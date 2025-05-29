In this podcast, we talk to Mathieu Gorge, CEO of Vigitrust, about the compliance risks posed by data during artificial intelligence (AI) processing, and training in particular. The key challenges here are that as datasets are trained, more data is created, and it can be difficult to ensure that data is also compliant, especially as it proliferates.

Here, Gorge talks about the need to know what’s being fed into AI, what comes out, where it goes, who has access to it and how it’s stored, and whether it is compliant.

He also deals with the security and compliance frameworks that can be used and the need to build AI compliance into organisational security culture.

What’s the latest on AI and compliance, with reference to storage and backup, that a CIO needs to know about? As you know, AI adoption is really growing everywhere and we’ve seen the EU deploying some AI regulations. We’ve also seen some frameworks adapting to AI, for instance NIST that has an AI framework. We’ve seen some security associations pushing for their own standards. I can think of the Cloud Security Alliance, but also working groups from ISSA, from Isaca, all of them providing guidance. I think that what we need to consider is that we are most likely going to see more AI-related regulation. Some of it will be national, some of it will be federal, some of it will be international, a little bit like what we’ve seen with privacy. And it’s important to draw a comparison between the evolution of cyber security standards and AI standards, governance standards. • Download this podcast • At the beginning, about 25 years ago, there were about 100 standards on network security, IT security and data security. And nowadays we only dial back to about five or six, like HIPAA, PCI, NIST, ISO, CIS and so on. My hope is that we’re going to do the same with AI, but in a faster way, so that we can concentrate on managing AI deployments from a data classification, data privacy and storage perspective. If you look at the fundamentals, what is AI governance really? AI governance as regulated in the US, the EU and other countries is really about saying: “Well, we’ve got this new way of processing data. So, we need to understand where the data is coming from. Do we have the authority to actually use that data and put it into an AI system to treat it for whatever purpose we treat it?” The data comes in in a particular form. [Questions include:] Does it come out [of AI processing] in a different kind of data form, data file or whatever?

Is that putting us out of compliance?

Is that facilitating compliance?

Do we have safeguards around who’s accessing the data?

Do we have safeguards around how we store that data?

How long do we need to keep it?

How long will we need to report on that data, depending on where we’re based?

When we store that data, where is it supposed to be stored? So, the issue with AI is that as we deploy more AI systems, we essentially multiply the data a lot more than we used to. And so, we’re creating a lot more data than we used to and that data needs to be stored somewhere. And it needs to be stored in a way that doesn’t put you out of compliance. So, you need to watch your AI ecosystem and regulate how the data comes in, how it goes out, who’s got access to it and where you store it.