IBM’s Legal Chief on What Successful AI Strategy Looks Like

Steve Odland: Welcome to C-Suite Perspectives, a signature series by The Conference Board.

I'm Steve Odland from The Conference Board and the host of this podcast series. And in today's conversation, we're going to discuss AI at scale, how to build governance into the future of AI so that it's trustworthy. Joining me today for the conversation is Anne Robinson, the SVP and chief legal officer at IBM.

Anne, welcome.

Anne Robinson: It's great to be here. Thank you for having me.

Steve Odland: So, you know, Anne, every company has deployed AI in various ways. Can you give us just generally, how is IBM implementing AI across the organization?

Anne Robinson: Sure. Well, we are implementing it internally very similarly to the way that we work with our clients. And that is to build AI-enabled systems that are specific to our data, our processes, and our competitive needs.

We leverage smaller, more efficient models like our Granite model. And we work internally with our teams in consulting and then technology the same way we do with our clients. So we leverage watsonx, our agentic platform Orchestrate, and Red Hat AI to make improvements to both back-office functionality, as well as the workflows that come across your desk.

Steve Odland: Yeah, so lots and lots of flavors of AI implementation, and that creates a challenge, of course, in governance. And you want your AI to be trustworthy. Talk about what that means to IBM and to you as you try to govern this.

Anne Robinson: Yeah, well, it's an incredibly important question. As you note, in the rapidly evolving landscape, having trustworthy AI is critical to the successful deployment of AI. And the way I think about it is that trustworthy AI is basically AI that people can understand, that they can rely on, and that they can control. So it has to be transparent, which means that it must be explainable. Not just disclosed, but explainable. And it has to be well-governed.

If you can't explain how AI works, if you can't explain how data is used or who's accountable for it, then it's not ready for use within your enterprise or across the public domain.

Steve Odland: Yeah, and it's got to do what you intend it to do, right? I mean, you read a lot of stories about hallucination, of AI agents canceling things, and others going rogue. And you can't have that happen when you're trying to make it trustworthy.

Anne Robinson: That's right. That's right. And there's, frankly, quite a bit of fear in the ecosystem around adopting AI. There's apprehension. There are folks who are concerned that AI is going to displace them. There are concerns by those who would use AI that AI is not reliable. And so there's a lot of fear. Fear of the unknown. Fear of change. And so, having a trustworthy AI is actually the remedy.

Steve Odland: Yeah. So trustworthy is not just, you trust the output, but it's, do you trust that it's engaging in the right way, it's doing what you want to do, that it's enough to make your constituents relax, right?

And you're dealing with customers, employees, owners. I mean, it's broad number, multi-constituent world and multi-stakeholder world. So it really crosses all of those folks, right?

Anne Robinson: Absolutely. And you know, one of the things that the technology community has acknowledged is the challenge associated with scaling AI, getting it really well-adopted within different enterprises.

And I think the way, again, I look at it is quite simple. And that's just that people don't use what they don't trust. So if you don't understand it, if you don't know how it works, if you think it will operate differently than intended, it's not solving your problem, then you're not going to use it.

And so, in order to drive scale, you have to have adoption. In order to have adoption, people have to understand and trust the technology that they're working with.

Steve Odland: Right, and so it's not only just trustworthiness, but it's trustworthiness at that scale, yeah?

Anne Robinson: Yeah. You won't get to the scale if you don't have trustworthiness. Not enough people will use it in order to get to that scale if they don't trust it, if they don't understand it, if they're still fearful and reluctant. You just can't generate that scale.

And you don't get that kind of experimentation that says, I've got this problem on my desk, right? We can talk about the back-office functions, but I've got this problem on my desk. You're not going to immediately think to an AI solution to help you solve that problem on your desktop if you don't trust it, or if you don't understand it, or if you don't understand its benefits and its limitations so that you know how to use it appropriately.

Steve Odland: Yeah. So, really important stuff. You are the chief legal officer at one of the largest companies in the world, a technology company. IBM's been at the forefront of technology forever. As you think about governing this new frontier, AI, how are you doing that? I mean, there's the whole enterprise risk management processes, or the board audit processes, heat maps. Everybody's got all these tools.

How are you thinking about it, and how do you govern it in the context of internal and external constituents?

Anne Robinson: Right. A couple of really critical elements to a good governance program. And the first is by sort of taking a step back and identifying, what are the key principles that you would like to, or that your enterprise thinks, are required to manage the deployment of AI in a responsible way?

