WEBVTT

00:00.031 --> 00:06.424
[SPEAKER_01]: So unless you understand that documentation piece around it, you really have to really die.

00:06.645 --> 00:15.623
[SPEAKER_01]: There needs to be some type of truth to where the AI was trained to do X, Y, and so it spits out, X, Y, and Z.

00:15.964 --> 00:16.926
[SPEAKER_03]: The organizations.

00:17.564 --> 00:39.403
[SPEAKER_01]: Um, I would say the biggest issues are people don't know how to use the AI and then in general people don't know enough about AI and then I would also say, you know, we are the biggest threats to AI in general the biggest risk to AI in general.

00:42.758 --> 00:50.953
[SPEAKER_03]: looking probably never security plus maybe even a security clearance and nobody taught you how to write poems or how to test a security control or submit a T.O.

00:50.973 --> 00:51.394
[SPEAKER_03]: package.

00:51.634 --> 00:52.556
[SPEAKER_03]: I'm Chris Akpala.

00:52.696 --> 00:58.827
[SPEAKER_03]: I fear years ago I was in your shoes all the five on paper but completely lost when it came to our max.

00:58.807 --> 01:06.814
[SPEAKER_03]: I had a degree, I had to serve, so I had to drive, and what somebody said, how to test the AT2 control, or got a date to stick by this.

01:06.914 --> 01:08.796
[SPEAKER_03]: I had no clue what that actually looked like.

01:09.116 --> 01:16.782
[SPEAKER_03]: Fast 4 or 5 years, I worked across DOD and federal agencies, led control assessments, ring ATO package, and pass orders.

01:17.183 --> 01:21.346
[SPEAKER_03]: That's why I built our North Academy to teach you the real-world execution.

01:21.666 --> 01:24.269
[SPEAKER_03]: They don't cover in certification books.

01:24.289 --> 01:26.290
[SPEAKER_03]: Inside, I'll show you how to write a poem.

01:26.591 --> 01:28.172
[SPEAKER_03]: And don't get bad as bad.

01:28.152 --> 01:36.106
[SPEAKER_03]: Testungality Security Controls, Translate Tech Jardin, Navigating this 853 and horror map with confidence.

01:36.467 --> 01:41.276
[SPEAKER_03]: If you're in IT support in the government systems or stuck on the edge of the sub security, this is your way.

01:41.697 --> 01:48.288
[SPEAKER_03]: The people who go through my training don't just get hired, they hit the ground running, because they practice the work before they win.

01:48.729 --> 01:51.915
[SPEAKER_03]: Go to horror mapercatemy.io and let's get the work.

01:52.638 --> 01:55.981
[SPEAKER_03]: Welcome everybody to another edition of the Tech World Podcast.

01:56.001 --> 02:00.945
[SPEAKER_03]: I am your host Chris, an information assistant security officer inside the Gov Tech space.

02:01.606 --> 02:05.950
[SPEAKER_03]: And in today's podcast, we're going to bring back a mainstay that we always have.

02:06.390 --> 02:10.954
[SPEAKER_03]: We're going to bring in Marquishus Snape, Marquishus, always on the podcast at this point.

02:10.995 --> 02:12.756
[SPEAKER_03]: She's probably been there three or four times.

02:13.717 --> 02:15.238
[SPEAKER_03]: She's a GRC specialist.

02:15.739 --> 02:18.541
[SPEAKER_03]: She has a specialist in AI, AI governance.

02:18.882 --> 02:22.645
[SPEAKER_03]: And without further ado, we're going to bring on

02:22.625 --> 02:23.306
[SPEAKER_00]: I'm doing well.

02:23.366 --> 02:24.328
[SPEAKER_00]: Thank you.

02:24.348 --> 02:25.670
[SPEAKER_03]: I know we've done this.

02:25.970 --> 02:27.492
[SPEAKER_03]: What have you told us you've been on here?

02:27.513 --> 02:30.137
[SPEAKER_00]: What have you told us is the third or fourth time?

02:30.237 --> 02:31.318
[SPEAKER_03]: You only lies within here.

02:31.839 --> 02:32.160
[SPEAKER_00]: Yeah.

02:32.600 --> 02:35.445
[SPEAKER_03]: Yeah, so we've been building a good rapport all the time.

02:35.585 --> 02:40.853
[SPEAKER_01]: And people have nothing but great things to say about these sessions that we have.

02:40.985 --> 02:43.790
[SPEAKER_03]: Yeah, I know we're going to do some numbers like we always do.

02:43.950 --> 02:45.773
[SPEAKER_03]: I know, it's a great topic today.

02:45.833 --> 02:47.536
[SPEAKER_03]: Yeah, we're going to do a great topic.

02:47.556 --> 02:53.265
[SPEAKER_03]: You know, what's going on right now is AI, AI is taking over everything.

02:53.506 --> 02:57.492
[SPEAKER_03]: You know, and a lot of people they think AI is

02:57.472 --> 03:01.638
[SPEAKER_03]: Set all be all meaning like you know AI as there's no issues.

03:01.938 --> 03:12.312
[SPEAKER_03]: No nothing, but we both know AI and those hallucinates AI and some instances can be used to steal your passwords, getting to your systems through your information.

03:12.372 --> 03:20.763
[SPEAKER_03]: So what's going on right now is AI governance is a new dayness that we have to do to protect AI systems.

03:21.303 --> 03:24.728
[SPEAKER_03]: How you feel about what's going on

03:25.231 --> 03:40.153
[SPEAKER_01]: I mean, AI, in my opinion, is bringing a lot of opportunities, but it is also forcing people to really tap into a certain skill set that maybe they haven't really needed to in the past.

03:40.454 --> 03:42.156
[SPEAKER_01]: It's becoming a lot more technical.

03:42.637 --> 03:46.523
[SPEAKER_01]: You do have to understand how fast the landscape is changing.

03:46.563 --> 03:51.390
[SPEAKER_01]: You really do need to stay on top of just everything that's going on.

03:51.370 --> 04:01.270
[SPEAKER_01]: So I think it's exciting, but I think at the same time because it's so exciting and it's very new to a lot of people that have never experienced AI from the past.

04:02.192 --> 04:03.936
[SPEAKER_01]: It is also causing friction.

04:05.038 --> 04:10.830
[SPEAKER_01]: But again, a lot of job opportunities in the AI space, and that makes me excited.

04:10.945 --> 04:24.577
[SPEAKER_03]: Yeah, it makes me excited too because I've been utilizing AI to even enhance these podcasts with the audio, we're getting clips, we're getting all these things, but a lot of the times I think about where is my data going to?

04:24.637 --> 04:26.358
[SPEAKER_03]: Like where is all these clips I'm sending to?

04:26.418 --> 04:28.080
[SPEAKER_03]: Where is it getting to a star?

04:28.140 --> 04:32.724
[SPEAKER_03]: So, so I know AI governance is what's going to take that.

04:33.024 --> 04:35.927
[SPEAKER_03]: It's going to help put a regulation on how we use it.

04:35.947 --> 04:39.990
[SPEAKER_03]: Of course, we can still use it, but can you explain what is AI governance?

04:40.223 --> 04:49.013
[SPEAKER_01]: Yeah, um, so AI governance, I think a lot of people kind of get stuck into this idea that AI governance is more so around just ethics.

04:49.694 --> 05:07.075
[SPEAKER_01]: Um, responsible AI and yes, it does absolutely hit those things, but I guess the easiest way to explain AI governance is think of it like being the rulebook with guardrails that, um, speak to how you actually secure.

05:07.055 --> 05:11.840
[SPEAKER_01]: and keep your system safe so like an operation's an operating system, right?

05:12.320 --> 05:24.432
[SPEAKER_01]: It needs to be safe, it needs to be secure, and it needs to have some type of guidelines, some type of guardrails around how it can operationalize within your environment.

05:24.452 --> 05:26.514
[SPEAKER_01]: So that's essentially what AI governance is.

05:26.554 --> 05:34.041
[SPEAKER_01]: It's just that extra piece that's saying, hey, we need to come in and we need to understand what exactly this AI is.

05:34.021 --> 05:36.083
[SPEAKER_01]: doing the input, the output.

05:36.103 --> 05:37.124
[SPEAKER_01]: That's simply what it is.

05:37.304 --> 05:41.488
[SPEAKER_01]: It's just understanding the risk in the input and the risk in the output.

05:42.048 --> 05:48.794
[SPEAKER_03]: Yeah, and that's needed because I don't even know sometimes, like again, I brought it up like, I don't know where it's in for data as you can go into.

05:48.914 --> 05:51.256
[SPEAKER_03]: Oh, I don't even know the risk of using the AI.

05:51.937 --> 05:56.901
[SPEAKER_03]: So like when AI governance, I know we have the NIST AI framework.

