AI Governance: The Politics of Guardrails

The ongoing dispute between the Department of Defense and Anthropic over the military’s desire to use its Claude LLM in ways that the company finds unacceptable illustrates an uncomfortable truth about AI governance – CIOs may find themselves facing significant outside pressure when it comes to the guardrails they and their companies want to set up for the AI tools they develop or use.  This Information Week article points out the challenges that raises for CIOs, who must navigate a path that maximizes the value of a tool to potential users while still protecting the company. The article says that although CIOs can’t dictate the environment in which they operate, they can make critical choices within it:

Caught between competing restrictions and changing mandates at the federal level, CIOs may feel powerless to influence much change — but the experts reject this impotence. [Wendy Turner-Williams, chief data architecture and intelligence officer at SymphraAI] described the CIO’s influence as “significant, but not unilateral. The CIO acts as orchestrator and trust agent.”

This is especially true for CIOs working across multiple jurisdictions, making them accountable not only to U.S. law, but also to the EU AI Act, GDPR and other international frameworks. Several experts recommend reframing the governance approach from setting overarching policy to shaping the environment in which that policy is executed. As always, the earlier this is done, the better.

“Most influence comes from the CIO at the initial stage of adoption,” [Chris Hutchins, founder and CEO of Hutchins Data Strategy Consulting] said. “A CIO may not dictate how a vendor designs their product, but can influence the environment where AI is implemented, regulated and expanded.”

The article says that CIOs also have the chance to leave their mark through the establishment of their own company’s ethical standards. While a vendor’s guardrails may be nonnegotiable, they are also not the limit. Ultimately, the question that must be addressed is “could the organization explain and defend its deployment choices if challenged by regulators, customers or employees?”