
RCR 161: AI and Financial Security: The New Frontier - Vendor Focus (NextPeak.net)

Apr 30, 2025
 

The rapid evolution of artificial intelligence and machine learning has created a pivotal moment for financial institutions. As these organizations race to implement AI solutions, they face both transformative opportunities and significant cybersecurity challenges that demand immediate attention.

Sean Gerber draws from over 20 years of cybersecurity experience to demystify the complex intersection of AI, machine learning, and financial security. With his straightforward approach, Sean breaks down the fundamental differences between AI (the broader field) and ML (the subset that enables systems to learn from data without explicit programming), making these concepts accessible even to those without technical backgrounds.

The central message resonates clearly throughout: AI must be developed and employed with a secure design approach from day one. Financial institutions that implement security as an afterthought rather than a foundation will inevitably face costly remediation down the road. Sean outlines practical security considerations including data anonymization, network segmentation, intellectual property protection, and AI-specific policies that organizations should implement immediately.

Through real-world examples from JP Morgan, Bank of America, and Capital One, we see how leading financial institutions are already leveraging AI for legal contract reviews, fraud detection, customer engagement, and risk assessment—all while implementing varying degrees of security controls to protect their systems and data.

Looking toward the future, Sean previews emerging trends including generative AI for threat analysis, federated learning approaches, and quantum-aware AI security that will reshape financial cybersecurity within the next five years. His practical action items emphasize building multidisciplinary teams spanning AI, cybersecurity, legal and business domains to ensure comprehensive implementation.

Whether you're a CISO at a major bank or a security professional preparing for emerging challenges, this episode provides the strategic framework needed to navigate AI implementation securely. The message is clear: investing time and resources in proper security foundations now will determine whether AI becomes your competitive advantage or your greatest vulnerability.


TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Speaker 2:  

Good morning, good afternoon and good evening. This is Sean Gerber with CISSP Cyber Training, Reduce Cyber Risk and NextPeak. This presentation is a presentation related to AI and cybersecurity as it relates to financial institutions. So, as a background on all of this, the reason I'm bringing this up is that I've been a consultant now for about a bit of a year, but I've been in the cybersecurity space for going on 20 plus years, and one of the things that I have realized over the past 23 years in cybersecurity is that things have changed, and things have changed a lot. And as I'm seeing this change as it relates to AI and ML, I wanted to record this just so that you all have some basis to understand. What are the differences? What is AI, how does it deal with ML, how does it deal in financial institutions? And so that was kind of the overall plan around it, because I've seen the gaps and I've seen it growing so quickly. If you are in a financial institution, and then realistically even if you're not, if you're just considering use of AI and ML within your organization, you really truly need to start understanding the foundational aspects of it. And the reason I say that is because in the next year, two, maybe three, but probably not much more than three, from the time that you have implemented AI and ML within your organization, you're going to wish that you actually would have paid attention to it and maybe made some changes at the beginning. It's a big, big deal and I think it's really important that, if anything you just take away from this, is that a new education related around AI and ML. So let's go ahead and get started.

Speaker 2:  

A little bit of background about myself. I'm currently a partner with NextPeak and we are a boutique type of cybersecurity company where we will provide how to set up SOCs within different sectors. We're big in the financial industry. We help do the uplifts in the case after breaches. We have virtual CISO capabilities as well, so there's a very large plethora of opportunities within NextPeak and how we can help you and your organization. We focus real strongly right now on the financial industry is where we're part of our bread and butter, but we also are in the manufacturing space and M&A, so a lot of great things we can provide with NextPeak. If it's not just myself, we have lots of individuals that we have in our stable that we can bring to bear any needs you may have. I'm also the owner of Reduce Cyber Risk, a consulting company, as well as CISSP Cyber Training, which is where I'm teaching students how to pass the CISSP exam, but not just pass the test but actually get the content they need to be able to understand it and then take that information once they pass the exam and use it in their cybersecurity world. So it's a different approach than many that just go out and try to pass the exam and get that done. It's more for self-study students, people that don't have the time to go spend a week or maybe the financial resources to do so. They can go take my CISSP training courses and have all that they would need to be successful.

