Name: Your GRC AI just made a decision. Can you verify it?
Uploaded: 2026-05-21T16:30:10.143Z
Duration: 54 min 38 s
Description: Your GRC AI just made a decision. Can you verify it?

Transcript for "Your GRC AI just made a decision. Can you verify it?": Hello. Welcome, everyone. This is the Mitratech, webinar on the GRC AI. Imagine your GRC AI just made a decision. Do you know how, actually? This is what we're going to discuss today. And today, we have two speakers out of three already joined, both from Hitratech, myself, and my colleague, Jared. There seem to be some technical issues with our guest speaker, but we don't want to have you waiting in the cold like we say in The Netherlands. So we decided to move forward with the webinar and make this an exchange between me and Jared because he's, of course, also speaking with a lot of customers. Meanwhile, I see a note that, our guest is here. So, let's continue as and visit. Luis, Carlos, do you hear us well, please? I do. I apologize. There was an outage of Internet at my, in the area that I am at but it's come back. So Perfect. I also did best. I age about ten years in the last fifteen minutes, so I, do apologize that you started. at such good that you started at such a young age, so you have the margin still. Would you, mind to start with introducing yourself to the audience, please? I will be delighted to do that. Thank you very much. My name is Luis Carlos Nino. I am the principal analyst for the risk management practice at Verdantix. I would like to start by again, apologize for being late. The Internet connection failed where I was, trying to get it back online. But I'm here now, through my personal phone connection. So, hopefully, it'll work out well. If I do drop again again, I'll try to come back online immediately. Thank you very much, for, for the invitation. John, Jared, it's it's lovely to see you. Thank you so much. Jared, would you mind introducing yourself, please? You'll come back to the audience with a demo later on, but maybe you can already introduce yourself. Absolutely. Yes. I'm Jared Howe. I'm a senior solutions consultant here at Mitratech. So trying to bring my, ten years in GRC and fifteen years in in legal and compliance more broadly, to to bear to help bring the solutions to life and and how it applies to that sort of the actual day to day practice within risk and compliance. So we'll do that later, specifically in the context of AI. But first, I wanna make sure that we leave you you all a chance to talk about some of the concepts that you guys are gonna be discussing. Yeah. Thank you so much. Jared, we catch up with you later. My name is Jan Stoppers. I'm a lawyer from The Netherlands. I've been in the GRC space for almost fifteen years now. And one of the main tasks here at Mitratech is to share insights what is happening in the market, what are trends, what are challenges, and how to tackle those. And that's why we have Luis, with us today. Let's start with the first topic. The general thought is imagine, this happens with some organizations already thousands of more times, an hour even, AI produced a certain output. How do you explain it? Luis, some initial thoughts on that topic. Why is this important topic? Why should the audience care about this, please? It's very simple, really. You cannot outsource accountability. You cannot turn around and say, oh, it's just the AI made that decision and we missed an opportunity or we breached a particular, requirement or regulation that are that the authorities, upon, ablest us. But, well, it was the fault of the AI. You it cannot be done. So, you need to understand exactly what your, algorithm is doing because it's the responsible thing to do, and it's in many places, it's required by law that you understand what the algorithm is doing. Yeah. So so that for an introduction, indeed we see that in more and more regulations it's the accountability principle that we already knew from different regulations is coming back and keeps coming back and it seems that the trend of the regulators that they demand explainability, accountability, an audit trail, basically, a possibility to explain how you got to a certain conclusion because eventually, you as an organization slash individual are responsible for it is really, really important. Can you explain to the audience how we reach this point and why is it such a challenge to actually show what, the trail looks like towards the outcome. Right. So the the biggest accountability issue the biggest accountability gaps that you have right now is, around the level the issue from from my perspective, the devil is in the detail. The the there is a need to be able to have enough information or provide enough information to authorities, that there is a human the look that there is a proper governance stance around an AI framework. There are accountability gaps, if you want to call it. Let's call them like that, around areas of, the extreme case is, autopilot illusion, the delegation completely without any oversight. There is the fragmentation by, committee ownership. Right? So imagine, as a second case, a model, that that triggers compliance failure or there's a hallucination output. And then there's a series of the issue is affecting a series of teams, and there is no one person responsible for the entire flow or the entire AI algorithm in this particular case, and therefore, no one can be held accountable to what is what is going on. There's a third element you mentioned before is the poor explainability of the models, the black box, component. And another issue is the the compliance and governance dichotomy. This is, relevant to the risk management industry as a whole. Compliance by checkbox clashes with compliance