RMG Consulting

Category: Uncategorized

  • Harvest Now, Decrypt Later: A Quiet Risk with Loud Executive Consequences

    “Harvest now, decrypt later” is one of the most important information governance risks most organizations are not yet treating as a board-level issue. The concept is simple: adversaries collect encrypted data today, then wait until future computing capabilities, especially quantum computing, make it easier to decrypt that information later. For executives, the risk is not theoretical or distant; it affects how long sensitive information remains valuable, how long it must remain protected, and how much confidence the organization can place in its current security and records practices.

    The implication is broader than cybersecurity. It reaches records management, legal defensibility, privacy compliance, vendor oversight, business continuity, and enterprise risk management. If your organization assumes that encryption alone is a permanent shield, or that retention schedules can be designed without considering future decryptability, you may already be exposing high-value information to a long-tail breach scenario.

    Why this matters now

    The “harvest now, decrypt later” threat is often misunderstood as a future problem for future technology teams. In reality, it is a current risk created by today’s data practices. Sensitive records are being created, transmitted, stored, backed up, replicated, archived, and shared across expanding digital ecosystems. Attackers do not need to decrypt the data immediately to create damage later; they only need to capture it once.

    This matters because many records have a useful life far longer than the security assumptions applied to them at the time of creation. M&A records, intellectual property, employee records, customer identity files, regulatory evidence, contract archives, medical data, and financial documentation can retain sensitivity for decades. That mismatch between retention horizon and cryptographic horizon is where the governance problem emerges.

    Executives should view this as an information lifecycle issue, not just a technical control issue. The organization is being asked to protect data not only against current threats, but against foreseeable future breakthroughs that may outlast current defenses.

    What records managers must reconsider

    Records managers are at the center of this risk because they govern the enterprise’s most durable information assets. Their traditional focus has been on retention, disposition, legal hold, and defensible destruction. Those responsibilities remain essential, but “harvest now, decrypt later” adds a new dimension: records classification must now consider long-term confidentiality exposure.

    The first impact is on record value assessment. Not all records deserve the same level of enduring protection. Records managers will need to work with legal, privacy, security, and business teams to identify which record classes remain sensitive for ten, twenty, or thirty years. Examples include board materials, strategic plans, customer identity data, employee health or compensation records, and confidential deal files. If these records are retained for business, legal, or regulatory reasons, they must also be protected for the full duration of their sensitivity.

    The second impact is on retention strategy. In some cases, the safest record is the one you do not keep. If an organization retains data “just in case” without a legitimate business or legal purpose, it expands the pool of information that could one day be decrypted and exploited. Records managers should become more assertive about data minimization, especially for duplicate copies, legacy archives, and unstructured repositories.

    The third impact is on destruction discipline. Defensible deletion becomes even more important when future decryption is a credible threat. If a record no longer has a business or legal purpose, retaining it only increases exposure. For records managers, this strengthens the case for disciplined disposition programs, stronger approval workflows, and periodic audits of dormant content repositories.

    What business owners must understand

    Business process owners often see information governance as a compliance function, but this threat changes that equation. They own the workflows that create, move, use, and store the data, so they influence exposure more than they may realize.

    The first business impact is process design. Many processes are built for convenience rather than enduring confidentiality. For example, customer onboarding, claims handling, procurement, HR case management, and contract execution often involve multiple systems, email exchanges, file transfers, and backup copies. Each step creates another opportunity for sensitive information to be harvested. Process owners need to ask a new question: if this data were decrypted years from now, what would the impact be?

    The second business impact is sensitivity awareness. Process owners often do not fully appreciate which data elements create long-term risk. A single workflow may include identity documents, bank account numbers, trade secrets, medical details, or contract pricing. Those data elements may not look extraordinary in the moment, but together they can create significant future harm. Executive messaging should make clear that confidentiality is not just an IT concern; it is embedded in everyday operations.

    The third business impact is third-party dependence. Many business processes rely on external platforms, service providers, cloud storage, and managed services. That means the organization’s exposure is only as strong as its weakest supplier and data-sharing relationship. Process owners must ensure vendors are aligned with the organization’s long-term cryptographic roadmap, contractual security expectations, and retention controls.

    The executive risk profile

    For executive teams, the real issue is not whether quantum computers will break today’s encryption tomorrow. It is whether the organization is prepared for the period in which data captured today may still matter when the security model has changed. This is a strategic governance issue because it affects trust, regulatory posture, and operational resilience.

    There are at least four executive concerns.