Speaker 2:  

I was also corporate security for information security within Koch Industries, a very large multinational here based out of Wichita, Kansas. I worked in there from security architecture to managing their SOC, and then I was a virtual, not a virtual, I was a CISO for one of the large multinational companies that's tied to it, so that I dealt with manufacturing, chemical manufacturing, intellectual property protection, all of those different pieces within Koch Industries. I was an adjunct professor at Wichita State University, teaching cyber physical systems as well as cyber risk. I did that for a couple of years and then I stood up and kind of basically designed, built and stood up the Air Force Red Team for the Air National Guard here in Wichita, Kansas. Did that from around 2002 to 2010, 2011, and had a great opportunity doing that. So learned a lot from the adversary perspective. And this again, this is still a few years ago, but we were in the throes of trying to understand how cybersecurity was going to affect many companies. And I was in aviation. I actually went to school to be an airline pilot and ended up flying B-1 bombers and I was a weapons systems officer on B-1 bombers as well as a commercial pilot in the aviation space.

Speaker 2:  

So, as you can tell, I've got a little bit of a different background than many that are in computer security and so forth. But that's cool, because what the bottom line is is it's just designed to try to help you understand that it doesn't really matter where your background is. This whole cybersecurity space is changing so much and it's up to all of us to really kind of try to stay ahead of it. So what are we going to talk about? I'm going to kind of just break this down into artificial intelligence and machine learning, one of the key aspects that I struggle with. And again, I was born on a pig farm. That's where I come from in Iowa. So, yeah, my background is not one of a blue blood. I don't understand real complex concepts.

Speaker 2:  

So the ultimate point was to put out there what is this? Because I see the terms AI and ML thrown around like candy. They just kind of, people don't really even know what they're saying. And so I did that and I wanted to make sure I understood what I was getting at and what I was trying to explain and trying to understand. So therefore, this is kind of what this slide's talking about. So AI, again, this is a computer science broad field, right, it's big. If you look at the buckets to the right, you have the big green bucket. That's AI. That is everything out there, that where it can reach, and this deals with typically requiring human intelligence, such as learning, problem solving and even decision making. So all of that is there, it's all in this AI bucket.

Speaker 2:  

ML is a subset. It's a subset of AI that enables the systems to learn from the data without being explicitly programmed to do so. So it's learning on its own, based on the algorithms that are there. Now, the types of learning that's available to you are three specific types. They're supervised, unsupervised and reinforcement. Now, supervised learning: the model will learn from labeled data with input-output pairs, right, to predict outcomes based on new and unseen data. So that's but it's looked. It's maintained in its supervised state. There's also an unsupervised, where your model learns patterns and structures from unlabeled data without guidance, without explicit guidance on what to do, so it's thinking on its own a little bit. Then there's the reinforcement learning, where they learn through trial and error and it interacts with the environment, makes a mistake, receives benefits and there's penalties for making the mistakes, but the ultimate goal in all of this is to get down to.

Speaker 2:  

If you look at these LLMs, they're that small little dot in the middle of all of this piece of this, and the goal is that utilizing these capabilities through AI and ML to help enhance your daily activities and make it much more productive, make it more financially sound, do all these different things that are really rudimentary tasks that employees, people, have to do that one that could be done by a machine and then allowing you to be able to use your creative juices to be able to do more and better than actually the more rudimentary type activities. Let's start off with. We'll talk about RPAs in a little bit, but it kind of starts off in that space as well. So the goal, that's AI and ML in a nutshell, and again breaking it down to the third grade level. That's the point. So early adopters of AI and ML, especially as you're getting into this space, are cybersecurity, healthcare, retail, financial services and manufacturing. Those are some of the big, big people that are trying to get into AI and ML and they all have different reasons behind it.

Speaker 2:  

But just to kind of go over some of the key things, and as we go through this presentation, I'm going to highlight some key points that I'll get into. I'm not going to read from the slides, because you all are way smarter than me listening to this. So the point is that I don't want it to take too long to get through all the content, because there's so much content. You are going to need to figure out in here what is something that is important to you and maybe you can drill deeper into it or you can reach back out to me and I'm happy to kind of go into some different aspects with you. So again, cybersecurity: this is the AI-powered stuff. Now, in this world I've dealt with in a security operations center, got to deal with people, analysts from all over the globe that are trying to deal with these alerts. How do I deal with them, what do I do with them? And having AI that can go triage that first tier of alerts would be extremely valuable and this helps reduce the cyber risk. It also helps deal with all of the aspects that are manually being done by people. So cybersecurity is a big win.

