Why AI Governance Should Start With Data, Not Algorithms

by Henry Blakemore • 4 min read
Why AI Governance Should Start With Data, Not Algorithms - According to PYMNTS

According to PYMNTS.com, Billtrust’s Chief Product Officer Sunil Ahuja emphasizes that AI security should follow the same rigorous protocols as financial data protection, stating that “AI doesn’t get a special treatment” and operates under identical audited controls. The company applies existing PCI compliance standards, SOC 1 and SOC 2 requirements, and privacy regulations like GDPR and CCPA uniformly across all data, whether used for AI systems or traditional financial processing. Ahuja notes that Billtrust maintains strict human oversight for financial decisions and extends governance standards to all external partners, requiring transparency about whether customer accounts receivable data is used in training public models. This consistent approach allows teams to innovate with AI while maintaining customer trust through established data stewardship principles that treat security as a competitive advantage rather than a constraint.

Table of Contents

Why Existing Frameworks Outperform AI-Specific Rules

Billtrust’s approach highlights a critical insight many enterprises are missing: decades of investment in data governance provide a stronger foundation for AI security than starting from scratch with AI-specific protocols. Financial services companies like Billtrust have already solved many data protection challenges through PCI compliance, encryption standards, and access controls that translate directly to AI systems. The real innovation isn’t creating new rules but recognizing that existing frameworks already cover most AI security requirements when properly extended.

The Hidden Dangers in AI Supply Chains

Ahuja’s emphasis on vetting external partners reveals a growing concern in enterprise AI adoption: the security risks embedded in third-party AI services. Many companies using cloud-based generative AI tools may unknowingly expose sensitive data through training data practices or model inference leakage. The question “Do you use customer AR data in training foundational public models?” should become standard in vendor due diligence, yet many procurement teams lack the technical understanding to ask these critical questions.

Beyond Policy: Making Governance Work in Practice

While Billtrust’s principles sound straightforward, implementation requires significant organizational discipline. Extending existing controls to AI systems means ensuring that data classification, access management, and monitoring tools work consistently across traditional and AI workflows. Many companies struggle because their data governance was designed for structured databases rather than the dynamic data flows of AI algorithms processing unstructured information. The real challenge isn’t policy creation but operational consistency.

How This Approach Shapes Coming Regulations

Billtrust’s framework anticipates where AI regulation is heading. Rather than treating AI as a special case requiring entirely new legal frameworks, regulators are increasingly looking to extend existing data protection laws to cover AI applications. The EU AI Act, for instance, builds extensively on GDPR principles. Companies that have already integrated AI governance into their data protection programs will face fewer compliance hurdles than those treating AI as a separate regulatory domain.

When Security Becomes a Market Advantage

Ahuja’s observation that “security is a product feature” represents a strategic shift in how companies should approach AI competitiveness. In financial services, where trust is the primary currency, robust data governance may become more valuable than algorithmic sophistication. As AI capabilities become increasingly commoditized, the ability to implement them safely within regulated environments could emerge as the true differentiator in enterprise software markets.

Where This Approach Faces Limitations

While Billtrust’s data-centric governance works well for financial applications, it may not fully address emerging AI-specific risks like model poisoning, adversarial attacks, or the unique properties of vector databases and embedding spaces. The company’s human-in-the-loop policy for financial decisions acknowledges that some AI risks require additional safeguards beyond data protection. As AI systems become more autonomous, even robust data governance may need supplementation with model-specific monitoring and validation protocols.

Related Posts

The Flawed Logic of Banning Superintelligence - According to Forbes, over 65,000 people have signed a statement calling for a
The Flawed Logic of Banning Superintelligence

A provocative Forbes analysis questions why calls to ban artificial superintelligence don’t apply equally to human intelligence. The comparison reveals deeper questions about progress, regulation, and freedom.

NotebookLM's Custom Personas Transform AI Research Workflows - According to ZDNet, Google announced significant upgrades to N
NotebookLM’s Custom Personas Transform AI Research Workflows

Google’s NotebookLM has introduced game-changing customization features that let users define how the AI communicates. The update includes custom personas, expanded context windows, and long-awaited chat history saving capabilities that could revolutionize research workflows.

Leave a Reply

Your email address will not be published. Required fields are marked *