Turning Governance Into the "Yes" Guys ft. Cindy Tu | Data Science Leaders

Domino Data Lab 01.04.2026 25 views 1 like


Video description
Third-party risk management was not designed for the GenAI era — and enterprises are under pressure to close the gap. Cindy Tu, Audit Executive in AI, Data, IT and Cyber Risks in Financial Services, discusses the current state of AI governance in the enterprise.

What you'll hear:
→ Why third-party risk frameworks weren't built for the GenAI era — and why validating what large vendors actually do with your data is harder than it sounds
→ Why there's no one-size-fits-all AI governance framework — and how organizations are tailoring them to their own risk appetite
→ How to reframe governance from the "no" guys to the "yes" guys — and why that shift matters for responsible AI adoption

📺 All episodes: https://www.youtube.com/playlist?list=PLTPpVn_GzeMH0LdGvJLtomZ1fZbBHZXhf
🔗 Cindy Tu on LinkedIn: https://www.linkedin.com/in/xin-cindy-tu/
🌐 domino.ai

⏱️ Key Timestamps:
00:00 Introduction
01:37 Finding her voice as a speaker and leader
05:31 The auditor's unique vantage point on AI risk
09:48 Why governance is a people problem, not a tech problem
13:37 Third-party risk and the GenAI blind spot
19:27 Why there's no one-size-fits-all governance framework
26:56 What excites Cindy about the AI frontier

About Cindy Tu
Cindy Tu is an Audit Executive in AI, Data, IT and Cyber Risks in Financial Services. With a background spanning IT, data, and audit, Cindy brought a rare systems-level view to the table. She is influencing how institutions think about oversight, how governance frameworks evolve, and why people are at the heart of successful implementation. Her perspective is informed not only by technical expertise, but by lived experience.

#EnterpriseAI #DataScienceLeaders #AIGovernance #ThirdPartyRisk #DataGovernance #FinancialServices #AIRisk

Contents (7 segments)

Introduction

That's the area that I worry about that keeps me up at night is really the third party risk management because it was not designed for the GenAI era and now we really need to revamp it otherwise we're going to get in big trouble.

That's Cindy Tu, director of IT and data audit. Cindy has a long career as an auditor in finance and she has a unique vantage point on the industry's evolution of risk management and data governance. A vantage point that has evolved alongside finding her voice on the main stage. She joined me to discuss the misunderstood world of governance and the importance of standing up and speaking your mind. I'm Thomas Bean and this is Data Science Leaders. In her early days of finance audits, Cindy saw her primary role as focused on data integrity concerns under an IT risk framework. And though governance was often seen as something of a negative word, Cindy was quick to remind me.

— I mean governance still a negative word nowadays because when people talk about governance, right, they are thinking, "Oh no, these are the guys who going to slow us down, right? These are the no guys."

— But Cindy doesn't think that's actually the case. Instead, she sees governance as an undervalued asset.

— How do I say it? Like maybe innovate more responsibly, right? Not the no guys. Like how can we turn that no into a yes or maybe?

— Now that take might seem like an unpopular opinion, but Cindy isn't shy about sharing her opinions. At least not anymore.

— So, uh I was born in China, right? I

Finding her voice as a speaker and leader

grew up in China and then I started working here, right? Obviously got an LA like degree and then working here. But I think that Asian culture, the upbringing is still very rooted like in my DNA, right? So I mean mom absolutely you're right like she's very she has a strong character, right? She have worked in her entire life in China. She have very specific philosophy about working is that I I'll tell you the Mandarin what it sounds like, right? She will say and that translate into don't speak up just work hard right so that is you know everyone is um informed by their life experience and that's what her life's experience telling her is that just work hard you know don't draw attention to yourself right that's how she lived her life and worked her entire career right but that's not you know as I'm finding out like in the past two decades I work right like that's not how it works here right so it's very like it's very interesting kind of have the upbringing but finding out how do you actually live in the American culture right the work experience here is it was a big culture shock to be honest

— As an expert who has lived in the United States for some time I can tell you how big this American culture shock talk really is. And so the first half of Cindy's career was defined by her drive to succeed by showing up by listening and learning. She's attending every conference she can get to. Thinking all along

— the voices or the leaders who dominate these sessions, there's really not many people who look like me. I'm the first generation immigrant, right? English is not my native language. I never really, you know, kind of like picture, oh, that could be me. That's how it was back in the days. I was just there attending the conference, listening to what they had to share.