Speaker 2:  

Healthcare: diagnosis, drug discovery, personal medicine, those are big things. I was reading a book, or actually listening to it, related to AI and ML, and the book was talking about how oncologists were having to look at different types of tests to be able to determine what is going on with this person. Well, now they have this. The AI and ML are able to do this. They have a program that can do this. It is just as effective as a very expensive oncologist, but it can do it in milliseconds compared to the oncologist taking 10, 15 minutes looking at each one. So it's imperative to know that healthcare is a big deal. Retail, e-commerce, obviously, training, pricing, the need for personal shopping.

Speaker 2:  

You see that with Amazon all the time. Financial services, which really we're going to talk about a little bit here today. Again, insider threat, the anti-money laundering. There's all of these different areas in the financial sector where AI and ML are being ingested and being used because of the financial gain that they can get out of it. And then manufacturing, especially dealt with this in the manufacturing space around predictive analysis. Systems that are going to go down because they're about ready to, their mean time to failure is a certain period of time, and if you've dealt with a manufacturing space, they can't just go turn a machine down, especially if this thing is running at a plant. There's a process by which they would turn equipment down and a lot of times when they do what they call a turnaround, they'll go in and they'll replace a lot of different equipment. Well, if they know that equipment is going to fail or it looks like it might fail, before you go into the turnaround, the best time to do it is during the turnaround. The worst time it could happen is right after the turnaround is done. You've shut everything down, you're now bringing everything back up and then all of a sudden a part fails and forces you to shut back down again. That's extremely expensive. So what can you do? If you have an idea of what is failing before the turnaround, you can preemptively replace it and save you a ton of money. And that's just one area within the manufacturing space.

Speaker 2:  

So lots of different adopters of AI and ML, and this is only going to improve over time. So how's AI's impact on banking and cybersecurity? Well, obviously, we talked a little bit about it earlier, where there's key financial innovation, automating tasks, increasing customer engagement, reducing operational costs. I'll use myself as an example. Perfect thing: I was communicating with the bank and they tell you it's a chatbot. You know that going into it, but it has the ability to communicate with you in a way that you don't really even think it's a chatbot. I was talking also to a company on the phone. I called them asking about some HVAC work on a property that we have, and I called them and asked a specific question. But I get a robot that comes up, basically because it's a chatbot, but at first I did not know that it was a chatbot. It sounded like a person completely, and so you therefore real quickly realize going, this is pretty crazy cool and it's also kind of crazy scary, but the point of it was that it's available right now and it is good. It's not perfect, it doesn't meet all the needs, but it's pretty good and it helped me through this entire process in many different ways. So it does help in helping your organization become more effective and more productive. Real-time decision-making, again, obviously we talked about that where it'll help you in that case.

Speaker 2:  

Now, as you're dealing with cybersecurity, how does this work? Well, from an AI standpoint, it's both a defensive tool and an attack surface. AI can be used to attack you, and they're seeing more of that increasing. That's going on. It also can help with financial data models, and the pipelines are attractive targets from bad guys and girls going after those. So there's an intersection between what cybersecurity and AI can do. It can help your company immensely, but it also is going to be the target of attackers against your company.

Speaker 2:  

If there's one thing you can take away from this presentation, it's this bang box. AI must be developed and employed with a secure design approach. Okay, if you develop these things by a secure design at the beginning, this is going to make your life so much easier. All the books I've been reading, all the podcasts and different types of video, I've been seeing the same concept: secure by design. Develop it at the beginning in a secure manner, and this is going to take some people to help you do this. But if you do this right, if you do the security right by designing it well, you are going to be in a much better position a year, two years down the road. So there's a lot of bullets you can see in the secure by design, but I'm going to focus on these four main ones, but they're all important. Every one of these is important, but let's just focus on these four so we don't lose our mind because there's so many bullets.

