Cutting-Edge Technology: Continuous and Holistic Governance of Cloud and AI

By Vishwas Manral and Andrea Bonime-Blanc


NIST Framework AI Cloud Emerging Technology

As technology continues to evolve at a rapid pace, the governance of exponential technology, such as cloud and generative artificial intelligence (GenAI), must evolve with it. Exponential technology, meaning new or existing technology that continues to develop and change rapidly, is critical to companies, and for that very reason it is subject to intense security, safety, and other integrity threats.

Traditional governance processes in companies take a static top-down approach to tech governance. Companies that continue to use static governance processes without adopting a holistic and continuously evolving approach to tech governance risk losing out in these exponential times.    

What’s at risk for companies that don’t take this seriously? Nothing short of a loss of visibility and enterprise context of their tech systems, staleness of their tech processes, inefficient utilization of their tech workforce, long incident response times, and suboptimal usage of their tech tools. These translate into higher risk, cost overruns, and suboptimal operations and processes. This leaves companies susceptible to cyber breaches and other security issues. 

The Ever-Changing Tech Landscape

The business landscape is changing fast. The speed of value delivery is a differentiator in the marketplace and new exponential technology is a key driver of value differentiation. Exponential technologies such as cloud and GenAI are mainly being adopted in a “bottom-up” way by disparate product and engineering teams at a rapid pace. Governance in such environments is mainly an afterthought if not completely missing. Only when usage becomes pervasive and critical risks start manifesting do governance and standardization discussions start, and by then it's often too late to correct. Most of the static bottom-up governance mechanisms then become counterproductive and often ineffective, focusing on tasks that patch problems. 

What is good tech governance from the top down?

Good tech governance from the top down entails having a tech-ready board that keeps a keen eye on and demands proper tech accountability from management with the following in place:

  • Structure. The board needs to have a committee structure, committee charters, agenda preparation, systems of policies, and approval or resolutions oversight that incorporate key relevant tech issues—current and on the horizon—in an adaptable, fluid, and timely manner.
  • Directors. Tech-savvy directors must be part of the board, and tech experts must be called on regularly for an infusion of relevant new expertise.
  • Continuing education. All board members should be continually updated and educated on all current and future tech scenarios relevant to their company and its products and services.

What is good tech governance from the bottom up?

Good tech governance from a bottom-up perspective entails a clear framework by which to achieve and measure technology goals. Such frameworks should adapt to the fast-moving technology landscape.

The modern approach to governance needs to be holistic, looking beyond the silos of individual tools and teams. Individual tools give a narrow picture, and the operationalizing and prioritizing of issues cannot be done without the broader picture. A modern approach should include the people, processes, and tooling to continuously evaluate the governance frameworks. There needs to be a way to evolve governance as a company finds the gaps to achieve outcomes such as reduced risk, optimized cost, and better operations.

There needs to be clear guidance, accountability, and incentive structures that spell out ownership, roles, and responsibilities for various cloud, AI and GenAI assets, and other pertinent technologies.

Governance Needs Are Broad and Deep

The prevailing governance models fail. In the cloud, many issues are never remediated due to a lack of proper governance. According to Flexera’s 2023 State of the Cloud Report, governance of cloud technology is a top challenge for 71 percent of organizations surveyed. Despite abundant funding at many start-ups, security remains a top issue for 79 percent of organizations, and managing cost is a challenge for 82 percent of those responding. This is a major challenge and strongly correlated with governance of the cloud. The problem is not the individual tools themselves, but the fact that the tools fail to deliver outcomes.

The industry is beginning to wake up to this serious need for more holistic, continuous, and integrated bottom-up and top-down governance.

The National Institute of Standards and Technology (NIST), for example, is updating its Cybersecurity Framework with a new pillar called “Govern.” According to NIST, “Govern” covers organizational context; risk management strategy; cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and oversight. Similar work is now being done in multiple organizations.

A well-governed system has tangible benefits. In addition to better security and reduced risk, according to Amazon Web Services, the savings realized by adopters of a well-governed system are:

  • 60 percent reduction in downtime,
  • 51 percent efficiency savings,
  • 14-times reduction in time to deliver, and
  • 43 percent reduction in operational costs.

How to Govern Cutting-Edge and Exponential Technology

With the need now clarified, the next step is to create a dynamic model of governance that integrates both the bottom-up and the top-down approach in a seamless and adaptable way. These are some of the key steps to enable exponential technology governance:

  1. Understand the existing state of governance and gaps in the company’s technology adoption by doing a governance risk assessment.
  2. Prioritize the biggest risks and benefits. Organizations need to start with guardrail-level governance as the first step to help run workflows.
  3. Map, monitor, and measure against the guardrail state continuously, and update policies, tools, and personnel based on changes.     
  4. Start automation where gaps can be automatically discovered and fixed.
  5. Have a clearly expressed corporate or organizational technology governance charter that has an integrated top-down approach. This governance approach will require tying the top-level objectives to actual low-level metrics, which may in turn require an integrated view of the various systems rather than a siloed view.
  6. Map, monitor, and measure against organization goals and objectives and automate the change process. This requires continuous assessment to move toward organizational goals and the target state.
  7. Produce a management and board dashboard that summarizes the approach to continuous bottom-up and top-down tech governance with qualitative and quantitative measurements that are subject to periodic updating, presentation, and monitoring.

Companies and organizations that do not take a holistic and continuous governance approach will suffer serious consequences relating to cost, competitiveness, efficiency, effectiveness, and security risk. To paraphrase the old saying: an ounce of tech governance prevention and preparedness is worth a pound of tech pain.

Vishwas Manral is the founder of Precize, a cloud and AI governance start-up. He is also a fellow at Cloud Security Alliance and chair of its Silicon Valley Chapter. Manral was the chief technologist at McAfee Enterprise, FireEye, and Skyhigh Security. He joined McAfee when his company NanoSec was acquired in 2019. He is an ardent technologist and has authored more than 30 security standards and requests for comments.

Andrea Bonime-Blanc is founder and CEO of GEC Risk Advisory, and a board member and advisor. An NACD 2022 Directorship 100 honoree, she is a global governance, risk, ethics, and technology strategist and counselor to business, government, and nonprofits. An author of multiple books and a sought-after keynote speaker, she is a life member of the Council on Foreign Relations.