How do you handle AI tools in your organization?
Hi everyone,
---organization and my job context---
I work for a company that provides support services for large clients. We have many different projects, different client requirements, network segmentation, project-based access, and quite a lot of security tooling such as XDR, SIEM, WAFs, etc.
The organization is split across multiple countries. At group level, there is a CISO and a security team responsible for the overall security strategy. However, the country I work in operates fairly independently. Our local infrastructure is mostly separated from the group. There are some external admin accesses and traffic flows, but the group IT team does not really handle our local operational work, such as servers, updates, firewall changes, or day-to-day access decisions.
In my country, I am the only security person. My role is a mix of compliance, GRC, technical security, alert analysis, and log review. Basically, I am the “security person for everything.” I have around 3 years of experience in cybersecurity, and I am starting to feel that the lack of support and specialization is pushing me into bad habits.
---current problem---
The current issue is AI tools.
Because we work with many clients and projects, internet access is heavily restricted. In general, we only unblock specific websites that users actually need for their work.
Recently, the business came up with the idea of using an AI tool that joins meetings, takes notes, creates summaries, and prepares action plans. From a business perspective, it sounds great. From the perspective of being the only local security person, it is a nightmare to assess properly.
I am not sure what requirements I should define before allowing tools like this, or when it is reasonable to approve or block them.
I tried to get support from our CISO or group security team, but the answers are mostly vague. I get redirected to other security people in the group, they redirect me somewhere else, and in the end nobody wants to take responsibility for a clear recommendation.
So my question to people working in security, compliance, or GRC is:
How do you handle approval of AI tools like this in your organization?
Do you have a checklist, policy, risk assessment process, or standard requirements for vendors?
Who makes the final decision in your company: security, compliance, business, CISO, or someone else (maybe even directors)?
Do you treat these tools like regular SaaS products, or do you have a separate AI governance process?
I would really appreciate practical advice, because right now I feel like a local “mini-CISO” without the proper authority, experience, or support, and everybody wants me to perform, so I'm quite lost.
TLDR:
I am the only security person in my country within a larger organization. The business wants to use AI meeting note-taking tools, but I do not have clear guidance from group security or CISO. How do your organizations assess and approve tools like this?