by algorithm, for example, and this is basically when the risk management team remains in 1995 mode, but the operations are in the 2026 AI, driven frenzy. So that is speed of light versus nine to five approach, indeed, as a big risk. We we we took out for most organizations, the honest answer is, well, we don't really know how we got there. Is it I mean, you are a third party. You work with many organizations. We do as well. But, I mean, I don't want the audience just to take this from me. Can you confirm that indeed this is the honest answer for most organizations that you work with? That they cannot 100% trace how the AI got there. Yes. And this is a look. When companies open up, they they share things with you that they wouldn't admit in ever in a paper, but there is pressure to put AI on top of everything. In some cases, they want to integrate it in any way they can, so they just kinda put a duct tape around an algorithm, and they just glue it to the size of whatever process and procedures that they they got going on. As a result of that, they cannot replicate one single decision. So they they cannot come and say, there was a decision in this particular not in the process. It went north and not south. We cannot replicate that. We cannot explain that. And as a result of that, they just go and say, well, that's what the AI algorithm did. And the question here is, where do you draw the line? Where do you put the human in the loop? And how does the human human in the loop review and validate that output? And where is it that you actually then redo an entire thing if you cannot trust the beginning of the process? So, ultimately, I think, Jan, what we're talking about here is, is trust is the asset that makes or breaks companies in the AI space. If you cannot trust the output that comes from there, then you got nowhere else to do that. You might as well pack and go. And some companies are just not there yet. Right? Yeah. Yeah. That's what we keep seeing as well. So that is basically the framework of today. Let's start with engaging the audience. We have a poll question, and the question is, you can read it for yourself, but I'll still read it out. When AI produces a risk score or a compliance flag, how confident are you that you could explain the reasoning to your board or a regulator? And if you could do the poll, we will look into the results in a little bit. What what do you expect to come out from this poll, Luis? I would say I would say 60% are gonna go between, three and four, and 20%, 30% around someone confident, and I think there's gonna be a minority of very confident. That's what I think it's gonna be. Okay. That is the bet. Let's see what the results are, please. 10% very confident. 27% somewhat confident, and the remaining in the other two. What do you think compared to what you expected? The somewhat what does. this say about the audience? Because, of of course, the audience is a, by default, consists of individuals interested in this topic. Otherwise, they would not join this webinar. So how how does this compare to what you expected? The very confident is bang on exactly what I wanted it what I thought it would be. It's it's a little bit lower. I thought it would be 10%. Somewhat confident, they said it was about 20%. It's 34%. That surprises me a little bit. The other two are well, they're for a little bit lower than what I had anticipated, but not that far. I think the someone confident is the one that is just, I was not expecting. It means that, there's some that those folks that are somewhat confident, means that they have they probably have a very strong AI solution that is ticking the boxes of the explainability that we are looking for. Right? Yeah. For for me, I think, of course, it depends on how many people voted, but I think this is a typical representation that we see when there's a relatively new topic that is quite equally distributed across categories. If we could back to, move back to the slides, please, this is the poll. And then on the next slide, we wanted to discuss what's actually happening with AI and GRC programmes. Could you please walk us through these numbers, Luis? Right. So, Thomas, so let's take a look at this this this data. We conduct a global corporate survey. It, inter this survey, we go and interview over around 400 corporate readers worldwide, and we're asking a series of questions related to the different views. And, the first number, the 56% of the firms will deploy AI and risk management over the next two years. We asked them what are the priorities for the next twenty four mores and where the investment is going to go. And the bulk of the respondents said that 56% said they are going to be bringing AI as part of, their risk management program in the in the first in the mid short to midterm, right, to next two years' time. So that is telling us that there is a strong drive and a strong motivation to bring AI. What is fueling it? Well, 48% of the corporate leaders see that well, before I jump into that, what is fueling it is the need or this frenzy that we've seen in the market around the topic of AI. Right? People see the opportunity to reduce some cost. People see the opportunity to automate, to improve, to enhance efficiency. They want to go for it. Right? But, for many of those leaders, for nearly half of those leaders, there are still hesitations and concerns, about the lack of trust in the, in in in the in the AI, and that is holding a little bit the, the adoption of the technology in the decision making process. So they're happy to look at it and entertain the idea, which is like the two numbers are almost showing you a a a struggle around the concept of AI. There are those who say, like, yeah, let's do it in the next