And then, the really critical thing that we've observed is, when you're deploying AI and you want to have good governance, that you have to do it early, you have to do it on day one. It can't be, let's figure out what AI we're going to deploy, let's figure out what data we'll leverage, and then we'll add governance later as an overlay.

And so we design our AI programs and our governance with transparency in mind. And that's so key to usability, operability, but it is also key to governance, is transparency. Having clarity around data ownership. Having clear controls around access and use cases. And making sure that you have auditability. So being able to look back and pressure test. Did the technology and did your governance operate as intended? So having auditability built into the way that the solutions work.

We also think that risk tiering is important, so identifying higher-risk use cases. And for those use cases, ensuring that you have stronger oversight and accountability. All at the same time, you don't want to limit or stifle innovation, but you want to encourage that innovation, and you want to encourage the use cases that are appropriate with the right risk governance and framework.

Steve Odland: You know, that is so important because sometimes, if you're too heavy on the management of it or the regulation of it, you don't get the best out of it, right? So it's really a difficult, or maybe not difficult, but it's a deliberate balancing act.

Anne Robinson: That is the perfect word for it, is balance. The key in all of this is balancing. Those things like innovation and oversight, innovation and creativity and risk management, they are not mutually exclusive. They are not opposing forces. They, in fact, are incredibly complimentary.

And so good governance actually enables that innovation because the teams can create and ideate freely if they know where the guardrails are. When people understand both the opportunity set right, the universe of opportunity to create within, but they also understand what those guardrails and limitations are, they can move more quickly, they can make faster decisions. And I think in general, just to create a much greater capacity for leveraging, in a very innovative way, some of the new technology and capabilities that are out there.

Steve Odland: Yeah. And as the general counsel, you're in an interesting role, cause you're talking not like, you know, the regulator, you're talking like the business person, which is really important.

And for those of our listeners, if you're on the business side, you want to engage with your legal group in this way, in a partnership here. But you can hear it coming out of your comments, Anne, that you got to be viewing this, not as with a heavy hand, but you got to be viewing it from the beginning as a partnership. Build the controls and the trustworthiness, as you say, into the process or into the implementation from the start. That's what you're saying, which is really important.

Anne Robinson: Absolutely. And I come to IBM with 30 years of experience in highly regulated industries. And so understanding both the benefit of guardrails to creation and to innovation, and understanding the underpinnings of a lot of those guardrails has been really important, I think, for technology companies. You don't want to be in a situation where the rules get ahead of the way your company would like to deploy AI responsibly.

And so identifying your responsible technology principles, implementing governance frameworks early and embedding them in the workflows, is a reflection that enterprises and companies that are using and leveraging these really impactful AI tools, understand the role that they can play, understand the risks, and are improving the way their companies operate, with a sense of personal and professional responsibility for how those technologies are used.

So, I think governance is critical to creating a business opportunity, not limiting it.

Steve Odland: Yeah. And, this is against the backdrop of, OK, so what if it goes wrong? Well, what if it's not trustworthy? What if something happens? In this day and age, reputation is everything.

And with the speed of social media and communication, you can really destroy your company's reputation, shareholder value in seconds by letting things get out of control like this. You know, I don't want to call it existential, but it is really important that this is done carefully.

Anne Robinson: So you said something really interesting that I want to pick up on because I think if you're thinking about building a governance framework, I would start exactly where you did. Which is the question, "What if?" But then I would reframe it to, "Well, what happens if?" So that, "What if it happens?" doesn't shape the approach entirely.

But what if this bad thing happens? Am I going to not do it or do it? But "What happens if?" allows you to plan and build in the guardrails so that you can deploy AI in a way that's thoughtful about the potential risks. So as a secondary question to "what if?" ask, "What happens if?" And if it happens, what's our plan, and what are the things that we can embed in the end-to-end workflows and in the deployment of AI that plan for those "what if" moments? And then you can better calibrate, is something high risk, low risk? Is it within your risk appetite?

Steve Odland: Yeah, really important. You've characterized it as an AI governance framework. What would you include as the key elements in that kind of a framework?

Anne Robinson: Yeah, so, accountability. Being really clear on who owns the decisions and making that ownership easy, clear. Transparency and explainability. And that means that real users can understand, again, how tools and technology can benefit, what the limitations are, how they work. That explainability makes for more responsible use. It also helps to make people more comfortable engaging with the technology.

And then, controls around data. So where does the data sit? Who can access it? Access to not just data, but certain systems. So access is key. Life cycle management, and those management protocols that evolve as the technology evolves. So also having a governance framework that has core but has the ability to evolve as technology evolves and as use cases present themselves over time. So those are some of the more critical elements that we think about when we think about good AI governance frameworks.

