Shared Responsibility & AI: What Should Your Business Be Doing?

When integrating artificial intelligence and other cloud services, issues around the shared responsibility for things like cybersecurity, regulatory compliance, and environmental impact can be confusing.

Addressing this shared responsibility challenge has become imperative for businesses utilising public cloud services. To tackle this issue, major cloud providers have devised specific shared responsibility or shared fate frameworks - you can read more about these here.

These models outline the obligations of both service providers and users. And by keeping to these guidelines, businesses can ensure that every aspect of their cloud environment is standardised and protected. 

But while it’s vital businesses are proactive in understanding and implementing these frameworks, it’s not always straightforward.

What are the main challenges for businesses?

The main challenge is maintaining oversight across the total landscape. And with increasingly fragmented data and services across multiple cloud platforms and providers, this is becoming tricky. 

Transparency is key, while understanding the effects of actions in one domain to other domains is now even more important. 

A business needs to be able to see what is going on, how it evolves and if there are anomalies in certain patterns that require action (manual or automatic). This is in relation to AI, cybersecurity and carbon footprint considerations, but also more straightforward things like costs and usage. 

How to monitor your whole digital landscape

• Draw up a decent KPI-based strategy, so you know what to measure and what ‘good’ looks like 
• Adopt a proper governance model, with clearly listing who is accountable and responsible for what in cloud context
• Use the right tooling, capable of supporting the insights and oversights and then carrying out most of the actions needed automatically

Shared responsibility models are absolutely part of the answer, but also part of the problem. Because clearly defining who is responsible for what in a cloud shared responsibility model is complex.

How can businesses create a responsible cloud strategy?

For proper governance and use of shared services, shared responsibility needs to be clearly defined and well implemented. After all, it can provide a solid foundation upon which to build reliable public cloud-related services. But how?

Well, organisations need to decide on – and communicate – the principles of responsible cloud usage. By defining the metrics of progress, success and failure from the outset, you can effectively measure your progress towards more responsible use of the cloud. 

Firstly set the goals (what do you want to achieve), based on cloud strategy (which can often be lacking) and link this to business goals.

These goals should be easy to understand and focused. For example: we want to reduce IT carbon emissions with 10% every year.

Shared Responsibility: Who’s Really Responsible for What?

With public cloud, who’s really responsible for things like cybersecurity and regulatory compliance, or emissions?

Find out here

The goals must be measurable and you should define metrics to do so. And those metrics should be periodically published to showcase progress. And the results of the metrics should be used to steer/manage to realise the goals.

Metrics might include shutdown times of intermittently-used cloud servers for energy savings, compliance with industry security benchmarks, or privacy review coverage of new AI services – as just three examples. 

Similarly, the risk of public cloud and shared responsibility needs to be explicitly addressed and periodically reviewed. For example, the standardised use of one cloud provider might sound efficient, but this will create a major dependency on one provider. 

This is why financial regulations require a proper exit strategy. By using more than one cloud provider in the first instance, you can protect yourself against the need for that exit strategy in the first place. But that will complicate your initial cloud journey, so you might want to balance out that complication with building CSP-agnostic implementations (which might introduce the disadvantage that you cannot leverage all the advantages of cloud native development).

To then take this beyond an organisational level, it might also be worth questioning the ever-growing dependency on the three hyperscalers. After all, if all the banks were to run their services on just one hyperscaler, you’ve got a single point of failure for an entire society or industry.

How will AI affect cloud services in the future, and what do businesses need to do about it?

As digital landscapes grow increasingly complex, the challenge will be to stay in control, whilst gaining detailed insights the entire time. 

The accelerated use of generative AI might make it seem like a tempting option. But, as with most new, fast-growing technologies, the question to ask is what value it really brings to the business. 

Whereas Open AI is worth playing and experimenting with. Because once you’ve understood its capabilities for your organization, and how to parameterise AI in a proper way, you can create the necessary strategies, policies and guidelines, which will enable you to implement AI in a controlled, structured way – and ultimately improve your operations. 

What to consider when you explore AI

• What data you are allowed to inject
• Whether you want to train the open model with your company data
• How to use the outcome
• Whether you need to create your own AI platform
• How you make sure the outcome is reliable
• How to make sure you will not (accidentally) leak confidential or privacy information
• Whether you can explain to users, customers and authorities how the outcome was generated, i.e. which algorithm was used

What will the future consequences of AI be?

Overall, AI means cloud service providers will continue to scale vertically, which will gradually force them to change their business models. They may even move away from technical implementation and  focus more on MSP territory, in advisory and consultative roles. This could involve connecting business needs to cloud implementations, or using AI for standardised work and human dexterity and empathy to fit that into the organisation. 

Over the next five years, generative AI will appear in most units of most businesses, either via SaaS providers like Microsoft O365 or as internally-built applications. And AI will be capable of processing information (instead of ‘just’ processing data like classical IT services).

OpenAI & Cloud: 2 Use Cases We Built & What We Learned

Check out the two use cases we’ve been working on for AI in the cloud and what we’ve learned.

Read about them here

Which means businesses need to start writing – and communicating – AI usage policies ahead of time, taking into account that AI extends beyond classic IT or current standard public cloud services into the gray area between IT and humans performing tasks for the organisation. The undeniable ease with which new AI services can be adopted should bring this sharply into focus.

So, what does the future hold? Well, over time, much as has happened with public cloud adoption, businesses will eventually have to employ a GenAI ‘centre of excellence’ approach, to help business users with the secure and responsible usage of cloud and AI. 

And responsibility – particularly in security terms – is the key here. 

Need some help with these things?

At Nordcloud, we’ve built our advisory services to partner with organisations and overcome these kinds of challenges. If you’re using cloud, you need to make sure it’s integrated in your business with clear governance, and clear and defined roles and responsibilities. 

This includes our Governance, Risk Management and Compliance (GRC) advisory team, which can support you in setting up and running your cloud governance in an effective way. 

If you have any questions about this article or would like more information about our advisory services, you can contact me, Sander Nieuwenhuis, Nordcloud GRC Advisory Lead, directly below.