HITT- AI governance and risk management strategies- April 8, 2025
The video discusses the transformative impact of AI on government operations and risk management, emphasizing the importance of Governance, Risk Management, and Compliance (GRC) strategies. It highlights the need for organizations to establish effective governance frameworks to manage risks and ensure compliance with regulations, particularly in light of new standards like CMMC. The panel features experts who share best practices for AI governance and the significance of continuous monitoring and employee training. As organizations increasingly prioritize AI strategies, the conversation around GRC becomes crucial for maintaining compliance and managing third-party risks. The session concludes with a call for collaboration and engagement in navigating the complexities of compliance.
Transcript is auto-generated.
It is a detailed examination of how AI is transforming the world of governments, governance, risk management. You think this is easy at this time of the war? I’m in Hawaii. It’s four AM.
No. I’m not. And compliance, governance, risk management, and compliance. Oh my. Collectively known as GRC.
It’s an organizational strategy that aligns IT with business goals, manages risks effectively, and ensures compliance with regulations and industry standards.
This is serious stuff. You’ll walk away today with key strategies and best practices for navigating the AI governance landscape.
Telarus VP of cybersecurity, Jason Stein, joins us today along with cybersecurity solution architect, Jason Kaufman. Yes. It’s a tale of two Jasons.
And industry experts, Tyler Smith, VP of channel sales at Cipher, some say also of the United States. Take a look at Jason here. Oh, I’m sorry. Tyler here. And Chris Rose, who is founder and CEO at Ariento.
They all join us to uncover the key strategies and the best practices for navigating the AI governance landscape.
Jason and Jason, welcome to you and your panelists. How are you doing today?
Doing amazing. Thanks, Doug. Appreciate it.
We’re gonna need some coffee to get you to the here while we’re talking.
Fantastic. Well, thank you to the panelists for joining us today. Excited to hear from, Tyler and Chris.
So what we wanted to do, thanks for the amazing definition of GRC, is break each one of them up. So let’s go to the next slide for me, Chandler. Let’s break down each one of these components. So first off, what is governance?
Governance refers to the policies, procedures, and processes that organizations need to actually follow, from a guideline perspective, in order to make sure that the organization operates ethically and effectively and puts good frameworks in place so that it has a sound strategy to follow. You know, Jason Kaufman, let’s talk a little bit more about the governance aspect. I feel like sometimes it’s just RC. We just go into the risk and compliance, and a lot of organizations are skipping over the G. Is that true when you’re having conversations?
I feel like they think it’s invisible as part of the GRC component, part of the whole conversation. But governance is probably one of the most important because it establishes that framework and aligns cybersecurity with business objectives, and the continuous innovation and monitoring and accountability of all the risk and everything that goes into risk and compliance.
So to answer your question, I think it’s something that is viewed less there, but is obviously more important because it’s continuous compared to everything else.
There’s a lot of statistics. And if you’ve listened to any of our calls in the past, you know I love to throw stats, and the next slide’s gonna be full of them. But, you know, it was showing that organizations that don’t have a governance framework actually go out of business in the SMB market just from one, you know, one bad ransomware attack, one breach of sorts. So it’s very tough. Now when we get into the risk, you start to look at what boards of directors are. Risk really is about identifying risks to the organization.
You know, are there internal risks, external risks? Do we have third party risks, employee risks, customer risks? Who is accessing the data? And right now, it’s being driven down from the board of directors to leadership and then put on IT. And if you listen to any of our calls in the past, you know, one of the great strategies is actually to go and have a conversation with leadership to see if they have a board of directors, because you’re gonna see a lot of organizations are putting together a cybersecurity committee to advise the board, which is huge. And then we get into compliance.
Now compliance is adhering to all these laws and regulations and policies, and you hear things like HIPAA and HITRUST for health care, PCI for anybody doing point of sale, FERPA for education, and then you’re gonna hear Chris talk a lot about CMMC, which is huge. We have AI strategies and compliances that are coming out. GDPR is the international one. We have ISO.
You know, there’s so many different ones. You know, Jason, when we think about compliance, all these changes came out. Are organizations starting to gear back up towards focusing on compliance? Are they still rolling the roulette wheel and hoping that it just doesn’t fall on double green, double zero?