05:57.742 --> 06:02.526
[SPEAKER_03]: Are there any frameworks that we should look at to kind of understand how to secure systems?

06:02.759 --> 06:03.380
[SPEAKER_01]: Yeah, sure.

06:03.400 --> 06:12.690
[SPEAKER_01]: So I think that you can continue using the frameworks that you have that you have using the past, but when we start talking about AI specifically, there's nothing that's set in stone.

06:12.710 --> 06:13.491
[SPEAKER_01]: So keep them in mind.

06:13.511 --> 06:17.255
[SPEAKER_01]: There's no AI specific government regulation that's out there.

06:17.295 --> 06:21.539
[SPEAKER_01]: The Trump administration is working towards that, but absolutely nothing.

00:21.740 --> 00:26.825
[SPEAKER_01]: And so a lot of organizations are just referencing, as you mentioned, NIST AI RMF.

06:26.845 --> 06:28.547
[SPEAKER_01]: That's a great framework to start.

06:28.527 --> 06:44.851
[SPEAKER_01]: Also there are some other types of frameworks out there, so there's the EU AI Act, which is more specific to Europe, and then there's also ISO 4201 that is going to be more specific to AI systems, but that's global.

06:45.552 --> 06:52.662
[SPEAKER_01]: There's also NISTAD 153, we can't ever forget that, just because there's no AI in the world, doesn't mean that it's not a framework.

06:52.642 --> 07:19.392
[SPEAKER_01]: that you need to reference, that's where you're going to find all of your controls specific to any type of system at the end of the day and then you know other people too are referencing some other types of acts out there so it was like the Colorado AI acts which you don't have to use but they're always you know there's always frameworks and you know cert certification bodies that you should reference to be able to know how to secure your systems.

07:19.625 --> 07:20.767
[SPEAKER_02]: Okay, so that's a lot.

07:20.787 --> 07:22.068
[SPEAKER_02]: So it's a lot.

07:22.108 --> 07:23.270
[SPEAKER_03]: Yeah, a lot out there.

07:23.290 --> 07:23.710
[SPEAKER_03]: It's a lot.

07:23.730 --> 07:27.095
[SPEAKER_03]: So so basically like you're looking at different frameworks.

07:27.115 --> 07:27.896
[SPEAKER_03]: You got this.

07:27.976 --> 07:34.585
[SPEAKER_03]: You got the Colorado like he was brought up ISO and you're just kind of putting these together.

07:34.645 --> 07:42.055
[SPEAKER_03]: Yeah, can you kind of and I know we talked about it like for you can kind of build a friend what was in this C to F what is it called a

07:42.035 --> 07:45.240
[SPEAKER_01]: NIST CSF 2.0.

07:45.641 --> 07:50.649
[SPEAKER_01]: So what organizations are doing or taking like the more hybrid approach to building up their frameworks.

07:50.950 --> 07:55.778
[SPEAKER_01]: So they're just pulling from different types of frameworks to build an AI governance framework.

07:56.038 --> 07:58.963
[SPEAKER_01]: That's what I did at least at my organization to build up

07:58.943 --> 08:14.679
[SPEAKER_01]: the governance program, we took pieces from NIST AI RMF, which will be focuses on a few different functions, has about five functions, but then we also mapped them back to NIST 853 controls and then NIST CSF 2.0 controls.

08:15.000 --> 08:16.463
[SPEAKER_01]: And that's how we got our framework.

08:16.493 --> 08:20.482
[SPEAKER_03]: Okay, is it it's a way like you could kind of just give me a small example.

08:20.522 --> 08:32.089
[SPEAKER_03]: How would you put that together like what I like say for example is I was just hypothetical say it's OpenAI I would how would you or you you can name another company, but you know this kind of give me like a brief example and how that goes like

08:32.069 --> 08:33.751
[SPEAKER_01]: Yeah, like of how you put the framework to that.

08:33.771 --> 08:34.553
[SPEAKER_03]: Yeah, how do you put that?

08:34.573 --> 08:46.409
[SPEAKER_01]: Or, okay, so yeah, so for us, because the framework is across the entire organization in terms of how we are able to secure these types of AI systems, right?

08:46.770 --> 08:50.435
[SPEAKER_01]: And so for us, we really start with what is our AI usage.

08:50.455 --> 08:54.361
[SPEAKER_01]: So that was a project that I took on to understand who's using AI.

08:54.701 --> 08:56.223
[SPEAKER_01]: What type of AI is going to use?

08:56.784 --> 09:00.810
[SPEAKER_01]: And a lot of it, of course, that's where you come to find out that there's a lot of shadow

09:00.790 --> 09:05.036
[SPEAKER_01]: you know, people are utilizing systems that have not been approved.

09:05.056 --> 09:06.659
[SPEAKER_01]: That's what shadow AI means.

09:06.759 --> 09:11.887
[SPEAKER_01]: And so from our AI usage, we then determine, okay, who's using more of what?

09:12.167 --> 09:17.295
[SPEAKER_01]: So OpenAI in your example, OpenAI was being used a lot, which is, you know, ChatGPT.

09:17.735 --> 09:29.413
[SPEAKER_01]: And so that started us thinking, okay, if people are utilizing those types of specific AI, that means they want it as a part of their

09:29.393 --> 09:51.378
[SPEAKER_01]: And so for us, we ended up taking what we already do when it comes to assessing any type of systems because me as a security architect, I'm always looking at solutions, understanding the types of controls that are in place, what controls need to be in place, some asking, you know, who's using those systems, who needs access to the systems, what's the business use case, things of that sort.

09:51.679 --> 09:53.360
[SPEAKER_01]: And so we're doing the same thing, right?

09:53.861 --> 09:56.464
[SPEAKER_01]: Why would somebody want to use

09:56.444 --> 09:57.887
[SPEAKER_01]: how can we justify it?

09:58.228 --> 10:01.154
[SPEAKER_01]: What types of like where does OpenAI sit?

10:01.515 --> 10:01.796
[SPEAKER_01]: Right?

10:02.136 --> 10:08.430
[SPEAKER_01]: And now from there, we're understanding the types of particular controls that we need to implement.

10:08.450 --> 10:10.134
[SPEAKER_01]: And so we're looking at the requirements.

10:10.575 --> 10:15.145
[SPEAKER_01]: So we're setting the standard because people don't know, especially,

10:15.125 --> 10:20.315
[SPEAKER_01]: if they're developing these AIs or they're wanting to use the AIs, they don't know the requirements around it.

10:20.596 --> 10:21.878
[SPEAKER_01]: You know, what can you put into it?

10:21.939 --> 10:23.081
[SPEAKER_01]: What can't you put into it?

10:23.983 --> 10:30.055
[SPEAKER_01]: Can you also utilize your current data within your organization to put into that model?

10:30.496 --> 10:33.201
[SPEAKER_01]: And so we come up with the requirements for that.

10:33.181 --> 10:35.887
[SPEAKER_01]: So that's kind of like a good starting point.

10:35.927 --> 10:50.177
[SPEAKER_01]: I mean, it's a lot more in depth, but I don't want to bore you, but essentially just understanding who's using what types of guard rails it'll be in place applying those controls and then ensuring that everybody in your organization knows.

10:50.157 --> 10:54.783
[SPEAKER_01]: that there's a framework that is to be used, that there's a framework that you have to reference.

10:55.143 --> 11:03.253
[SPEAKER_01]: That's the thing I'm finding with a lot of companies is that they're pushing for this AI use, but the people within the organization, they're not catching up.

11:03.353 --> 11:11.963
[SPEAKER_01]: They're not understanding what AI they can use, what AI has been approved, what AI is supposed to do, like the features and things of that sort.

11:12.179 --> 11:37.449
[SPEAKER_03]: Yeah, and a lot of companies are just bringing it in, like in the cybersecurity space I've been studying over on this shout out to Hacker Valley, I'm watching a podcast, but AI agents, a lot of people use AI agents for cybersecurity, when he was explaining in one of his videos, you have to put, if you want them to do things for you, you're going to have to put some type of authentication that they authenticate every time, just to make sure that they're doing the job properly.

11:37.469 --> 11:38.710
[SPEAKER_03]: So even that issue,

11:38.690 --> 11:43.301
[SPEAKER_03]: can be an agent because a lot of agents or agentic AI is what they're trying to get into currently.

11:44.023 --> 11:44.845
[SPEAKER_01]: Yeah, absolutely.

11:45.787 --> 11:50.719
[SPEAKER_01]: You know, you can't just kind of leave the AI off to its, you know, to be with itself.

11:51.060 --> 11:52.243
[SPEAKER_01]: You also, you always need to have them.

11:52.263 --> 11:54.368
[SPEAKER_01]: I'm sure you heard human in the loop, right?