Steve Odland: We're talking about AI governance and trustworthy AI and companies. We're going to take a short break and be right back.

Welcome back to C-Suite Perspectives. I'm your host, Steve Odland, from The Conference Board, and I'm joined today by Anne Robinson, the SVP and chief legal officer of IBM. So, really interesting conversation before the break. Anne, I want to pivot a little bit because IBM does work with, gosh, everybody in every country. I mean, IBM is ubiquitous. But there's work in the private sector and also in public sectors.

And, as you think about the public sector work, is there any differentiation as it relates to AI in the public sector versus your private sector work?

Anne Robinson: Well, so let me first make an observation about what I'm seeing in the public sector. And the first is that there is a lot of energy, there's a lot of enthusiasm for the different ways in which AI and emerging technology can create resources and positively impact different government programs.

I'm also seeing a healthy amount of skepticism. There's a lot that's unknown. There's a lot of competition in the marketplace, so governments I think are navigating with some degree of skepticism. But most of all, what I see is a sense of urgency. And the sense of urgency is born out of the reality that AI is deployed across the private sector, and as AI is deployed in different government agencies, it is becoming more and more embedded in critical infrastructure.

And so governments are going right back to your original question. Governments are also trying to balance how AI can be leveraged to bring new resources and capabilities to their societies, to create healthy, thriving, vibrant and competitive business communities. But also manage the risk that AI can introduce as it gets more and more embedded in critical infrastructure—so financial services, energy—in their countries.

And so our approach to governments when they are trying to understand how to shape policy, as well as how to deploy AI within their regions, is to engage early. To engage constructively to recognize that balance. And so our goal is to help policymakers understand how AI really works in practice, not just in theory.

And it keeps going back to, I'm going to sound like I'm repeating myself, but it really goes back to that transparency and explainability. Policymakers need to understand how AI works so that they can understand both the benefit and the risks that can be introduced.

So good policy in any region should manage those high-risk use cases. It should absolutely address the risk to business continuity and government efficiency, but it should be able to do so without shutting down innovation. And so that's where it goes back to that balance, and that's one of the things that IBM works closely with governments to try to help them manage.

Steve Odland: But at a high level, I don't hear you saying that managing of a trust framework or a governance framework is any different, depending on your customer base, whether it's the private or public sector. There are different considerations by customer, of course, all the way around. But am I hearing you incorrectly?

Anne Robinson: No, absolutely. I think the private sector and the public sector have very similar interests, and more often than not, those interests are aligned. And so, bringing to each constituent observations, learnings, insights from the other is also one of the things that we do with our clients in both the private and the public sectors.

Steve Odland: OK. That's very helpful. So, you're very advanced in launching enterprise-grade AI tools and the frameworks and everything. I'm sure that not everything went perfectly along the way, and you probably learned some things in the implementation. What would you share with our listeners around those learnings?

Anne Robinson: Well, I think one of the things that we're observing is, the appetite for experimentation starts many places in this sort of, "We're going to experiment" or "We will pilot." And it's going to be important during that pilot phase to Increase excitement and engagement to help deepen understanding and trust about the way AI tools work, but then moving quickly from that pilot phase into leveraging AI solutions in core operations.

And so one lesson is when you improve core everyday processes, when people see AI handle repeatable tasks well, those same people see the benefit right away. They adopt those capabilities, trust builds, and then it compounds. That's when it's scales. And so that's another reason why we say that AI scales better when you build those governance elements in from the very beginning. When people understand the guardrails, they move faster, they move more quickly with confidence, but you can also embed those guardrails into the way AI works from an operational standpoint.

So then it becomes easy. It's not an afterthought. It's embedded. People understand that it's embedded and that they can rely on it. And so making sure that it's embedded early, that it's embedded in everyday processes, helps it scale, helps it grow really quickly.

Steve Odland: So it's really interesting. You've said several times you've got to do this from the start and build it in from the start, which is really helpful. Any other kinds of lessons beyond that? Were there any hiccups that you can have others avoid?

Anne Robinson: So, sure. So one of the things that I think I also mentioned was making sure that you have a framework that can evolve. So I wouldn't necessarily call adjustments that we've made over time hiccups. Certainly, nothing's perfect, but that technology is evolving rapidly, and so you should not expect that everything that you have in place today will be fit for purpose from a governance standpoint, for use cases and technology that will emerge tomorrow.

So you have to anchor yourself again, around your key principles, and then have the framework that ensures that your operations reflect those principles. That framework has to be able to evolve because again, technology will evolve, use cases will evolve, and so it has to be able to grow and adjust as the technology does the same.