two years, but there are those say, well, maybe not. Maybe at the end of the next two years, maybe not this year. Maybe we need to wait and see what, is going to happen, how things are going to evolve. And, they're just going to see what new what how it performs or how things evolve for other companies that are embracing it. They might not be the first ones to jump into the water. Right? So different companies, different organizations have different strategies around these topics. Now the next number, the 33% of leaders have increased spending in risk management to keep up with digital innovation such as AI. This is when we're looking at the questions around the budget that, corporate leaders have for their, for for the risk management team, where the money is going to go for. A third of them say, we just need to invest in the technology, because it is essential. So this is I think this one backs up the 48% quite a lot. If there was higher confidence in the technology to be able to, be explainable, to allow companies to have certainty that they can replicate and exercise, or they can go again through the entire, technology and get to that solution that they need to demonstrate to an auditor or to regulator why a decision was made. If that if that trust was higher, there would be a significant larger percentage of companies willing to, adopt the invest heavy in, in AI. So does that make sense, John? Yeah. I I little bit tension in the in the industry. Right? I understand. Yeah. And and I think, I recognize the tension a lot, now also, speaking at with organizations at conferences. On the one hand, in the in the frenzy to do something with AI, on the other hand, the reluctance to fully embrace it because of the unknowns, in these systems. If we look at what vendors claim, and and maybe it's also important for the audience what Verdantix exactly does. So maybe you could share a little bit of background, from that perspective. You see different vendors on the inside. What actually happens regarding the dynamics between what vendors claim and what that actually means to the market? Well, that's thank you for that. So yeah. But I sure maybe said this when I introduced myself. Verdantix is a company that specializes on risk, on on on market research. We look at technologies on a series of areas starting with, sustainability net zero and, obviously, risk management. The company provides an insight into what is, the latest technology. We look at vendors, we analyze them and compare them and go and provide an a a view of who are the leaders in the market and what are the topics and what is the innovation. That means that we get to speak to a lot of vendors. And when we have these conversations with them, it's not a simple kick on the tires and maybe measure the oil. We look under the hood, under the bonnet of the, we look at the engine that they've got. We look, continue the metaphor of the car. We take it for a good test drive. We ask uncomfortable questions, and we read between the lines. So we discern or we split apart the entire marketing, lingo that comes from, that you normally would encounter when you're looking into a website for a AI solution. And it's and and and the thing is it could be a little bit tricky sometimes because, the vendors could very easily bamboozle, the user with terminologies and and expressions that might not necessarily, be of, every everybody would use. Right? So it is important to take time to slow down the conversation, and to take a look at what how can I read between these lines, and and identify, what is marketing and what is a factor? And there are series of questions that you could ask that can be asked around that topic. The first one is, for example, you want to be able to see a structured JSON, a login, of the decisions that are being made. So you can ask, can your system explore a tamper proof log, showing the exact state, intent, and tool invocation for every autonomous decision that is being taken. Right? You can also, for example, try to determine, look, we what kind of deterministic policies are being implemented. So agentic loops must be bound by programmatic constraints. If an agent scans the database, you don't want that agent to be able to modify the database. So it's important to ask what, how to ask for those guardrails or those instructions, prove all those instructions that the platform, blocks unauthorized access or actions, from the from an a from an agent because you're talking about potentially changing records, and that's something that could be could be particularly difficult. You also want, for example, to understand the state of machine visibility. True agentic systems use frameworks like state machines or directed, acidic graphs to plan the task. You want to be able to visualize the map of the agent's decision tree. I mentioned it before. At what point in the chain, there's a decision made. At what point in the north, the decision is made. What is north or south? And how do you how do you can you justify that? And so you want to see if the agent changes a risk a risk score or if it explicitly tags, and what node was in the machine process that how it trigger. So it's a conversation of understanding that kind of, that kind of disability. You want to be able to reproduce the results. Part of the problem, and you mentioned this before, Jan, is that large language models are inherently probabilistic. Right? So they don't help in an audit process because you might ask something and the probability the probability of giving you answer x is one. And then when you try it again, that probability doesn't add. It goes on a different response. You cannot verify you cannot show that to an auditor or regulator verifying that the