No. They’re definitely focusing on compliance as the driving factor because they have customers that are requiring specific compliance for them to be able to bid or continue managing their internal data and stuff like that. So they have to follow, you know, if they’re doing payment processing, they have to follow PCI, which is a self-governance standard by the industry, or CMMC now, which Chris is gonna get into.
But the customers are requiring that in order to keep doing business with them. So compliance is a driving factor. But one thing we always wanna make sure they understand is compliance and cybersecurity and overall security are two different things. Compliance is a minimum set of standards at a certain point in time. You know, certain compliances run over a certain time parameter, but cybersecurity is continuous: that governance piece of it, that continuous innovation and monitoring and management of the entire practice. So there’s multiple components here that are super important, where compliance is the driving factor for the customer, but governance itself is making sure that you follow parameters consistently.
So I just wanna make sure that everybody knows, when they’re having that conversation, that once you hit compliance, your job’s not done. You still need to follow up; you still need to do other things to continue on that journey.
Love it. Thanks. Alright, Chandler. Let’s get into some stats. So, you know, a lot of these are Gartner.
I try to look at Gartner, Forbes, Deloitte, you know, what are they saying? So forty two percent of organizations, you know, are looking to actually outsource their risk. They’re looking at not just relying internally, and so risk is a huge conversation piece. You’re gonna see that, a lot of organizations are actually getting more comfortable relying on TAs to come in and have a risk conversation.
The board really needs to understand and identify those risks and put dollar amounts to those risks and then align them with their cyber insurance policy to see where are the gaps, where are the biggest risks that could be detrimental to an organization, how much could they cost, and what does the coverage look like for their cyber insurance policy? Do they either need to up their policy, or do they either need to put more technology in place to protect their organization?
You know, then you look at GRC in general, governance, risk, and compliance, and the market cap’s forty five billion dollars. So, you know, out of the two hundred and twelve billion dollars that people are spending on cybersecurity this year, forty five billion of that is going towards GRC.
Jason Kaufman, how often are you in conversations with companies that come up and say, hey. We would love to discuss GRC. We need some guidance. We need some help. Can you help us get to where we need to be?
It’s definitely most of the calls. A lot of it, actually, a driving factor is third party risk mitigation and, you know, the GRC component of third party risk, where you’re monitoring everybody that touches your data or has access to your systems. You wanna make sure that they’re following some form of risk management, GRC, themselves. And, you know, it’s a very tedious task.
So they’re saying, hey. We’ve already done a lot of this stuff to make sure we are aligned. We need help managing this for external parties that have access to our systems. So that’s part of how a lot of these conversations start.
And whether the company is trying to do this stuff self-service or have somebody help them out with certain pieces or a whole compliance-as-a-service package, the GRC component is very important because it has a specific alignment to exactly what they’re looking to do across these different frameworks. And you don’t have to start from ground zero if you need to go across multiple frameworks. It takes all the artifacts and all the inputs that you put in aligning with, for instance, one framework, and it will pull all that data and align it with CMMC or, you know, if there’s things that match from, like, HIPAA or other privacy laws.
It’ll take all of that and put it under one single platform. So it makes management of this much more simple.
So then you look at twenty three billion dollars is gonna be the size of the compliance market this year, and a lot of those are starting to shift their focus to AI and cloud compliance tools as their priority for this year. So, you know, AI, according to our trends report, according to everybody you look at, is the number one priority. Over seventy five percent of organizations are prioritizing putting together some type of AI strategy. Cloud, as you see with Kobi Phillips, is absolutely becoming monstrous. And then the AI space itself, according to Deloitte, is gonna be a seven hundred and fifty billion dollar conversation this year. But what’s interesting is AI governance.
AI governance is putting together that framework, that strategy around artificial intelligence, and only twelve percent of organizations are even following that. You know, Jason, as companies are coming to you, is AI important? Are we having an AI conversation? And then is AI governance becoming part of that conversation, because they’re not following that framework? Is that consistent with what you’re seeing?
