I have the pleasure of working on Advisory Group for CSP2017, the 2017 Cyber Security Practitioners Conference – The Annual York Cyber Security Conference (last year). As such, I get chance to talk with Colin Williamson, the driving force behind the conference, on a regular basis. We have a similar view that as Professionals, we should not be worrying about what is happening today, but what is likely to impact businesses over the next few years. Forewarned and Forearmed.

One recent conversation related to Big Data and Artificial Intelligence.

If you have a self-learning system being used with a large data set to make automatic decisions as part of a business process, then who is liable for the judgements that this AI makes? For example, if it acts in an illegal discriminatory way towards groups of individuals.

• Is it the developer of the AI system?
• Is it those that set the Learning System its objectives?
• Is it the owner of the Big Data set that it has been taught with?
• Is it the company blindly acting on the AI’s conclusions? (“The AI’s Employer.”)
• Is it a particular individual that the AI is acting on behalf of? (“The AI’s line manager.”)

Clarifying the responsibility for Information, and the ownership of the business process that the information upfront, and understanding the risks of using that Information in this way, will save a lot of difficulty, and the cost of legal fees and possible penalties, later on.

Of course, such a system starts to produce challenges for “traditional” IT security methods and controls:

• Inadvertent data leakage – can repeated questioning of an AI give an insight into the Data it was trained on?
• How do you train and test an AI in a test environment without using real data sets? Is synthetic data good enough for the potentially subtle relationships the AI will see?
• How do you define a test for an AI system to demonstrate correct processing?
• How do you validate that the AI is continuing to function correctly and appropriately?

At the moment, standards for Information Management for Artificial Intelligence’s are rather thin on the ground(!).

The conversation with Colin was fascinating because it dealt the AI systems themselves having their own legal existence and rights – something that lawyers are beginning to seriously discuss.