The title of this text is the phrase I heard that most struck me at a large cybersecurity event I recently attended, where I had the opportunity to spend an evening, a whole day, and another evening listening to, discussing, and reflecting on artificial intelligence.
There were many experts, many business leaders who are already using AI intelligently, but even more so, there were hundreds of professionals thirsty for clarification, insights, an exchange of ideas, and something that no one can offer: the silver bullet of AI. They can't offer it because it simply doesn't exist.
So what can be done? Define AI governance – how to use it, why to use it, and which AI to use, according to the pillars of the strategy adopted by the organization.
Have we seen this movie before?
Five years ago, when the General Data Protection Law came into effect, most companies that started to adapt to comply with the law were looking for the same thing that is now being sought with AI: a quick, low-cost, and painless solution. However, in that case, the need was for compliance with the legislation; now, the needs vary as much as the solutions that AI offers.
And then comes one of the risks that AI has brought, and that every new market innovation brings: the so-called "magicians," the saviors of the nation, those who offer solutions without even knowing the business. They offer everything from tools to quick training courses, usually very expensive, with the promise that everything will be resolved when the project is finished.
But what was demonstrated at that prestigious forum was that the use of AI will only have value and be safe when the company understands its own (and oft-repeated) triad of people, processes, and technology.
From popularity to fear.
AI entered the conversation at the company coffee break when generative artificial intelligence, IAGen, began to make people's lives easier through texts written with (supposed) fluency, revised with agility, images that materialize as if in thoughts, answers that come quickly and accurately – or so it seems? All this just over two years ago.
After the initial euphoria (“I can’t believe you’re still racking your brain writing texts! Put AI to work for you!”), concerns began to emerge about employment (“company replaces 100% of human capital with AI in Level 1”), fear about the data that AI uses to be trained, visible and punished errors (in Brazil, the courts rejected a defense appeal prepared with artificial intelligence that invented 43 non-existent legal precedents), and the thousands of cyberattacks created daily by AI.
And then people began to fear AI when, finally, images and news of agentive AI making non-human decisions surfaced online, showing that AI does, in fact, have its own will and makes decisions and takes actions that often contradict the given command.
Governance should guide
Finally, the point that became very clear to me at that meeting is that AI is not something to be feared, but something to be used wisely and managed as a resource that can help businesses strategically and innovatively, provided it adheres to a specific policy and is managed with transparency and responsibility.
Governance should be guiding; companies need to have policies for the use of AI because users will use it and are already using it—that's a fact—but it's crucial to provide these users with direction. This policy must be understandable because, if it isn't, it will be circumvented, and employees won't stop using AI simply because they didn't understand the policy; they will use it without understanding the risks.
It is urgent, and should have happened immediately, to change the information security culture of companies and transform people into the first line of defense against attack vectors.
If the IT department is fulfilling its role, operating with firewalls, DLP, and frequent penetration tests, and monitoring and mitigating cyber risks, who is managing human risk in your company? Who is mapping, modeling, and optimizing processes so that they can be supported by AI?
We should think of AI as an ally to organizational development, with all the baggage it requires for maintaining a secure ecosystem – with confidentiality, integrity, and availability as transversal vectors within the organization.