Speaker 2:  

So first off is security requirements from the start. You need to understand security is at the core of this thing and you need to consider that when you're doing your initial AI setup. You can't just go, well, hey, I just need AI and I'm going to go throw it in here. You can do that, but you're probably going to pay for it a couple of years down the road. So consider how you want to have security baked into this at the beginning. Deploy it securely. This is a secure infrastructure and environment for your model. You want to make sure that it's in a good, secure place when you build it, because once you build it, like I mentioned before, unpacking it and going back and fixing it again can be very challenging.

Speaker 2:  

Privacy by design. Privacy is going to be a huge factor with the AI and ML, anything you put in there. You want to consider privacy from the beginning. Do not ignore it. If you're a small company and you're going, well, I don't need, I mean, we don't really have to deal with personal privacy issues, so it's not a big deal, that may be the case right now. However, if you see value in this and all of a sudden you're like, well, I really like this, let's build upon it, you're going to want privacy because you may use it in an area where you're dealing with customer databases, customer input, anything like that.

Speaker 2:  

Begin at the beginning with your privacy, and then the last one is secure integration with other systems. This ensures that you have interaction between the AI and other IT components, having a strong integration, API integration, SaaS integration, application integration. All of those things need to be considered when you're deploying this in your environment. But again, start small. Do not go too big into this right away, unless you have a whole team of people that can help you deploy this in the correct fashion. So, as you're looking at these technologies from the financial services standpoint, I mentioned RPA. If you go down to about the third line, third row over, robotic process automation. Dealt with RPAs in the past and the RPA is just a robot that is just running more or less a script that keeps running over and over again and it helps with different types of data collections. But this is something that was kind of, I feel, is the beginning of where I started to see AI baked into different systems, and all this talks about is the different use cases that are on the left and the security concerns that you could have on the right.

Speaker 2:  

Take this piece of information, look at it, decide, hey, you know what? There's something I'm trying to accomplish. If you look on the right, that'll give you an idea of what are some of the things you need to be concerned about. Generative AI and LLMs: obviously, hallucinations, misalignments and data exfiltration, big factor there. Intellectual property protection.

Speaker 2:  

One of the big areas that we were always concerned about was IP theft, and if you're putting your IP in an LLM to help you and your scientists, you need to really have a good understanding of how do I get the data. I get the data in, but can I get the data out and do I want to have the employees get the data out? That's a big deal, I mean. And if you are dealing with intellectual property protection and you're using LLMs, think long and hard about how you want to deploy it. It can be done well and it can be done right, but there is risk and you will never, ever be able to reduce the risk to zero unless you just basically don't use it. So you're going to have to understand how much do you want to utilize AI and LLMs within your organization, especially if you have intellectual property. Now, also think about it this way. But your IP may not be Colonel Sanders' 11 Herbs and Spices. It could just be the fact that you have a certain pricing model with your clients. You know how much your pricing is. You know it in relation to your competitors. That is intellectual property. You have to determine, if you put this in your LLM for maybe your sales consultants, what happens if they get this out? Could it affect your company?

Speaker 2:  

Big things you got to kind of consider before you go jumping into this. So AI-driven use cases in financial institutions there's all kinds of things from fraud detection, customer engagement, credit risk and loan processing. That one's a huge one because if you have dealt with a loan, loans take forever and they can be challenging, especially if you've got credit risk. But if you can have the AI go through and help all this stuff out at the beginning, it's huge. One thing I saw is lawyers are now a lot of the paralegals that no longer were working with companies. They're getting less and less paralegals or moving them on to different kind of opportunities, because the AI and the ML can do a lot of what the paralegals will do. I saw this recent article where Saudi Arabia is looking to draft laws with AI and ML utilizing that capability. So it's amazing where this is all going to go.

Speaker 2:  

One of the key points I wanted to bring up around financial institutions, as it relates to the security piece of this and AI, is security operations. Again, AI for cyber defense, incorporating that in with your SIEM and your SOAR platforms. SIEM, I should say, not SIEM, your SIEM, your SOAR platforms. This helps a lot with behavior detection, predictive phishing, malware classification and so forth. So a lot of really good things there. So, yeah, real world use cases. I will just kind of bring up a couple key points here as you look at this. One is JP Morgan's COiN.