    First, privacy exposure. Personal information captured now may be revealed later, long after the individual expected it to remain confidential. That creates reputational and regulatory risk, especially for organizations handling sensitive personal, financial, or health information.

    Second, legal and evidentiary risk. Records that support litigation, investigations, or regulatory inquiries must remain authentic, accessible, and protected. If the confidentiality of those records is compromised in the future, the organization could face serious consequences even if the original breach was not immediately apparent.

    Third, strategic intelligence loss. Intellectual property, pricing strategies, merger discussions, and product roadmaps are valuable precisely because they remain confidential. A future decryption event could expose strategic plans long after they were operationally relevant, creating competitive harm that is difficult to reverse.

    Fourth, board accountability. As with other enterprise risks, executives cannot treat this as a niche technical issue. Boards will increasingly expect to hear whether the organization has identified sensitive records with long retention lives, mapped cryptographic dependencies, and developed a transition plan toward more resilient protections.

    What should be done now

    The right response is not panic. It is prioritization. Organizations should begin with a targeted inventory of data and record classes that are both highly sensitive and long-lived. This should include legal, compliance, privacy, HR, finance, customer, and strategic records.

    Next, organizations should assess where encryption is used, what algorithms support critical systems, and which data stores depend on legacy protections. This is where security and information governance must work together. The organization needs to know not only what it stores, but how it protects it over time.

    Then, organizations should define a migration path toward crypto-agility and post-quantum readiness. Even if the full transition takes years, the planning cannot start too late. That includes updating procurement language, vendor expectations, architecture standards, and records retention policies so they all reflect long-term confidentiality risk.

    Finally, executive teams should insist on clear ownership. Records managers cannot solve this alone, and neither can security teams. Business process owners, legal, privacy, risk, and IT leaders all need defined accountabilities. Without ownership, the organization will default to fragmented action, and fragmented action is exactly what long-horizon threats exploit.

    The executive message

    “Harvest now, decrypt later” is a governance problem disguised as a technical one. It forces organizations to rethink a basic assumption: that data protection only needs to be strong at the moment of collection and storage. In reality, some records must remain protected far beyond the life of current cryptographic standards.

    For records managers, the message is clear: retention, classification, and defensible destruction must now be informed by future decryptability. For business process owners, the message is equally clear: process design, vendor selection, and data handling practices can create or reduce long-term exposure. For executives, the question is whether the organization can identify which information must survive the next decade, the next regulation cycle, and the next generation of technology.

    The organizations that act now will not just reduce cyber risk. They will improve governance discipline, strengthen trust, and build a more durable information strategy. The ones that wait may discover that yesterday’s encrypted record became tomorrow’s public liability.

  • The Crucial Connection Between Content and Context in AI Success

    Artificial intelligence isn’t just fueled by data; it’s shaped by meaning. Behind every smart recommendation, accurate prediction, or fluent conversation lies a delicate interplay between content — the data AI learns from — and context — the environment or situation in which that data is interpreted. When either falters, trust and effectiveness collapse.

    Why Content Matters

    AI systems learn from the content they consume: words, numbers, images, videos, and interactions. This content can be structured data (spreadsheets, databases, sensor readings) or unstructured data (emails, documents, social media posts).
    Structured data offers clarity and consistency, making it ideal for pattern recognition and analytics. Unstructured data, by contrast, captures real-world nuance, emotion, and cultural tone — but is messy and prone to ambiguity. AI models depend on learning meaningful structure from this chaos.

    When content is incomplete, inaccurate, or biased, the resulting models inherit those flaws. An AI model trained on unbalanced datasets or poorly cleaned text may build distorted worldviews, misinterpret user intent, or make inaccurate predictions. Garbage in, as the old saying goes, means garbage out — but in AI, it also means misleading context.

    Context: The Invisible Compass

    Context transforms raw content into insight. It helps AI understand why something matters, not just what it is. For instance, the phrase “cold” can describe weather, an illness, or emotional detachment — the meaning depends on contextual signals.
    Effective AI captures these signals from time, location, intent, and prior interactions. Context makes an assistant conversationally fluent, a recommendation engine personally relevant, and an autonomous system situationally aware.

    However, poor or missing content erodes this ability. An AI model lacking diverse examples may misread cultural references. Insufficient metadata can strip away temporal or geographic cues. When content fails, context becomes guesswork — and that’s where trust breaks down.

    Risks and Challenges in AI Training Data

    Building robust AI means navigating several content-level challenges:

    • Bias and imbalance: Overrepresentation of certain viewpoints or demographics leads to unfair outputs.
    • Noise and inconsistency: Unstructured data often contains contradictions, slang, and errors that obscure meaning.
    • Data fragmentation: Disconnected silos make it hard to encode context consistently across models.
    • Privacy and ethics: Extracting context from user data must respect consent and confidentiality.

