DataGrail Product Spotlight: AI-Powered Risk Management
Join Eric Brinkman, DataGrail Chief Product Officer, and Lisa Wang, Sr. Product Manager, for a look at how DataGrail is combining industry-leading connectivity and automation with responsible AI to help privacy teams eliminate risk and stay ahead of ever-evolving privacy threats.
Hello everyone.
My name is Eric Brinkman
and I'm the Chief Product Officer here at DataGrail.
I'm gonna talk about managing risk in an AI world
and there also might be a few fun
product announcements along the way.
So let's go ahead and dive in.
I thought it might be fun to start with a little bit
of a risk exercise.
If I told you that there is a tire, would you think
that this is a risk?
Maybe you probably put it in the context of driving.
What if I told you that this tire was bald?
Hmm, maybe a little bit more risk.
Ah, what if I told you that this tire is,
this tire is actually hanging from a tree?
Now the context has completely changed for this scenario.
Bear with me just a few more times as you think about risk.
Now, what if this tree is next to a cliff
but the cliff is actually in a very
remote part of the world?
Ah, but what if this part of the world is actually visited
by children in a very short amount of time during the year
as a popular destination for field trips?
As you can see, we all went
through different risk calculus there in our minds.
as you see, risk is really the likelihood
of something happening, the impact of that thing happening.
And that's completely measured within the context
of the risk object.
And as we're all managing digital privacy risk, I hate
to inform you that your tire is bald, the rope is fraying,
it's over a cliff, and that school bus just arrived.
But here's the thing, privacy is all about managing risk
and it's a little bit messy.
The average company today uses hundreds
of SaaS applications, all collecting, storing,
sharing personal data in different ways.
And if you layer on top of that a constantly shifting set
of global regulations,
you've got a privacy team likely playing whack-a-mole.
Most companies are still managing this pretty
reactively, running audits
after the fact, chasing down spreadsheets,
hoping nothing breaks before the next review.
It's not scalable, it's not sustainable,
and it's definitely risky.
And as we've seen recently,
when you get it wrong, it really hurts.
We've all seen the headlines, fines in the millions,
class action lawsuits, loss of customer trust
that takes years to rebuild if it even can.
And even before that, teams are burning hours on audits
manual, um, operations, incident response,
and enormous cost right there from your team,
just hiding in plain sight.
We know that privacy risk hits every
part of the organization.
Finance, legal, marketing, security, engineering.
And just like the tire scenario we just ran through,
the risks are pretty high to our businesses.
And one thing we've talked about consistently
through this summit, we're seeing a pretty
shifting enforcement landscape.
Privacy compliance is actually now publicly provable.
This has always been true, but with the rise of AI
and some, uh, additional tooling created by that,
it's pretty easy to tell if your consent preferences
and opt-out selections are honored.
It's easy to tell if data subject requests are fulfilled
within the required timeline.
One really interesting thing that we're seeing is
that private firms are the new enforcers.
We see state level lawsuits now being driven
by private law firms that build cases
before regulators even get involved.
That creates a new
and unpredictable risk landscape for our businesses.
And lastly, we're seeing a laser focus on high risk areas.
These enforcement actions, not random,
completely targeted at companies that use AI tools,
process sensitive data
and handle data from vulnerable groups like children.
In fact, as you can see from the slide, Gartner predicts
that in 2026 we'll have had a 10x increase in fines related
to subject rights in just four short years.
So the bottom line is that a reactive wait
and see approach to compliance is no
longer a defensible strategy.
And when privacy fails,
we all know it's not just a legal privacy issue anymore.
It's a business issue. We don't live in a silo.
We touch every system, every department,
every customer interaction, every piece of data.
It affects your risk posture and ultimately revenue.
The companies that win this next era will be the ones
that integrate privacy into their overall risk framework.
I feel like we might have a good handle on this,
but just as we're starting to wrap our arms around it, guess
what, along comes AI. AI, the double-edged sword,
and it's the biggest technological shift of our generation.
