Kitecast

Diane Janosek: When AI Outruns the Law

Kendall Barnes Season 4 Episode 53

Dr. Diane Janosek is a nationally recognized cybersecurity leader and CEO of Janos LLC who advises organizations at the intersection of technology, law, compliance, and policy. With a rare résumé that spans a PhD in cyber leadership, a JD, practice before the U.S. Supreme Court, and senior leadership roles at the National Security Agency, Janosek brings a perspective that neither a pure technologist nor a pure attorney could offer. She describes today as an exciting moment in history precisely because artificial intelligence keeps producing what lawyers call "cases of first impression" -- novel questions the courts have never decided before -- and her dual background lets her see both the legal framework and the technical challenge at once.

Much of the conversation centers on a deceptively simple question: Who owns what? Janosek illustrates how AI scrambles traditional notions of ownership and liability. When an AI tool rewrites your content, clones a narrator’s voice, or blends your proprietary idea into its own output, the lines of ownership blur, and liability and profitability follow close behind. Her practical warning to enterprises is blunt: Be careful what you feed into public models, because anything put "out into the ether" may no longer be protected or controllable. That risk is amplified by shadow AI, and she notes that while larger businesses are getting smarter about controlling what employees push into outside tools, policing those edicts across multiple personal devices remains a genuine challenge.

From ownership, the discussion turns to human oversight and the limits of regulation. Janosek explains her "risk-proportional approach" to keeping a human in the loop -- the greater the sensitivity of the data or the potential for harm, the more deliberately organizations should require human approval before autonomous AI acts. She frames the recurring theme of innovation’s pendulum, from Meta smart glasses that can covertly record strangers to Ring doorbell surveillance, where capabilities race ahead until something egregious forces a pull back toward the middle. She predicts AI regulation will likely follow the trajectory of cybersecurity law: voluntary guidance first, then state-by-state action led by places like New York and California, and eventually federal mandates -- though the hard questions of who enforces the rules and whether fines are proportionate to actual harm remain unresolved.

The episode closes on the international dimension and practical advice for leaders. Janosek argues that AI and data governance demand cross-border harmonization, citing her West Point Cyber Defense Review piece on cyber threat intelligence sharing and the persistent uncertainty over whether the EU AI Act will drive global standardization. Her counsel to CEOs who assume they are more prepared than they are is foundational and concrete: Know where your data physically resides, understand your cloud agreements and supply chain, catalog your data, and apply protection proportionate to the sensitivity of your "crown jewels." It’s a fitting through-line for a Kitecast conversation that repeatedly returns to a human question beneath the legal and technical ones -- What do we want to keep for ourselves as humans, and how do we embrace innovation responsibly without slowing the people pushing it forward?

LinkedIn Profile: https://www.linkedin.com/in/diane-janosek-abc/ 

JANOS LLC: https://janosllc.com/ 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP. 

Patrick Spencer (00:01.912)
Hey everyone, welcome back to another Kitecast episode. I'm your host for today's show, Patrick Spencer. Joining me today is Dr. Diane Janosek. I am really excited to speak with her and I'm sure our audience is going to find her insights particularly interesting and thought provoking. Today's session we've titled AI meets the law, which Diane and I came up with before today's conversation, which is certainly

a nice tickler, I think it's going to get everyone interested in what we're actually going to dive into today. And AI is a top of mind for just about everyone in virtually every department and virtually every organization in the world today, I think. So Diane, thanks for joining me.

Dr. Diane M Janosek (00:40.74)
Yeah. Thank you for having me. I'm excited to join Kitecast.

Patrick Spencer (00:45.912)
Thank you. So before we do dive into some of our questions, let's talk about her background here briefly. She is a nationally recognized cybersecurity leader and CEO of Janos LLC, where she advises organizations at the intersection of technology, law, compliance and policy. She has, as you heard, I called her doctor, a PhD in cyber leadership, a JD.

a master's of strategic intelligence and is CISSP and LPEC certified. Among other things, she's a 12 year member of the US Defense Intelligence Senior Executive Services. She's held the senior leadership roles of the National Security Agency. She's a prolific author and speaker has published a plethora of different academic and peer reviewed articles, including a few that we'll be referencing during today's conversation.

She's practiced at the US Supreme Court, multiple federal and state bars. She brings a rare combination as our audience is going to discover of legal authority, hands-on cybersecurity operations experience to all of her different legal and cybersecurity engagements. She holds top secret clearance featured in the Dawn of Cyber Warfare and Women Know Cyber Documentaries. I'll have to give that one to my daughter. She'll enjoy it. She loves documentaries. She'll like that last one.

Finally, she serves on the board of advisors for the Military Cyber Professionals Association. She's available at the end of today's podcast and we'll have some links at the bottom of the actual text as well. Telling you how you can get in touch with her on different corporate advisory engagements, leadership seminars, speaking events on topics that include things like AI governance, IP ownership, cyber law, executive risk management. So Diane.

Patrick Spencer (02:36.17)
impressive background. You make me look diminutive, I think, when I go through a bio like that.

Dr. Diane M Janosek (02:43.844)
Thank you so much. I appreciate being here and sharing my little bit of knowledge. I know your listeners are also very well versed and have their own areas of expertise. So it's always nice to hear where everyone else is going as well. So, and as part of the team.

Patrick Spencer (02:58.434)
Well, thank you. Well, our general counsel has written a number of different articles over the past year on the topic of AI and law. So this topic is of particular interest to me because I've worked with them on some of those different pieces. Let's start off. You practice a lot at Supreme Court level, as we mentioned, led cyber security operations at the same time at the NSA. How does this very dual background shape the way you see

AI's challenges differently than a pure technologist or a pure legal professional would.