process is is identical. So the vendor has to support, the model and prop versioning. You must be able to log the agents from templates and understand, the versions that are being edited. So in six months' time, when there's an audit, you can show this is the version that we have, and this is what we're working on. Does that does that help you? Yes. It does. And and I also hope that the audience, realized that we're actually adding topics ourselves or or or or, insights, angles ourselves. As you see on the last bullet point, we wanted to make this a dynamic conversation, not just reading out the bullet points. So from my perspective, indeed, what I'm hearing, when speaking with organizations is that challenge that, indeed, you cannot every time again have the same result if you do AI powered queries. And it's so important organizations realize that increasingly to make sure not just to explain why you use AI, but also indeed those guardrails that exist to keep the outputs and the influence of AI within reasonable proportions, if it comes to compliance, risk management, etcetera, etcetera. So this this really, totally reflects what I'm seeing in the market, but you always formulate it much better than I do because you've seen more and you're more of an expert on this topic, of course, from a technological perspective. Yeah. Dan, if I can if I can if I can just. Please. add one more statement in here, maybe these things are difficult to spot in a conversation. Right? Maybe my help red flags that can, alert. The first red flag is the black box defense. If they just use a black box and they are not willing to share anything, that should different definitely trigger an alarm. The other one is the overreliance of self, correction of the model. So the model is correcting itself in a very high frequency way that, that should be something of concern. And the other one is a legal one, is the vagueness in a liability clause. So the verb the vendor terms of service disclaim all liability for actions taken by the autonomous agents. Their platform is an operational tool, not an enterprise grade grade solution. Yeah. Those are really good, indications indeed to look out for. If we go to the second poll, please, the audience already has some, seconds to look through it. What we would love to know what is your biggest concern. And, of course, in practice, this is most likely a combination of various of those. But if you would say, this is the absolute number one, which one is that? We would love to hear from you. The poll is open. Luis, I'm going to, do the same thing. What do you expect to be the number one, result from the poll? John, this is difficult because this one, they're all I will spare a relatively even distribution around those answers. There's not a single maybe maybe the first three ones are slightly heavier than the fourth one, but I would say it's it's gonna be relatively close because they're all incredibly I understand. And still, I expect that number one will score highest, but let's see if we can get the results, please. important. There you, go. accuracy is very, very high. How how could we explain this? Well, you said it. Jan, you put it in the title of the you put it on the title of the of the entire webinar. Can you trust it? If you can trust it, it's because it's right. So they want to see that accuracy. And, yeah, I think, I I get it. I get it. If it's right, if it's explainable or you got good governance setups or adoption, who cares if it's wrong? No? This is a very practical approach indeed. It might be like that. Yes, dear audience, this is, of course, a challenge to choose the number one concern, but maybe indeed that is the ratio behind it. I'm cautious of time. We're more or less halfway the webinar. So if we could move to the next I'm going to do that to the next slide, the transparency. Of course, keyword in this topic, auditability, another keyword in this topic. You already mentioned a couple of red flags regarding the contracting, the liability, etcetera, etcetera. But if we move from best practice to requirement, I can say that indeed the regulations are very much turning towards, a requirement, which is the explainability, the accountability, whatever you want to call it. You must, as an organization, go beyond checking the box and basically explain why you have a certain setup, what the result is, how it's, the system reached that result. So that is definitely a regulatory development. But if we look at the other boxes, Luis, could you talk the audience through those? The regulatory drive, I'll show you how with that. Yeah. Please. I mean, Yeah. if you want to add anything to that, please please do. Okay. So right. In 2026, the level of expectations have shifted fundamentally, from a an AI experiment to now looking at a strictly fiduciary and almost evidentiary, proof, when you're talking about, when you when you're when you're talking about the regulatory environment around AI. Right? So that's that this is not this is no longer experimental. This is now serious business. And there is a strong wave of, regulations coming around the world on this topic. But, the challenge here is that some organizations must navigate, or let me just put it this this way. The regulatory environment is moving at different paces in different jurisdictions, and the technology is moving at the speed of light. We have that gap. Right? We have that issue. We have that, for example, there is in The United States almost zero interest in putting at the federal level some sort of regulatory framework around, around AI. But this is not the case when we're looking at, at the state level. In California, there is, there is interest in building, or setting up a a regulatory framework