It's rewriting our privacy playbook in real time.
And we've heard from so many great panelists, uh,
throughout this talk on how that's actually helped
and also, uh, brought us considerations to manage.
On one hand, AI introduces entirely new kinds of risk.
Do you want think about your models trained on personal
data without consent, employees using unapproved AI tools,
creating shadow AI, sensitive data
showing up in model outputs, et cetera, et cetera.
But on the other hand,
AI can help us manage those same risks.
It can automatically classify sensitive data,
detect risky patterns,
continuously monitor exposure in ways humans simply can't.
It can process tons of data in ways
that no single human could ever think to comb through.
It can serve as our privacy copilot providing guidance
and answers in a complex landscape.
The question isn't whether AI actually increases our risk.
It's whether we can use it to manage risk better.
And let me show you how the DataGrail platform holistically
manages privacy risk.
DataGrail is a complete privacy automation platform
with unified risk intelligence at its core.
This makes it uniquely possible for DataGrail
to detect risks across systems, vendors,
data flows, surface them all to you in a single unified view
inside of the platform.
And we don't stop there.
Whether you're dealing with noncompliance, shadow IT, misuse
of sensitive data or third party vendor sharing,
DataGrail will help you quantify
and prioritize privacy risk the same way you'd prioritize
any other risk, whether that's
cybersecurity or financial risks.
You can see exactly where your biggest exposures are,
understand their potential impact
and get context aware recommendations so you can action
before they become incidents.
We believe the future of privacy management is risk-based.
It's measurable, proactive, intelligent,
and it's all powered by responsible AI.
This is what moving from reactive compliance
to proactive risk management looks like.
Because privacy isn't about just following the rules,
it's about protecting trust.
Our vision is to create clarity out of the chaos
to provide a platform that allows you to manage
and mitigate your data privacy risks.
We've been hard at work building this
and to show you how this vision comes to life inside
of the product, I'm going to hand it over
to our senior product manager over our
intelligence suite of products,
Lisa Wang. Lisa, take it away.
Awesome, thank you Eric.
Hi everyone, my name is Lisa
and we are so excited to introduce our new risk
register feature today.
So as Eric mentioned, our goal is
to really move you from reactive compliance
to proactive risk management.
But what does that actually look like?
Well, it all comes together right here in our new risk
register where everything we talked about automated
detection, quantification and action becomes real.
It starts with our AI powered risk detection.
Instead of you hunting down for risks,
our platform automatically discovers a wide range
of privacy risks, including high risk AI usage,
sensitive data processing, vendor security gaps
before they become incidents.
And by helping you pinpoint your most critical risks,
you can really focus your team's limited time
and efforts on the most high impact areas
of your privacy program.
And finally, it all feeds into a single source of truth.
You'll finally have one central place
where you can confidently track
and manage your most critical privacy risks
and also be able to demonstrate the ROI
of your privacy program to auditors and your executive team.
So rather than hearing me talk more about it, let's jump in
and see it in action.
So I wanna introduce you all to Alex.
He is a privacy manager at Innovate stealth, a
fast-growing digital startup.
The company is scaling fast
and with that growth comes just a little bit
of chaos. With Alex,
this means she's spending more time chasing status
updates about new vendors.
She's uh, reviewing a lot of new data use cases
that are coming from different parts of the organization
and rather than actually managing risk, she's spending a lot
of her time bogged down in administrative tasks.
And when her CISO asks her for a report on the state
of the privacy program, it always feels like a half day fire
drill to pull together a spreadsheet
that she doesn't even feel confident about.
Now let's see how the risk register transforms Alex's day from
reactive to strategic and impactful.
So like many of us, Alex's day starts with a crucial
question, what needs my attention right now?
So instead of opening a messy spreadsheet
or overflowing inbox,
Alex starts right here on her DataGrail dashboard
and right away she has a clear view of her privacy program.
She sees her requests, her systems, her high risk assets,
but most importantly she will see notifications about newly
detected risks from DataGrail.
And today something catches her eye.
