


André Boucher, SVP Technology and Information Security (CTO/CISO) at National Bank of Canada, managed the transition from commanding Canadian Forces Cyber Command to leading security at a systemically important financial institution by recognizing that governance expertise matters more than technical depth at scale. His approach to shadow AI involves enabling experimentation early with secure platforms that business teams actually prefer, reducing the appeal of unauthorized tools. Rather than aggressive detection that drives behavior underground, they created environments where innovation happens within guardrails. This shifts security from adversarial to collaborative, treating 31,000 employees as team participants rather than risks to manage.
André emphasizes that data inventory across structured and unstructured environments remains the hardest unsolved problem, not because organizations lack tools but because they haven't achieved ecosystem maturity around taxonomy and classification. He explains why third-party risk management is reaching crisis levels as major vendors embed AI features without notice or transparency, creating blind spots in supply chains that regulatory frameworks can't yet address.
Topics discussed:
The translation of military governance and strategy frameworks into private sector security at systemically important financial institutions.
Shadow AI management through platform enablement and secure experimentation rather than detection and prevention tactics.
Data inventory and classification as the foundational challenge most organizations underestimate despite its criticality for AI governance.
The board strategy mandate versus grassroots adoption pressure dynamic and how platform teams bridge the gap without creating friction.
Third-party risk amplification as vendors embed AI features without transparency, notice, or updated contractual language.
How awareness training reaches its limits when synthetic actors become indistinguishable from humans in video communications.
AI use cases in security tooling focused on modeling normal behavior and reducing triage burden rather than autonomous response.
Building high-performing security teams around ethics, mission, and non-linear career experience rather than purely technical credentials.
Treating employees as security team participants at scale and how that shifts organizational dynamics from adversarial to collaborative.
By Qohash