Skip to content
VigilGuard Logo VigilGuard
Contact Us
EASM Platform VendorGuard ITRM Platform

AI Governance Gaps

AI Governance Gaps

Section titled “AI Governance Gaps”

5 automated security scanners

Shadow AI Policy Coverage

Section titled “Shadow AI Policy Coverage”

Purpose: The Shadow AI Policy Coverage Scanner is designed to analyze and assess a company’s internal documentation, including public policy pages and trust center information, with the objective of identifying gaps in AI usage guidelines, approved tools, and data handling requirements. This tool ensures that organizations have robust policies in place to govern the use of AI technologies effectively.

What It Detects:

  • Usage Guidelines Detection: Identifies the presence or absence of specific security policy language related to AI usage, checking for detailed guidelines on how AI should be used within the organization.
  • Approved Tools Verification: Searches for mentions of approved tools and technologies that are sanctioned for use in AI projects, ensuring compliance with only vetted and compliant tools.
  • Data Handling Requirements Compliance: Looks for data protection policies specific to AI data handling, verifying that data privacy and security measures are adequately addressed.
  • Incident Response Procedures: Detects the presence of incident response plans related to AI systems, ensuring clear procedures in place for addressing AI-related incidents.
  • Maturity Indicators Review: Checks for compliance certifications such as SOC 2, ISO 27001, and penetration testing reports, verifying that the company has undergone relevant security assessments and holds necessary certifications.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial as it ensures that AI usage within a company adheres to stringent security policies, which is essential in mitigating risks associated with unregulated or improperly managed AI applications. Compliance with recommended guidelines and standards can significantly enhance the overall security posture of an organization.

Risk Levels:

  • Critical: Findings that directly impact critical aspects of AI policy compliance, such as missing data protection policies or lack of SOC 2 certification.
  • High: Issues that affect significant parts of the AI governance framework but may be mitigated with additional controls, such as incomplete incident response procedures.
  • Medium: Weaknesses in less critical areas where improvements could enhance overall security posture, like unverified mentions of approved tools.
  • Low: Informal or non-critical findings that do not significantly impact the security landscape but are still recommended for improvement to align with best practices.
  • Info: General informational findings that provide context but do not pose immediate risks.

Example Findings:

  1. The company lacks a detailed data protection policy specifically addressing AI data handling, which could lead to high risk in case of data breaches or unauthorized access.
  2. There are no mentions of approved tools for AI projects within the documentation, posing a critical risk as it may lead to the use of unverified or non-compliant technologies.

AI Usage Monitoring Implementation

Section titled “AI Usage Monitoring Implementation”

Purpose: The AI Usage Monitoring Implementation Scanner is designed to evaluate an organization’s ability to detect, monitor, and ensure compliance with policies related to artificial intelligence (AI) usage. It evaluates the presence of robust security policies, maturity indicators, and certifications that govern effective AI governance within the company.

What It Detects:

  • Security Policy Indicators: The scanner checks for the existence of comprehensive security policy documents that outline incident response procedures, data protection measures, and access control mechanisms.
  • Maturity Indicators: It identifies compliance with standards such as SOC 2 and ISO 27001, as well as documentation of penetration tests or vulnerability assessments.
  • Public Policy Pages: The scanner scans public policy pages for relevant security and AI governance content, ensuring that incident response policies are accessible on public sites, and data protection details are clearly outlined.
  • Trust Center Information: It examines trust center information to validate the presence of relevant compliance certifications and security-related disclosures, including penetration test results or vulnerability assessment reports.
  • Compliance Certifications: The scanner identifies any compliance certifications that pertain directly to AI usage and data protection, verifying the presence of standards like SOC 2 and ISO 27001, as well as documentation of regular security assessments and audits.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial as it helps organizations maintain a secure and compliant environment for AI usage, which is increasingly vital in the digital era where AI applications are pervasive across various sectors. Compliance with standards like SOC 2 and ISO 27001 not only mitigates legal risks but also enhances trust among stakeholders by demonstrating commitment to data security and privacy.