Dr. Diane M Janosek (03:32.122)
Yeah, well thanks Patrick for the question. Like I said, I'm excited to share a little bit of my insights with your listeners. I started off with a law degree, as you mentioned. When I started, I went right from college and I went to law school in Washington, DC. And when I was going through school after my first year, a position opened up at the Department of Justice for the Associate Attorney General working as part of that team. So I took that job and then I switched to going to school four times a night.

four times a week. And I'm so glad I did because I'm glad I got the law degree. I'm glad I took the experience at the Department of Justice. And it kind of set me up in a way to start thinking a little bit differently and how the law really gets embedded to every single thing that we do. I was able to then work at the federal courts. And that was really exciting. And I think the interesting part about the judiciary system is as you go higher up, especially with the Supreme Court,

It's cases of first impression, right? It's never been decided upon. Maybe two circuits are undecided on different things and somebody has to make a decision. So in the law, there's a lot of this gray space and as a lawyer, you're zealously advocating for one way or the other and then you're wanting to get some definitive decision at the top in terms of these cases. So the law helped me in a way kind of...

you know, look at all these technical issues in a little bit of a different way and a little bit different light. So you come forward, fast forward, you know, 30 years later for me anyway, and you get into AI and there's all these issues of first impression. So it's kind of nice having a law degree, like 20 years after that is when I got my PhD in cybersecurity leadership and then my ethics and compliance certifications and information security certifications. The reason why that was helpful was because it had the backdrop of

understanding what are the, what's the legal framework, and then how can you navigate that fairly quickly and safely. But then also, what should we be concerned about, right? Where are the issues? What are the challenges? Where are we going? And it's just so, it makes it exciting. I mean, I think we're at exciting time in our history, right? We're exciting time in the law, we're exciting time in technology advancements, and now that the whole world's kind of getting involved, it's a, it's a good place to be because it's just so, it's such an exciting time.

Patrick Spencer (05:51.842)
Yeah. You have a fascinating background that you started off on the legal track and then 20 years later you just say, I'm going to do this PhD in cybersecurity. For anyone who's done a PhD, it's a heavy lift. I can guarantee it because I've done it as well. There's a lot of late nights as you referenced, you know, four nights a week, two o'clock, three o'clock in the morning, working on papers, preparing for exams. You know, what prompted you to go back to school to, to tackle this additional degree?

Dr. Diane M Janosek (06:12.932)
Yeah.

Dr. Diane M Janosek (06:19.45)
It's a great question. I was the commandant of the National Cryptologic University and I was looking into partnering with schools to

upskill some of our workforce in areas that we didn't teach at the school where we focused on a lot of the operational side on cybersecurity, on cryptology, on languages, writing, analysis skills. So I asked an assistant to research a couple of different programs that were out there. And I said, is there anything on cybersecurity leadership? And they came back and they said, no. And so I mentioned it to two different.

university professors, hey, do you realize that there's no advanced degrees in cybersecurity leadership? There's a void there. And I think the agency as well as other member other entities would like to get their people upskilled in terms of that in that area, and the technology and kind of what are the issues that are out there. And so essentially, that the school, Capitol Technology University said, they called me about, you know, months later and said, Hey, you're right.

We actually applied, got the approval by the Middle States to go forward with the degree and we'd love for you to be part of the program. So I ended up doing that. I worked every weekend for years. I felt like 12 hours a day and to finish it. But it is definitely as hard as a law degree. But the reason why I did that was because I thought, well, OK, well, I identified this opportunity to continue to learn for our own people. And we ended up sending a number of people through that program at the agency. So I'm like, if I'm telling people to

keep learning, you know, it's good for the goose, good for the gander. I said, okay, well, I'm going to go forward and do it. And I'm really glad I did. And I focused actually on space security, which was something that was not really out there. And that's one of the examples I wanted to mention to you about where AI and the law gets tricky is with publications and especially in my area of space security.

Patrick Spencer (08:14.067)
I bet it's going to get even trickier with all the stuff I in the news around space warfare and so forth.

Dr. Diane M Janosek (08:16.122)
Yeah, right, right. It was so exciting to learn. Like I just invested so much of my time learning about, you know, all the different nanosatellites, the capabilities and what country is doing what and why and where the implications for, you know, sovereignty and things like that. So it was just I love researching and understanding space governance. So it was a great opportunity for me to really just, you know, pique my curiosity and just keep learning. And now it's so relevant.

Patrick Spencer (08:45.23)
Yeah, yeah, absolutely. And there are some articles that she's published on the topic for our audience. You can check them out. Some are gated because they're peer reviewed and others are not gated. And they dive into some of the research she did for for a doctorate. Now you've written, switching back to the topic of, you know, AI and the law, you know, legal frameworks, you argue, always lag behind technology, you know, with AI moving as fast as it does, you know, every week, seems like

you know, there's a new advancement that takes us, you know, miles ahead of where we're at today. Now, how wide is this gap now and what are the consequences for businesses that are trying to operate within these guardrails?

Dr. Diane M Janosek (09:28.238)
Yeah. Well, if you think about it, to me, to me anyway, the older days is, you know, business had a business line and another company had a business line and they may want to partner and share and they come together and maybe do a consolidated shared product or piggyback off each other and offer it as, you know, joint offerings. But today it's the two companies want to come together, right? How do you really merge

the critical thinking that's necessary and keep two distinct products so you can't. So if you and I were going to partner on things, it's really how our minds would come together and how we're creating and coming up where the gaps are, where the solutions might be, where the challenges are, and then how would we go about implementing it.

