Welcome to the Wild West of the AI era. Like the days of the dot-com bubble, AI software developers are having a heyday as customers are quick to adopt anything labeled “AI.” I have long referred to this as the “AI Zombie Walk,” since AI adoption often happens with very little consideration about policies to protect customers’ data.
But that’s soon to change. And if your company integrates artificial intelligence into its products, you should take note now — before your competition does.
It is critical to control the use of artificial intelligence within your company. If you care about protecting your customers’ data — or protecting your brand reputation — then consider very carefully how you’re using artificial intelligence and whether you’re taking on new vulnerabilities as you adopt AI technologies.
It’s one thing to have an AI policy for your internal use, but it’s another thing to assure your customers that their data is safe in your hands — or, more specifically, in the hands of the AI technology you’re using.
New AI Security Standards
New AI security standards have been released, which allow you to ensure that you're doing your due diligence when it comes to AI data security. Not only does this give you peace of mind about brand protection, it gives your customers peace of mind that they can trust your AI technology choices with their data.
As AI security awareness grows, customers will begin pressuring their vendors to prove that their AI-integrated products are doing so securely. The time is coming when your competition will be compliant with AI security standards — and they’ll use that compliance certification as a competitive differentiator. If you aren’t already compliant, you may start losing customers to your competitors.
The vast majority of vendors don’t take their AI security seriously enough, which is to say that they don’t take their customers’ trust seriously enough. But if you violate that trust and your AI software leaks sensitive data, it could ruin your business. No amount of cyber liability insurance will completely protect you.
Do You Need to Get AI Compliance Certification?
You may or may not need to get certified under an AI standard. It depends on the extent of your integration with AI as an organization.
If your personnel are simply using publicly available AI engines to supplement their work, and they’re doing it through a browser or through a company-approved app, and it’s not integrated into a product or service that your company is selling, then that falls within the coverage of an internal AI Use Policy. There’s no need to seek compliance with an AI security standard.
However, if you’ve integrated artificial intelligence into a particular service or product that you are producing and selling to others, the need for validating and vetting comes into play. This applies whether it’s your own AI that you’ve built, or a third-party AI engine that’s been integrated into your product. In either of those scenarios, you’ve stepped into the arena of needing to validate that you’re protecting your customers’ data, and doing so properly.
Currently, AI certifications aren’t necessarily “required” by a specific industry in the way the PCI DSS governs payments. Even for government contractors, there isn’t a direct requirement for standardized AI certifications yet, but it is starting to come in from the sides. The biggest driver will be the customers, and the requirements those customers include in their legal agreements. More and more companies are developing their own contract requirements for their vendors to provide AI security validation.
I expect we'll also see increased oversight through existing standards like ISO 27001, SOC 2, PCI, and NIST CSF. These standards already have provisions for monitoring approved software, protecting data in transit and at rest, and documenting data flows.
The Strategic Benefits of Certification
If no industry requirement compels your organization to take the trouble of adding yet another compliance certification to its existing list of standards, why bother becoming compliant with an AI standard?
I already mentioned the sales benefit. Assuring your customers that their data is safe with your AI software can be a great competitive advantage, and eventually will become the norm. While the demand isn't strong yet, it is already beginning to grow. Just as entire industries require compliance certifications such as PCI DSS and NIST, your customers will soon require an AI certification before doing business with you.
An AI certification also provides you with the reassurance that your company is better protected against the sudden surprise of an AI-based data breach. The last thing you want is to wake up one morning to a flood of text messages asking why your company is making national headlines for an AI vulnerability that you never saw coming (but should have).
While many customers are only just realizing the need to ask questions about AI software, vendors that have already proven themselves against a standard are in a solid position to respond to inquiries. Certification puts you a step ahead, allowing you to give solid responses and reassurances to a client base that is increasingly asking, "What are you doing with our data?"
Leading AI Standards: NIST vs. ISO
If you decide to move forward, there are a couple of leading standards or certifications to choose from today. NIST has released the Artificial Intelligence Risk Management Framework (NIST AI 100-1), focusing on protecting controlled unclassified information in non-federal systems and organizations. There is also ISO 42001, which covers the responsible development, provisioning and use of artificial intelligence. And, of course, we'll soon see increased oversight of AI within existing standards like PCI DSS and SOC 2.
With either standard, your organization needs to validate numerous things regarding your integration of AI:
- How it’s happening
- How data is passing back and forth
- What specific information is being pushed to various systems
- Where information is stored and secured
There isn’t a major difference between the two primary standards, and both are structured similarly. Typically, organizations gravitate toward NIST because it is an openly available standard, or if they’re already using NIST CSF. If your company is in the financial sector or you’re already using an ISO standard, it might make more sense to look into ISO 42001 first.
The NIST standard came out first, while ISO has had more opportunity to develop its version and create sections for specific aspects of AI governance. The ISO standard has more specifics for those who go deeper down the path, but the choice of standard is entirely up to your organization.
Whether you choose to adopt NIST AI 100-1 or ISO 42001, TCT Portal is already set up to automate your compliance engagement. Both standards are fully supported in the platform, and we’ll add any new AI standards that are developed in the future, as well.
How to Get Started with AI Compliance Certification
When it’s time to start the process of using an AI standard, the very first thing to do is to analytically understand exactly what your situation looks like:
- What are you doing with artificial intelligence?
- What AI technologies do you have?
- Where is your data arriving or going?
- Where is data stored?
- How is your system structured?
Get your arms around your current AI data landscape first. This analysis of your existing implementation will be critical to properly organizing your venture into certification.
Until recently, there was no AI standard at all, so you'll be walking cold into a brand-new arena. It is going to take time and a decent amount of research. You'll need to take one element at a time, do a lot of Googling, and seek the advice of other professionals. Not many people have expertise in these certifications, so expect a bit of feeling your way through the dark.
One possibility is to rely on trustworthy consultants and experts, but be cautious when looking for guidance in this arena. Since the technology is so new, many people are faking it till they make it. Thorough vetting is required. Don't just trust any consultant with a shingle on their door — ask folks you trust for recommendations or see if your assessor has a trusted resource.
Protect Your Brand and Your Customers
If you’re a vendor who integrates artificial intelligence into your product or service, AI security is your inherent duty — to your own brand and especially to your customers. You can be proactive about getting certified in an AI security standard and show your customers that you really do value their trust, or you can wait until your company is forced to do it.
If you start now, you’ll gain a competitive advantage that your sales team can leverage ahead of your competition. TCT Portal makes AI certification as easy as possible, and we can get you started immediately.