around this around this particular item. I'm trying to remember the name of the of the regulation that is, that is being adopted in, in that part of the world. It's got a very it's got a name that it rolls off your tongue, and I can't it's I found it here. It's known as the Transparency Frontier Artificial Intelligence Act act, the TFAIA. It's just it's just an absurd name. It's basically, something that came into law not long ago. It was signed by go by by the governor, and is trying to, is trying to enact a landmark that establishes the first the nation's first comprehensive framework for transparency, safety, and accountability in the development and deployment of advanced AI models. Right? So there is that particular aspect. There is also well, we know that in the European Union, the EU AI act is kicking into full force in a couple of months, and there is going to be, requirements for event logging, a human oversight, things that are delayed linked, in articles 12 and articles 14 of that regulation. In The UK, the rules are subject to interpretation, but under the financial conduct authority senior managers and certification regime, a senior manager must be accountable for any material operation which includes agentic AI in compliance functions. And in in terms of, international standards, what we have is that the ISO 42,001 requires top management to assign and communicate accountability for each AI system, that overs the the organization deploys. So what we see in the regulatory in the in the regulatory framework in some countries is, the rules are being laid down, and they're really laid down in different speed and in different ways. In The US, just to go back in the federal level, there's no limit on the AI, but the Security Exchange Commission is cracking down on AI washing in the disclosure as part of the disclosure integrity. So companies that are being publicly listed, they cannot exaggerate or just say things that are not accurate regarding, the narrative of forward looking road map describing AI as a core to operational efficiency or profit margin. In The UK, the going back to UK, the UK Financial Conduct Authority, got in, aligned with the Treasury Committee in parliament and the Bank of England, and, they should join directly the requirement firms to map third party infrastructure dependencies related to AI. This goes again to the AI inventories, and they don't want any shadow AI sneaking in through different processes and procedures. In Singapore, they have, the media development authority launched the first model for AI governance framework for agentic AI. It's still in their in in a in a voluntary compliance stage, but that's where it's going. In Japan, the rules are still dependent and Australia, they haven't really well defined the framework. They're taking a wait and see approach. And in Hong Kong, you got regulators coordinating on a sandbox, especially in the especially now in the financial sector. And as of March of this year, they are the the the watchdogs, the the securities, insurance in authority are working together in this to be able to ensure that, they can monitor how the industry is is moving around. So the regulatory environment is starting to become really intense, really, really interesting. Then, shall I continue with the next box? It's the one on the on the board of directors. Yes. Perfect. Let's do that. Thank you. Okay. So as I was mentioning before, board of directors, are not looking at this as experimentation anymore. They want, they want this to work. They want a return on investment, but they also want this to be strictly fiduciary, and they want evidential proof around the entire deployment of, of AI. So they want what is understood by so many as a longitude longitudinal traceability, of AI. They want to understand the why and the when the board expects an unaltered world history showing exactly how specific, say, a risk score or compliance flag was compounded. If an anti money laundering, flag was, out of dismissed or a vendor score was lower, the organization or the directors would like to see the snapshot of the exact model and version that proper the template and the training data footprint used to, this to that to that degree of cycle. So this is something that we mentioned before, being able to replicate the results and keeping tabs of what version of the AI model was being deployed at that time so you can demonstrate that the logic was there and that this was not in a hallucination or a random decision. If they if somebody turns around and says, well, the system flag it, I think that person's gonna find itself in a in a little bit of trouble. Right? Then they also want to define, they want explicit proof that the compliance things are not simply rubber stamping their outputs. High performance boards demand regular metrics on human engagement rates and documentation of every time a human in the loop overrode an AI calculation. Right? And, last but not least, we mentioned this briefly, the shadow AI and the vendor, footprint mapping directors, I think, are gonna demand that there is a clear inventory of all AI, dependencies across the enterprise infrastructure. And here is the kicker. This is probably is going to include third parties because third parties have a huge impact on an organization. And and and there is not a lot of software solutions out there that are looking at to what third parties are doing with AI and how they're affecting an organization. So this is a space to watch. And, well, we we want to talk about the gap between organizations, the gap most organizations have right now. This we touched briefly. I mentioned a few things briefly at the beginning, of this is how, there is, one of the gaps, I think, is