A lot of that is joint. Well, think about in the area of AI, it's no longer joint, it's tertiary, it's how many people are involved, how many different systems or companies are involved. So who owns what has gotten more and more complicated because you're no longer just dealing with one widget and combining with another widget.

It's, you know, in this world that we're living in, it's so interconnected. So who owns what? And then the reason why ownership matters is liability often, you know, liability and profitability then, you know, come up behind, right? Like something goes wrong, they want to know if something goes really well, who gets the benefits. So the interconnected world that we're in in terms of joint solutions and just truly brainstorming and coming up with novel concepts and then

partnering with others because we can't do it ourselves creates issues of, you know, just it comes, just creates its own issues. And it's usually when something goes wrong or something goes really, really well that you end up having these, you see these things in the news about the different court cases of so-and-so is going after so-and-so because they lost a lot of money or they didn't get all the money that they thought they should have got.

Patrick Spencer (11:27.15)
Now, we're going to talk about liabilities here in a moment. Before we do so, it might be useful for our audience to hear your perspective around, you know, content ownership. Who owns what when it comes to AI generated IP, specifically, you know, if we look at companies that everyone's doing it now where they're using AI to generate code, designs, marketing copy, you know, there's all these third party libraries that are tapping into. And now we have all these new apps like Replit and so forth that

create their own applications that plug into some of your larger technologies that you have in place. And who knows what's going to happen with the SaaS marketplace today with organizations and individuals for that matter beginning to use Replit and other applications along those lines to develop these applications using AI. What's your perspective there? Who owns what? And then I think the next question is, what do those liabilities look like in terms of who's liable based on who created what and who owns what?

Dr. Diane M Janosek (12:25.486)
Yeah. Well, you're asking the very pointed question, right, of who owns what. And it seems like it should be simple, right, but it's not. And let me give you an example. Somebody asked me to review one of their cyber education courses before it went online. I reviewed it, and I was talking to the gentleman that asked me to do it. And I said, wow.

you know, so-and-so, this female did a great job. I mean, I really loved how she narrated it. He goes, no, that, that wasn't her. I don't, I don't know her. That was an AI generated voice. And I said, there's no, like, the whole entire time I was like, to me it was like she was there and did the whole narration. And I was like, well, then who owns that narration? Like, I'm thinking myself, like, and this person does a lot of

of online cyber education. So I thought, well, it could have very well been an AI picking up her tool, a big up her voice, right? And so we've seen that now with just who owns the voice, who owns a creation. Well, and then who owns the content. So maybe the script was proprietary, but is the voice proprietary of that company? Does it go over the product? Like, how do you divide who owns what?

And that, think, is the challenge, right? And so one of the questions that are coming up, and we've seen this in the news, and I'm sure your listeners are aware of this, when you ask one of your, AI product you want to use, browser, whatever app you want to use, and you ask it to, hey, can you clarify this or modify this or enhance it or make it sound better? Let me know. And they do. Who owns that?

And so that's part of the concern. saying, well, if you don't own that, which is true unless it's your LLM, if you don't own that.

Dr. Diane M Janosek (14:24.068)
then why do you want to put it out there in the ether to put out there in the ether is not protected. So a lot of companies are telling their employees, please don't put intellectual property information or ideas into the AI models because we may lose control of that concept of that product, of that idea. And so you have to like step back from it and be like, okay, this is a whole new world in terms of

using a tool because you could use Google as you're doing something and you'd find them different sources and you come up with different ideas. Your Google search was essentially, Google gave you the results, but you took with it what you needed to take with it. But when AI creates something with part of your product, it gets blended. Then who, you know, so that's part of the concern is they're saying, hey,

Patrick Spencer (15:15.694)
Hmm.

Dr. Diane M Janosek (15:20.43)
big businesses, you can imagine pharmaceutical companies, things like that. Be careful what you put into those AI models and ask questions of it because if you don't own it, at the end, who owns it?

Patrick Spencer (15:35.886)
Yeah, you lose control. Well, in your, in your opinion, you know, how many organizations are mature enough? You talk to a lot of business leaders all the time, boards, CEOs, and so forth, CISOs. How many are mature enough to actually one control what's being put into those public algorithms to your point. So they're not losing control, their intellectual capital, and then how many can actually verify that it's not happening, and, you know, demonstrating that they have logs that

Dr. Diane M Janosek (15:37.732)
You lose control. Yeah.

Dr. Diane M Janosek (15:55.482)
Mm-hmm. Yep.

Patrick Spencer (16:05.548)
that show things were blocked from being put into the public gallery.

Dr. Diane M Janosek (16:10.074)
Yeah, so the larger businesses obviously have picked up on this and they're selling, you know, you can't, you know, add apps to your to your business laptop or whatever, you know, that will compete with what our internal AI system may be. So some of them are getting smart enough in terms of that. Other ones have just put out like these edicts saying, you know, thou shall not. But then, you know, of course, how do you police that really? Right. We all have multiple devices and words.

Patrick Spencer (16:38.68)
Shadow AI now, right, is prevalent.

Dr. Diane M Janosek (16:40.438)
Yeah, yeah, right. So it's gonna be hard to police. So that's the million dollar question, right? Until a case of first impression really comes up through the press and people start picking up on it and really change, I don't think we're gonna know how it's gonna be handled out, worked out in the workplace, honestly.

Dr. Diane M Janosek (17:08.354)
I don't know how that's going to work out because you can't rely upon patent lawyers and intellectual property lawyers to handle all your internal matters. I mean, usually a large company has one or two of those. You don't want to have that be part of your daily business is making sure you don't have a copyright violation or that your intellectual property is being siphoned off because of how your employees are working.

