CISO Guide: Navigating AI Teams with the CLEAR Framework
Introduction
As CISOs find themselves increasingly involved in AI teams, leading cross-functional efforts and AI strategy, there remains a lack of resources guiding them on their role and what they should bring to these meetings. This article aims to address this gap by introducing the CLEAR framework, a five-step guide to help security leaders succeed in their AI adoption journey.
Understanding the CLEAR Framework
The CLEAR framework, created to push AI teams and committees forward, provides necessary visibility and guardrails for success. It consists of five essential steps:
- C – Create an AI asset inventory
- L – Learn what users are doing
- E – Enforce your AI policy
- A – Apply AI use cases
- R – Reuse existing frameworks
Create an AI Asset Inventory
Maintaining an AI asset inventory is a foundational requirement across regulatory and best-practice frameworks, including the EU AI Act, ISO 42001, and NIST AI RMF. However, organizations struggle with manual, unsustainable methods of tracking AI tools.
Key approaches to improve AI asset visibility:
- Procurement-Based Tracking
- Manual Log Gathering
- Cloud Security and DLP
- Identity and OAuth
- Extending Existing Inventories
- Specialized Tooling
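As an added illustration of the Identity and OAuth approach (example code written for this guide, not the article's or Harmonic Security's own tooling), the script below turns OAuth consent audit events into an AI asset inventory and lists what needs a policy decision. The event fields, the vendor catalogue, the domains and the scope names are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample OAuth consent audit events (not from any real identity provider);
# they carry only the fields such a log minimally records.
SAMPLE_EVENTS = """\
{"user":"alice@example.com","app":"Acme Chat Assistant","app_domain":"chat.acme-ai.example","scopes":["openid","email","drive.readonly"],"ts":"2024-05-01T09:12:00Z"}
{"user":"bob@example.com","app":"Acme Chat Assistant","app_domain":"chat.acme-ai.example","scopes":["openid","email"],"ts":"2024-05-02T10:00:00Z"}
{"user":"carol@example.com","app":"Meeting Notes AI","app_domain":"notes.summarize.example","scopes":["openid","calendar.readonly","mail.read"],"ts":"2024-05-03T11:30:00Z"}
{"user":"dave@example.com","app":"Expense Tracker","app_domain":"expenses.example","scopes":["openid"],"ts":"2024-05-03T12:00:00Z"}
"""

# Hypothetical catalogue of AI vendor domains and their approval status under the AI policy.
AI_VENDORS = {"chat.acme-ai.example": "approved", "notes.summarize.example": "unapproved"}

# Scopes that hand a third-party app access to company data; these get flagged for review.
DATA_SCOPES = {"drive.readonly", "mail.read", "calendar.readonly"}


def build_inventory(events_jsonl: str) -> dict:
    """Aggregate consent events into an inventory keyed by AI app domain."""
    inventory = defaultdict(lambda: {"app": None, "status": None, "users": set(),
                                     "scopes": set(), "first_seen": None})
    for line in filter(None, events_jsonl.splitlines()):
        ev = json.loads(line)
        domain = ev["app_domain"]
        if domain not in AI_VENDORS:
            continue  # not an AI tool according to the catalogue; ignore it
        entry = inventory[domain]
        entry["app"] = ev["app"]
        entry["status"] = AI_VENDORS[domain]
        entry["users"].add(ev["user"])
        entry["scopes"].update(ev["scopes"])
        # ISO 8601 timestamps in UTC compare correctly as plain strings
        if entry["first_seen"] is None or ev["ts"] < entry["first_seen"]:
            entry["first_seen"] = ev["ts"]
    for entry in inventory.values():
        entry["data_access"] = sorted(entry["scopes"] & DATA_SCOPES)
    return dict(inventory)

def review_findings(inventory: dict) -> list:
    """Return (domain, reason) pairs that need a policy decision from the AI committee."""
    findings = []
    for domain, e in inventory.items():
        if e["status"] != "approved":
            findings.append((domain, f"unapproved AI tool in use by {len(e['users'])} user(s)"))
        if e["data_access"]:
            findings.append((domain, "granted data scopes: " + ", ".join(e["data_access"])))
    return findings
```

Fed with a real consent log export, the same aggregation gives the inventory a per-app user count, first-seen date and data-access footprint, which is what the EU AI Act, ISO 42001 and NIST AI RMF expect an inventory to carry.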
Learn: Shift to Proactive Identification of AI Use Cases
Security teams should proactively identify AI applications used by employees instead of blocking them outright. This proactive approach helps recommend safer, compliant alternatives and improves training programs, which will become increasingly important with the rollout of the EU AI Act.
Enforce an AI Policy
Enforcing AI policies remains a challenge, with most organizations issuing policies and hoping for compliance. However, this approach provides little enforcement or visibility, leaving organizations exposed to security and compliance risks.
Typical approaches to enforcing AI policies:
- Secure Browser Controls
- DLP or CASB Solutions
Apply AI Use Cases for Security
Most discussions about securing AI focus on protecting AI systems themselves, but applying AI to the security team's own work demonstrates a commitment to the AI journey. AI use cases for security offer benefits for detection and response, DLP, and email security.
Reuse Existing Frameworks
Instead of creating new governance structures, security teams can integrate AI oversight into existing frameworks like NIST AI RMF and ISO 42001.
Practical example: NIST CSF 2.0 includes the "Govern" function, covering AI-related roles, responsibilities, and policies.
Take a Leading Role in AI Governance
Security teams can demonstrate value by following the CLEAR framework:
- Creating AI asset inventories
- Learning user behaviors
- Enforcing policies through training
- Applying AI use cases for security
- Reusing existing frameworks
By following these steps, CISOs can play a crucial role in their organization’s AI strategy.
Conclusion
To learn more about overcoming GenAI adoption barriers, check out Harmonic Security. Stay up-to-date with the latest AI security news and insights by following us on Twitter and LinkedIn.