Risk Levels:

  • Critical: The scanner identifies a lack of any documented security policy, incident response plan, or clear description of data protection measures.
  • High: The organization lacks specific documentation for compliance with standards like SOC 2 or ISO 27001, or there are no records of recent penetration tests or vulnerability assessments.
  • Medium: There is partial compliance with some aspects of AI governance and security, but significant gaps remain in policy coverage or maturity indicators.
  • Low: The organization shows a good balance between documented policies and practical implementation, with minimal identified deficiencies in AI usage monitoring.
  • Info: Informal findings such as the presence of basic privacy notices or minor discrepancies in documentation completeness that do not significantly impact overall security posture.

Example Findings:

  • A company lacks any mention of a security policy document on their website, indicating a critical risk for lack of foundational governance mechanisms.
  • Another organization has outdated penetration test results from 2019, which are considered risky due to the rapid evolution in cybersecurity threats since then.

AI Tool Approval Process

Section titled “AI Tool Approval Process”

Purpose: The AI_Tool_Approval_Process Scanner is designed to evaluate the security requirements, implementation standards, and evaluation criteria of an AI tool by analyzing company documentation, public policies, trust center information, and compliance certifications. This ensures that the AI tools meet necessary security and governance standards.

What It Detects:

  • Security Policy Indicators: The scanner identifies mentions of “security policy” to ensure comprehensive security guidelines are in place. It also looks for “incident response” plans indicating readiness for handling security incidents, “data protection” measures ensuring data is safeguarded, and “access control” mechanisms to protect sensitive information.
  • Maturity Indicators: The scanner checks for SOC 2 compliance, which assesses the trustworthiness of a service organization, identifies ISO 27001 certification indicating adherence to international standards for information security management, detects mentions of “penetration test” results showing proactive security testing, and verifies “vulnerability scan” or “assessment” activities ensuring regular security evaluations.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial as it ensures that AI tools are not only implemented but also adhere to stringent security measures, which is critical for maintaining the integrity and confidentiality of sensitive information processed by these tools.

Risk Levels:

  • Critical: The risk level is critical when there is a direct threat to data security or system availability, such as unaddressed vulnerabilities that could lead to unauthorized access or breaches.
  • High: High risks are associated with significant potential impacts on operations and compliance, such as inadequate incident response plans or insufficient data protection measures.
  • Medium: Medium risk findings involve issues that may not directly compromise security but still affect the overall trustworthiness and operational efficiency of the AI tool.
  • Low: Low risk findings include minor non-compliance areas that do not significantly impact security posture but are still recommended to be addressed for continuous improvement.
  • Info: Informational findings provide general insights into compliance status or best practices without immediate security implications.

Example Findings: The scanner might flag a lack of clear security policy statements, insufficient details in incident response plans, or outdated vulnerability scan reports that do not reflect the latest threats and risks faced by the organization.

AI Risk Assessment Completeness

Section titled “AI Risk Assessment Completeness”

Purpose: The AI Risk Assessment Completeness Scanner is designed to evaluate the comprehensiveness of an organization’s threat modeling coverage, risk evaluation scope, and impact consideration by analyzing available security documentation, public policies, trust center information, and compliance certifications.

What It Detects:

  • Security Policy Indicators: Identifies mentions of “security policy” to ensure formalized security guidelines are in place. This includes checks for “incident response” plans indicating preparedness for security incidents, “data protection” measures to safeguard sensitive information, and “access control” mechanisms to manage user permissions.
  • Maturity Indicators: Detects references to SOC 2 compliance, ensuring adherence to service organization controls. It also searches for ISO 27001 certification, indicating comprehensive information security management. Additionally, it identifies penetration testing activities or vulnerability scanning/assessment processes to regularly evaluate the system’s security posture.
  • Threat Modeling Coverage: Evaluates the presence of detailed threat modeling documents that identify potential threats and attack vectors. It checks for risk assessments that quantify and prioritize identified risks and verifies impact analysis sections that detail the consequences of potential breaches.
  • Risk Evaluation Scope: Ensures that the organization’s risk evaluation covers all critical assets and systems. It identifies whether third-party vendors are included in the risk assessment process and checks for regular updates to risk assessments to reflect changes in the threat landscape.
  • Impact Consideration: Evaluates the depth of impact analysis, including financial, reputational, and operational impacts. It verifies that mitigation strategies are outlined for identified risks and ensures that business continuity plans are in place to minimize disruption from security incidents.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com). This is necessary to search the company’s site for relevant documents such as security policies, trust center information, and compliance certifications.
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”). This helps in identifying the specific organization being assessed based on its public statements and documentation.