Patrick Spencer (17:30.678)
Yeah. And we would add, you know, we're a perspective in the conversation we have of our customers, you know, almost all of them are using AI to varying extents, some in a more mature manner than others, but they're concerned about that private data, the PHI and PII, beyond just intellectual property being leaked out into those public LLMs or being hacked as part of the process because you don't have the right security controls in place.

Dr. Diane M Janosek (17:48.824)
Yeah, so.

Dr. Diane M Janosek (17:55.202)
Yeah, right. And there was also an article that came out talking about privacy there, Patrick. There was an article that I just read about, you know, the Meta glasses, right? Have you tried them yet?

Patrick Spencer (18:06.806)
I have not. I've been intrigued, however.

Dr. Diane M Janosek (18:10.362)
They were crazy. So we went in and we looked at them and I was like, this is really nutty. And they are tremendous because, a friend of mine has some blindness issues and it will actually tell her what she's looking at. So it's really, really amazing in terms of the advantages there. But the article that I was reading was saying how they can surreptitiously videotape. And so they could...

The example was somebody was on a beach and came up and said, I liked your bikini. And the person told them a little bit of information about herself. And then that person then went and posted that on a social media web page without that person's knowledge. And it had her personal information there. Like she mentioned where she worked or where she lived. And then all of a sudden, they started getting these calls. like, you know.

And she was like, I didn't even know this person was videotaping me, let alone going to be sharing this information. And what's my personal privacy in terms of how do I protect myself? I mean, that's what I'm talking about this case of first impression.

until these things really get out there and something egregious happens. And then usually that's when you start backing up on the controls or saying, we got to pull back. Like the pendulum always swings with innovation. And then sometimes you come back to the middle, which is why I think, I mean, it's why I like the legal aspect and ethics and compliance piece of it is how do you then temper all of this energy and there's passion to embrace innovation, but do so responsibly and safely?

And that's like a real question today. I think that's why like having a law background. just at least helps me understand. that's part of my articles that people will see on my website is there's a number of the deep dives in terms of where the law is, is a whole world in and of itself. But then how do you apply that to our daily life? Is a whole different ball game, right?

Dr. Diane M Janosek (20:10.094)
I mean, you're going to use the Ring camera. And we saw that with the Ring camera with the commercials during Super Bowl and saying, find your pet. And then they were like, wait a minute. I don't want my whole neighborhood knowing all this about me. What is Ring Doorbell doing with all my information? So that's where the temper comes back. But it had to take a Super Bowl commercial to get people to realize, my gosh, those capabilities exist out there. It existed previously.

went to the other and then the pendulum came back to the middle and that ring was like, we better, you know, we don't want, you know, domestic surveillance of your whole neighborhood and your neighbors knowing everything that you're doing. So it's a weird catch 22, like where do we fall back into the middle? Yeah.

Patrick Spencer (20:51.564)
Hmm. Well, in our one of our previous podcasts, in fact, I think the one preceding this with Brian Cassidy, he and I spoke about AI and the need for humans to be involved on that note, you know, to your point, you stress in some of the articles you've written that there's a need for clear documentation trails that show human involvement with AI when AI assisted content is created. What is that? What should that look like within an organization that is sensitive to

Dr. Diane M Janosek (21:10.426)
Yeah. Yes, that's correct. Right.

Patrick Spencer (21:21.57)
those legal issues as well as even ethical issues that are associated.

Dr. Diane M Janosek (21:28.122)
So I think before somebody runs something through an LLM, they should make sure they have it documented that it was their product to begin with. Right? I mean...

If there's something proprietary in terms of formulation, in terms of pharmaceuticals, if there's something in proprietary in terms of software development, something proprietary in terms of just your analysis on something, or even maybe even it could even be your business strategy, have that document that is yours. Make sure that you have that traceability in terms of ownership so that...

you maintain that right, essentially. In the old days, and we still do it today, but you'll get documents that are marked proprietary, do not release, sensitive, for your eyes only, just in the business world, not mentioning in the government side. And where does that marking go when you're in this ubiquitous world online? I mean, it's...

you can lose control. that's one thing. Like, for example, I've stopped using, giving out my PowerPoint presentations after I do my speaking engagements, because I found that they were just being essentially just, you know, taken and used and I didn't get any, it claimed to other people's. I didn't get any credit. And I was like,

Patrick Spencer (22:51.758)
You don't need any credit for it.

Dr. Diane M Janosek (22:56.45)
Even if I marked it as my own, was marked as mine, it's gone onto the ether and then it's somebody else's. And so I like to operate in the space where what is on the horizon? What should we be worried about? Where have things gotten to this point? So I like to be predictive and forecasting. So if that information is just out there for anybody, what value do I have? My insights are worth nothing.

So that's where I agree with you is that be thoughtful about, you know, marking information, protecting your information. When you have partners with other entities, make sure that that's clarified, you know, when your partnership documents, make sure that your employees are given the appropriate guidance so they understand what due diligence means in terms of protecting the work product, protecting the sensitive information of the company. It just goes.

We're going to see so many of these issues escalate before they start to normalize in terms of, what's acceptable or not acceptable.

Patrick Spencer (24:01.962)
I know one podcaster who's relatively famous who has all this stuff that you've done just like this. No one ever replicates me because I'm not famous. No one cares about me, but other people they actually do care about and they've taken their videos and they've turned it into an AI and they're producing podcasts of that particular individual. And he's saying things he never said, but they're still published them and he's getting contacted. You said X, I never said that. What are you talking about?

Dr. Diane M Janosek (24:09.678)
Yeah.

Dr. Diane M Janosek (24:17.498)
Yeah.