Yeah. Just CISOs and directors of IT infrastructure and all of them are trying to get ahead of the employees that found AI through the market texture. You know, as soon as ChatGPT hit the mainstream media, you know, now everybody’s trying to use this stuff to become more efficient and augment a lot of their day-to-day tasks. So how do you get in front of that to make sure that that employee isn’t putting confidential or identifiable information into these, you know, foundational models that are now being trained for somebody else to be able to pull that data publicly?
You know, how do you make sure you’re keeping that sensitive data protected and training that employee to know how much risk they’re inherently putting on the company by leveraging these tools without proper training? So it’s twofold. One is how do you protect it and get visibility into what AI tools are being used and what inputs are being put in by employees? But then also, how do you enable employees with stuff that is company controlled, where it’ll pull out that data or keep it a hundred percent private?
So that conversation is massive right now because shadow AI is probably one of the biggest fears, you know, besides ransomware, of the CISOs and directors of IT and CIOs and all the above.
I love it. Now you heard me allude to this. Gartner says that forty percent of boards of directors are putting together a cybersecurity committee to advise the board. So if you’re not doing that, if you’re not having conversations with boards, they’re putting together a committee to advise them because they’re tired of being three-letter-acronymed to death by their CIO.
They want somebody to help explain that. You can do a team of yourself plus Telarus resources to help advise the board. You know? So, Jason, let’s talk about this.
This was surprising to me. When I went and looked, according to last year, only four percent of organizations are actually CMMC ready. They’re not even compliant, so they’re gonna lose those third party contracts to deal with government, public sector. You know?
So let’s talk a little bit about are you hearing about CMMC come up in conversations more? And then if you don’t mind introducing our first presenter, I’m very excited to hear what Chris has to say around CMMC.
Yeah. So in the world of compliance right now, CMMC is probably the hot topic. You know, we talked about shadow AI as being overall cybersecurity, but for compliance, CMMC right now is the biggest one because it’s a different talk track. If you’re looking for alignment with, like, the HIPAA framework or HITRUST because you wanna go get a contract or you wanna get into a specific industry, CMMC is kinda the first one where, hey, you wanna keep those contracts that you already have with a government entity.
You’re gonna lose those unless you follow this framework and get an attestation that you’re following these controls. And depending on, you know, which level, you know, one through three, most of them align with level two, which I’ll turn over to Chris here. I don’t wanna steal his thunder. But honestly, I think that four percent is probably pretty generous.
Because most of the people that we talk to, they’re just starting on their cybersecurity journey. And they’re like, we never even thought about this until it became a government mandate that to be able to do business you need to follow these controls.
So that leads us into the next piece, where we wanna talk to a CMMC specialist. And I’d like to introduce Ariento who, I don’t wanna take away from the thunder, but if you’ve heard the term C3PAO, which is not a Star Wars term. It is actually a cybersecurity industry term. And we’ll hear from somebody who actually does these attestations live. And, you know, that’s a different level of expertise than where you would normally, you know, be able to get here. So, Chris, I wanna turn it over to you here and, you know, tell us a little bit about Ariento.
Sure. Thanks, Jason and Jason. Yeah. And, I mean, on that four percent note, I will say that we operate kind of on our two sides of the business, which we’ll talk about in a second.
We operate from Fortune five hundred all the way down to, I saw in the chat somebody asking about a five person company, and we kinda see it all. Right? When you talk about the defense industrial base, it’s, you know, small businesses are very much encouraged, and that four percent aligns with our experience, I will say, because this is a new thing. And even in the Fortune five hundred companies that we’re going into, just not knowing that, you know, this is kind of a different flavor of compliance, and it’s the first time, like you said, Jason.
Can we go to the next slide?
So real quick, just to step back on CMMC, just to kinda level set, make sure that everybody is on the same page, and this is a very high-level, quick intro.
But if you haven’t been following, like Jason said, CMMC has been about a five year journey for the Department of Defense.
And, really, it started because, the Department of Defense was contractually obligating. Right? So the federal regulation saying, hey. You wanna do business with us?
You have to be compliant with this standard, and the standard is called NIST, National Institute of Standards and Technology, 800-171. And this dates back to two thousand eighteen. And so they rolled this out and they said, hey. We know cybersecurity is important.
You guys are gonna have to do this. We’re passing this regulation. We’re gonna put it in the contract. But what they did is they said, you’re just gonna self-attest to it.