11:54.388 --> 11:55.872
[SPEAKER_01]: So it has to be that checkpoint.

11:55.852 --> 12:01.941
[SPEAKER_01]: So when people are talking about, oh, X, Y, Z company is laying people off because they're being replaced with AI.

12:02.282 --> 12:07.109
[SPEAKER_01]: Just so you know, there still has to be humans that are there to oversee the AI.

12:08.331 --> 12:13.118
[SPEAKER_01]: Humans that are there to actually do retesting and retraining of the AI.

12:13.233 --> 12:17.297
[SPEAKER_03]: So you think, so basically, humans are almost always have to be in there.

12:17.357 --> 12:19.118
[SPEAKER_03]: You can't fully rely on it currently.

12:19.138 --> 12:19.679
[SPEAKER_00]: Absolutely.

12:20.139 --> 12:26.905
[SPEAKER_03]: And that's the thing I wanted you to stress out because a lot of people keep saying, oh, yeah, AI, it's not stupid right now, like it's really stupid.

12:27.166 --> 12:28.106
[SPEAKER_01]: It is, it is.

12:28.126 --> 12:43.240
[SPEAKER_01]: I mean, I get it from like a business standpoint when you have a lot of your investors and a lot of your board of directors come from the top, really pressuring you to develop some type of AI to be able to keep up with your competition that's out there

12:43.220 --> 13:04.198
[SPEAKER_01]: saying that we have a huge use for this AI and everybody wants it and so we have to get it, but you still have to understand how to be responsible with it, which is where the whole AI governance piece comes in to play because it is specifically telling you what standards you need to meet, what guardrails you need to adhere to.

13:04.448 --> 13:09.458
[SPEAKER_03]: So from what you're telling me, there's there's not a set framework.

13:09.618 --> 13:14.007
[SPEAKER_03]: A lot of companies are are don't even know what to do with it right now.

13:14.047 --> 13:15.731
[SPEAKER_03]: And they're just kind of pushing the AI there.

13:16.172 --> 13:21.242
[SPEAKER_03]: And it seems like they're bringing a lot of people that are doing AI governance to kind of do the job.

13:21.222 --> 13:25.227
[SPEAKER_03]: Do you think they need to get a AR framework for this?

13:25.447 --> 13:29.411
[SPEAKER_01]: Well, I'll be honest, a lot of companies are not bringing a lot of AI governance people in.

13:29.571 --> 13:33.236
[SPEAKER_01]: The companies who are doing that, they're the ones that are going to be ahead, right?

13:33.776 --> 13:37.841
[SPEAKER_01]: Majority of companies right now are just focusing on developing their own AI.

13:38.141 --> 13:45.930
[SPEAKER_01]: So they're bringing in a lot of developers, they're bringing in the software engineers, the security engineers, and they're forgetting about the governance piece.

13:45.910 --> 13:48.293
[SPEAKER_01]: So you're seeing a lot of job openings for that.

13:48.313 --> 13:50.315
[SPEAKER_01]: You're seeing a lot of job openings for sales.

13:50.715 --> 13:55.160
[SPEAKER_01]: You're seeing a lot of job openings for product owners, product managers, product designers.

13:55.560 --> 13:58.503
[SPEAKER_01]: It's because companies are just focused on building building building.

13:59.264 --> 14:07.733
[SPEAKER_01]: I am personally looking forward to 2026, 2027, where I feel that's where the government regulation will come out around AI governance.

14:07.954 --> 14:15.782
[SPEAKER_01]: And then companies will start knocking at my door saying,

14:15.762 --> 14:21.288
[SPEAKER_01]: But when you don't have to adhere to something, a lot of companies are just going to just not do it.

14:22.049 --> 14:27.896
[SPEAKER_03]: Same thing with CMMC, that needed to happen, but people didn't do it.

14:28.016 --> 14:34.123
[SPEAKER_03]: And now they're running to get it in place, like, you know, same thing with this.

14:34.143 --> 14:38.108
[SPEAKER_03]: This is kind of a way for people to get in this opportunity.

14:38.273 --> 14:59.519
[SPEAKER_01]: It is, to be honest with you, CMMC, back when, I think I was talking about CMMC in 2020, 2021, I think, and you're right, nobody knew about it, just like with AI, but we knew that it was coming to where it was going to be mandated, and if you weren't on top of CMMC, you were going to get left behind.

14:59.840 --> 15:06.728
[SPEAKER_01]: So like you're saying, like I'm not in that CMMC world right now, but what you're saying is that you're now seeing a lot of companies like rushing,

15:06.708 --> 15:07.088
[SPEAKER_01]: Right.

15:07.128 --> 15:16.198
[SPEAKER_01]: I am seeing CMMC jobs pop up not as much, but I guess a lot of people just missed, you know, getting on board at that particular time.

15:16.379 --> 15:35.179
[SPEAKER_03]: Yeah, because the people I know personally, I know a lot of people that that that CMMC got the certifications and they they was they was able to get on it before a lot of those people, they they're multi they're millionaires, you know, literally just off of learning that framework because they were like

00:35.159 --> 00:42.775
[SPEAKER_03]: And the biggest thing I took from what you just said, like you said that when they create these AI software, they're not even making sure it's properly governed.

15:42.896 --> 15:53.218
[SPEAKER_01]: Oh my gosh, I have a conversation out of kindness with a company who was developing an AI chatbot within the organization and they reached out to me on LinkedIn and I said, sure I'll have.

15:53.198 --> 16:02.731
[SPEAKER_01]: They're asking so many questions around just like, you know, the governance piece and trying to also understand what's being sold out there.

16:03.432 --> 16:07.578
[SPEAKER_01]: What would make somebody want to buy a chatbot like that if they made it externally.

16:08.019 --> 16:11.724
[SPEAKER_01]: And it just goes to show a lot of these, a lot of these questions were coming from the board of directors.

16:12.084 --> 16:16.050
[SPEAKER_01]: It just goes to show that people just don't know, but they're so quick to build.

16:16.030 --> 16:23.631
[SPEAKER_01]: And something I learned from an advisor was don't start building or developing a product until you know that there's a customer need for it.

16:24.032 --> 16:31.052
[SPEAKER_01]: When you don't even have a customer base, you're kind of just shooting in the dark and another thing that I think is going to happen is

16:31.032 --> 16:41.224
[SPEAKER_01]: Maybe a few years from now, I'm not going to say it's going to be next year, but maybe three, five years from now, companies are going to be rather upset because there's no return on their investment, right?

16:41.244 --> 16:47.011
[SPEAKER_01]: They may have been probably going to spend $500 million just to find out that it was a flop, right?

16:47.071 --> 16:49.834
[SPEAKER_01]: They thought too soon, same with the agentic AI.

00:50.235 --> 00:57.023
[SPEAKER_01]: We had seen a lot of people moving in that direction, OpenAI came out and said, oh, we're going to be having their own agentic AI.

16:57.343 --> 17:00.567
[SPEAKER_01]: People are going to get on board with that.

17:00.547 --> 17:03.972
[SPEAKER_01]: OpenAI's for competition, you may have to go back to the drawing board.

00:04.433 --> 00:08.158
[SPEAKER_03]: You know, the funny thing too, most of these companies are wrapped in OpenAI.

17:08.579 --> 17:17.191
[SPEAKER_01]: I know, so many, so many, when you think about the type of LLM that a lot of you've organizations are using, using the same type of thing, you know.

17:17.231 --> 17:19.855
[SPEAKER_01]: So, I really think,

17:19.835 --> 17:28.284
[SPEAKER_01]: You know, the people at the top, yeah, they're going to be the ones that's consistently selling and the smaller companies, they may end up falling behind.

17:29.125 --> 17:34.651
[SPEAKER_01]: So I get it wanting to keep up, but you know, you really have to think about who's your audience.

17:34.891 --> 17:46.163
[SPEAKER_01]: And what you're actually trying to achieve and for me, I'm always thinking five years ahead, right, what's what's going to flop and what's going to withstand the type of economy that we're in.

17:46.497 --> 17:50.181
[SPEAKER_03]: So to the audience is make sure this is the one thing somebody always taught me.

17:50.201 --> 17:54.084
[SPEAKER_03]: If you're already in the trend, it's pretty much already over.

17:54.985 --> 18:15.205
[SPEAKER_03]: So you may want to think about just even put positioning yourself, like you said with CMMC, you know, you might not get another opportunity.

18:15.185 --> 18:21.153
[SPEAKER_03]: But I didn't want to kind of talk to you about, you know, I don't not sure if you're familiar the DOD.

00:21.273 --> 00:25.057
[SPEAKER_03]: Well, the DOD, the formerly known as the DOD, the use of the Department of War currently.

