you know, coupling of integrations and internal tooling. But take the processes that today you have to go through and, you know, fill out a form and then look up the information and input it on the roadmap. We have complete automation of all of those, so I'm really excited of the future here where everything is fully automated. [00:21:00] We're rolling in more and more of an agentic nature to it. So, you effectively have an agentic AI governance bot that's able to walk you through and take care of these processes for you. And you know, the vision here is we can have small teams of folks managing thousands and thousands of AIs throughout the organization, against hundreds, if not thousands of data sets. And all you have to worry about is when risk bubbles up. That's the future of where we're going today.

Anthony: I'm really proud of the work you've done and, and thank you for everything you've leaned into, into getting this launch and out to customers where, where I'm exceptionally proud that we're able to do this effectively for the community, for free, and then build on the work we've always done in data. But if I was to sum up, I think what RexCommand's really about is that ability to enforce governance from development to deployment. Really looking at your AI policy position and being able to, to audit and understand that and, and really, the beauty of this world is there's going to be a lot of AI for a little while, a lot of agentic capabilities, a lot of integrations that we have inside our [00:22:00] businesses. Here is a way to coordinate, understand, and manage that in a compliant way. So, I think it's an amazing step forward and as far as we're aware, there are no other products on the market like it. And we've certainly heard that from IDC and Forrester and Gartner who've been giving some great feedback, and I know you've been talking to them a bunch.

Joe: Yeah, I mean, this is unique. Certainly, nobody else can stand up a program, can eventually move you into enforcing controls at your data layer and then enforcing the controls at the AI layer. This is a holistic program. There's lots of piecemeal tools out there. There's lots of tools out there for like model operations and security controls. So, if you know exactly what you're building. But the actual detection of shadow AI and the governance of shadow AI throughout your ecosystem, this is a game changer for those folks in the privacy, security, and compliance space.

Anthony: Great. Look, this is an idea that was born out of frustration. We ourselves, were, we're trying to understand this. We, you know, believe this changes the game around governance. I'm so excited to get this out and get this out in everyone's hands and really looking forward to what's next. But thank you [00:23:00] for popping on to, to FILED today to talk about the launch and I hope that everybody out there is gonna go along, log in, sign up and take that position. Thanks all for listening. There is a lot more to come on RexCommand and Rex AI. We'll be continuing this conversation with each of the next launches. But if you've enjoyed today's episode, please leave us a review on your podcast platform of choice. We're on LinkedIn under RecordPoint and when you can, please head to RecordPoint.com/RexCommand or RecordPoint.com/filed for the full FILED experience. If you ever want to drop an email or say hi, filed@recordpoint.com and we'll see you next time on FILED.