Patrick Spencer (24:30.22)
and they'll actually send him the link. So I assume there's going to be some, there are legal liabilities associated with that and we're going to see some lawsuits occur on that front. Is that your opinion?

Dr. Diane M Janosek (24:40.57)
Without a doubt, because it's like I mentioned in the very beginning of this, Supreme Court takes cases, you know, case of first impressions. Well, there's so many cases of first impression, and usually it comes down to liability or money. So one of these things, you know, this gentleman could, maybe that's more like, you know, reputation or integrity. So that's usually a third area of why would you take it, you know, to bring a lawsuit, usually for the morality of it.

Patrick Spencer (25:06.476)
Defamation.

Dr. Diane M Janosek (25:09.046)
No, this is this principle because of this principle. So it's because of the principle of it. Lots of money involved or good and bad, you loss or gain money. So it's I think without a doubt, Patrick, this world is going to change. And I don't like having lawyers involved with everything. And I can say that, you know, I mean, there was a reason why I

you know, vacillated into the policy and the technology side and into the decision making side was because the legal lawyers are supposed to give you advice like, you know, consider this or consider that they're not supposed to be making the business decision. So we have lawyers making business decisions on how to really, you know, embrace AI and use it in the right way. We might be tempered.

And at the same time, you don't want to be tempered, right? We want people in the United States to really push the envelope, push them as much as they possibly can, and not be tempered. So you really don't want a lawyer in the loop all the time, because it's going to slow everything down, maybe because they're not, you know.

not good or bad, just naturally happens because they like to understand what the facts are before they make a decision or a recommendation. So the CEOs, the business leaders have to take the advice that they receive and then move forward as quickly as they possibly can. So I think we're going to be seeing a more pause. And we saw that with the OpenAI and the Anthropic decision, right? Yeah.

Patrick Spencer (26:27.502)
Hmm.

Patrick Spencer (26:32.353)
Interesting.

Yeah, I was about to ask you that about the, you know, autonomous AI issue, there's liabilities and issues, ethical concerns that one must consider with that as well. And that's been in the news. It'll be a few weeks old by the time we publish this podcast, but right now is in the news just this past weekend.

Dr. Diane M Janosek (26:41.615)
Yeah.

Yes. Yes.

Dr. Diane M Janosek (26:49.881)
Yes.

Yeah, so I was back in 2013, 2014, I was the chief legal officer for presidential commission statutory called the Privacy and Civil Liberties Oversight Board. So it was concerned about the privacy and civil liberties of Americans during the course of counterterrorism investigations and what's appropriate and what's not appropriate. We move fast forward into today, that was almost 12 years ago now.

you fast forward into today and you see the same issues about Claude, Anthropic's Claude and should it be used or not be used for mass surveillance and domestic surveillance. And so it's, the more things change, the more things stay the same. And there was a concern in terms of where does it, where the pendulum keeps swinging, where is it going to end up? So without a doubt.

We are in a brave new world and it's interesting to see the response of Americans, right? They were saying how some people then said, you know, I'm gonna drop my OpenAI. I'm gonna delete my app. I don't want to be using it anymore, my ChatGPT app, because of if they're gonna cooperate with the government that I don't want to cooperate with them. So you march with your feet. Americans march with their feet or march with their pocketbooks or purses, you know, or wallets and so I think

The fact that people are at this point now where they're paying attention is phenomenal. I mean, phenomenal. It's phenomenal that we can have this conversation and it's normal, right? I went so many places, like, did you hear about that? Did you hear about that? thing that anyone's coming up to me saying, did you hear about that? Did you hear about that? Consistently like that shows it's on everyone's mind. So that just shows you we're in a brave new world. And whenever, whenever that happens,

Patrick Spencer (28:21.356)
is a good thing.

Dr. Diane M Janosek (28:44.034)
It takes time to really start getting it into our mindset and then coming back to, maybe we should be coming here. We're not, a pendulum has not quite come back yet because there's so much at this point, you know, everything's going forward. But just to have that conversation, it's impressive that so many people are saying, what happened? Why are we doing this? Tell me again. Yeah.

Patrick Spencer (28:51.918)
Hmm.

Patrick Spencer (29:08.406)
Yep. Now it took, so many people signed up for Anthropic Claude, but two nights ago they took the system down. I had to go read a book. I couldn't do any work.

Dr. Diane M Janosek (29:18.426)
Yeah, yeah, right. And then everyone else was deleting their or the other app. And then of course, then now they came out and said, we got to rethink this. But OpenAI did. But it was the whole thing is just it just shows you that, you know, Americans do, you know, get involved when they're passionate about it. So the fact that we are passionate as a country about it.

Patrick Spencer (29:24.204)
No.

Dr. Diane M Janosek (29:43.61)
is spectacular, right? And that's phenomenal. I'm glad that we have American citizenry that actually cares about what's going on with our country and where technology is taking us and where ethics comes in and where principles need to be focused on. And just going back to the sunglasses, I think it's going to be a brave new world for some time.

Patrick Spencer (30:07.554)
This, something that you can't even control. You don't even know you're being videotaped at the time, right? So now on the note of the liabilities we've been discussing AI, you advocate in some of the writing that you've done, you call a risk proportional approach to human oversight. Can you tell our audience what you mean by that?

Dr. Diane M Janosek (30:13.743)
Yeah.

Dr. Diane M Janosek (30:30.126)
That's a great question. So I just had a meeting this morning about a particular AI product that helps with information security remediation. And part one of the questions that someone asked was, does it take the remediation automatically or not? And the designer of the particular tool said, it could take it automatically, but we conscientiously.

put a stop in there for human in the loop to say, yes, take that remediation and take that course of action to secure this particular network. so why does that matter and how does that relate to your question? Because

AI can do a lot of things and agentic AI obviously can do a lot of things, a lot of things, but where are the guardrails and where do you conscientiously put them in at certain points? And that's due diligence piece and the proportionality. So where the risk is the greatest is where you want to have a human in the loop, right? And you want to make sure that there's somebody involved with, you know, is overseeing it, approving it.