Steve Odland: So that means you have to have a process in place that you whereby you revisit them. You can't carve them in stone and run away and leave them out there. You got to use them in an evergreen but continually morphing fashion, right? So it's a management process.

Anne Robinson: That's right. And you have to have the right people involved in that oversight exercise. So IBM has an AI ethics board. It's cross-functional. It has representatives from our control functions. It has representatives from different lines of business. And the point of that board is to consider those things that fall outside of the operationalized governance framework would capture.

So where you can have it embedded, where it's operational, that's great, but if you're again, innovating and creating new use cases, looking at different areas for deployment, there will be things that fall outside of that operationalized set of guardrails. Having an ethics board or a responsible technology board allows us to capture those things, have that human oversight, that personal evaluation, so that we can look at use cases and/or emerging technology that wasn't necessarily contemplated at the outset.

And so we've tried to learn from situations as they have evolved, and we've made modifications to grow and keep the framework healthy as use cases have presented themselves.

Steve Odland: Just thinking about the process and how you manage just even the framework, it goes back to the implementation of any kind of change. And this is huge change. It's change within a company. It's change between a company and its constituents, as we discussed. And change management is a deliberate and strategic process.

In other words, we talk to CIOs, CTOs, and they go, oh yeah, we implemented AI. And you go "Oh, OK, you implemented it. What does that mean?" "Well, we turned it on. The apps are there." Yeah, yeah. There needs to be deliberate user development, training, involvement. And the governance of that is part and parcel to that, cause you can't just throw it out there. You've got to teach people not only how to use it, but how to use it within this framework. So the whole change management process seems, to me, to be super-critical in this.

Anne Robinson: So can I just leverage that to make a point that is actually more broad than just AI governance?

Steve Odland: Yeah.

Anne Robinson: And that is that as enterprises are considering how to leverage AI, responsible AI, the first question to start with is, what problem are you trying to solve? Like, you don't start with what technology do I want to use? You start with, what problem am I trying to solve? And then you move to, what am I doing today, and does what I'm doing today work? And if so, how do I make that thing that works operate more quickly or more efficiently or with more insight? And if it doesn't work, what's broken?

Because if you move to automate or leverage AI against a broken system, it'll just execute that broken system more quickly, and probably with more of those hallucinations and flawed insights. So you have to start with, what problem are you trying to solve? You have to scrutinize your existing processes, your existing workflows, and make sure that you understand where the strengths in those are and where the weaknesses are. And then you translate improvements of those workflows, those controls into an AI-enabled system.

That's where you have to start. Once you decide to deploy AI against that problem, then you embed the governance framework and the responsible principles across the board. But I strongly encourage companies to think about AI as a tool, as a resource, not the end all, be all. You have to start with the problem that you're trying to solve.

Steve Odland: Yeah, and those are words of wisdom. And for some people to say, well, AI is not fixing a problem, it's opportunity. Fine. It's the same thing. What opportunity are we chasing? The whole point is, be deliberate about it, think through it, and implement it in a way that not only just throws the switch on the tool, but implements it in a thoughtful way, a trustworthy way within a framework that trains people on business processes, and all the above. It needs to be more comprehensive than flipping a switch is the point.

So any final thoughts, Anne, on the deployment of trustworthy AI and governance frameworks?

Anne Robinson: Well, I think the one thing I would call out and encourage companies to consider is the extent to which, in the pursuit of AI solutions, that they lose sight of why they are interested in deploying AI. And that they make sure that they really understand the external infrastructure that they might be leveraging, and understand where control sits over that infrastructure.

So often, I think, we assume that AI failures are technology failures. When more often than not, they are failures because the users don't understand the solutions that they're leveraging, why they were there in the first place, because they haven't embedded some of those governance principles into the way that the AI works. And so really starting with understanding what problem that you're trying to solve, but also understanding the external infrastructure that helps support any AI deployments that you leverage.

Steve Odland: Great thoughts, great words of wisdom. It's really interesting. We're in a brave new world here, and you get these leaps in technology, what, once in a generation, and here we are. And so you really do have to think about this holistically. And I think your example suggests that IBM is way ahead of, I won't say everybody else, but way ahead in the game on this.

And we really do appreciate you sharing your thoughts, Anne, with everybody. Anne Robinson, the chief legal officer of IBM. Thanks for being with us.

Anne Robinson: Thank you for having me.

Steve Odland: And thanks to all of you for listening to C-Suite Perspectives. I'm Steve Odland, and this series has been brought to you by The Conference Board.