the autopilot illusion. Right? We we talk about that the the robot is running, and they're just letting it run for the sake of running. The other gap that I think is is gonna happen and this is quite difficult in the sense that the technology moves very quickly, and the governance doesn't necessarily move at the same speed. And governance arrangements go through a process. Companies make these changes following a particular procedure. It's not a it's not a add water and pop in the microwave kind of decision. Right? So the governance arrangements that are governing a particular type of instructions will go through that process, but the technology is probably moving very fast. So that leaves, that, that leaves a gap in what I was referring to earlier as compliance versus governance dichotomy, when I said that, the company is, the risk management team is in 1995 mode, but operations is in 2026, moving on a far far higher speed. That kind of there's a gap in there. So companies probably need to think to have a more flexible or a faster way to adjust the governance arrangements around the use of AI. And, go what good looks like in 2026, I think what good looks like in 2026 is being able to get, sets of results that you know that are correct. When you're looking when you're looking at the accuracy of a model or a particular AI algorithm, you need to ask some questions such as, what is the rate of fair, false positives and false negatives as a ratio of all the observations that are that are training model is throwing out. That number really needs to be, relatively low compare, and it needs to be relatively low compared to the ratio of true positives, true negatives as, as a whole of the all of the observations. Right? They're gonna screw each other. But that means that the model is doing something right. And, the you also want to be able to understand what was it, how did the model come to that decision, what were the steps that it took to that decision, and how you can replicate that. Yeah. This was quite a deep dive on the topic indeed of transparency and auditability. Still, it's just the top of the iceberg, if you will, because there's so much to this topic. What we wanted to look into now is more from a positive tone, what good looks like when GRC data is connected. If we look at, a topic that many front runners in this space have been advocating, including ourselves, for quite some time now, is to try to move towards a single connected view, towards risk intelligence, as some people call it. So beyond siloed approaches to have a connection between the risk, the policies, third parties, and compliance itself. We we can not just a webinar. We can spend a a multi day conference just on this topic. But, Luis, and I'm also conscious of time, we have about twenty minutes left in the webinar. If we look at this topic specifically, can you share with the audience a couple of or maybe one good example of what you've seen in practice, where an organization indeed managed to connect GRC data and what the benefits were of this. I don't want to name names. I don't want to to to to to go down that. But what I can give you is an example, of how the organization broke down. I'll give you two examples. I'll give you an example of a large corporation that works that works in the IT space producing machines, laptops, screens that we probably have at home, and they have six different ERC systems in place. They have large operations. That is a very clear example of a siloed approach to risk management, and they are very vulnerable and very exposed to different changes because they cannot concentrate. There's things that I I mean, I don't I there's there's solutions that can solve this problem by bringing things together. Jared is going to show how, there is under one arch in the on the Intertek platform to bring the data in a very neat way and helps cut off and break down that particular, silo logic. And I was speaking to a a corporation that produces medical devices, like, the valves for heart operations, and they produce quite a lot of equipment for for for for for the for many for medical purposes. And they used to have different types. They have quite a lot of dependencies on third parties and a lot of raw materials that need to come from different parts of the world, and they have to produce everything on very specific features and then send it across the world, because that's the the business. Right? They produce things in Europe, and they have to send it to whatever market where the patience is. So they have to keep an eye on their supply chain. They need to understand the third party environment very well. They need to comply with regulations that are not just in Europe, but, say, in The US or in India, or they have to look at regulations in Latin American jurisdictions, and they need to be able to keep an eye on all that information. And they're collecting things through, through a GRC solution that is picking up risk intelligence data very efficiently. That is keeping an eye on those third parties, that is enable them to understand what are the risks that they are getting, and they're complying with particular regular regulatory in multiple jurisdictions. And they are obviously following their own policies very, very clearly because these are not just minor devices. They might be tiny, but they are quite important because we're talking about life and death in here. So that's it. So this is a very good example of, how they break away from the silos, how under a very interesting solution, they're able to, bring things together, and they make just it just makes sense. Yeah. Perfect. Thank you. If we look indeed, you already, introduced Jared briefly, and Jared introduced himself briefly