She sees a new system called Insight AI that was detected
and we flagged a concerning combination of AI usage
and sensitive data for this new tool.
So now we have Alex's attention.
So she immediately clicks in to learn more.
Alex is taken directly to the Insight AI system profile
and she sees that our AI agent has done a lot
of the research and heavy lifting for her.
There's a description that flags that this tool uses LLMs
for hyper-personalized marketing
and the system is automatically scored as high risk.
She sees that there's also two detected risks already
flagged in the risk table.
So now she's gonna dig in
and really understand why the system is high risk.
So the platform has flagged two key
risks, AI and automated decision making
and sensitive personal data.
Our AI agent has
provided rich context on each of these risks.
It flags that Insight AI is likely a high risk AI system
under the EU AI Act based on what it's used for
and the data that it processes
and that this persona building feature processes really
sensitive data like healthcare data, sexual orientation data
and race and ethnicity data.
So immediately alarm bells start going off for Alex.
You'll see that our AI agent even provides a source
where the information was found.
So Alex can validate this information
and do some digging herself.
Hours of research are done in minutes here
and Alex now fully understands why the
system was flagged as high risk.
And she agrees that a formal AI risk assessment
is necessary here.
And so she accepts the recommended mitigation
of completing an AI risk assessment with one click
and without having to move into a separate tab
or a different tool, she automatically starts an assessment
directly on the detected risk.
Our platform has pre-selected the AI risk assessment
template and we pre-filled AI insight as the system name
and she assigns it to Jessica
who she knows is leading the marketing team
and likely the owner of this tool.
She also sets a due date
and in a couple weeks she hears back from Jessica.
Alex gets a notification in her inbox
and reviews what Jessica submitted.
Alright, so Alex is diving into this AI risk assessment.
She learns a lot of rich context around
how this tool is being used
and it is indeed a marketing tool
that the team just onboarded.
Jessica does confirm
that the tool will be processing sensitive information,
but it's written in the contract.
We also have consent from our
customers to process this data.
However, there's no internal procedures in place
to monitor the AI's outputs for bias.
And so armed with all of this rich context, Alex is ready
to formally accept and log a risk.
So she accepts the AI and automated decision making risk
and she also adds a mitigation measure to,
for a bias testing and model oversight.
She assigns it to Jessica as the mitigation owner
and she adds a critical note for the audit log, right?
She really flags that the legal requirement to monitor, uh,
the high this high risk AI system under the EU AI Act.
And so this rich context will all be available
to other stakeholders within the privacy team that go in
and review this logged risk.
And so with one click,
the risk is logged in the risk register,
the mitigation plan is assigned to the right owner.
The assessment is linked as a resource
and this entire process from risk detection to mitigation
and accountability is captured in a single workflow.
All right, so Alex is wrapping up her day.
She's feeling very, very productive.
Um, but of course the inevitable happens.
An urgent request from her GC.
Alex, I need a summary of her top privacy risks
for the board's audit committee tomorrow.
I'm so sorry for the late notice,
but I'm hoping you can help.
Instead of a moment of panic, Alex simply navigates
to her risk register.
This is her single source of truth for privacy risks.
She sees that the new AI
and automated decision making risk from
Insight AI has already been captured here
with an assigned owner and a mitigation that's in progress.
She also has a clear view
of other critical risks across her organization,
including a missing DPA for a key vendor, as well
as a consent implementation where a mitigation was, uh,
mitigation measure was recently applied.
So she's feeling confident about all
of the risk captured within the risk register.
Next, Alex moves to the reporting dashboard
where she can get a visual summary of her risk landscape.
She knows that her GC will wanna see some trends over time.
For example, a month over month view
of risk broken down by risk severity.
And she knows there's another key metric
that her GC is looking for, which is the average amount
of time it's taking for departments
to implement mitigation measures, to assign risks.
And she's really excited to share with her GC that
that time has reduced significantly since last quarter.
So in two clicks,
Alex exports the dashboard charts, the detailed risk table,
and she confidently sends this over
to her GC well before her day ends.