18:25.418 --> 18:27.340
[SPEAKER_03]: They just released something called Gen AI.

18:27.921 --> 18:36.552
[SPEAKER_03]: So people that's in the contract of space know that everybody got alert letting them know, hey, you can use Gen AI and create workflows, create this and hangstings.

18:38.017 --> 18:42.144
[SPEAKER_03]: What would be your thoughts on people just like taking advantage of it?

18:42.224 --> 18:44.327
[SPEAKER_03]: How would you take advantage of it if you was in a space?

18:45.429 --> 18:46.611
[SPEAKER_00]: Take advantage as a worker.

18:46.731 --> 18:47.433
[SPEAKER_01]: Yes, a worker.

18:47.453 --> 18:48.274
[SPEAKER_01]: Not as a hacker.

18:48.675 --> 18:49.456
[SPEAKER_02]: Yeah, not as a hacker.

18:49.536 --> 18:50.217
[SPEAKER_02]: Not as a hacker.

18:51.339 --> 18:51.660
[SPEAKER_01]: Yeah.

18:51.740 --> 19:02.117
[SPEAKER_01]: I mean, I think that you should definitely utilize AI to be more efficient at work, you know, especially when it comes to email writing for example, I definitely always do use AI.

19:02.137 --> 19:04.581
[SPEAKER_01]: We have Copilot at work, I hate Copilot, by the way.

00:04.561 --> 00:07.588
[SPEAKER_01]: We also have OpenAI, so I'm going to definitely go that route.

19:08.390 --> 19:10.114
[SPEAKER_01]: So using it to write your emails.

19:10.876 --> 19:20.899
[SPEAKER_01]: Now, just to make sure that I'm always staying sharp, I do write out the emails, I want it to be, but I use AI to just make it a lot more clear and concise, right?

19:20.879 --> 19:24.183
[SPEAKER_01]: So don't get too lazy and have AI write everything for you.

00:24.764 --> 00:28.829
[SPEAKER_01]: I'd also say reporting is going to be a big use of it.

19:28.849 --> 19:33.355
[SPEAKER_01]: So if I were in that space, I would be using it to spit out reports.

19:34.036 --> 19:39.442
[SPEAKER_01]: Also, if you know, especially me, I do a lot of vulnerability scanning.

19:39.883 --> 19:45.710
[SPEAKER_01]: So again, if you do have that type of product within your organization, you can use it.

19:45.770 --> 19:48.574
[SPEAKER_01]: You can use your organization's data.

19:48.554 --> 19:54.521
[SPEAKER_01]: So possibly like having the AI go through the scans and getting a better sense of it.

19:54.541 --> 19:57.304
[SPEAKER_01]: So a lot of analysis I would use the AI for.

19:57.364 --> 20:01.128
[SPEAKER_01]: So those are things that I would take advantage of with the AI.

20:01.148 --> 20:07.276
[SPEAKER_03]: Especially in the cybersecurity space, you know, I deal with a lot of vulnerability reports, a lot of the management needs to notice stuff.

20:07.296 --> 20:08.697
[SPEAKER_03]: So just use it to your advantage.

20:09.158 --> 20:12.942
[SPEAKER_03]: It helps you secure your job a little bit more because you know how to use it.

20:12.922 --> 20:13.904
[SPEAKER_03]: take advantage of it.

20:14.204 --> 20:28.310
[SPEAKER_03]: But with AI coming in the government's in space, again, that's another job opportunity because we know with during the system that's sensitive things and you have to know certain things if you're going to bring AI into your environment.

20:28.330 --> 20:30.053
[SPEAKER_03]: So that's another job opportunity also, right?

20:30.033 --> 20:30.454
[SPEAKER_01]: Oh, yeah.

20:30.514 --> 20:30.935
[SPEAKER_01]: For sure.

20:30.975 --> 20:33.119
[SPEAKER_01]: It's a great job opportunity.

20:33.420 --> 20:39.593
[SPEAKER_01]: And even speaking about job opportunities, you know, people are looking to, I guess, get into the space.

20:40.555 --> 20:46.287
[SPEAKER_01]: I would say, at least for AI governance, what's made me a stronger AI governance individual is because I do have.

20:46.267 --> 20:58.386
[SPEAKER_01]: the RMF background, I have the GRC background, I have the security architecture background, and really AI governance is technical and very, you know, compliance governance combined.

20:58.887 --> 21:08.342
[SPEAKER_01]: And so I think that's a really strong skill set to have, but when you are thinking about AI governance, just know it is going to be technical, you have to understand controls.

21:08.322 --> 21:25.065
[SPEAKER_01]: Also, if you again, if you're an ISSO, so information system security officer, information system security engineer, even if you're doing RMF analysis or being an analyst, so risk management framework analysts, always try to actually say the acronym.

21:25.045 --> 21:29.432
[SPEAKER_01]: But if you're in that lane, this is perfect for you.

21:29.532 --> 21:40.910
[SPEAKER_01]: Even if you're doing consulting work, you definitely, again, if you want to stay ahead of the curve and I agree, you know, if we're talking like this kind of getting left behind, right, maybe you can look into quantum.

21:41.531 --> 21:42.733
[SPEAKER_01]: If that's exciting to you.

21:42.913 --> 21:44.195
[SPEAKER_03]: I forgot all about lesson.

21:44.215 --> 21:44.736
[SPEAKER_03]: That's another lesson.

21:44.756 --> 21:45.557
[SPEAKER_01]: That's another one.

21:46.018 --> 21:51.627
[SPEAKER_01]: And I don't think we, that's not as popular right now as AI, but it is a big push for it.

21:51.607 --> 21:53.150
[SPEAKER_03]: It's pushing trust me.

21:53.170 --> 21:54.532
[SPEAKER_03]: Yeah, it's, it's, it's pushing.

21:54.552 --> 21:56.956
[SPEAKER_01]: In data centers, that's a big one.

21:57.116 --> 21:59.440
[SPEAKER_01]: So that's something that people should look into as well.

21:59.861 --> 22:00.722
[SPEAKER_03]: Get ahead of it now.

22:01.243 --> 22:04.990
[SPEAKER_03]: So, so Markisha, um, I know we're getting more in depth into AI.

22:05.010 --> 22:10.679
[SPEAKER_03]: Can you explain how it fits in time like the GRC process, sort of 18, you know, ATOs, RMF.

22:10.699 --> 22:12.923
[SPEAKER_03]: How does that all fit in with that?

22:13.527 --> 22:19.195
[SPEAKER_01]: Now it's a great question because I think that they're starting to all kind of running to each other.

22:19.376 --> 22:26.065
[SPEAKER_01]: So when we're talking about AI governance, AI governance is a subset of GRC, right?

22:26.145 --> 22:36.160
[SPEAKER_01]: So again, AI governance is specifically targeting, you know, what actual what an AI model should be.

22:36.140 --> 22:38.684
[SPEAKER_01]: Like what the output should be essentially, right?

22:38.904 --> 22:42.970
[SPEAKER_01]: And what guardrails you should have in place to ensure that that happens, right?

22:42.990 --> 22:49.539
[SPEAKER_01]: So it's not model drifting or it's not hallucinating or it's not spitting out sensitive data.

22:49.599 --> 22:51.221
[SPEAKER_01]: There's no bias part of it, right?

22:51.241 --> 22:53.024
[SPEAKER_01]: That's essentially what AI governance is doing.

22:53.464 --> 22:55.087
[SPEAKER_01]: I'm only think about how it fits in.

22:55.147 --> 22:58.992
[SPEAKER_01]: So with RMF, you know, being more for federal

22:58.972 --> 23:01.315
[SPEAKER_01]: IT systems.

23:01.415 --> 23:03.658
[SPEAKER_01]: So that's like that step by step process.

23:03.738 --> 23:05.480
[SPEAKER_01]: So 1 to 6 steps.

23:06.101 --> 23:15.112
[SPEAKER_01]: The way that you can say that AI governance fits in is at every single step of RMF, you're seeing something within the AI life cycle.

23:15.192 --> 23:27.747
[SPEAKER_01]: So if we're talking about like the preparation step in terms of AI governance, we need to understand that data collection piece.

23:27.727 --> 23:30.811
[SPEAKER_01]: we're trying to understand the authorization boundary within there, right?

23:30.831 --> 23:33.614
[SPEAKER_01]: So that's how it kind of fits in to each of those steps.

23:33.775 --> 23:40.403
[SPEAKER_01]: And then I would say in terms of the ATO process, you really can't ATO an AI system unless you have AI governance.

23:40.703 --> 23:48.553
[SPEAKER_01]: So unless you understand that documentation piece around it, you really have to really, there needs to be

23:48.533 --> 23:56.283
[SPEAKER_01]: some type of truth to where the AI was trained to do x, y, and z, and so it spits out x, y, and z.