Speaker 2:  

They automate legal contract reviews. If you've dealt with cybersecurity, you know I've had to go through various cybersecurity legal reviews: breach response, what happens to my third parties that provide me information that comes in and what happens if they have a breach, what happens if more of my data is stored? All of those pieces are tied into legal contract reviews. JP Morgan uses their capabilities to review that and help protect sensitive legal contract data. That's being watched for utilizing AI. So if anything gets slipped in there accidentally, then that could be a factor. I've dealt with this with legal reviews multiple times, where they don't usually come to us until the deal's almost done and then they go, well, hey, can you look at this, and you're like, oh no, and all of that would be great if it was already baked in with the capability from using AI. It had already seen it, dealt with it. That would be a huge factor.

Speaker 2:  

CyberLens, robust DLP controls. Again, they have strict DLP controls to prevent unauthorized disclosure of confidential data. So having a DLP program utilizing Microsoft tools or other tools out there is great, but now you can throw on another level of protection around AI, and in the case of this, with CyberLens, they're able to do that. Capital One has got some stuff. Bank of America, you can see there's a lot of movement in this space, especially in the financial industry.

Speaker 2:  

Now, when you're dealing with setting up AI within your company, you're going to go, how do I deal with this? Well, there's basically three different types of frameworks you need to consider. An AI security framework, and this is based a lot on the AI RMF. And if you want to kind of even break it down a little bit more, there's the NIST cybersecurity framework. That is really the foundation of the AI RMF and if you utilize that framework, it's going to give you some great guidance on where to go. The downside is that, because AI is so new, these frameworks are relatively immature and as they're growing, they will become better and better over time, and so when you look at this framework, you may go, okay, well, this isn't a whole lot different than the cybersecurity framework, and you're not that far off. There are some different nuances to it, but the ultimate goal is to just get you some direction on where to go as it relates to implementing this within your company.

Speaker 2:  

AI governance frameworks, really important part. Governance is a huge factor in all of this when you're dealing with AI, and this considers ethical considerations, risk management, compliance and accountability. So you really need to have a good plan when it comes to AI governance. And then ethical frameworks is another one to consider, and this is a foundational element as well. Does it have the ethics? Is it going to be trustworthy? Does it have something that will not give hallucinations and people won't pay attention to it? So really understand these three frameworks when you're deploying AI within your company.

Speaker 2:  

Now there's the risk framework. As you can see, the NIST AI 100-1. Yeah, that's new. If it's 100-1, it's new, it's brand new. It's like a baby. It's just coming out and it's an important part of the framework. It's just something you need to consider. Now, it goes into four core functions: govern, map, measure and manage. These are designed to help you get this process down the pipe. Something to consider if you're in the financial industry: there is the CRI, which is your Cyber Risk Institute framework, and they have a framework that is tied to the cybersecurity framework. If you follow those and then kind of sprinkle in AI where you're at and tie it all together, you're going to be much happier down the road. You'll be much happier as you move this thing down to the end of the conclusion.

Speaker 2:  

So the ultimate goal is pay attention to the frameworks, determine which way you want to go with them and then start implementing them within your company. Now here's some of the top LLM risks that you will have to deal with if you're deploying this insecure, insecure output handling. There's lots of different places here, but I'd say what the number nine is, one that I kind of globbed on myself, and that is over-reliance, and the part of over-reliance is over-reliance on the models themselves. So you really need to consider, is it something that I'm going to have my people, they're going to just take it as truth, as gospel? It's going to happen. You need to really understand and build in some level of protections around that to avoid over-reliance on the overall LLM. So some different considerations I've highlighted again, as you can see, this is an eye chart.

Speaker 2:  

I didn't want to go through all of those, but I wanted to highlight some key points around this as it relates for considerations in cybersecurity, dealing with AI. Data anonymization. So if you're going to be dealing with this within your organization, privacy is a big factor. You want to at least bake into it at the beginning: how do I anonymize this data? How, when I store it or when I present it, how do I ensure that the data is anonymized so that privacy standpoints can't come back to bite me? Mentioned this before going through. Data governance is an important part, very important part, of your overall foundation. Infrastructure, kind of struck that chord before.