to the audience. We have about fifteen, little bit less, minutes left to look at how Mitratech actually addresses this topic. We thought for the audience will be valuable to see what this actually looks like in practice. So, Jared, please take it away. Absolutely. Yeah. So I I couldn't help but notice that the the top poll priority for everyone was accuracy. So one thing I'm gonna touch on that we will see an example of in the system, but I don't I wanna make sure I call out what's happening there, is that one of one of the key things we do to ensure accuracy within our solution is a multi agent architecture. So all of us have been using an LLM for a complex problem and had a long discussion with it where we're trying to work through different facets of the problem. And as we go through that sort of back and forth with whatever LLM we're using, later on in the conversation, it starts to say things that contradicts things it said earlier, and then you can get it to kinda break down and totally lose focus. So to avoid any kind of challenges of accuracy and model drift like that, we use a multi agent architecture that has specialized agents that do specialized tasks and then other agents that can orchestrate those those those sort of focused agents. That keeps everything focused and tight. So what I wanted to show today is, one, the transparency piece that that that that's highly important, and then a little bit of an example of of what that multi agent architecture looks like looking at a big picture, but then also looking at at that at the micro agents within there, and and also the transparency kind of all along the ways we're doing there. Of course, we're gonna have to see human in the loop along the way because it's inherent in the way that it all works. So I'm gonna go ahead and stop sharing the deck here and and share my share my screen, Yeah. to be able to show show the system live here today. Thank you. So as we come in, we're gonna land here in Mitratech's, global GRC platform. So this is where I can come in and access whatever parts of, my GRC program are relevant to me. You know, quickly jumping into any depth in there because you still need the depth and richness as you get into looking at these specific areas that were silos. But this is where we're coming in to kinda centralize that information, and, you know, keep track of all the different notifications and feeds that are going on. In this case, actually, aggregated and sort of using an agent experience to help me make make sense of broader trends and more information rather than just the individual task alerts, you know, getting into the alerts and analytics and things like that. But what we're gonna do before we take a look at any of the the AI functionality and the transparent and and sort of the human in the loop piece is that transparency. So when I'm we're operating the different AI in here, I can go through and enable or disable an opt in or opt out of any specific AI feature across my suite. So one of the key pieces for for trustworthiness is the control. Right? So being able to make sure that I can review each AI, agent and and and feature specifically and opt in or out of those as I want to. And then as I go through through and start managing different agents, then I have that transparency to come in and see what's going on with each of these individual agents, getting into the details behind them, and getting down into the specific tasks and and and auto history behind what the agents are doing just like I would a human user. Now in terms of what that looks like in practice, when we wanna come through and start to interact with the agent, it's gonna be kind of the familiar experience that we've we're we're coming to know as we use AI more and more in our our so I can kinda go old school and and click learn more and and drill into sort of interacting with the tools and functions to manage the underlying tasks here, or I can ask Aeries to come through and do an analysis for me. So it'll break out the work that it's doing there, and and then it'll give me insights into what it's finding. So, well, this is a third party risk piece that's coming in. It's noticing that there's impacts from a policy and, enterprise risk perspective as well, and then it's giving me some suggestions about what I can do with that. So this is that human in the loop piece where, you know, the the system isn't just going out and trying to solve the problems that it feels that it found. It's telling you what it believes it found, and then it's letting you see the underlying data behind that. So I still have the option at this point to go out and sort of mainly intervene with any of these things and and take action just like I would historically. But now if I want to, you know, sort of embrace that Ajenti experience, I can choose what I want the agent to help me with. This is where it's gonna start to leverage that multi agent architecture. So I'm not asking, you know, whatever my favorite LLM is to go out and do a complex task and start building those steps on steps where it starts to drift. I'm asking it to engage the correct agents that are focused on this, that follow my configuration and are and aligned with my policy practices so that it unfolds exactly as I would expect it if if a human was doing it. We have some transparency in here. Right? We're gonna schedule these actions where they can be, and that leaves me a chance to undo them if I change my mind. And because I don't fully trust AI yet maybe, I'm gonna avoid doing the one that's irreversible, and I'm gonna reach out to my subject matter expert for that one. So when we go ahead and and run these, it's going to make me confirm first, and then it will go out and