September 18, 2023

According to Politico, it’s unofficial AI week on Capitol Hill, as lawmakers in the House Oversight cyber subcommittee and the Senate Homeland Security and Governmental Affairs committee are capping off their first few days back by asking federal agencies: what are you doing with AI?

A key element of Congressional oversight, as it is for corporate boards, is what exactly the right questions to ask are.

Earlier this year, the National Association of Corporate Directors and ISA, in partnership with the FBI, CISA and the US Secret Service, created precisely that list of key questions, which were published in the 4th edition of the Cyber Risk Oversight Handbook for Corporate Directors.

In particular, the handbook provides guidance both on what those who are overseeing the deployment of AI in their overall operations should ask and, separately, on the questions to ask specifically about AI and cybersecurity. Today’s post will showcase the first list of questions, and we will deal specifically with AI and cybersecurity in our next post.


  1. What are the specific goals the organization is seeking to achieve in deploying the AI system?
  2. What is the plan to build and deploy the AI or ML application responsibly?
  3. What type of system is the organization using: process automation, cognitive insight, cognitive engagement, or other? Does management understand how this system works?
  4. What are the economic benefits of the chosen system?
  5. What are the estimated costs of not implementing the system?
  6. Are there potential alternatives to the AI or ML system in question?
  7. How easy will it be for an adversary to attack the system based on its technical characteristics?
  8. What is the organization’s strategy to validate data and collection practices?
  9. How will the organization prevent inaccuracies that may exist in the data set?
  10. What will be the damage from an attack on the system, including the likelihood and ramifications of the attack?
  11. How frequently will the organization update its data policies?
  12. What is the organization’s response plan for cyber-attacks on these systems?
  13. What is the organization’s plan to audit the AI system?
  14. Should the organization create a new team to audit the AI or ML system?
  15. Should the organization build an educational program for the staff to learn about the use and risks of AI and ML in general?

Given the speed with which both the AI technologies and the policy issues surrounding them are unfolding, it’s important for government to closely monitor what the industry sectors, often with far more experience than the government agencies, have already worked through as they face the mounting AI options and concerns. In our next post we will discuss the specific cybersecurity oversight questions both boards and policymakers need to be asking.