23:56.643 --> 23:58.686
[SPEAKER_01]: So that type of like you call it a model card.

23:59.046 --> 24:03.692
[SPEAKER_01]: So model card documentation around your AI systems.

24:03.913 --> 24:11.723
[SPEAKER_01]: I always tell my students when I teach them AI governance is think of it as if it's like a birth certificate for an AI system.

24:12.404 --> 24:15.908
[SPEAKER_01]: So that's essentially how they all kind of loop into each other.

24:16.006 --> 24:17.529
[SPEAKER_03]: OK, so I got you.

24:17.549 --> 24:23.340
[SPEAKER_03]: So what you're going through, like, same when you're doing GRC, same as in the government space, you go to the seven steps.

24:23.741 --> 24:31.095
[SPEAKER_03]: You're seeing a working fit in each step, the same thing with the GRC, whatever framework they're using, you try to insert a little bit in each one, correct?

24:31.075 --> 24:32.138
[SPEAKER_01]: They all overlap.

24:32.278 --> 24:33.762
[SPEAKER_01]: Like you'd be really surprised.

24:33.782 --> 24:42.886
[SPEAKER_01]: Like we're talking about NIST RMF, whether you wanna say six steps or seven steps, that also correlates to NIST CSF, right?

24:42.926 --> 24:46.215
[SPEAKER_01]: Where NIST CSF has functions.

24:46.195 --> 24:52.783
[SPEAKER_01]: And then it also correlates to NIST AI RMF that also has functions, right?

24:53.204 --> 24:59.852
[SPEAKER_01]: And then to go even further in, I mean, it's just like even the AI life cycle's the same thing.

25:00.253 --> 25:00.533
[SPEAKER_01]: Right?

25:00.633 --> 25:10.245
[SPEAKER_01]: You have different stages of the AI life cycle that fit into the different steps of RMF that also fit into the different categories of NIST CSF.

25:10.225 --> 25:23.813
[SPEAKER_03]: Okay, so, so with AI, what do you think the biggest issues with it, in general, like it's vulnerabilities, to keep you safe vulnerabilities, anything that you think doesn't have big issues with AI, with organizations?

25:24.468 --> 25:43.647
[SPEAKER_01]: Um, I would say the biggest issues are people don't know how to use the AI and then in general people don't know enough about AI and then I would also say, you know, we are the biggest threats to AI in general.

25:43.667 --> 25:54.238
[SPEAKER_01]: The biggest risk to AI in general just simply because it's always like what's so cool about about doing AI governance is you have to assume

25:54.218 --> 25:56.545
[SPEAKER_01]: the AI is always going to be messed up.

25:57.006 --> 25:58.470
[SPEAKER_01]: It's never perfect at all.

25:59.092 --> 26:05.431
[SPEAKER_01]: And because you're always making that assumption, you know that you're always going to have to be assessing it at the end of the day.

26:06.614 --> 26:09.342
[SPEAKER_01]: Some different types of risks that I see a lot,

26:09.322 --> 26:12.567
[SPEAKER_01]: Um, are going to be, I know I spoke about shadow AI earlier.

26:12.607 --> 26:13.549
[SPEAKER_01]: That's a big one.

26:13.589 --> 26:23.345
[SPEAKER_01]: Um, I'd also say, you know, the model drifting is big because you want to make sure that it's not spitting out information that it shouldn't be. Hallucinating,

26:23.405 --> 26:29.355
[SPEAKER_01]: I think, is more like a pain point, like it's just frustrating when you're trying to ask it a certain question and it can't get it right.

26:29.335 --> 26:52.423
[SPEAKER_01]: Um, but then I do also think to, um, another big one is going to be jailbreaking, you know, hackers can come in and jailbreak and I will say when we're thinking about the AI life cycle, the biggest, the biggest most important stage in that life cycle, um, one of them at least is going to be that data collection because that's where the strike injection, the jailbreaking,

26:52.403 --> 27:00.113
[SPEAKER_01]: Once you put crappy data in, crappy data out, and it's a repetitive cycle because that's how the life cycle works.

27:00.654 --> 27:04.399
[SPEAKER_01]: Even if you retrain it, let's say you retrain it off of bad data.

27:05.280 --> 27:17.196
[SPEAKER_01]: So somebody, again, the human in the loop, somebody has to also be very, they got to do their due diligence, and they need to be intelligent about the information that should be coming out of the AI model.

27:17.176 --> 27:40.770
[SPEAKER_03]: That's why you're seeing a lot of jobs popping up saying you need an AI model trainer, or like, we need somebody who has a law degree, or we need a doctor, and it's for that reason. Okay, so, so, okay, I'll tell you what you're saying on that. So it's a lot, it's a lot that goes into that. So with ownership of AI and organization, who should take ownership of it, like, to make sure everything is in place?

27:40.818 --> 27:41.740
[SPEAKER_01]: I love this question.

27:42.101 --> 27:43.003
[SPEAKER_01]: So many conferences.

27:43.444 --> 27:45.128
[SPEAKER_01]: We've been, um, we've gone over this.

27:45.589 --> 27:50.761
[SPEAKER_01]: Um, and I always say, you know, everybody takes ownership when it comes to AI.

27:51.182 --> 27:51.343
[SPEAKER_01]: Right.

27:51.383 --> 27:53.227
[SPEAKER_01]: So you have maybe your security team.

27:53.287 --> 27:57.477
[SPEAKER_01]: They're going to take ownership of the controls and the architecture.

27:57.457 --> 28:07.354
[SPEAKER_01]: then you may have your risk and your governance team, they're going to definitely be focused a lot on the governance piece.

28:07.415 --> 28:14.487
[SPEAKER_01]: Then you have your data team or your design team, they're focusing on the model in general on how it's built.

28:14.467 --> 28:18.393
[SPEAKER_01]: But ultimately, there has to be that quarterback, right?

28:18.553 --> 28:22.239
[SPEAKER_01]: And that's going to fall either on definitely leadership.

28:22.259 --> 28:33.537
[SPEAKER_01]: So whether that's your AI committee, or maybe you have a data privacy, owner, AI data privacy owner, or an AI chief individual, you know, that person's going to ultimately take the fall.

28:34.057 --> 28:37.082
[SPEAKER_01]: But everybody's responsible for AI.

28:37.383 --> 28:40.908
[SPEAKER_03]: I don't know that question because everybody wants to put ownership on one person.

28:40.928 --> 28:41.368
[SPEAKER_03]: Of course.

28:41.548 --> 28:42.329
[SPEAKER_03]: But it's everybody.

28:42.570 --> 28:43.411
[SPEAKER_03]: Everybody uses it.

28:43.431 --> 28:44.532
[SPEAKER_03]: Everybody uses it.

28:44.572 --> 28:50.220
[SPEAKER_03]: So you've got to make sure it's secure for everybody to use an entire organization because if it's not, then is it wrong?

28:50.240 --> 28:50.901
[SPEAKER_03]: Is it what they want you?

28:51.221 --> 28:51.842
[SPEAKER_01]: Right.

28:51.862 --> 28:56.768
[SPEAKER_01]: And I think that this whole obviously AI is such like this big craze, right?

28:57.049 --> 28:58.851
[SPEAKER_01]: But it's the same with security.

28:58.831 --> 29:01.835
[SPEAKER_01]: Everybody wants to put the blame on security, right?

29:01.855 --> 29:03.417
[SPEAKER_01]: They're like, oh, there's one team.

29:03.858 --> 29:05.360
[SPEAKER_01]: And that's who we blame at the end of the day.

29:05.400 --> 29:09.886
[SPEAKER_01]: Everybody's responsible for understanding security and doing security, right?

29:10.327 --> 29:11.408
[SPEAKER_01]: Same thing with AI.

29:11.508 --> 29:15.754
[SPEAKER_01]: And AI, in my opinion, is not really different from security.

29:15.774 --> 29:21.442
[SPEAKER_01]: It's just focusing on AI specific systems.

29:21.462 --> 29:22.383
[SPEAKER_03]: OK, now hear you.

29:22.463 --> 29:22.864
[SPEAKER_03]: So

29:23.587 --> 29:34.081
[SPEAKER_03]: Organizations make sure you're all taking accountability when it comes out with training the documentation and the people that you put in place so that's something that we always got to consider.

29:35.022 --> 29:40.910
[SPEAKER_03]: So with this overall because it's starting to get my brain as it wheels are turning.

29:41.811 --> 29:46.597
[SPEAKER_03]: Since this is a high impact, this is a field that is going to grow over time.

29:47.218 --> 29:51.163
[SPEAKER_03]: How would you sit with certifications you think will be best for this type of field?