— So Cindy goes to countless conferences and one day she hears a speaker that particularly resonates with her. She reaches out to say, "Hi, you know, I really enjoyed your session." And the speaker,

— she actually responded and invited me to speak at a local event. And I remember it was a local event for women in data. I was surprised and after I thought it for a little bit like well why not? It was very scary but I thought to myself well why not? Let's just try it out see how it goes. It was amazing how many people approached me after the session and um a lot of them like made a comments about that my story actually inspired them a lot which is very surprising given that the very first session I did.

— What did you realize about yourself? You were in a zone. The story your story made an impact. Your speech made an impact. What did you realize about yourself?

So what I realized is that I really deep down enjoyed the overall experience right before during and after right it was not the fact that I shared my perspective is was able to engage and connect with the audience

— and it looks like as you were going through this realization on stage it also changed the way you saw your place in the uh audit and risk and AI governance conversation. So can you tell us a bit more like did it feel like shifting from reviewing the system to helping shaping it or uh taking a more active role?

I think um is

The auditor's unique vantage point on AI risk

not the fact that I'm uh like just a good speaker right I really have kind of like finding out I have a unique angle to share because as I have told you in the earlier conversation right like I'm often time one of the only auditors in the room right in these data conference AI conference right and that means I actually could see from a big picture view because of my unique background around the intersection between IT, cyber, data and AI risk because as you know that the AI risk is very it's very much a top level enterprise level risk is not just related to IT data or third party or model right it's all everything right so um it requires a lot of different stakeholders and parties to collaborate together to sit on the steering committee or whatever the organization that is providing the oversight for AI risk to be able to ensure that you are consider all the aspect of the AI risk. So it started this whole journey about making sure that I can actually you know engage with the right leader at the enterprise especially like financial services it's like surprisingly small world everyone kind of know everyone right data leaders AI leaders like you know audit leaders and risk professionals so we're actually a very tight-knit community right we all share perspective about what works what doesn't and then through that sharing you kind of understand the leaders at the personal level and build a connection that lasts lifetime as well.

— But at this same time, you took a way more active role in kind of shaping um the AI governance frameworks of the financial institutions you were working at. So um when did that switch happen in terms of I'm just not evaluating I'm now influencing you spoke about the audience and your speaking uh activities but in the context of the organization you were working at how did this shift happen in terms of hey I'm taking the wheel and now we're going to drive and define because I have this unique perspective

— that also happened like slowly and gradually right so uh because of my role and you know there's not really a lot of the risk professions and other profession that has that you know like big picture view across different risk type right and at the time was like IT, cyber, data and AI right so which is why we were invited in and sits on the GenAI council that's our honestly our first iteration of GenAI like governance framework right and how it came about is really like through our engagement and you know the effective challenge that we were performing at the time with all the GenAI cases that we were finding through from you know inception honestly to proof of concept to write a roll out and implementation and because of our input and we were able to shape the second iteration of the GenAI you know like governance framework right defining what is acceptable AI use cases and defining what the risk assessment should be involved and defining what level the approval that would need based on the GenAI cases you know the classification piece right through the triaging process deciding which path it should take and what management level committee's approval would be required before it can go to proof of concept before can go to general wider roll out and implementation all of that is really through the gradual effort and that you became that opinion leader I became that influencer and you get invited to the sit at the table and you have a voice that then you become more from a participant standpoint to more of a influencer and stakeholder at that point. So it also happen slowly and gradually just like a trust it doesn't build overnight. It's through the gradual influencing and connection and relationship building.

— I love what you just mentioned about uh about trust. Can you give us an example of the type of problem of risk that only your unique perspective could highlight because that's also part of these this moment?