And that is the transformation.
Alex went from scrambling
and spreadsheets to now a strategic and controlled workflow
and the risk register gave her confidence to manage
and report on her entire privacy program.
So hopefully that gives you guys a, uh, in some insight into
how the risk register can really
transform your privacy program.
And as we, uh, set out to build the risk register,
we knew we couldn't do it alone.
The best products are always built in partnership
with the users who use them every day.
And so we really wanna thank a couple
of our beta users from Commvault, LastPass, HubSpot
and Ping Identity, who jumped into an early beta,
shared their challenges, shared their honest feedback,
and really helped to ensure that we are building something
that solves their real world problems.
And of course, the best way to understand the impact
of our new register is
to hear directly from our beta customers.
So Monique's feedback perfectly captures our goal
to really replace the manual frustrating process
of managing risks with a simple,
repeatable automated workflow.
And when we hear that this feature makes life a lot easier,
we know that we're on the right track.
And so we're so excited to share
that experience with you all.
Now let's take a quick look at the roadmap.
So as a reminder, our goal is
to evolve the risk register from a powerful system of record
to a truly intelligent, proactive system
that automates your entire risk management lifecycle.
And it all starts this quarter
where we're gonna be building on the foundational MVP
by launching two of our most requested features,
automated risk flagging and assessments
and AI powered system risk detection.
Then in Q1, we're gonna be introducing the comprehensive
dashboard and reporting suite to give you
that high level strategic view
so you can communicate your risk posture
to your leadership team.
Then in Q2, we'll be automating risk workflows.
So you'll be able to set up rules
to automatically assign risk scores,
trigger specific actions, and notify the correct owners.
Then heading into Q3,
we're really gonna be focusing on breaking down silos
and improving collaboration by meeting your teams
where they work with integrations, uh, with tools like Jira.
And then looking ahead to next year, our vision is really
to bring everything together
by integrating the risk register with our consent
and request management products
so you can have a truly unified view
of your privacy program.
Thanks, Lisa. That is super exciting stuff
and I'm mostly excited to announce
that the risk register MVP is now available
to all customers starting today in the
DataGrail platform.
Uh, we'll be continuously shipping improvements
to it based on the roadmap Lisa just shared with you.
Uh, and you can expect the ability to flag risks
and assessments to be available in November.
Uh, if you like what you see, if you have any feedback
or just have some thoughts, that's amazing,
please reach out to myself or Lisa.
Our emails are right there on the slide
or scan that QR code, read the launch blog,
learn more, get involved.
But before we wrap up, there's one more thing.
Everything we've talked about today, measuring risk,
managing complexity, staying ahead of change,
it's all about helping privacy teams make
better decisions faster.
But what if you had help doing that every day?
Right inside of DataGrail, powered by responsible AI.
I'd like to introduce you to Vera,
your new AI privacy agent.
Vera is a generative AI agent built right into
the DataGrail platform.
Vera helps you understand, automate
and act on privacy risk instantly. Need
to know your highest risk vendors?
Ask Vera. Need to draft a DPIA summary
or craft a data deletion workflow?
Ask Vera. Need to understand the impact
of a new regulation on your business?
Ask Vera. Vera turns privacy management from a process
into a conversation.
We think Vera represents the next evolution of privacy.
A world where managing privacy risk isn't reactive
or manual, it's intelligent,
conversational, and trustworthy.
Vera is more than a feature, it's a partner.
It's every privacy team. Move faster with confidence.
It's built with security
and privacy at its core,
ensuring your data remains private and protected.
If you're a DataGrail customer,
please join our fireside chat later today
to learn more about our vision for Vera
and talk to your account manager if you'd
like to get an early look.
Thank you all very much for joining our session.
We, uh, appreciate it. Next on the agenda
is a 30 minute break.
Following the break, please join peer led breakouts
to share challenges, swap strategies,
and sharpen your privacy expertise in the age
of AI in evolving compliance.
Enjoy the rest of the event everyone. Thank you so much.