Patrick Spencer (31:14.648)
Mm-hmm.

Dr. Diane M Janosek (31:37.306)
understanding what the consequences are before it's approved. So the proportionality is, what is the level of harm or the sensitivity of the data? And depending upon the sensitivity of the data level of harm that could result, that's how often you need to put a human in the loop, literally in the loop.

prior to running these operations. So it was interesting because we've seen, all of us have been reading about different AI agents that almost can self-destruct and not even realizing that the person that was using them, realizing it was able to self-destruct. And so it's...

We need to as a community.

Patrick Spencer (32:21.71)
This past week, I saw a bunch of that in the news with Clavotte and everything. You know, the Facebook AI safety director, her story. You're absolutely spot on there.

Dr. Diane M Janosek (32:29.338)
Yeah, yeah, so this due diligence and proportionality, you know, they're legal words usually, but it's all about reasonableness and what do we want to still control as humanity? It really comes down to who are we as humans and what are we going to keep for ourselves so that's human?

Patrick Spencer (32:54.826)
In your opinion, you know, being a lawyer and, you know, having a PhD and having worked in the NSA, can you use regulations from a compliance standpoint to regulate some of these issues? What can be regulated? What can't? And when do you think, well, we're not really beginning to see from a regulatory standpoint, fines and penalties and so forth, public shaming, et cetera, coming to fruition yet on the AI front, but I assume that's coming.

Dr. Diane M Janosek (33:26.1)
It's a good assumption. I mean, I guess we'll really see where things are. So if we just take the analogy of cybersecurity, when, you know, technology really took off and everyone started having more than one computer and everything was more ubiquitous, and then they were starting to have, you know, all of these breaches and personal privacy was getting out there. Then there was calls for cybersecurity regulation. And they first started out with making it voluntary. You should really be doing this, you should be doing this.

And then finally, the states are like, no, I'm having too many people get scammed or identity stolen or hospitals losing money because of fraudulent activities and because the cybersecurity wasn't strong enough. So then the state started saying, no, we're going to impose some type of cybersecurity regulation where there's a bare minimum that you must have on your systems if you're to be operating in this state.

So then you take that up a level and said, is there a federal regulation? It took a long time for there to be some federal regulations. And now, they started off with usually Department of Defense starts off earlier or government starts off earlier because they can impose it to on a large number of people and eventually trickles down to the rest of the country. So now there's, you know, non-discretionary, there are mandatory regulations on the cybersecurity side. So my guess is the AI world is going to probably follow that same trajectory, right?

we're not quite there yet, then it will start and then it will start going forward. But then the real answer, the real question I would say is, who's responsible for issuing those rules? Do you have to follow them? What would be the, if there's no enforcement, then my father.

Patrick Spencer (35:28.514)
Diane, you broke up for some reason.

Patrick Spencer (36:08.044)
Hey, yeah, you just, it's the audio went bad and you froze for some reason. It was odd.

Dr. Diane M Janosek (36:13.876)
Yeah, yeah, I'm not sure. Sorry about that.

Patrick Spencer (36:17.678)
No, no worries. I have a Mac issue with mine where it freezes. I was afraid that was a problem, but it looks like it wasn't because I was going to be to blame that my IT department can't figure out there's something installed on my Mac and we've got, and it like replicates cause you install the instance. And I had, I've had two brand new computers in the last four months. Both do the same thing. So, yeah, I think so.

Dr. Diane M Janosek (36:38.808)
Oh my gosh. I say it's the Russians.

Patrick Spencer (36:46.19)
The upside is we don't do this live and Shobh edit this. So let's go back to, maybe go back to that question. I'll ask you a couple more questions, because I want to be sensitive about your time as well. So you want to go back to the beginning of that question. This was related to, can you use regulatory compliance to basically affect AI security and ethics and so forth? So go ahead and redo that answer, I think.

Dr. Diane M Janosek (37:12.8)
Well, thank you, Patrick, for asking the questions about, you know, will we have regulation in the area of AI? And I travel, as you know, internationally, and that has been a common denominator question. How do you regulate AI so that it's ethical as well as

If you do regulate it, is it even going to be enforceable and who would be the enforcing arm? I mentioned earlier about space governance, outer space governance, and the UN has an outer space treaty. And well, how does that get enforced? How does international law get enforced? Who does what and why? So it's very tricky in terms of is there going to be a regulatory body? And if there is going to be a regulatory body, who would be the enforcement body? How would that even work? And so you'd have to have a coalition of the willing.

And if you have one entity that's not going to be part of the coalition of the willing, then why are we all regulating ourselves so that one entity is not going to be included in that coalition of the willing?

So then you have disparate, if you have disparate cooperation and participation, it kind of undercuts the purpose of the people coming together and saying, okay, let's kind of operate on the safe, you know, the common battlefield, so to speak. So that does a little bit of a challenge. So answering your question though about, you know, will there be cybersecurity regulations?

My guess is there, sorry, will there be AI regulations? My guess is it might be similar to what happened in the area of cybersecurity regulations, where it wasn't as is computers got more ubiquitous and people all started having smartphones and apps were out there. And then all of a sudden, there was so many cybersecurity breaches of people's personal information, usually health related information, or they had bank accounts being attacked or credit cards being compromised.