— What I was able to bring to the table is

Why governance is a people problem, not a tech problem

because I have extensive background in IT cyber and data and AI and also because I have experience designing and implementing IT and data audit framework at uh various like financial institution. I'm also specialize in data governance. So I understand that like through implementation of a governance framework is not just like technology and process is also people right so with any change management is people technology and process and often time the most important part and the most difficult part guess what it's people right because it involves more of a culture shift it involves often time organization changes as well. So which is why it's hard right like our human nature the first instinct is to get comfort to routine and resist change right so it requires a lot of people a lot of effort a lot of influencing right so my perspective is that I have experience implementing the framework and know how hard it is and know and understand it's not an overnight effort it requires a lot of people a lot of buy-in a lot of influence influencing right it's not just the technology has to be right the process but the people has to buy in on it and that's number one and the number two part is that because I have experience in all these different risk I understand that if there's a specific risk that we're considering about GenAI cases if they are multiple control breakdowns related to the same area that risk tend to be also compounding right which increase the likelihood of a specific attack or specific thing that could go wrong to happen with a much higher likelihood because a two breakdown in the same area and because the fact that we often time do a lot of like trend analysis and root cause analysis on a lot of issue that we see across the board. Not a single like lines of business but across the board looking at the quarter-over-quarter trend in terms of the issue in a specific area. We understand right if you get a collection of five different issues it talks about not just a single control breakdown because especially if it's across different lines of business that's telling us that maybe we didn't fix the right root cause in the first place and is a widespread breakdown in this very specific control in the same area then it tells us maybe the root cause is in governance is in training is in guidance right So there's a lot of these like big picture view that the audit have the luxury of seeing from 3,000 ft above the sky, right? Not just looking at one issue in isolation, but looking across the board. So that's why there's a lot of different things that we can offer to be having a seat at the table is because of these experience that I have had in this field specifically.

— Yeah. The risk just like the solutions you were talking about are compounding themselves as well and you're open to a little bit of risk that might be acceptable but we take it at the group level then you might have something much more significant.

— Yeah.

Um you mentioned earlier you governance is still being figured across the industry but that was especially true as you were seeing GenAI arrive and such and um what were you starting to see in these early conversations that others were not talking about.

— So I definitely see you know because I

Third-party risk and the GenAI blind spot

connect regularly with the chief AI officer, chief data officer and um you know CISO and CIO as well right? I'm seeing that these AI governance framework is much more mature than before and the rate of innovation now it's definitely speeding up but on the flip side I'm also seeing there's a lot of the stories that they share about what could go wrong or what went wrong already that is also actually pretty scary right so it's you are seeing on one hand you are seeing the AI governance framework more maturing and the other side you'll see because of the fact that we are more on the risk management we're finding out more about the risk exposure now that in turn is making us more cautious also when we are rolling out GenAI use cases to do more risk assessment or have a way to feed the risk assessment feed these GenAI use cases back to the risk assessment process because as the GenAI model is implementing right or implemented in the production for a while the perform rate if you're not being careful if you don't have continuous monitoring in place right so that's the general trend I do think the governance framework is maturing but the risk we're I think we're finding out more about the risk exposure now and the other case I also want to see is on the horizon is that I'm seeing a lot of gap in the third party risk management framework right now because it was not obviously designed for the GenAI era that we're in now so now I do see a lot of exposure on third party space because one third party you have less control over what they do with your data even they say well your data it's prem right is not going to get crossed but how do you know right on to you can validate that even verify that especially those bigger players we always had trouble validating these third parties environment anyway with a big player like AWS and etc because they're too big for any single client so they care about you right any client just not big enough for them so they don't want to open their book for your audit and all that but then deep down how do you know they're actually doing the right thing they're actually doing what they say they were doing right so and as you see there's a lot of GenAI model out there like ChatGPT, Perplexity, Anthropic right they already all the public available datas right there's no more data for them to train they're actually using AI to create data for their training so what they're after next is your enterprise confidential and proprietary data and you have to safeguard it because that's what's giving you the competitive advantage right and also you have to safeguard it to comply with relevant laws and regs right it's not a nice to have is the necessity, right? Especially for financial services company. So that's the area that I worry about that keeps me up at night is really the third party risk management because it was not designed for the GenAI era and now we really need to revamp it otherwise we're going to get in big trouble

— in such a fast evolving uh domain. I mean I know the regulations are moving slow but the technology is moving super quickly and the businesses I mean business use cases are invented right in front of us. How do you um as a thought leader but also as an executive how do you stay current or actually how do you have a forward-looking perspective in a domain that's evolving so quickly?

