Leveraging AI to Enhance Regulatory Compliance in Multi-Cloud Environments
IBM's Volkmar Uhlig and Elpida Tzortzatos explain how AI can aid in compliance through streamlining, automation and data analysis

Every piece of data that a business collects and analyzes provides valuable information. However, much—if not most—of that data is subject to compliance requirements, which organizations are increasingly prioritizing because the stakes are high. Accounting firm PwC’s “Global Risk Survey 2023” found that 40% of organizations had improved their compliance approach in the previous 12 months; among the top-performing 5% of organizations, the figure doubled to 81%.
AI is increasingly being utilized to streamline regulatory compliance in multi-cloud environments, enabling businesses to adhere to ever-evolving regulations efficiently. By leveraging AI-driven solutions for governance and compliance automation, organizations can enhance their compliance posture while reducing the burden on their legal and IT teams.
Volkmar Uhlig, the vice president of AI Infrastructure at IBM, says that when you create a storage device on IBM Cloud, one of the questions you must answer concerns the laws of the jurisdiction where the device is located. He explains that every time you access or move data between storage buckets, that data is subject to regulatory requirements.
“A big question is, ‘Can you take the data out of the EU and bring it into the US?’ IBM Cloud attaches legal regulatory requirements to each specific data object stored in the system,” says Uhlig. “IBM Cloud then ensures that you cannot access data from the wrong legal region or move the data between legal regions. With access controls on every level, you cannot accidentally make a compliance mistake.”
To manage these complexities effectively, organizations realized they had to change how they approach compliance. In the past, many businesses simply viewed compliance as a check-the-box task. However, the “2023 Thomson Reuters Risk & Compliance Survey Report” found that 70% of corporate risk and compliance professionals had noticed a shift from check-the-box compliance to a more strategic approach over the past two to three years.
Creating Policies for Compliance
By attaching policies to the reference architectures, you can build additional compliance controls into the data itself, as rules that apply to specific pieces of data. The reference architectures deployed in the cloud include policy documents built to account for U.S. National Institute of Standards and Technology (NIST) standards, EU regulations and any other applicable regulations. When you deploy a reference architecture, you inherit its certification to that standard, which helps ensure that your use of AI does not violate local requirements.
Suppose, for example, you are trying to spot early warning signs of chronic conditions by using AI to analyze patient data subject to HIPAA, the U.S. Health Insurance Portability and Accountability Act. You must first ensure that the model is HIPAA-compliant by attaching the regulatory constraints to it. If you then use a model trained on EU data to analyze and annotate that data before feeding it into another model, the annotated data becomes subject to EU regulations as well. Knowing this level of detail about each piece of data requires tracing its lineage through the system and the models that touched it, says Uhlig.
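The two mechanisms the article describes, regulatory tags attached to each data object and enforced on every access or move, and derived data inheriting the constraints of every input it was produced from, can be shown in a few dozen lines. The following is an added illustration, not IBM Cloud code or anything IBM has published: the regime names (EU-GDPR, US-HIPAA), the region identifiers and the policy table mapping regimes to permitted regions are constructed assumptions, chosen so that the HIPAA-plus-EU-model scenario above has exactly one region where the annotated output may legally sit.

```python
"""Jurisdiction tags on data objects, enforced on access, move and derivation.

Added illustration only; it is not IBM Cloud code. The regime names, the
region identifiers and the policy table are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class DataObject:
    name: str
    region: str                    # storage region where the object resides
    regimes: FrozenSet[str]        # regulatory regimes attached to the object
    lineage: Tuple[str, ...] = ()  # names of the inputs it was derived from


class PolicyViolation(Exception):
    """Raised when an operation would breach a regime attached to the data."""


# Constructed policy table: regions in which data under each regime may reside
# or be accessed from. Real obligations are more nuanced; these are assumptions.
ALLOWED_REGIONS = {
    "EU-GDPR": frozenset({"eu-de", "eu-fr"}),
    "US-HIPAA": frozenset({"us-east", "us-south", "eu-de"}),
}


def allowed_regions_for(regimes: Iterable[str]) -> Set[str]:
    """Regions acceptable to every regime at once (intersection, not union)."""
    regimes = list(regimes)
    if not regimes:
        return set().union(*ALLOWED_REGIONS.values())
    allowed = set(ALLOWED_REGIONS[regimes[0]])
    for regime in regimes[1:]:
        allowed &= ALLOWED_REGIONS[regime]
    return allowed


def check_access(obj: DataObject, requester_region: str) -> bool:
    """Deny access from a region that any attached regime does not permit."""
    blocked = [r for r in obj.regimes if requester_region not in ALLOWED_REGIONS[r]]
    if blocked:
        raise PolicyViolation(
            f"{obj.name}: access from {requester_region} blocked by {sorted(blocked)}")
    return True


def move(obj: DataObject, dest_region: str) -> DataObject:
    """Relocate an object; the tags travel with it and gate the destination."""
    if dest_region not in allowed_regions_for(obj.regimes):
        raise PolicyViolation(
            f"{obj.name}: cannot move to {dest_region} under {sorted(obj.regimes)}")
    return DataObject(obj.name, dest_region, obj.regimes, obj.lineage)


def derive(name: str, region: str, inputs: Iterable[DataObject]) -> DataObject:
    """Create an output whose regimes are the union of every input's regimes.

    A model counts as an input: annotations produced by a model trained on
    EU data inherit the EU regime even when the annotated data did not carry it.
    """
    inputs = list(inputs)
    regimes = frozenset().union(*(i.regimes for i in inputs))
    if region not in allowed_regions_for(regimes):
        raise PolicyViolation(
            f"{name}: no placement in {region} satisfies {sorted(regimes)}; "
            f"permitted: {sorted(allowed_regions_for(regimes))}")
    return DataObject(name, region, regimes, tuple(i.name for i in inputs))


def demo() -> DataObject:
    """Walk through the article's scenario with constructed objects."""
    # Constructed inputs: a HIPAA-tagged patient data set and an EU-trained model.
    patients = DataObject("patient-records", "us-east", frozenset({"US-HIPAA"}))
    eu_model = DataObject("triage-model", "eu-de", frozenset({"EU-GDPR"}),
                          lineage=("eu-training-corpus",))
    # The annotations inherit both regimes; only eu-de satisfies both, so
    # placing them in us-east is refused and eu-de is accepted.
    try:
        derive("annotated-records", "us-east", [patients, eu_model])
    except PolicyViolation as exc:
        print("refused:", exc)
    annotated = derive("annotated-records", "eu-de", [patients, eu_model])
    check_access(annotated, "eu-de")        # permitted
    try:
        check_access(annotated, "us-east")  # the inherited EU-GDPR tag blocks this
    except PolicyViolation as exc:
        print("refused:", exc)
    return annotated


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is in `allowed_regions_for`: combining constraints narrows where data may live (an intersection), so an output derived from inputs under two regimes can end up with fewer permitted regions than either input alone, or none at all, which is exactly the situation lineage tracking exists to surface before the data is written.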
Using AI to Improve Compliance
Organizations can more effectively and efficiently build the story of the data’s journey using automated data discovery and classification. Elpida Tzortzatos, CTO of AI for IBM Z & LinuxONE, says IBM’s portfolio includes an efficient AI model that can quickly detect hateful, abusive and profane text in LLM training data.
“IBM Z will be releasing a new product in the next year that leverages large language models to discover sensitive data in IBM Z data set files and Db2 data,” says Tzortzatos. “We are leveraging large language models to auto-discover sensitive and PII [personally identifiable information] data, then mark the files with tags noting whether they are sensitive or not. Clients can then make sure the right protection and auditing policies are applied to the data based on classification results leveraged by other IBM security products or their own applications.”
“If you look solely at the technical level, if you think about a model, the model is the sum of its training data,” says Uhlig. “This is where IBM comes in, as we build our own. We are carefully controlling what training data goes into the model.”
For example, Uhlig explains that with its family of Granite foundation models, IBM takes a conservative approach to training data. When IBM produces a model, it makes sure that all outputs of the model are completely copyright free, so you can use it in your product—even code produced by the models is not under copyright. Additionally, IBM creates a score card, or model card, that links all the training data to the model in the system and tells you what the model can do, what it cannot do and in which legal systems it may be used.
Lifecycle Management and Guaranteed Compliance
The more accurate and clean your model, the more accurate its results. AI can also help with compliance by automating complex processes such as data classification, monitoring and reporting across the model’s life, referred to as lifecycle management of the model. Take, for example, detecting profanity in the model’s data. With automation, you can tag all the data the model uses far more efficiently. Because everything is integrated, this approach improves the security and safety controls and their management, which is the main reason for using a platform such as IBM Cloud.
“As long as you are staying within the platform, IBM can guarantee that you are compliant. The moment you move out of the platform, you lose visibility and control. IBM makes sure that the whole life cycle is covered, all the way to archiving the training data and models,” says Uhlig. “If someone returns two years later with questions, you can run the software and provide proof.”