Business Impact: Understanding the completeness of an organization’s threat modeling coverage, risk evaluation scope, and impact consideration is crucial for assessing overall security posture. It helps in identifying gaps in security practices that could lead to significant risks or breaches, affecting both operational efficiency and reputation.

Risk Levels:

  • Critical: Conditions where there are no mentions of any security policy or related plans such as incident response, data protection, or access control mechanisms. The absence of clear security guidelines can lead to severe vulnerabilities in the system that could be exploited easily by malicious actors.
  • High: Conditions where compliance with standards like SOC 2 is absent and vulnerability scanning/assessment processes are not regularly conducted. This increases the risk of undetected threats and potential data breaches.
  • Medium: Conditions where risk assessments lack detailed threat modeling or impact analysis, indicating a partial understanding of potential risks. Mitigation strategies might be insufficient to handle identified issues effectively.
  • Low: Conditions with minimal information on security practices but clear evidence of ongoing updates and compliance with basic standards like access control mechanisms. These are generally considered less critical unless there are specific indicators of evolving threats.
  • Info: Conditions where the scanner finds minor or informational mentions that do not significantly impact overall risk levels, such as routine updates to risk assessments reflecting changes in technology or regulatory landscapes.

Example Findings:

  • A company does not have a documented security policy mentioning incident response plans. This is critical since it indicates a lack of preparedness for potential security incidents.
  • The organization lacks ISO 27001 certification and has no evidence of penetration testing, which are high risks as they suggest inadequate information security management practices.

AI Security Training Adequacy

Section titled “AI Security Training Adequacy”

Purpose: The AI Security Training Adequacy Scanner is designed to evaluate the awareness level, risk understanding, and best practice knowledge of a company’s employees regarding AI security. It assesses whether the organization has adequate training programs in place to mitigate AI-related risks.

What It Detects:

  • Policy Indicators: Identifies the presence of key security policies such as “security policy,” “incident response,” “data protection,” and “access control.”
  • Maturity Indicators: Checks for compliance certifications and maturity indicators like SOC 2, ISO 27001, penetration testing, and vulnerability scanning.
  • Training Documentation: Searches for references to AI-specific training programs or modules within the company’s security documentation.
  • Employee Awareness Content: Looks for content that demonstrates employee awareness of AI risks and best practices, such as phishing simulations or AI ethics training.
  • Incident Response Plans: Evaluates whether incident response plans specifically address AI-related incidents and include relevant mitigation strategies.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial as it helps organizations ensure that their employees are well-equipped to handle the security aspects of AI technologies, which are increasingly prevalent in modern business operations and critical infrastructure. Proper training and awareness can significantly reduce the risk associated with AI-related vulnerabilities and threats.

Risk Levels:

  • Critical: Failures in identifying or addressing key security policies, lack of compliance certifications, and absence of specific AI-related training programs or modules within documentation.
  • High: Inadequate coverage of AI risks in incident response plans or insufficient awareness content related to AI security among employees.
  • Medium: Partial coverage of relevant policies or practices, indicating a need for improvement in the organization’s AI security posture.
  • Low: Minimal presence of specific training and awareness materials but no significant gaps that could lead to critical risks.
  • Info: Presence of general cybersecurity training without explicit focus on AI aspects, which may still contribute positively to overall employee knowledge but does not specifically address AI risks.

Example Findings:

  1. The company’s security policy lacks explicit mention of AI-specific risks and mitigation strategies.
  2. No references to SOC 2 or ISO 27001 compliance certifications within the provided documentation, indicating a gap in formal risk management frameworks for AI security.