What I do regularly is I connect with the industry leader because you actually will be able to hear what's happening on the ground because what's reported on the news is not what's happening on the reality on the floor right so you won't actually see behind the scenes story about hey oh this banking company have rolled out AI agent wasn't actually a agent was it simply just automation right so you are through your connection with these industries leader are able to see what's truly happening behind the scenes and what works what doesn't and you know what they have tried out with the GenAI cases and what could go wrong right that's actually that's the most valuable thing that I gained from being the industry leader is the ability to connect with people at different level and hear their story and share what works and more importantly because these are not just hey you want to hear some funny stories story to tell, you actually bring it back to your daily work to say, hey, because I heard this story, what should we do to better manage risk, right? When we are seeing this use cases so that we can get in front of it and we're not going to get into trouble with the regulator and we're not going to violate any laws and regs, right? because these are we're doing this for a reason is to bring it back to apply to your work so that you can become a better professionals and you can actually look out for the company's best interest as well.

Um we spoke about how you came to become a speaker how also the early days of AI and GenAI governance let's speak about today you spoke a lot about the people uh as being a big part of the solution so um what has changed in terms of how uh AI is governed or how risk is assessed for AI in enterprises today what have you seen

— um I do see there's a lot of different

Why there's no one-size-fits-all governance framework

flavors of AI governance framework out there and that is for a reason because if you think about the AI like let's say even chief AI officer or co organization right like organizationally every company they sits at different part of the business some of them are report to CFO some report to CIO some report to CEO right so and that is due to the organization culture they're maturity their level of like scrutiny from a like a regulation perspective also like the their lines of business what kind of product they're selling right what agency will be governing them like all the factor matters right so you are seeing a lot of different flavors of AI governance framework out there that's for a reason and I see a big potential in the AI governance framework field is because it's not a one-size-fits-all solution. Even if let's say we announce in 2026 there's a golden standard out there for governance framework the company's not going to be able to adopt it right away and the reason being that it change management is just different story every company right and the governance framework how it works is it centralized model is it decentralized model who have a say in there what kind of level approval risk assessment is needed every company their risk appetite framework is also very different what is acceptable risk for company A may not be B and there's a reason for that right so even if there's a standard let's say today right January 2026 we have a go and that the company's not going to be able to adopt it because you have to figure out what does that look like for your company so I'm seeing a lot of different flavor out there which is okay because every company have a different answer when it comes to what is the right balance between innovation and risk management and That is creating a lot of opportunity for risk professions like me, right? If you think about audit like the risk management skills is very transferable for first and second line as well is that you are able to translate that risk requirement what is acceptable risk into a framework that is designing for that company specifically. So yeah, I'm seeing a lot of different flavor out there, but they're all maturing into more a rigor, a framework, a structure, which is very good trend for the overall industry. We're all trying to figure it out and we're trying to figure out that experimentation because no one have the right answer. So we have to do more of a test and learn so that as an industry we can figure out what are the all the risk exposure out there what could go wrong how can we safeguard it and through these exchange of the insight right sharing with the industry leader we're going to be able to get to the final answer of what is the minimum level of the rigor that should look like right we can come up with what the minimal standard is but to figure out what the individual AI governance framework it requires your company to have the risk profession tailor that and design it for you. So that's what I'm seeing in the industry out there.

— Do you think we'll ever have a gold standard or do we even need a gold standard? Because I'm listening to you and I'm thinking actually a gold standard might be a good step forward for the companies that may be a little bit behind, but for the ones that are pushing ahead, it might be actually holding them back. So right there's a tension there.

— Yeah. So I think there will be um like a baseline requirement let's say um maybe NIST will like release something that is for financial services industry specifically right so if you think about the category one banks they're already far ahead probably right so but for the midsize bank like maybe there's a few areas that you still need to patch up right that's the baseline requirement that you have to be uh compliance with and then there's a different level of rigor that comes if you're category 1, category 2, category three bank, right? So I do think there will be an industry baseline that would be released but you know to your point if you are far ahead maybe you need to do more because the risk is much more the volume of transaction that's going through is much more the level of data that you have for the customer is much more so you are holding a very different bar and that's what is doing and that's their job right to make sure that these are tailored in a different way so that they are different bars that they have to

You were just talking about the importance of figuring it out together as an industry. So what does that community look like to you today from your vantage point and what kind of collaboration that maybe could not happen with other community are happening now?