29:52.072 --> 30:01.037
[SPEAKER_03]: Because if there's actually a asked certification with compliance, but I'm not sure there's like $100, but a lot of people I forgot the name of it, but a lot of people are trying to get into it.

30:01.317 --> 30:07.093
[SPEAKER_01]: Yeah, well, there is that cert that's coming with CompTIA, like, called

30:07.073 --> 30:17.912
[SPEAKER_01]: SecAI+, if I'm not mistaken, and so that should be coming in the new year. That's going to be a cert that probably organizations are going to see as a good fit.

30:18.994 --> 30:26.567
[SPEAKER_01]: I also do feel that certifications around GRC are going to be important if you want to get into this space.

30:26.547 --> 30:33.434
[SPEAKER_01]: Also, I don't think it's just, you know, certifications in general, but also the types of training that you have.

30:33.855 --> 30:40.802
[SPEAKER_01]: So, doing training around, you know, AI/ML and things like that, that's going to be very, very important to LLMs.

30:41.082 --> 30:45.267
[SPEAKER_01]: Also, I would say to understanding networks, right?

30:45.287 --> 30:49.871
[SPEAKER_01]: So, I think we understand a network to get understand how a hacker maybe thinks or how they like probe.

30:50.032 --> 30:56.098
[SPEAKER_01]: I think penetration testers are going to be great in AI and the AI space, believe it or not.

30:56.078 --> 31:18.694
[SPEAKER_01]: And they're probably just trying to stay in their lane, but I think this will be a great, like if you are in penetration testing, if you want it to kind of veer off into AI governance, you definitely could, because again, it's technical, and if you have that technical understanding, you understand threats, and you know, ultimately AI governance is just being more proactive.

31:18.674 --> 31:24.264
[SPEAKER_01]: versus reactive, you could definitely do well in this particular discipline.

31:24.424 --> 31:25.285
[SPEAKER_03]: So, brooding no certs.

31:25.606 --> 31:27.129
[SPEAKER_03]: You're basically saying, brooding no certs.

31:27.169 --> 31:28.912
[SPEAKER_01]: Nobody's looking for certs right now.

31:29.012 --> 31:30.574
[SPEAKER_01]: Okay, just looking because it's so new.

31:30.655 --> 31:32.177
[SPEAKER_03]: So, it's looking for you to know that not.

31:32.197 --> 31:34.241
[SPEAKER_01]: They're looking for you to have that understanding.

31:34.882 --> 31:39.670
[SPEAKER_01]: When I'm seeing on job descriptions now are kind of what they're looking at, they are looking for people.

31:39.650 --> 31:52.291
[SPEAKER_01]: that have AI, that understand, you know, RAG, LLM, AI/ML, individuals who understand engineering, possibly individuals who have some exposure to some type of language.

31:52.391 --> 31:56.578
[SPEAKER_01]: So I would say like Python is big in this space.

31:56.918 --> 32:00.504
[SPEAKER_01]: Also, Kiko with architecture background is really really good.

32:01.005 --> 32:04.290
[SPEAKER_01]: And then GRC, of course,

32:04.270 --> 32:10.927
[SPEAKER_01]: and even better if you've worked in a highly regulated industry, right?

32:11.047 --> 32:15.559
[SPEAKER_01]: So health care and finance, those are very regulated.

32:15.619 --> 32:18.246
[SPEAKER_01]: So they're looking for people with that type of experience as well.

32:18.445 --> 32:22.892
[SPEAKER_03]: Okay, Markeisha, so the thing I'm trying to figure out, also, where are the job names?

32:22.912 --> 32:26.919
[SPEAKER_03]: Because when I'm not even typing AI governance, it's no jobs popping up.

32:26.979 --> 32:28.561
[SPEAKER_03]: So where would I have it on a find a job?

32:28.601 --> 32:30.645
[SPEAKER_01]: Yeah, at least not a lot, right?

32:31.125 --> 32:33.730
[SPEAKER_01]: So it's a very good question.

32:33.750 --> 32:38.277
[SPEAKER_01]: A lot of companies are looking for people.

32:38.257 --> 32:43.084
[SPEAKER_01]: still with the type of title that they generally have.

32:43.184 --> 32:51.375
[SPEAKER_01]: So let's say like a GRC analyst, but they're going to sprinkle in the job description that you need to understand AI, right?

32:51.435 --> 32:52.937
[SPEAKER_01]: AI governance.

32:52.997 --> 32:54.520
[SPEAKER_01]: Let's say you're doing ISSO work.

32:54.540 --> 32:55.140
[SPEAKER_01]: Same thing.

32:56.162 --> 33:01.890
[SPEAKER_01]: Let's say that you are doing data, like anything around data, data analyst, right?

33:02.190 --> 33:03.572
[SPEAKER_01]: They're looking for that as well.

33:03.552 --> 33:07.079
[SPEAKER_01]: And so a lot of the titles are not changing.

33:07.099 --> 33:11.868
[SPEAKER_01]: AI governance will hear somebody said the other data conference.

33:11.888 --> 33:15.115
[SPEAKER_01]: They're like, well, you know, AI governance, it's not really a thing.

33:15.836 --> 33:17.139
[SPEAKER_01]: And I get what they're saying.

33:17.179 --> 33:20.926
[SPEAKER_01]: And it also makes sense because you're not finding that as an actual title.

33:21.006 --> 33:23.451
[SPEAKER_01]: I have found AI governance as a title.

33:23.431 --> 33:40.794
[SPEAKER_01]: But you're not seeing it a lot, so it's really going to be those information security analyst roles, those ISSO roles, those overall maybe RMF type of roles. If they kind of like sprinkle it in there, that can be one as well, but you have to look at the job description.

33:41.215 --> 33:50.147
[SPEAKER_03]: It's really not going to be found through the job title.

33:50.127 --> 33:55.679
[SPEAKER_03]: There's going to be a lot of roles, and they're looking for that, like, purely just knowing RMF is not going to get you with you.

33:55.859 --> 33:56.340
[SPEAKER_00]: It's not.

33:56.360 --> 33:56.761
[SPEAKER_00]: It's not.

33:57.382 --> 33:57.563
[SPEAKER_03]: It's not.

33:57.583 --> 33:59.066
[SPEAKER_03]: Including myself, it has to adapt.

33:59.086 --> 34:04.116
[SPEAKER_03]: Because I know people that's losing their jobs, and they can't find a job, like literally you can't find a job.

34:04.517 --> 34:05.419
[SPEAKER_03]: So.

34:05.399 --> 34:28.690
[SPEAKER_03]: to the audience like RMF specific yeah like literally like so for example like really are not like regular security but you know you got cloud compliance now so you know you got cloud you didn't eventually go on you know AI has a different compliance system yeah I knew it just and then if and if they make it mandatory then you say quantum so it's all these new they didn't like I said they're trying to automate so they don't have to age a young they're trying to automate GRC now

34:28.670 --> 34:33.218
[SPEAKER_03]: So even that, so regularly just doing a job is not going to get you got to learn some Python.

34:33.238 --> 34:35.722
[SPEAKER_03]: You're going to have to do some learn different.

34:35.882 --> 34:37.845
[SPEAKER_01]: And I think we talk about this a lot in this space.

34:37.885 --> 34:44.076
[SPEAKER_01]: The RMF and GRC space do you need to be technical now with modern RMF and GRC.

34:44.196 --> 34:47.742
[SPEAKER_01]: Yes, you have to have some type of technical skill set.

34:47.722 --> 34:51.326
[SPEAKER_01]: And I do think that it's great to understand some type of code.

34:51.706 --> 34:57.293
[SPEAKER_01]: At least how to write, and then at least how to read the code, so you can understand where the vulnerabilities are within that code.

34:57.413 --> 34:58.674
[SPEAKER_01]: I think that would be helpful.

34:59.615 --> 35:05.261
[SPEAKER_01]: And then also, just understanding more in terms of those security controls.

35:05.341 --> 35:16.834
[SPEAKER_01]: I think sometimes it's just the base, like some people in these types of roles, they're not really understanding the controls in depth in a very technical controls the end of the day, right?

35:16.814 --> 35:28.225
[SPEAKER_01]: And so if you really understand what that ask is and how you should be like what types of evidence are supposed to be looking for, I think that could be helpful too.

35:28.323 --> 35:33.251
[SPEAKER_03]: Yeah, for me, like in the email to the audience, if you use AI, just to kind of see what controls.

35:33.271 --> 35:40.983
[SPEAKER_03]: Like I use that too, just with AI controls, it tells me a lot of the controls on like you keep saying this apply to Azure AI.

35:41.163 --> 35:42.425
[SPEAKER_01]: Yeah, yeah, absolutely.

35:42.826 --> 35:45.771
[SPEAKER_01]: I'm just, this was the lesson plan I was just doing earlier today.