Dr. Diane M Janosek (39:05.92)
until it got to a point where the states realized there was enough fraud going on and enough of their citizenry were being impacted, then the state started getting involved. It started first with New York, with the financial regulations there.

New York started first with cybersecurity regulation, followed by California because of the fraud questions there. And then eventually the federal government got involved. But it took little pieces of different states getting, doing things and the federal government got involved. But then who does the enforcement and how does it get enforced? So a lot of it comes down to self-policing in lieu of state regulatory activity or federal regulatory activity. In this area, we're talking about international.

So in lieu of international regulatory framework and enforcement, we're gonna be in this pickle, right? It's just gonna be like, you know, how to operate.

And so that's what we're seeing right now with different countries now saying, OK, we're going to start issuing our own regulations if you operate in our inner country. Well, as we all know, data transits multiple countries, goes through multiple countries, so then whose regulation applies? So the data governance piece is now becoming so important to so many businesses because you could end up violating another country's rule that you don't even live in or work in.

a country's rules on data governance. And then all of a sudden you're liable. So it's very confusing, I think, for some businesses out there because there's not one entity that's responsible for cohesion and harmonization of regulations in the area of AI and data governance.

Patrick Spencer (40:49.986)
Yeah, we completely agree. We just published a data sovereignty report where we surveyed risk management compliance, security professionals in Europe and Canada and the Middle East for that matter. Some really good findings there, but it's certainly a pressing concern. And many organizations always is the case when you do these surveys think they're more mature than they actually are. Go ahead.

Dr. Diane M Janosek (40:55.669)
Yeah.

Yeah.

Dr. Diane M Janosek (41:02.75)
Yeah. Yeah.

Dr. Diane M Janosek (41:13.568)
Yeah, well, I think that report was, I mean, I read that report. It was a great report. I think that was one that was like two thirds of companies out there aren't fully aware of all the data sovereignty issues that are out there. So you're not aware, you're certainly not complying with them necessarily. And so all of a sudden your risk exposure has just gone up dramatically. I mean, I thought the Kiteworks sovereignty report was very well done. Yeah.

Patrick Spencer (41:41.486)
Oh, thank you. Thank you. We thought it was useful. Hopefully our audience has checked it out. If you haven't, you can check it out on our website. You know, want to, you know, a couple more questions. I want to be respectful of your time, but I think it'll be useful for our audience to understand what an engagement with you looks like. You talk to CEOs and boards and security leaders and legal professionals and leaders within organizations. You know, when you talk to them about AI and the law, what does that consulting engagement typically look like?

Dr. Diane M Janosek (41:46.398)
Yeah. Yeah.

Dr. Diane M Janosek (42:11.624)
It could be an international business looking to get a partner in the US.

They may have an AI product that they've developed overseas somewhere and they're looking to partner with the US. And is there a right fit for that company over here in terms of partnering and integrating with them? So that's less on the legal issues, but more on the integration piece and finding a good partner. So I've been helping in that area in terms of the business development piece. But the law is also helpful because you have to be able to tell them, OK, well, this product would probably have to comply with these particular regulations.

As you know, you're looking for a partner, make sure you partner with an entity that has all these compliance frameworks, you know, achieved and accomplished so that you don't have to start from scratch. So partnering companies, there's a trick to it, you know, and a know how to it. So that's part of the part of the work that I do as well is, is that piece of it in terms of the, you know, matching of companies, the other I do multiple different things in terms of my consulting. It just really depends on what level of maturity of Hickler

businesses at and you know they want to go they're looking to go into

know, IPO status, what needs to be done in terms of cyber compliance there, their data governance, what they need to do in terms of ensuring that their company is postured for that. It could also be not even if they don't want to they're pre-sale, they're getting ready for, you know, for potentially an acquisition. What do they need to do to be postured for that acquisition so that they are secure? So it's all within the paradigm, you know, the timeline of...

Dr. Diane M Janosek (43:47.87)
your maturity level, what you need to do to be mature, how can I help you get there, and then how can you really branch off and really accelerate in the marketplace.

Patrick Spencer (43:57.366)
Interesting. Now there's a lot, most of us probably think we're fairly mature. And in reality, as we know, based on that data sovereignty study, just as an example, that's not always the case. No one likes to call their baby ugly, obviously, but for CEOs who, I don't know if we're really prepared from a legal standpoint when it comes to AI, what's like the number one or two concerns that you would cite that they need to be aware of and need to

to begin to tackle today.

Dr. Diane M Janosek (44:28.798)
I would ask them where their data resides. First of all, they should know physical location where their data resides, who they have a partnership with if it's in the cloud, make sure that they understand what their cloud agreements reflect.

really understanding your supply chain, what products that you're putting into, that you're using in terms of opening up some potential vulnerabilities, where you might be exposed to. So checking your third party partners, checking your supply chain, looking at all of your contracts that have partners with cloud providers, service providers, just understanding how your business is physically operating, the digital infrastructure

how it's operating and who's connecting to who, how many devices you have on the network. Just understanding, you know, the way that you'd run, you you'd build your house. You want to know, I got so many phone lines coming in here in the olden days. You want a cable line coming in here. You want this coming in here. And how many keys do you give out to your house for your, how many copies of your keys to your front door do you need? You should know that about your business. Who has access and where and when and how.

Patrick Spencer (45:42.612)
What kinds of data you have and where it resides and what type you can access it.

Dr. Diane M Janosek (45:46.644)
And then being able to catalog then once you know what data you have, catalog it, understanding who might be.

where your crown jewels are, how are they being protected. There's non crown jewels you don't need to have as much protection on, but categorizing the types of data that you have, prioritizing the sensitivity of the data and sensitivity of the harm and making sure that you're proportionate in the amount of protection that you're providing the highest risks, the highest elements of risk.

