Why IT governance is a coding issue

A study for Capital One bank from Forrester has highlighted the importance of deploying policy as code to streamline software development and artificial intelligence (AI) projects.

According to Forrester, democratising machine learning (ML) by making readily available, ML-powered tools accessible to roles across the organisation – including line-of-business (LOB) and operations – is critical to speeding up and scaling the contributions of data science to business success.

Based on a survey of 180 line data strategy and line of business decision-makers, Forrester reported that 67% say that among the main challenges of being an AI-driven organisation with democratisation workflows is that this may introduce more risk, since less data-savvy roles access ML models and applications. The poll found that 63% believe a lack of governance or security policies that work effectively with external suppliers limits access to ML models and applications, while 64% believe it’s difficult to democratise ML while simultaneously mitigating risk.

Discussing the findings, David Kang, senior vice-president and head of Capital One data insights, said: “Governance and automation are important aspects of a well-managed data ecosystem.”

In Kang’s experience, once machine models are in production, automation can help companies achieve the continuous delivery of a model prediction service. “Automating ML model monitoring and training can ensure a model is performing when it’s pushed to production and help teams make better decisions about when action is required to retrain a model,” he said. This automation, according to Kang, provides engineers with confidence in consistent reproducibility and maintenance.  

He recommended that IT leaders ensure there is human oversight of automated models, for instance, by using a centralised governing body. “A centralised governing body can manage the processes, controls, monitoring and technology infrastructure to help scale ML responsibly while facilitating greater transparency across development efforts.”

A robust governance framework is also required to support the data processes and platforms needed by businesses that want to be AI and data-driven. Forrester warned that some data and IT roles may overcompensate for this with heavy governance that can limit the capabilities of platforms and processes. The analyst firm recommended that governance should be ambient where trust is implicit, and line of business decision-makers are given the freedom to do what they need to without having to think too much about permissions or whether they are following due process.

The recent paper by Forrester, Insights-driven: A foundational principle of customer obsession, reported that cultural challenges are often more pervasive than technical challenges. The report’s authors noted that data teams sometimes deliver dashboards and reports no one uses. This occurs, according to Forrester, because of poor literacy among business users and leaders who use data selectively when it validates a decision. In these cases, Forrester recommends that comprehensive training and communication should be used to close the gaps in data literacy.

“For both business and tech roles, standardising tools, processes and platforms can make it easier to locate, understand and use high-quality data,” said Kang. “Data scientists and machine learning engineers will use these established foundations to build, train and deploy ML models.”

Policy as code for cloud-native management

Forrester’s findings reflect those of The state of policy as code report from Styra. Based on a poll of 285 US developers, the survey found that the conventional approach to authorisation is outdated. Three-quarters of the developers polled believe home-grown authorisation policies are prone to errors, difficult to manage and waste valuable time that they could spend on more meaningful work, such as building innovative products or fine-tuning new features.

Styra’s survey found that 51% of the US developers polled that use policy as code have only adopted it in the past two years. Of those that have implemented policy as code, more than half (52%) say their most common performance challenge is writing efficient policies as code. The survey also reported that 30% of organisations are using policy as code in a significant capacity. Styra said it empowers developers to define, enforce and manage unified authorisation policies seamlessly across the cloud native stack. 

Beyond providing the programmatic guardrails for machine learning and developers building data-driven applications, Styra said policy as code is also an important component of cloud-native infrastructure.

According to Styra, organisations need to address challenges that hold teams back from working together, strengthening security and creating consistent, centralised authorisation policies at scale. With rising cyber attacks, policy as code tools are a valuable part of organisations’ security configuration. The Styra poll reported that 96% of respondents say policy as code is vital to building, securing and maintaining cloud infrastructure.

Styra chief technology officer Tim Hinrichs said: “Policy as code isn’t just a trend; it’s becoming integral to the fabric of cloud development. Developers can’t afford to continue wasting time on practices and technology that confuse teams, muddle visibility and complicate software development.”

Beyond improving efficiency for developers and people working on machine learning using techniques such as policy as code, governed access to well-managed data opens up other opportunities. Once in place, Kang said that no-code/low-code tools can then be made available to help people analyse data for business decisioning. This helps to democratise data access.

“Putting the power of ML into the hands of every employee can turn any company into a data-driven organisation,” he added.