Nearly 40 years ago, Cisco helped build the Internet. Today, much of the Internet is powered by Cisco technology—a testament to the trust customers, partners, and stakeholders place in Cisco to securely connect everything to make anything possible. This trust is not something we take lightly. And, when it comes to AI, we know that trust is on the line.
In my role as Cisco’s chief legal officer, I oversee our privacy organization. In our most recent Consumer Privacy Survey, polling 2,600+ respondents across 12 geographies, consumers shared both their optimism for the power of AI in improving their lives, but also concern about the business use of AI today.
I wasn’t surprised when I read these results; they reflect my conversations with employees, customers, partners, policy makers, and industry peers about this remarkable moment in time. The world is watching with anticipation to see if companies can harness the promise and potential of generative AI in a responsible way.
For Cisco, responsible business practices are core to who we are. We agree AI must be safe and secure. That’s why we were encouraged to see the call for “robust, reliable, repeatable, and standardized evaluations of AI systems” in President Biden’s executive order on October 30. At Cisco, impact assessments have long been an important tool as we work to protect and preserve customer trust.
Impact assessments at Cisco
AI is not new for Cisco. We’ve been incorporating predictive AI across our connected portfolio for over a decade. This encompasses a wide range of use cases, such as better visibility and anomaly detection in networking, threat predictions in security, advanced insights in collaboration, statistical modeling and baselining in observability, and AI powered TAC support in customer experience.
At its core, AI is about data. And if you’re using data, privacy is paramount.
In 2015, we created a dedicated privacy team to embed privacy by design as a core component of our development methodologies. This team is responsible for conducting privacy impact assessments (PIA) as part of the Cisco Secure Development Lifecycle. These PIAs are a mandatory step in our product development lifecycle and our IT and business processes. Unless a product is reviewed through a PIA, this product will not be approved for launch. Similarly, an application will not be approved for deployment in our enterprise IT environment unless it has gone through a PIA. And, after completing a Product PIA, we create a public-facing Privacy Data Sheet to provide transparency to customers and users about product-specific personal data practices.
As the use of AI became more pervasive, and the implications more novel, it became clear that we needed to build upon our foundation of privacy to develop a program to match the specific risks and opportunities associated with this new technology.
Responsible AI at Cisco
In 2018, in accordance with our Human Rights policy, we published our commitment to proactively respect human rights in the design, development, and use of AI. Given the pace at which AI was developing, and the many unknown impacts—both positive and negative—on individuals and communities around the world, it was important to outline our approach to issues of safety, trustworthiness, transparency, fairness, ethics, and equity.
We formalized this commitment in 2022 with Cisco’s Responsible AI Principles, documenting in more detail our position on AI. We also published our Responsible AI Framework, to operationalize our approach. Cisco’s Responsible AI Framework aligns to the NIST AI Risk Management Framework and sets the foundation for our Responsible AI (RAI) assessment process.
We use the assessment in two instances, either when our engineering teams are developing a product or feature powered by AI, or when Cisco engages a third-party vendor to provide AI tools or services for our own, internal operations.
Through the RAI assessment process, modeled on Cisco’s PIA program and developed by a cross-functional team of Cisco subject matter experts, our trained assessors gather information to surface and mitigate risks associated with the intended – and importantly – the unintended use cases for each submission. These assessments look at various aspects of AI and the product development, including the model, training data, fine tuning, prompts, privacy practices, and testing methodologies. The ultimate goal is to identify, understand and mitigate any issues related to Cisco’s RAI Principles – transparency, fairness, accountability, reliability, security and privacy.
And, just as we’ve adapted and evolved our approach to privacy over the years in alignment with the changing technology landscape, we know we will need to do the same for Responsible AI. The novel use cases for, and capabilities of, AI are creating considerations almost daily. Indeed, we already have adapted our RAI assessments to reflect emerging standards, regulations and innovations. And, in many ways, we recognize this is just the beginning. While that requires a certain level of humility and readiness to adapt as we continue to learn, we are steadfast in our position of keeping privacy – and ultimately, trust – at the core of our approach.
Read the Cisco Consumer Privacy Study
Applaud the intent and commitment in approaching AI based on privacy principles of which transparency is a key attribute. hopefully other IT innovators will follow your lead and make AI governance foundational to their business model.