Patrick Spencer (46:18.766)
Now, if you look out through the rest of the year, you know, we're two months into 2026, we have a long way to go. A lot's already happened in the first two months of the year. Needless to say, you know, what do you see happening from an AI regulatory compliance legal standpoint? You know, what are some of the things our audience maybe you can expect to see happen based on your perspective?

Dr. Diane M Janosek (46:42.502)
My sense is internationally, there's going to be a number of different countries that say, should we be coming together? We can't have disharmonization with Germany doing its own regulation, then the UK doing its own regulation, then Australia doing its own, Canada doing its own, and US doing its own, and then you have India. I mean, and then of course, you have all the countries over in Africa.

At some point, we've got to have some level of common denominators in order to operate effectively and safely in the area of AI. I wrote a piece for West Point up in New York for their cyber institute. Recently, it just came out. And it was talking about the harmonization of data sharing across multiple countries.

So they're saying, so like I'm gonna back up for a minute. So when you have a business that is constantly trying to protect its perimeters and it's being attacked, it's going to characterize what that cyber threat was, right? You know, who the attacker was, where it's coming from, where it's originated from, what's the IP address looks like. You wanna be able to share that with others so that you can say, have you seen this? How did you remediate it? You know, where is this coming from?

And you need the ability to share that information outside of your little company, outside of maybe your geographic area, to understand more about the threat. And maybe there's something you don't know. Maybe they also have access to another one of your databases you weren't looking at. How does that particular threat act or operating? So the article that I published on cyber threat intelligence sharing was kind of a framework document of saying, if you want to partner, this is the litmus test of the things that you need to have, like the top eight things you need to have.

look at those common denominators. If you meet those common denominators, you're probably going to be about 90% compliant, you know, in sharing your data on cyber threat intelligence so that you're better postured. But coming up with those common denominators took a little bit of time, right? You have to go through a lot of different regulations across different countries to understand kind of what those might be. So that article was with the...

Dr. Diane M Janosek (48:56.872)
is on my website, dianjanecek.com, under publications under a cyber threat intelligence sharing published by West Point in the Cyber Defense Review.

Patrick Spencer (49:04.942)
Yeah, I've read it. A great, great piece. I'm definitely worth everyone taking a look at it and reading it. You know, on one last question for you, you you look at the EU AI Act. Do you think that's maybe the mechanism that will begin to drive some of the standardization between countries or you think it'll take something else?

Dr. Diane M Janosek (49:07.188)
Great, thank you.

Dr. Diane M Janosek (49:27.712)
It's a million dollar question, Patrick.

Dr. Diane M Janosek (49:33.594)
I, it depends. It's definitely driving things.

The question is, where is it driving us to? And will the US companies get in line with that or not get in line with that? You have to look at India, Asia as well. Will they get in line with it? So there's just a, I mean, it just really depends. And I know that's kind of a wishy answer, but it's driving things. I just don't know if it will drive it home.

Patrick Spencer (50:07.202)
Yeah, yeah, guess wait and see. And everyone in every individual country is beginning to push out either as part of some of existing data privacy laws, they're integrating AI into those, or they're coming out with their own standalone AI acts like they did in Europe at the EU. So wait and see, I guess.

Dr. Diane M Janosek (50:23.41)
Right. And then the question, of course, is how they enforce it, you know, how they do the fines. Are they enforceable fines? Are the fines proportionate with what they think the harm was? I some of these fines that they're coming out with are kind of egregious, but is that appropriate? So there's so many questions in terms of how do you regulate, who regulates, how do they enforce it? And is the enforcer the right enforcer?

In the United States, we have this thing called standing, right? In lawsuits, you can't bring a lawsuit unless you have standing to bring a lawsuit. And standing means you have to have some type of vested interest in what happened. Usually when we're harmed, it was something that you owned. You have standing in terms of literally being able to stand in a courtroom to say, I was harmed, right? So in the EU AI Act, there's question of standing. So who is the person that, who is the entity that was harmed?

Are they the ones standing in to benefit from the enforcement? And it's like, yeah, money gets paid, they pay a fine, but is the harm, is it actually being remediated to the person that had the original standing in the first place? Yeah.

Patrick Spencer (51:23.468)
Interesting. It'll be difficult to prove in many instances.

Patrick Spencer (51:36.866)
All right, you already mentioned your website. I assume that's maybe the best way for folks to get in touch with you.

Dr. Diane M Janosek (51:41.408)
Yep, and I have a contact me on that website as well. Yep.

Patrick Spencer (51:45.198)
And certainly follow you on LinkedIn as I do because she posts content regularly and you can see what she's, Diane is up to on LinkedIn at the same time.

Dr. Diane M Janosek (51:54.688)
Yeah, thank you. And I really appreciate our cyber and AI community, technology community, because we are just all curious. We all want to keep learning and the world keeps changing and we're not afraid to change, which is nice. So this community is a tremendous community in terms of its sharing of its knowledge, sharing of its concerns. They involve, you know, they like to team up on different things and really just talk things through. So this, you know, the Kitecast community is a great community to be a part of. And so thank you for doing what you're doing with Kiteworks and Kitecast.

Patrick Spencer (52:25.39)
I've been fortunate to interview a great guest like yourself, and that's why there's such useful information available for our podcast series. So, Diane, thanks. It's been a pleasure. Our audience is absolutely going to find this conversation helpful. Make sure to check out other Kitecast episodes at kiteworks.com forward slash kitecast.

Dr. Diane M Janosek (52:28.224)
Great.

Dr. Diane M Janosek (52:44.052)
Great, thanks everybody.