35:46.071 --> 35:49.116
[SPEAKER_01]: We were going over AI specific controls.

35:49.096 --> 35:54.062
[SPEAKER_01]: You know, and you're going to have least privilege, that's going to relate to AI.

35:54.082 --> 35:59.809
[SPEAKER_01]: You're going to also have, you know, controls around what is the AC4?

36:00.049 --> 36:00.590
[SPEAKER_02]: Yes, definitely.

36:00.650 --> 36:02.872
[SPEAKER_01]: I can't link up access and enforcement.

36:02.953 --> 36:04.835
[SPEAKER_01]: Ask us control or information or enforcement.

36:04.955 --> 36:06.437
[SPEAKER_01]: Access information enforcement.

36:06.837 --> 36:07.798
[SPEAKER_01]: That's one as well.

36:07.818 --> 36:09.981
[SPEAKER_01]: Do you want to have SDLC?

36:10.041 --> 36:11.383
[SPEAKER_01]: That's going to apply to.

36:11.883 --> 36:17.550
[SPEAKER_01]: So, you know, you have a lot of these controls already from NIST 800-53 that do apply.

36:17.530 --> 36:20.533
[SPEAKER_01]: but there are more specific AI controls.

36:20.553 --> 36:26.500
[SPEAKER_01]: And I'm looking forward to seeing if NIST is actually going to come out with a new control family.

36:26.940 --> 36:29.483
[SPEAKER_03]: They are, or they're going to run it?

36:29.543 --> 36:30.484
[SPEAKER_03]: They probably are.

36:30.564 --> 36:30.844
[SPEAKER_00]: Yeah.

36:30.884 --> 36:31.885
[SPEAKER_03]: Probably in the rev six.

36:33.047 --> 36:34.708
[SPEAKER_00]: People still haven't even known them.

36:34.728 --> 36:35.309
[SPEAKER_00]: Rev five.

36:36.070 --> 36:37.711
[SPEAKER_00]: The government moves to slow me.

36:39.694 --> 36:40.715
[SPEAKER_00]: That's why I had to get out.

36:40.815 --> 36:43.017
[SPEAKER_00]: I cannot, I'm very innovative.

36:43.037 --> 36:43.858
[SPEAKER_00]: I gotta move put.

36:43.990 --> 36:47.179
[SPEAKER_03]: So, so say I'm just a regular person, right?

36:47.199 --> 36:49.706
[SPEAKER_03]: I'm trying to get into this job with no experience, right?

36:49.746 --> 36:50.850
[SPEAKER_03]: What would I put on my resume?

36:50.890 --> 36:51.471
[SPEAKER_03]: What would I learn?

36:51.491 --> 36:52.073
[SPEAKER_03]: What would you do?

36:52.775 --> 36:54.219
[SPEAKER_01]: I'm to get into the AI space.

36:54.239 --> 36:55.282
[SPEAKER_03]: Yeah, the AI company.

36:55.342 --> 36:56.245
[SPEAKER_03]: Governance space.

36:56.900 --> 37:05.276
[SPEAKER_01]: I would say first and foremost, really understanding what AI governance is, and then I would also also say, understanding your different frameworks.

37:05.296 --> 37:08.843
[SPEAKER_01]: The frameworks that are relevant to AI governance, right?

37:08.923 --> 37:18.621
[SPEAKER_01]: So once again, we went over NIST AI RMF, we talked about ISO 42001, which in my opinion is going to

37:18.601 --> 37:24.809
[SPEAKER_01]: Come as fast as ISO 27001 when it came out, just because it's more specific to AI systems.

37:25.830 --> 37:27.973
[SPEAKER_01]: Getting some familiarity, of course.

37:28.113 --> 37:32.058
[SPEAKER_01]: If you already have familiarity with NIST 800-53, that's excellent.

37:32.078 --> 37:33.840
[SPEAKER_01]: That's a great starting point for you.

37:34.761 --> 37:39.327
[SPEAKER_01]: But also getting familiar with what the EU AI Act.

37:39.307 --> 37:55.695
[SPEAKER_01]: EU AI Act is specifically touching on because where companies are still also referencing it at the end of the day So understanding those types of frameworks and then I would say from there, you know, really learning more about

37:55.675 --> 37:56.296
[SPEAKER_01]: AI

37:56.356 --> 37:57.558
[SPEAKER_01]: in general, what is the AI

37:57.598 --> 37:58.979
[SPEAKER_01]: life cycle, right?

37:59.060 --> 38:08.893
[SPEAKER_01]: You know, starting with your data collection and your training and your, um, you know, deployment and your continuous, um, monitoring and retraining, right?

38:08.913 --> 38:15.962
[SPEAKER_01]: It's really important to understand what that life cycle looks like and understand where the risks are within that life cycle.

38:16.403 --> 38:25.395
[SPEAKER_01]: If you can, if you can, if you can speak that in interviews, I think that's excellent

38:25.375 --> 38:31.049
[SPEAKER_01]: So, threat modeling is going to be like something that you definitely should be focused on.

38:31.992 --> 38:42.979
[SPEAKER_01]: You know, if you don't know about threat modeling now, the biggest types of threat model examples are STRIDE and MITRE ATT&CK, but when we're talking about AI, there's MITRE ATLAS now.

38:42.959 --> 38:57.101
[SPEAKER_01]: And so what I love about the threat modeling is it's really just a way for you to be very proactive when it comes to understanding the types of threats that can come about for your system overall.

38:57.581 --> 39:02.969
[SPEAKER_01]: So, you know, you're laying out your threats and you're kind of like probing, right, to see what happens.

39:03.610 --> 39:07.877
[SPEAKER_01]: And AI is all about asking questions, just asking questions, right?

39:07.897 --> 39:08.578
[SPEAKER_01]: You want to get

39:08.558 --> 39:11.742
[SPEAKER_01]: the answer out of the person that's trying to sell the product to you.

39:12.143 --> 39:18.551
[SPEAKER_01]: Just because it's a popular vendor like OpenAI doesn't mean that they don't have any flaws, right?

39:18.631 --> 39:20.794
[SPEAKER_01]: But you have to ask the right questions.

39:21.315 --> 39:28.765
[SPEAKER_01]: And I would say too, you know, learning more about the different, you know, AI models that are out there too is going to be important.

39:29.766 --> 39:35.173
[SPEAKER_01]: I know in one interview, I wasn't

39:35.153 --> 39:36.175
[SPEAKER_01]: model card.

39:36.215 --> 39:40.822
[SPEAKER_01]: And as I mentioned, model card think of it as like the birth certificate for your AI system.

39:40.862 --> 39:43.767
[SPEAKER_01]: And so you have to have some type of documentation.

39:43.827 --> 39:50.698
[SPEAKER_01]: You know, anybody should be able to go back and look at that model card and be like, this is the intended use for this system.

39:50.678 --> 39:52.922
[SPEAKER_01]: this is what it shouldn't be used for.

39:52.982 --> 39:58.691
[SPEAKER_01]: This is who should be using it and things of that sort, right, how it should be performing.

39:59.132 --> 40:03.419
[SPEAKER_01]: And so understanding that is important and doing projects is going to be helpful.

40:03.479 --> 40:09.910
[SPEAKER_01]: Doing projects and putting it on your LinkedIn and putting it on your resume is really super helpful.

40:09.930 --> 40:11.873
[SPEAKER_01]: Like putting classes not so much projects.

40:12.254 --> 40:12.494
[SPEAKER_01]: Yes.

40:12.635 --> 40:17.142
[SPEAKER_01]: So if you want it to

40:17.122 --> 40:26.776
[SPEAKER_01]: or if you want it to do an assessment and we call AI impact assessment, that could be something that you put on your resume or an AI risk assessment.

40:27.257 --> 40:31.504
[SPEAKER_01]: Anything that gives you that type of exposure is really important.

40:31.604 --> 40:33.246
[SPEAKER_01]: I think that's where people should start.

40:33.366 --> 40:36.311
[SPEAKER_01]: I know I said a lot, but you're going to have to know a lot.

40:36.331 --> 40:37.172
[SPEAKER_01]: It's no like

40:37.152 --> 40:42.020
[SPEAKER_01]: creeping in here and somebody just offering you a job at AI, you have to know your stuff.

40:42.040 --> 40:46.889
[SPEAKER_01]: It is very technical and the people who are hiring you, they are extremely technical people.

40:46.929 --> 40:51.938
[SPEAKER_01]: They're engineers, they're developers, usually in these interviews, there's VPs.

40:52.278 --> 40:55.504
[SPEAKER_01]: There's people at a very high level that have great expectations.