    Records and retention: As organizations accumulate vast amounts of data for AI training, the temptation to retain it indefinitely grows. Over-retention increases the likelihood of outdated, irrelevant, or personally identifiable information remaining in datasets, which can degrade performance and raise storage, privacy, and compliance risks. In financial use cases, stale records are especially dangerous: an AI model trained on old account balances, expired credit terms, or prior-market conditions may generate forecasts or recommendations that no longer reflect reality, leading to flawed decisions and loss of trust. Effective governance — including lifecycle management and timely disposal — helps ensure that an AI’s “memory” is fresh, ethical, and aligned with present-day realities.

    Solving these issues requires disciplined data curation, diverse sampling, and transparency throughout the model lifecycle. Increasingly, AI developers combine structured datasets (for precision) with enriched unstructured inputs (for relevance) to balance clarity with depth.

    Building Contextually Aware AI

    AI success now hinges on a dual mandate: content integrity and context competence. Clean, representative data enables learning, but contextual understanding ensures meaningful application. Techniques like multimodal learning, fine-tuning, and prompt engineering are pushing toward models that grasp intent and perspective as well as fact.

    Ultimately, AI that comprehends both content and context doesn’t just process information — it interprets reality. And in that nuance lies the path to reliable, human-centered intelligence.

  • The AI Governance Mirage: Why Standalone Functions Are Doomed to Fail

    AI governance does not belong in its own silo; it must be treated as a core dimension of corporate governance, risk, and strategy, especially in financial services where fragmentation of accountability already amplifies risk.

    Why Standalone AI Governance Will Fail

    Attempts to build separate AI ethics or AI governance teams have already shown how easily they become marginalized, under‑resourced, and politically weak. Studies of tech‑sector ethics teams find they often lack authority, struggle to secure leadership backing, and are consulted too late in the lifecycle to change critical decisions, turning “AI governance” into a veneer rather than a mechanism of control. In financial services, where complex risk and compliance functions already exist, adding a separate AI governance committee typically duplicates effort, confuses who owns which decisions, and diffuses responsibility when something goes wrong. The result is more dashboards and policies, but less clarity about which executive is truly accountable for AI‑driven credit decisions, fraud detection, or AML alerts.

    The Fragmentation Trap in Financial Services

    Financial institutions are already grappling with overlapping regimes for privacy, cybersecurity, AML, KYC, and model risk management, each with its own committee, policy set, and control inventory. Regulators in key markets explicitly place ultimate responsibility for AI and model risk at the level of the board and senior management, not in specialist AI bodies, underscoring that AI risk is a variant of enterprise and model risk, not a new category exempt from existing accountability lines. Guidance such as OSFI’s model risk expectations, MAS proposals, and UK PRA supervisory statements all stress integrated, enterprise‑wide processes for model inventories, validation, and escalation, rather than parallel AI‑only channels. When institutions respond by spinning up standalone AI governance councils with their own taxonomies and policies, they create gaps between AI use in underwriting or trading and the established processes for risk, compliance, and audit.

    Why Tools and Committees Are Not Enough

    Vendors now market AI governance platforms and stress‑testing toolkits that promise to organize models, monitor drift, and automate documentation. Evidence from early adopters shows that while these tools can surface bias, performance issues, and policy gaps, they cannot resolve the fundamental questions of who decides, who pays, and who is held to account when AI systems conflict with strategic, legal, or ethical constraints. Research on failed AI and analytics initiatives repeatedly points to data silos, misaligned incentives, and weak decision rights—not the absence of specialized AI governance software—as the drivers of project failure. In practice, software‑centric and committee‑centric approaches risk becoming another compliance checkbox, disconnected from capital allocation, product design, and frontline behavior.

    Integrating AI into Existing Governance

    The more realistic path is to augment existing data governance, information security, model risk, and corporate governance structures to explicitly encompass AI, rather than founding a pure AI governance function. Boards should fold AI into their existing governance frameworks, asking how AI reshapes strategy, risk appetite, and culture, and then allocating oversight across current committees instead of creating yet another body competing for time and authority. In banking, that means embedding AI considerations into model risk policies under existing SR 11‑7‑style frameworks, aligning AI data use with current privacy and data‑management standards, and extending cybersecurity practices to cover model integrity and adversarial threats. A central coordinating function for AI can and should exist, but as an integrating mechanism that connects risk, compliance, technology, and business lines, not as a separate “AI governance office” with ambiguous power and overlapping mandates.