Right? So you’ve gotta do a few things every year, and then you’ve gotta tell us, and you’re gonna sign on the dotted line saying, hey. I’m doing this cybersecurity.
In two thousand nineteen, the DOD went and did an inspector general investigation and basically found out that cybersecurity was no better. People are saying they’re doing this. They’re not, and they’re actually charging the government more money. And so that’s when kind of the DOD took a step back and said, alright.
We need a stick here, and that’s where CMMC was born. So that’s what CMMC is, and it just went into effect, if you’ve been following this, December sixteenth of last year. The regulation passed and went into effect. And what it is is it’s still that same NIST 800-171 that’s been around for seven years, in terms of our contractual obligation.
But now they’re standing up an entire industry like us to come in and do a third party independent assessment every three years. In order to do business with the DOD, you have to get assessed and certified and provide that when you get awarded the contract.
And the justification for all of this really is, hey. The DOD budget, if you looked at the most recent one, I think they’re proposing the highest of all time, a trillion dollars. But the justification is that they were losing six hundred billion dollars a year to our adversaries, and the example they always give is the F-35, which you see in this picture. So when the F-35 came out after, you know, a decade plus of planning, you know, China had it essentially the next week.
Right? And it was like, well, how does that happen? Well, that happens because of this diverse supply chain, and they’re stealing information from the smallest all the way up to the biggest and putting it together, and all of a sudden you have the F-35 plans. So the final point on this slide, just from a CMMC standpoint, is this compliance, if I were to take this into a private context, to compare it to some of the other compliance standards, it’s about two types of information.
And these are two types of information that the federal government considers proprietary.
And when they label them and give them to their contractors, they are now contractually obligating that they put these hundred and ten security controls in NIST 800-171 on them and that they actually get certified to say that they’re doing it. So just like, you know, HIPAA and PHI, you know, at the end of the day, it really is about the information and the people, the systems, and the facilities that process, transmit, or store this type of information.
Hey, Chris. Can you get a little bit into FCI and CUI and what that is? Sure. And why that’s important?
Yeah. So CUI is controlled unclassified information, and if you’re familiar with the government space, it replaced what used to be the FOUO, for official use only, program back in the Obama White House days. And what it is, it’s just proprietary information of the government. So it’s not classified, but it’s information that they want controlled, unclassified, you know, and it comes up as part of this contract. So think of it as proprietary information, no different than if Telarus, you know, in our Intuitant contract, said, hey. Whenever we send you this stuff and we label it sensitive or proprietary, we want you to protect it in this way, and we have a contractual obligation to you. It’s just got the weight and the power of the federal government behind it.
And then FCI is kind of a catchall. That’s federal contract information, and that’s basically anything gleaned in the contracting process that’s not public information. So it’s, like I said, kind of a catchall. The requirements on securing that are a little bit lower than CUI, but those are the two types of information.
So real quick about us, you know, as Jason said, we actually hit this from both sides. We were fortunate to have a board member that was the CISO of NASA JPL, sat on the same committees as Johns Hopkins and Carnegie Mellon who created the CMMC standard, and walked us in the door early back in two thousand nineteen.
But we’ve kind of approached this from two sides. We have our authorized CMMC third party assessor organization side of the business, advisory and consulting, more traditional project work, that can do those audits. We’re authorized. The DOD has assessed us and authorized us to be able to do those. One of sixty six, I think.
And then on the other side, we’re a managed service provider. So we help people, you know, on the other side of the audit table pass these audits, whether it be outsourced from a managed security standpoint, managed security and IT, whatever that might look, like.
We are a Microsoft partner. I get this question a lot from from Telarus folks. So the the whole GCC GCC high thing, we can get into that. We are authorized to resell that. It’s a different level of partnership with Microsoft.
And like I said, we’ve been doing this for quite a while, you know, since the beginning, and kind of both sides of our business serve different markets. So the C3PAO side serves kind of that mid to enterprise, advisory consulting. And then on our side, we’re more the mid to small, who really have no choice but to outsource this in order to pass these audits. Next slide.
In terms of our services, and I’ll go through these quick. So this is our advisory consulting. So that side of the business I mentioned, that’s kinda more the project work, also authorized as an auditor.
So they kinda have, I’ll say, four main offerings.