40:55.564 --> 40:59.110
[SPEAKER_01]: So that's why I'm laying all of that out for you because

40:59.090 --> 41:07.642
[SPEAKER_01]: It's not one of those things where you can just creep in like maybe you can creep in and help desk or IT support or SOC analyst or GRC.

41:07.964 --> 41:09.690
[SPEAKER_01]: It's not like that with AI

41:09.890 --> 41:21.977
[SPEAKER_03]: Yeah, in general, like with AI and how the cybersecurity space is going now, if you interview with an Anthropic or OpenAI or some of these big companies, they're expecting you to know of the basics now.

41:22.257 --> 41:26.607
[SPEAKER_03]: Like, even if you put a zero trust, they want to know how do you implement zero trust?

41:26.627 --> 41:28.070
[SPEAKER_03]: What is zero trust?

41:28.090 --> 41:29.974
[SPEAKER_03]: So a lot of these companies are changing.

41:29.954 --> 41:32.217
[SPEAKER_03]: how they're hiring going forward.

41:32.337 --> 41:34.379
[SPEAKER_03]: It's not like you got the certification.

41:34.419 --> 41:36.302
[SPEAKER_03]: No, you got to build a personal brand.

41:36.722 --> 41:37.924
[SPEAKER_03]: You got to talk about projects.

41:37.984 --> 41:39.666
[SPEAKER_03]: You know, I'm the king of LinkedIn, you know?

41:40.046 --> 41:41.368
[SPEAKER_03]: Yes.

41:41.428 --> 41:43.591
[SPEAKER_03]: So you got to keep posting these projects.

41:43.891 --> 41:45.573
[SPEAKER_01]: You have to be obsessed with it.

41:45.593 --> 41:47.716
[SPEAKER_01]: You have to look like the expert.

41:48.797 --> 41:51.580
[SPEAKER_03]: So Mark, we want to start closing it out.

41:51.841 --> 41:53.903
[SPEAKER_03]: Can you tell me where the audience can find you?

41:54.119 --> 41:55.961
[SPEAKER_01]: Yes, they can find me on LinkedIn.

41:56.102 --> 42:09.899
[SPEAKER_01]: So, LinkedIn.com, on forward slash, I-A, and forward slash, Mark Ysha-S-A, M-A-R-K-E-I-S-H-A, S-N-A-I-T-H. You could also find me as well.

42:10.400 --> 42:15.807
[SPEAKER_01]: Actually, we're else key find me, because I don't think I try to like make my other types of social media's eye-riven.

42:15.787 --> 42:16.107
[SPEAKER_01]: Yeah.

42:16.127 --> 42:18.050
[SPEAKER_01]: So you can find me at my company's page.

42:18.251 --> 42:18.791
[SPEAKER_01]: I'm sire.

42:18.811 --> 42:21.675
[SPEAKER_01]: So X I R E that I owe.

42:22.457 --> 42:30.047
[SPEAKER_01]: You can also find us on Instagram at we are X I R E. So that's we are sire.

42:30.588 --> 42:33.833
[SPEAKER_01]: You can also find us on LinkedIn at the we are sire as well.

42:34.934 --> 42:37.558
[SPEAKER_01]: Yeah, I mean, if you ever want to connect just reach out.

42:37.538 --> 42:44.652
[SPEAKER_01]: Um, yeah, I'm looking forward to, you know, talking with you about, um, you know, your job search means or your needs in general.

42:45.253 --> 42:48.760
[SPEAKER_01]: Um, we do free consultations with you if that's something you're interested in.

42:49.201 --> 42:57.657
[SPEAKER_01]: So somewhere, throughout our website, we have a few call to actions so you can click any one of those and you can book a discovery call for free.

42:58.497 --> 43:11.617
[SPEAKER_03]: And check her out, you know, you want to learn about cybersecurity, governance, AI governance, GRC, just check her out, you know, even me up, I might have to go book something to figure out what was going on with this AI compliance thing.

43:12.458 --> 43:13.440
[SPEAKER_03]: So you have check her out.

43:13.840 --> 43:20.230
[SPEAKER_03]: And also, Markeisha, what is one thing you want to leave the audience with before we come to an end?

43:20.591 --> 43:22.193
[SPEAKER_03]: This is one thing you want to leave the audience with.

43:22.223 --> 43:38.781
[SPEAKER_01]: Yeah, I mean, for me, I think now is not the time to be hiding in the shadows, you know, if you really want the job and you want the job that's going to be able to keep up in the market, you have to be ready to put in the work, you know, your skills can't fall behind you have to stay sharp.

43:38.761 --> 43:41.585
[SPEAKER_01]: your competition is always staying very sharp.

43:42.026 --> 43:46.031
[SPEAKER_01]: So again, that's for the people that want to move up and continue moving up.

43:46.131 --> 43:53.361
[SPEAKER_01]: If you're very comfortable in the world that you're in, that's fine, but just know, you still need to stay on top of your studies, right?

43:53.401 --> 44:07.401
[SPEAKER_01]: Like when they say, when you get older and you start noticing how, like your grandparents have to reach out to you because they don't know how to use their camera, like you never want that to be you and the way that AI is advancing so quickly, it can easily become

44:07.381 --> 44:11.025
[SPEAKER_01]: You, right, even at the age of 30, 40, 50.

44:11.406 --> 44:13.608
[SPEAKER_01]: So it's really important that you get hip with it.

44:13.648 --> 44:15.710
[SPEAKER_01]: Whether you like it or not, it's here.

44:16.691 --> 44:21.136
[SPEAKER_01]: So definitely checking out, you know, ChatGPT, Claude, Perplexity.

44:21.477 --> 44:24.040
[SPEAKER_01]: Those are going to be some great starting points for you.

44:24.440 --> 44:25.902
[SPEAKER_01]: Just, you know, use it every single day.

44:25.942 --> 44:28.585
[SPEAKER_01]: Have it write your emails, ask it a question.

44:28.905 --> 44:31.508
[SPEAKER_01]: You know, just play around with it, but you can't ignore it.

44:31.708 --> 44:33.270
[SPEAKER_01]: I will, I will tell you that.

44:33.655 --> 44:43.918
[SPEAKER_03]: Now I agree with everything you said like working in this space right now and this of course I always give a lot of people pressure is either going to turn you into a diamond or it's going to turn you to dust.

44:44.287 --> 45:03.411
[SPEAKER_03]: You know, is it a one of the two, is this, so if you go survive in this space and this is when I play sports and anything you've got to keep adapting and you've got to you've got to turn to that diamond because it's a lot of pressure and and I'm not in cybersecurity working in our field can be really cutthroat, very cut.

45:03.451 --> 45:05.974
[SPEAKER_03]: If you're not if you don't perform is gone.

45:07.017 --> 45:09.223
[SPEAKER_03]: So it's like being a fail, you know?

45:09.263 --> 45:11.650
[SPEAKER_01]: That's true, you'll get the one job.

45:11.670 --> 45:12.733
[SPEAKER_01]: You better stay on top of it.

45:12.753 --> 45:16.564
[SPEAKER_01]: You ready to be privacy for eight, nine, 10 hours a day if you want to be sharp.

45:16.745 --> 45:17.687
[SPEAKER_04]: Yeah, I keep shooting.

45:18.169 --> 45:19.733
[SPEAKER_04]: You shoot the free throws, you know?

45:20.255 --> 45:21.839
[SPEAKER_04]: But thank you, Markeisha.

45:21.859 --> 45:22.461
[SPEAKER_01]: Thank you.

45:22.441 --> 45:24.365
[SPEAKER_01]: I really appreciate you having me on here.

45:24.385 --> 45:29.376
[SPEAKER_01]: I mean, this is like one of my favorite topics right now and the fact that I teach it as well.

45:29.477 --> 45:30.860
[SPEAKER_01]: So it keeps me very sharp.

45:31.461 --> 45:37.735
[SPEAKER_01]: So if you're looking for somebody to teach GRC or AI governance, you can definitely reach out to me as well.

45:37.815 --> 45:38.436
[SPEAKER_01]: So thank you.

45:38.537 --> 45:39.218
[SPEAKER_01]: No problem.

45:39.620 --> 45:42.164
[SPEAKER_03]: Well, thank you everybody for watching the Tech World Podcast.

45:42.525 --> 45:43.867
[SPEAKER_03]: I'm your host Chris Agpala.

45:44.228 --> 45:53.203
[SPEAKER_03]: Remember to like the video, subscribe to the channel, share the video, comment down below, and also check out our on-method Academy if you're trying to learn on-method.

45:53.264 --> 45:56.249
[SPEAKER_03]: So, thank you everybody, get one percent better every day.

45:56.529 --> 45:58.613
[SPEAKER_03]: Peace out, I'll see you on the next one.

45:58.713 --> 45:58.793
[UNKNOWN]: Bye.