execute those using the the those other agents that are more focused on those specific tasks and give me the updates on there. So we're gonna keep that audit history of all the everything that's happening there sort of at the agent level. And that's sort of that that big picture, the the the big agent. But there's also sort of the the smaller ones. Right? So when people are interacting with AI throughout the process and then I wanna touch on some of that and how that's built in for human in the loop, but also for for transparency. So for that, I'm I'm gonna I'm gonna switch over to, you know, just an one of these assessments that's been sent out, and take a look at what does that look like from the view of someone who's receiving it, and and how how they might leverage artificial intelligence in here. So we can see what I've done is I've got I've got some, evidence and documentation that I've I've applied to this, to this assessment. I've I've got a a document summarization and and relevancy checking enabled in my in my organization. So I'm able to come in and gain some insights into what's in this document that's been provided. But then I can also actually ask Aries to help me assist with this answer. So it's going to analyze the evidence, and if I put an explanation in that as well and give me a suggested response of what it believes my maturity is, It's also going to give me an explanation behind that. So I can actually apply this directly to, the the the answer if I want to and use it as my explanation, but I can also use it to understand what the AI is doing when it's making its suggestion for the response that I should have there. So this is gonna streamline that users that that sort of responders experience while still giving them the human in the loop experience and give them the transparency into what the AI is thinking so they're not just blindly accepting AI suggestions along the way. The reviewer has complete transparency into this as well. So once this has been submitted, I can see the answer they provided. I can see the explanation that they provided. And from here, I can actually go in and and, look at the audit history behind this and see where they accepted suggestions, from Aeries. So the user is still held accountable for the decisions they've made, but I, as the reviewer, have the insight to see that they did leverage AI suggestions when they were doing this. So that human in the loop is reflected as well as that transparency. And if I go through and start leveraging AI along the way, to to kind of look at at my review process, I'm still gonna be able to then go in and have that human in the loop experience. So I'm getting now why it why it thinks I should accept this or reject this answer. Right? It's actually doing a detailed analysis. It's saying, hey. This this document is saying that it confirms annual reviews, and the and our control requires send me annual reviews. So it's suggesting that I I reject that that that suggestion. It's moving in my suggestion in there, and, again, everything I'm doing is audit log with suggestions by Aeries in there. So that's sort of in practice how we take the both the big picture of running true a a true agentic experience across the platform that starts to go through and automate actions for us in a controlled human in the loop way and driving that audit history behind it, but then also sort of enhancing the user experience where we do need to have a human in the loop with AI intelligence and suggestions that are transparent and that you can understand and trust, and then continuing that audit log down. So anything that happens is a human decision with transparency for where AI was supporting it. Perfect. Thank you. Jared, if I may, there's a question from the audience. Where's the data coming from? Sorry. Where's the data coming for analysis from, for the AI agent from the data feed by the company, so within the GRC solution, or does it also check external sources outside the company? So for the majority of the AI features within the Mitratech's platform, it is working off of the off of the company's data. So we're gonna be pulling it directly from the GRC program, which, of course, can use API integrations to pull in data from other systems within the company as well as any external sources if we want news feeds, things like that. We, of course, have vendor threat monitoring that comes in from a variety of partners for sort of threat intelligence from from vendors. There are things that we that can kinda check open web sources. So if we're looking for, like, mitigation suggestions for a risk, we wanna look outside of what the organization already knows or have that option to, or we can choose to just focus internally. That will evolve over time. Right now, the one of the things that we're we're doing is keeping it maintained to the core data within the system for most of the AI suggestions because we wanna make sure we're retain we're retaining that trustworthiness. Right? As we go out and start looking outside of of the known confirmed data that you guys have have signed off on within your organization. We start to get into things that maybe just aren't true, and AI wasn't able to flesh out that these were it was inaccurate data that's coming in and making decisions on. That was a long sentence, that last one. But thank you very much. Luis Carlos Nino, thank you so much for your time. Audience, thank you so much for being with us in so great numbers. There is more to this. If you have any questions, if you'd like to learn, from us, if you'd like to learn about us, what Verdantix might mean for you, please do reach out to us. We're looking forward to hearing from you. Thank you so much. Thank you very much. Bye.