— Yeah, absolutely. So um and there's a lot of community like you know I attended like for example EDM Council and ABA right American Bankers Association. So they all have like a data governance working groups and AI governance working groups right and as a matter of fact EDM Council um you know is working on the next iteration or already release the next edition of the CDMC framework that included the AI capability in there as well right so these wouldn't happen without industry professionals coming together and sharing what should be you know what is the bar for data risk management in the cloud environment right in this GenAI era. So there's a lot of people who are trying to get to into the AI field because they're seeing this as a more of this exponentially it's exploding area right now right it's very hot um so there's a lot of different professions trying to get in and in financial services particularly as well but honestly I see a stronger community coming together there's a lot of people there's a lot of player in there but there's never a dull moment because people are sharing stories about what their work experience is and what their different flavor of AI governance framework is so that we can say hey maybe we should try that right is all about experimentation is all about sharing and that's what's making this community stronger

— what's your perspective on the kind of tooling that could be provided to these governance or to these risk teams and are agents going to help actually in that domain what do you expect to happen on this front

— I think we have to have trust in the AI agent first before we can actually apply in the AI governance world and the tooling itself honestly and that is also a question for yourself what tool you have already how easy is it to embed the new tooling into your overall ecosystem and what kind of feature are you looking for that your current tool doesn't have and that's also very individual answered as well.

— Yeah. Where do you think we're headed with this notion of uh AI governance? And I say AI governance, I I want to go back to the fact that you said it needs to be an all-encompassing risk management. But um where do you think we're headed? Uh and what excites you? What's the next frontier? What is possible in that

What excites Cindy about the AI frontier

domain that will unlock even more value for financial institutions or any actually enterprise?

— Yeah, absolutely. So I would say generally I'm very excited for AI innovation and I attended the Nvidia conference the GTC conference in DC just a few months back right what they have released about the Omniverse uh virtual reality how they are collaborating with different industry into creating like let's say with Johnson they're creating that virtual reality for surgical use right especially they are able to simulate the surgery environment so that the doctor can actually simulate a surgery before they even perform on a real patient. Right? That in itself excites me and scare me at the same time because one right think about the endless possibility what they could do right with the AI factory with everything with the weather simulations with surgery with everything everyday life right they're going to over all aspect of our life right which is very exciting to me because the endless possibility that it brings the other parts being risk profession that scares me is that how do you know it actually simulate the real world example right because for the surgical use particularly the consequences could be very dire right could be life and death situation right it's not like you know we're managing AI use cases the stake is not that high right but when you are performing surgery on real patient the stake is very high so deep down I worry about like how can we validate it actually simulate the real reality with all the physical aspect and all the element of the environment How do we continue to ensure it still simulate the real world experience right is what scares me but that also creates job security and opportunity for risk professional so I'm not complaining but yeah it's if you attended and hear Jensen's keynote like it's very exciting the future could bring with AI agent with AI factory with endless possibilities AI could bring But the risk management framework has to catch up as well

— or evolve as fast as innovation. That's I totally

— hope that that's what we're all working towards.

— The way that Cindy found herself on stage is a way that all AI leaders need to be thinking of progress. Had she never believed that the spotlight was for her, we would be deprived of her unique and holistic approach to governance. This is especially true for those who see the stage but don't see themselves on it. The thing I particularly appreciated hearing was how every part of Cindy's story on a personal and professional point actually bring together this unique perspective that she uses to assess risk and identify value and enable value in enterprise AI. If you enjoy this episode, please stop to leave us a rating and if you have time, a review. You are the reason we produce this show. This is Data Science Leaders, where we learn from real experiences of those building and governing the intelligence systems shaping our world. A show by AI leaders for AI leaders. This show is brought to you by Domino Data Lab, trusted by the world's most advanced enterprises to operationalize AI responsibly and at scale. I'm Thomas Bean. Thanks for joining us.