Speaker 2:  

Network segmentation, big factor. If you are in manufacturing space, one of the big things we do is we would segregate the manufacturing network from the business network. Again, you want to limit the blast radius. If something were to happen, it doesn't affect your manufacturing and vice versa, your manufacturing doesn't affect your business. Same concept with AI. You want to really truly understand network segmentation and how to isolate your AI components in the event that something bad were to happen. So think about that ahead of time, before you actually need it.

Speaker 2:  

IP protection of models: this comes down to you're developing these models. You want to make sure that you develop something that is available to your masses, but if you're putting a lot of work and time into it, you want to make sure that it's protected from it being stolen. You may have a model that you grab from off the shelf, air quotes, and then you tweak it to meet your specific needs and you put in some, you sprinkle it with some salt and pepper to make it work for you and your company. Well, that could be intellectual property, not that it could, it is. If that gets stolen, how does that affect your overall company's performance? Can it impact you in a way that's negative, and I would be willing to bet in many cases, yes, that is the case.

Speaker 2:  

AI-specific security policies, okay. So if you have a cyber security for your organization but it doesn't have really anything to do with AI, you need to have a specific policy tailored to AI ML use. Your broad brush policy could be fine at the beginning, as you're just getting started, but once you start integrating this and people start utilizing it more, you need to have a robust policy schema set up specifically for AI and you need to educate your people around that, and that's one of the big aspects about policies, is having a good education program teaching them what can they expect from these policies. And then regulatory compliance for AI. If you're in the financial industry, that is becoming a bigger factor and you're going to have to maintain that. Auditors are going to want to ask questions about that. You have to be prepared. But it's not just the financial industry. Many organizations.

Speaker 2:  

When I was in manufacturing, I dealt with governments, different countries, and therefore you had to have a good plan on how you're going to deal with the AI. In our case it was more or less advanced technologies with the governments. But if you're dealing with AI in a government and a different country, they're going to want to have some level of compliance and legality written around it. So what is a current and a future? What does this look like? Obviously, for AI and cybersecurity, there's operational and customer gains. I'm a personal recipient of it. I loved it. It was great. It helped me out immensely and it met my needs. Was it perfect? No, but from a customer standpoint of being satisfied, it was positive. It was very good. Security enhancements.

Speaker 2:  

Obviously people cannot see all the risks that you're looking at, or that we can't see them all because we're people. But the computer can see the risks that we can't, and it can pull in feeds from different places and it can help analyze and then potentially block some of these security risks that are to your organization. Fraud response, intelligent monitoring with SOX and then potentially dynamic risk scoring based on behavior and transactions. So now you're tailoring or profiling people and how their activities are happening. So where are some future trends? You got generative AI for threat analysis. It's basically auto-generating incident response based on malware reverse summaries, looking at what's going on with that. Federated learning, quantum-aware AI security, AI and blockchain. All of these are kind of the future that's coming and you're going to see those not within 10 years. You're going to see them in five years or less, because we all know that we're marching down towards this path. So some key takeaways as we're ending up this presentation.

Speaker 2:  

One of the things around the financial industry is AI in banking is here to stay. It's transformational, but it's not without risk and you need to plan for it. Cybersecurity must be foundational when you're dealing with AI and it should be not reactive. Regulatory alignment and secure frameworks are an essential component and you for trust and compliance passpoints of it. So you really truly need to bake all of that into what you're trying to accomplish. Action items. So embed security in every phase, which we talked about.

Speaker 2:  

Build multidisciplinary teams. They understand AI, cyber, legal, business. They're all together. One of the things that I ran into with my legal teams is I had to educate them on this tech. They were very smart people. They are very smart people. They're brilliant, right, but they're brilliant in what they do. They're not necessarily brilliant in tech, so I had to help them understand how are all these technologies changing their life. Once they got it, they got it and it was easy, and then it also made that transition much easier to communicate with them. So that way, when I had challenges, the legal team knew that they could trust me, I could trust them, and it was a really great partnership.

Speaker 2:  

You want to invest in explainability, adversarial testing and then also in governance. You got to have a good plan. You're probably looking at this going this all costs money and guess what? You're right, it's going to cost money. It's going to cost money and time, both capital expense and opportunity costs. However, if you spend the time now, you will be much happier down the road when you're having to implement this within your organization. So at a later time it's going to be a big, big deal. Even though it's a big deal at the beginning, it's going to be even bigger at another point in the near future.