    A Contrarian Call to the C‑Suite

    For C‑suite and AI leaders, the contrarian move is to dismantle the idea that AI governance is a parallel universe requiring its own institutional layer. Instead, they should: align AI initiatives with corporate strategy and risk appetite at the board level, upgrade existing policies and committees to explicitly cover AI, and charge line executives—rather than AI specialists—with end‑to‑end accountability for AI‑enabled processes. In financial services in particular, the goal is not to stand up yet another steering committee and policy set, but to recognize AI as inseparable from core credit, fraud, AML, and customer‑experience decisions, governed through the same structures that already determine who gets a loan, who is monitored, and what happens when controls fail. Done this way, AI governance stops being a standalone activity and becomes what it must be to succeed: a reframing of corporate governance and strategy for an algorithmic era.

    Like this? Show your support at buymeacoffee.com/RobGerbrandt

  • Minimum Viable Governance: A Lean Blueprint for Integrated Oversight in the Age of AI and Data

    By Robert Gerbrandt

    Why Governance Needs a Reboot

    Governance has long been the backbone of organizational integrity. Yet, as digital transformation accelerates, legacy models—often siloed and process-heavy—struggle to keep pace. The rise of AI introduces new ethical and operational risks, while data proliferation demands tighter controls and clearer ownership. Meanwhile, information governance remains critical for privacy, security, and regulatory compliance. The Minimum Viable Governance (MVG) framework responds to this complexity with a “minimum viable” philosophy: deliver essential governance outcomes with the least possible burden. It’s not about cutting corners—it’s about cutting clutter.

    Intersection and Commonality between MVG, MVD, MVP, and MVE

    The concept of “minimum viable” has been widely adopted across various domains, each with its unique focus but sharing a common philosophy of delivering essential value with minimal resources. This section explores the intersection and commonality between Minimum Viable Governance (MVG), Minimal Viable Design (MVD), Minimal Viable Product (MVP), and Minimal Viable Experience (MVE).

    Minimum Viable Governance (MVG): MVG aims to deliver essential governance outcomes with the least possible burden. It focuses on integrating the foundational elements of Information Governance, Data Governance, and AI Governance into a cohesive, lightweight, and scalable framework.

    Minimal Viable Design (MVD): MVD emphasizes creating the simplest design that meets the core needs of users. It prioritizes functionality and user experience while avoiding unnecessary complexity. The goal is to deliver a design that is both effective and efficient, ensuring that users can achieve their objectives with minimal friction.

    Minimal Viable Product (MVP): MVP is a development strategy that focuses on creating a product with just enough features to satisfy early adopters. The primary objective is to gather feedback and validate the product idea before investing significant resources. MVP allows for iterative improvements based on user feedback, ensuring that the final product meets market demands.

    Minimal Viable Experience (MVE): MVE extends the concept of MVP by emphasizing the overall user experience. It aims to deliver a complete and satisfying experience with the minimum necessary features. MVE ensures that users not only find the product functional but also enjoyable and engaging.

    Commonality and Intersection:

    1. Lean Approach: All four concepts adopt a lean approach, focusing on delivering essential value with minimal resources. They prioritize efficiency and effectiveness, ensuring that the core objectives are met without unnecessary complexity.

    2. User-Centric: Each concept places a strong emphasis on the user. Whether it’s governance, design, product development, or experience, the primary goal is to meet the needs and expectations of the user.

    3. Iterative Improvement: The philosophy of iterative improvement is central to all four concepts. By starting with a minimal viable version, they allow for continuous feedback and refinement, ensuring that the final outcome is aligned with user needs and market demands.

    4. Scalability: Each concept is designed to be scalable. They provide a foundation that can be expanded and enhanced over time, allowing organizations to grow and adapt as needed.

    In summary, MVG, MVD, MVP, and MVE share a common philosophy of delivering essential value with minimal resources. They emphasize a lean, user-centric approach that allows for iterative improvement and scalability. By adopting these principles, organizations can achieve their goals more efficiently and effectively.

    The MVG Framework: Six Core Components

    MVG integrates the foundational elements of Information Governance, Data Governance, and AI Governance into six actionable components. Each is designed to be lightweight, scalable, and easy to implement.

    1. Lightweight Governance Committee

    Rather than multiple governance bodies, MVG proposes a single, cross-functional committee with representatives from each domain. This team meets quarterly and during incident reviews, owning and updating core policy documents. The goal: maintain oversight without over-administration.

    2. Role Assignment & Accountability

    MVG emphasizes clear ownership. Each business unit assigns data stewards for information systems, datasets, and AI models. These stewards log decisions in simple formats—spreadsheets suffice—ensuring traceability and accountability.

    3. Risk and Compliance Registry

    A central, living document tracks key assets, associated risks, mitigation strategies, and regulatory requirements. Updates occur only when assets change significantly or incidents arise. This registry becomes the heartbeat of governance visibility.

    4. Policy Checklists

    Forget 50-page manuals. MVG uses three one-page checklists—one each for information, data, and AI. These are reviewed during onboarding and major changes, ensuring consistent policy application without overwhelming staff.

    5. Incident & Issue Response Protocol

    MVG simplifies incident management with a basic form capturing what happened, which asset was affected, actions taken, and ownership. Significant events are reviewed by the committee, and lessons learned are logged for organizational growth.

    6. Lightweight Audit & Training

    Annual self-assessments against the checklists and risk registry replace exhaustive audits. One mandatory awareness session per year ensures staff remain informed and engaged.

    Governance Roles: Lean but Accountable

    MVG’s role structure is designed for clarity and agility. Key roles include:

    ·        Governance Committee: Owns policies, reviews incidents, and ensures compliance.

    ·        CIO (Optional): Provides strategic oversight and escalates issues.

    ·        Domain Stewards: Manage quality, documentation, and ethical use across data, AI, and information.

    ·        Owners: Assign business value, approve changes, and manage lifecycle rules.

    ·        Custodians/Technical Leads: Implement controls and manage infrastructure.

    ·        Compliance Champions: Advise on regulations and support policy development.

    ·        Business Users: Use assets responsibly and participate in training.

    This structure ensures direct accountability while remaining lean enough for rapid deployment.

    Measuring What Matters: MVG KPIs

    Governance without measurement is guesswork. MVG introduces eight practical KPIs to track performance across domains:

    1.      Training Completion: Percentage of staff completing annual governance training.

    2.      Ownership Coverage: Proportion of assets with assigned stewards.

    3.      Checklist Review Rate: Percentage of changes reviewed against policy checklists.

    4.      Governance Incident Rate: Number and severity of reported breaches or risks.

    5.      Audit Readiness: Share of assets with up-to-date documentation.

    6.      Explainability/Fairness: Coverage of ethical assessments for high-impact AI models.

    7.      Value Realization: Governance initiatives delivering measurable business outcomes.

    8.      Time-to-Incident Resolution: Median time from issue detection to resolution.

    These KPIs are outcome-oriented, enabling organizations to assess governance effectiveness without excessive reporting.

    Scaling MVG: Maturity-Based Targets

    MVG is designed to grow with the organization. KPI targets are calibrated across three maturity levels:

    –        Initial/Baseline: Focus on establishing accountability (e.g., 60–70% training completion).

    –        Developing: Push for broader coverage and process closure (e.g., 80–90% asset stewardship).

    –        Advanced/Optimized: Achieve full coverage and emphasize business value (e.g., 100% checklist reviews, <2-week incident resolution).

    Thresholds use red/yellow/green indicators to signal performance, making governance health easy to monitor and communicate.

    Why MVG Works

    MVG succeeds because it aligns governance with organizational agility. It avoids the trap of over-engineering, instead focusing on:

    –        Speed: Rapid deployment with minimal setup.

    –        Clarity: Defined roles and responsibilities.

    –        Flexibility: Scalable across teams and maturity levels.

    –        Value: Direct linkage to business outcomes.

    For startups, MVG offers a governance “starter kit.” For enterprises, it provides a way to streamline and unify fragmented oversight efforts.

    Putting MVG into Practice

    To implement MVG, organizations should:

    1.      Form the Governance Committee: Identify representatives and schedule quarterly meetings.

    2.      Assign Stewards: Map key assets and assign owners.

    3.      Create the Risk Registry: Use a shared document to track risks and controls.

    4.      Develop Checklists: Draft one-pagers for each domain.

    5.      Launch Training: Schedule annual sessions and track completion.

    6.      Monitor KPIs: Set initial targets and review quarterly.

    Tools like spreadsheets, shared drives, and basic forms are sufficient. The emphasis is on function over form.

    Conclusion: Governance for the Real World

    In an era of accelerating innovation and increasing scrutiny, governance must evolve. The MVG framework offers a pragmatic path forward—one that respects the complexity of modern organizations while embracing the simplicity needed for action. By integrating the essentials of information, data, and AI governance into a cohesive, minimum viable model, MVG empowers organizations to govern smarter, not harder.

    Like this? Show your support at buymeacoffee.com/RobGerbrandt