The top of this slide is offerings helping people get ready so that they’ll pass an assessment. So a lot of times people will come to us as an auditor and say, hey. I want you to help us get ready because I know you’re an auditor and, you know, if I come out of an engagement with you, I know I’m gonna be ready because it was an actual auditor looking at me as opposed to, you know, any company can help you get ready, right, if they know CMMC.
But, you know, they’re not all auditors and have that lens. So we do a lot of discovery and scoping. We’ll talk about how important that is. At the end of the day, this this whole thing starts with where is that information, you know, people, systems, facilities, that CUI and FCI.
And the more you can narrow scope, you know, it’s like any other audit. Right? The less that they’re looking at, the better it is and the easier it is. So you really wanna do that, and you don’t necessarily have to have your entire organization in scope.
And then the readiness and remediation, where we’ll do things like gap analyses, things like that, and we’ll help supplement capability. Documentation was mentioned in there, you know, technical implementation, that kind of stuff.
The bottom side of this slide is the official, you know, us in our C3PAO capacity. So we do both mock assessments and certification assessments. Again, every three years, these companies have to get certified. We’re seeing a lot of folks want mocks now because they’re not sure if they’re ready, and they wanna use this as their C3PAO.
And so the big difference between a mock assessment and a gap analysis is a mock assessment doesn’t provide recommendations. So we can kinda maintain that C3PAO status, which is the other difference between these lines: if we help you get ready, we cannot be your C3PAO because that would be a conflict of interest. So I can’t audit what we helped, you know, get ready. So the bottom side is the audit side. The top side is the, you know, help you get ready. Next slide.
And then from a managed services side, which I mentioned, you know, we do kind of in that mid to small space, we have really four flavors.
And so the first is, in this space, I mentioned you don’t have to have your whole organization kinda get ready. What a lot of companies, even larger companies, will do is they’ll say, hey. You know what?
I only have ten percent of my business doing DOD and federal government work. I’m gonna take those twenty users, and I’m gonna put them in an enclave. We’re gonna call it, let’s say, you know, ariento.us. Right?
We’re ariento.com, but we’re gonna put ariento.us. They’re gonna have, you know, separate computers or virtual machines, and they’re just gonna do all their DOD work in there with FCI and CUI. So that’s kind of one approach. And EnclaveOne is something where we’ve taken that through assessments and, actually, you do not have to pay for an assessment if you join EnclaveOne.
Our next flavor is a more traditional MSP. We call it our turnkey CMMC, and that can be from an organization or enclave approach, but we’ll build you or take over your architecture and make sure, you know, configure it to CMMC compliance.
MSSP, more traditional, kind of in the third line there. And then, ultimately, we do have kind of a licensed, like, reference architecture space because sometimes folks just want, hey. If your technical configurations and documentation have gone through assessments before, I want that. I don’t wanna reinvent the wheel. So those are kind of our flavors of managed services, and I’ll stop there. I know we’re gonna do a panel a little bit.
Thanks, Chris. Appreciate it. So you can see how amazing Chris will be if you go approach a board of directors and bring Chris in. The wealth of knowledge that he has around CMMC is absolutely incredible. So, you know, next, not to be outdone, Cipher, a Prosegur organization.
Excited to have Tyler in the channel running the channel over at Cipher. And you guys are doing a lot in the space, a little different than what I think Chris was talking about from a CMMC standpoint. Let’s talk about some of the uniqueness that Cipher truly has with Prosegur, a hundred and forty thousand employees. You guys might be our largest supplier.
Yeah. Yeah. That’s right, Jason. Hey, Chris. Great job. That was really informational. Yeah, Tyler Smith here, manager of Telarus partnership nationally for Cipher.
Prosegur-backed, so about a five billion dollar revenue company, globally about a hundred and forty five thousand employees, and our Cipher arm that we’re gonna talk about today around GRC, risk advisory, etcetera. And, Chandler, if you wanna go to the next slide.
We’re gonna talk about, you know, how that was born. Right? So Cipher two thousand four, we come into the market as a compliance company. So going on twenty years in and around dedicated technology and physical security compliance, primarily technology if we wanted to silo it into something that would be our expertise.
So today, we’re gonna put it in the lens of if I’m an adviser and I’m thinking about how to approach customers around GRC, AI governance implementation and adoption, how do we start those conversations? What does that typically lead to? That’s gonna be the thread of what the majority of the content is. So we’ll go to the next slide.
I want everyone to think about, you know, whether it’s a prospect or a customer, who’s adopting GRC and risk advisory at a general level. Most of the time, what you’re gonna see inside of, call it a mid market company that has, say, five hundred employees, you’re gonna have an IT director that kind of owns that. But here’s a really key point. The Jasons kinda hit on this out of the gates.
Right now, the social pressure across the C-suite to understand cybersecurity and associated risk is higher than it’s ever been, and it’s getting higher by the day. Five to ten years ago, we were siloed into a CIO mentality. Now you’re seeing the CISO role become the forefront of what the board adopts. Therefore, that naturally lends to what CEOs, COOs, CFOs are having to think about within their company.
So here’s our approach to that. We feel like we do it a little bit differently. As an MSSP, organically, we’re an MSSP.
We can take everything from that initial assessment, readiness, and planning all the way through what would be considered recurring services in or around GRC. I’m sure Chris would say the same thing when we say the majority of roles that are managing GRC inside of a company now may be using some flavor of SharePoint or Excel, and everybody’s kinda learning on the fly. That’s your general GRC. What is happening in that adoption curve that you’re seeing in twenty twenty five onward is turning GRC into an impact immediate practice.
Meaning, how do we create ROI to the company around GRC? So don’t have that mentality. If there’s anything that’s a takeaway today about approaching your customers on GRC, do not have the mentality that it has to be a CIO. We’re seeing those buying roles expand across the entire org chart to include everyone that’s responsible for any element of the balance sheet.
That’s really important to understand. So if we go to the next slide, let’s talk about what’s happening in the real world. What is actually taking place inside of the channel ecosystem that we’re seeing? Here’s an example of a use case where a health care system, a twelve site health care system said, we no longer can keep this in house.
We’re intentionally going to turn this into an impact practice. That’s kind of the key word you’re hearing in the market. Turn GRC into an impact practice. So from the perspective of what did that deal look like.
Right? Everything included was always on GRC, meaning continuous monthly agreements that turn into what scheduled deliverables are. Like Chris said, working with third party auditors, figuring out scheduling around how measurements need to be documented and applied, having a dedicated risk assessment team that’s looking for blind spots that could be occurring in the workflow for anything happening around a compliance measure.
VCISO services that are expert qualified individuals in very specific niche targets to be able to work with those third party auditors that here’s a very, very key piece, have relationships with those third party auditors. Chris touched on that with his group. Having the relationship with a third party auditor and understanding what that mechanism looks like is really important.
That deal that we’re looking at right here turned into a monthly residual for the trusted adviser of a little over three thousand a month just for connecting the dots on finding that customer that said we’re gonna turn this into an impact practice.
So if we go to the next slide, this is what we look at from a general perspective. And, Chandler, we can go ahead and hammer this out.
All four of these are what’s driving AI governance and adoption. Let’s all be very, very honest with each other.
No one is quite literally an expert in what’s happening with AI in the market. There are so many categories that it touches within a customer that everyone’s kinda learning on the fly. That’s okay. That’s a great thing. Right?
But here’s why companies are adopting this at such a strategic level.
Think about cloud when it came into the market. It took about five years to get an ROI on cloud. No one really understood what cloud was gonna do to an organization. Infrastructure costs, on prem hardware, human capital, all of that was measured.
With AI, what we’re seeing, and, Jason, you touched on this with your research, is there’s an immediate ROI that companies are trying to adopt AI.
They can measure it. They can put it on a balance sheet, and that board of directors or the C-suite or anyone responsible for turning that organization into somewhat of a profit center with their productization of AI is happening across the board. Something that I really want everyone to think about is I wouldn’t get wrapped around the axle on running an AI and calling it AI specifically.
What type of projects are AI projects? And if you look at that second bullet point, that’s what companies are actually doing inside on baselining projects. System automation, process improvement, enhanced cybersecurity.
It’s tough to go out of company and say, tell us about your AI strategy. What the AI strategy is backed into are projects that are adopting some flavor of AI. That’s a really important ask for us to understand.
And then companies are gonna ask themselves, are we gonna build it, or are we gonna buy it? Most of the time, the truth is in the middle. They’re gonna build it from internally what their investment infrastructure is, and then they’re gonna buy the tools that incorporate that. Why does that matter if you’re an advisor thinking about how to find and identify projects?
You’re getting two elements of a project here. You’re getting the professional services on the front end similar to what Chris talked about. Readiness assessments, preparedness, being able to approach what an implementation would look like. On the backside of that, you’re getting what the tools and products and solutions that are gonna accompany and help adopt that AI solution into another scope.
So it’s kind of a two-threaded project here. You’re getting the front end on the professional services readiness assessment. You’re getting the back end on what tools and solutions that company is gonna adopt and procure in order to implement and drive that AI project. And then our experience in and around AI is being able to take that from soup to nuts, beginning to end.
Everything from that readiness assessment, preparedness, being able to create documentation, and then filter that into what does that mean from a products and tools perspective, stakeholder assessments, vendor assessments, mitigations, mitigation confirmation, and discussing with those stakeholders whether or not this is something that they see an ROI on immediately or something that’s gonna be a little more long term. Again, the truth is also kind of in the middle there. So if we go to the next slide, what we wanna look at from a general perspective is how much can be captured in one SOW or project solution.
Right? That’s where Cypher comes into play on being able to own that from a to z regardless of how that customer wants to adopt or implement what their project status is. The readiness assessments, that gets into the cyber piece. All the way through the AI and governance, which as we had slowly adopt that, you start poking holes kinda like Swiss cheese into cybersecurity, network gear, firewalls.
They’ve got a SaaSy solution with identity management. All of that comes into play because Jason Kaufman hit the nail on the head. What happened with AI is it got adopted by individual users, the personal email addresses signing up for ChatGPT before the company said, we’re gonna adopt this and implement it with policy and, you know, having guardrails along how we want this to operate inside of our company. So companies now, they’re not saying, are we going to adopt GRC?
What they’re asking themselves is which company are we gonna procure to help us drive GRC AI governance and adoption.
But putting all of that into one solution is more around how the company wins, which has immediate ROI. The market can demonstrate that, but you’re not telling them that they need to rip and replace everything they have in place. CEOs, CFOs, COOs, CIOs, and CISOs are all owning these projects in tandem, which is a great thing for us because we’ve got executive alignment from the entire org chart on how these need to be adopted and implemented.
That was amazing. Who knew JD Vance could be so technical? I love both presentations. Absolutely great information there.
You know, I think we got so many good questions in the chat. We can probably address it. Let’s talk real quick about a quick question, then I’ll pass it over to Doug. You know, Chris, Tyler, you know, if a government entity that they’re working with is a smaller government entity, then they don’t need the CMMC.
Right? It gets bypassed.
The only allotted gap for CMMC that they have allowed for is if you are a commercial off the shelf reseller. Simple as that. So no change, no alteration. You sell widgets, you know, sprinklers to the government.
That’s the only one where they have said, okay. In this case, you know, you wouldn’t have to do that, and you could still self attest. But other than that, and these, you can check your contracts, but they likely have the clauses that say, hey. We’re gonna give you at least FCI, and you need to protect it in this way.
Yeah. It’s really interesting, to see. It doesn’t really matter what size. I think there’s great information.
Both, organizations will make you look really good in front of clients. But if your organization is not CMMC ready and you’re dealing with the government space of the public sector, you need to start putting together that framework or you’re gonna lose those contracts. So make sure you’re doing that. Doug, what kind of good questions did you see in the chat?
I think Chris was doing a good job of typing some answers out here.
Kaufman, what have you got while we’re waiting on Doug?
Yeah. So one thing I always like doing is make sure we provide insights to our partners as they go talk to their customers. Like, whenever you guys are brought in for a consultation around GRC, what’s probably one of the biggest gaps, if you had one single bullet point you could give to provide that insight, that customers have pretty much every time you guys are brought to the table?
I could take that one. There’s third and fourth party risk management. What vendors are touching data? Who has exposure to what were hosted, transit, resting point data?
If especially online, any form of online portal, usernames, and passwords, that becomes highly audited and scrutinized immediately right out of the gates. But, Jason, here’s the best thing. Companies around GRC and AI, what we’re seeing is they’re waving the white flag on that. We’re not really fighting that battle of, hey.
We already have everything taken care of back off. It’s almost the opposite. It’s really the first time you’ve seen a category within our space become we’re gonna open our door to everybody that can help us. So equally competitive.
Right? We’re not saying it’s easy. But every company that we’re talking to is saying, we know we don’t have the awareness we should have around this. We’re happy to partner with someone who can own this at reasonable cost.
Right? We’re not talking about investing a million dollars in NRC so that you can build a data center. That’s not what this is. But reasonable cost and compliance measures, and it’s always touching some flavor of a leader in the business.
Right? Small company could be the president. Midsize enterprise could be someone on the C-suite, multiple individuals on the C-suite. But by far, third and fourth party risk management, because companies just don’t have documentation around asset control.
Todd, what kind of questions do you have for the panel?
I apologize. I lost video and audio there for a second, but we got it back in the afternoon. I could hear you, and I’m shouting at the screen.
But I think a lot of people are still confused as to how this came up relatively suddenly in so many ways. We talk about GRC as if it’s something new for many of our advisers who haven’t really considered this before. What is driving this convergence of these three policy areas, and why is it so important that our advisers learn how to quickly comply with this and advise their clients?
I mean, I would say, you know, the body that rolls it out right has to have the power to actually enforce it. And I think what we’ve seen is you look at something like HITRUST, which I know, Tyler, you know, that was in one of the early slides. You know, that’s a private industry that has a lot of partnerships in the health care world, and they’ve tried to kinda push that, but it’s a private model. Right?
PCI is the same thing. Right? That’s the big credit card, you know, the Visas, the Mastercards of the world saying, hey. We’re gonna require you if you wanna take our cards to do this.
Right? So they have the power to kind of enforce that contractually. And then now you’re starting to see, you know, with the ISO and, obviously, HIPAA, the governments get involved. And when the governments get involved, obviously, that kinda changes the equation.
And and and, hopefully, you know, a tool like Cypher helps you kinda navigate these different worlds, which is really hard when you’ve got all these these different standards to try and combine into one.
But, hopefully, as governments get more involved, there’s some synergies in terms of, hey.
You know, this is gonna be the master standard, and we’re gonna get reciprocity across the board. Right now, that doesn’t exist.
Are there special considerations for clients that may have an international component to their business as well? As we set this up primarily for domestic related policies and industries, if they have an international component, are there particular things or additional consultations they need to be having?
Yeah. Certainly. I mean, GDPR is gonna obviously take precedent if you have a European presence.
What we’ve seen is that silo, Doug. So there would be, say, an HQ in the US, and they’ve got a presence in Canada and France.
Wherever the HQ is, that is gonna dictate what their general framework and policy is. From there, you’re absolutely pivoting into what is it at a local or regional level outside of the US. That could be anything from guard railing data inside of a cloud environment all the way through making sure that documentation is in another language. Right?
Like, we’ve had that happen. Like, this has to be in French for us to be able to document policy. That’s okay. We can do that.
But it still comes down to, like, what is the adoption they want around it and how are they measured? But it becomes much more nuanced when you bring in international presences or international influence, but a good problem to have in the grand scheme of things.
No doubt. Guys, I’ve gotta cut this off because we’ve gotta leave a little time. We’ve got another presentation today. But, Jason and Jason and all of our panelists, thank you so much for this today.
Jason Stein, why don’t you wrap it up for us here?
Yeah. I’m telling you, the GRC, governance, risk, and compliance, super big conversation.
Bring it up. It’s an easier conversation than you think. Is your organization starting to prioritize governance, risk, and compliance? If so, we have a deep bench of really solid providers.
You know, they can come in and be an extension of your organization and help get you to pass all your audits. Thank you so much to Tyler and Chris for their time today along with Jason Kaufman. Still throw questions in the chat, and we’ll have Tyler and Chris stick around and answer those questions in the chat. You can also get their contact information.
So with that being said, I’m super excited for the next presenter. Welcome back, Vicky. Doug, go ahead.
Thanks, Jason. And all of our presenters today, we genuinely appreciate it.