• A look at Charles Cresson Wood’s Internal Policies for Artificial Intelligence Risk Management

    12 Jun 2025

    I’ve known Charles Cresson Wood for a long time, both as a trusted business colleague and a friend. You may know him as the creator of the original masterpiece on information security policies over two decades ago: Information Security Policies Made Easy. Charles and I have worked together on a few projects over the years, and what’s always stood out to me is his ability to tie together security, legal, and business strategy. His latest book, Internal Policies for Artificial Intelligence Risk Management, is a great example of that mix coming together. And it couldn’t be more timely with all that’s going on in and around AI.

    Over the past year, I’ve had many clients ask what they should be doing about AI. These are businesses of all sizes that are starting to see real risks, such as data exposure, ethical blind spots, compliance concerns, and more. Many people don’t even know where to start with AI. Still, everyone’s talking about it in some fashion, and rightly so, as the business risks of AI are real. That’s where Charles’ new book comes in.

    At 541 pages, it’s a substantial resource, but it’s packed with practical value. It gives you a working definition of AI, then breaks down what organizations need to consider when it comes to things like:

    1. Board-level oversight through the risk subcommittee
    2. Policy guidance for AI system owners
    3. IT and legal department responsibilities
    4. AI lifecycle processes and acceptable use

    Each policy includes a clear policy statement, a rationale for why it matters, and references. One of the most useful parts is the appendix that lists all the policies by title and policy number, which makes it easy to find what you need.

    Charles also suggests asking yourself a few important questions as you review each policy, including:

    • How would this work in our environment?
    • Would our leadership team get behind it?
    • And in the big picture, is this the right thing to do?

    These questions help you focus on the things that matter for AI oversight. It’s not just about plugging in generic policies but actually making sure they work for your organization.

    One of the things I’ve always appreciated about Charles is that he’s not just a security expert. He also has a law degree and decades of business experience. That kind of well-rounded background shows up throughout the book and keeps the content practical.

    This isn’t an inexpensive book, but it’s more than worth the investment. The time and thought that went into the book are clear on every page. It seems to me that Charles spent untold hours pulling this together. The book’s content is a massive head start for anyone serious about addressing AI risks the right way.

    If your team is asking what to do about AI, and you’re looking for direction, this book is the place to begin. I highly recommend it.

    If you want to check out my review of Charles’s previous book, you’ll find it here: Review of Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy.