AI Control Tower – GRC / IRM Attestation Involvement Across AI Lifecycle
a week ago
Hi Community,
Recently, while working on AI Control Tower implementations and governance workflows, I came across an interesting discussion point regarding GRC / IRM involvement in the AI lifecycle.
In enterprise AI implementations, attestations and governance reviews are becoming increasingly important for responsible AI adoption. However, I noticed that organizations seem to follow different approaches when involving GRC / IRM teams during the lifecycle.
Some involve them during the assessment phase, some before production deployment, while others include them throughout the complete lifecycle.
I would like to understand how this is generally handled in real-time AI Control Tower implementations within ServiceNow environments.
If anyone has experience working on AI Control Tower, AI governance, IRM, or GRC integrations, please share your insights and best practices.
Looking forward to learning from the community discussions.
Thanks.
a week ago - last edited a week ago
In my experience of working with various AI Governance leads, GRC/IRM should not act only as a final approval checkpoint; rather, they should be infused across the entire lifecycle. Yes, you cannot bolt it on later. I mean in every phase, right from ideation, risk classification and assessment, and production movement through monitoring, attestation, and periodic review. As you do not know when your AI use case becomes a rogue one (it may be anything: your AI model, AI prompts, ..), you need to have controls in every stage.
AI governance works best when it is part of the operating model, and AI Control Tower becomes more effective when integrated with IRM/GRC continuously instead of operating as a standalone AI operational layer. So I would suggest having your workflow or controls in every stage vetted with GRC/IRM to avoid defects in runtime governance.
PaulSylo
To be is to do. To do is to be.