John Graves is an innovative legal leader and Senior Counsel at Nisos Holdings, Inc. He has a diverse legal background at the intersection of law, highly regulated industry, and technology. John has over two decades of legal experience advising business leaders, global privacy teams, CISOs and security teams, product groups, and compliance functions. He is a graduate of the University of Oklahoma.

AI is fundamentally changing the cybersecurity landscape. Threat actors are using AI to move faster, scale attacks, and create synthetic identities that are difficult for companies to detect. At the same time, defenders rely on AI to sift through large amounts of data and separate the signal from noise to determine whether usernames and email addresses are tied to legitimate users or malicious actors. As businesses rush to adopt AI, how can they do so without creating gaps that leave them vulnerable to risks and cyber threats? 

To stay ahead of evolving cyber risks, organizations should conduct tabletop exercises with security and technical teams. These exercises help business leaders understand risks like prompt injection, poisoned data, and social engineering by walking through how AI systems operate and asking what would happen if certain situations occurred. They are most effective when conducted early in the AI lifecycle, giving companies the chance to simulate attack scenarios and identify risks before systems are deployed. Companies also need to establish AI governance because, without oversight of inputs, processes, and outputs, AI adoption carries significant risk. 

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels chat with John Graves, Senior Counsel at Nisos Holdings, Inc., about how AI is reshaping cyber threats and defenses. John shares how threat actors leverage AI to scale ransomware, impersonate real people, and improve social engineering tactics, while defenders use the technology to analyze data and uncover hidden risks. He explains why public digital footprints of executives and their families are becoming prime targets for attackers and why companies must take human risk management seriously. John also highlights why establishing governance and conducting tabletop exercises are essential for identifying vulnerabilities and preparing leaders to respond to real-world challenges.

Robert S. Jett III (“Bob”) serves as the first Global Chief Data Privacy Officer at Bunge, where he leads global privacy initiatives and supports key projects in digital transformation, AI, and data management. With over 30 years of legal and in-house counsel experience across manufacturing, insurance, and financial services, he has built and managed global programs for compliance, data privacy, and incident response. Bob has worked extensively across IT, cybersecurity, information security, and corporate compliance teams. He holds a BA in international relations and political science from Hobart College and a JD from the University of Baltimore School of Law. Bob is active in the ACC, IAPP, Georgia Bar Privacy & Law Section, and the Maryland State Bar Association.

Managing privacy and security across multiple jurisdictions has never been more challenging for global companies, as regulations evolve and privacy, security, and AI risks accelerate at the same time. The challenge becomes particularly acute for businesses managing supply chains that span dozens of countries, where they must navigate geopolitical shifts and comply with strict employee data regulations that differ by region. These organizations also face the added complexity of governing AI tools to protect sensitive data. Navigating these challenges requires close coordination between privacy, security, and operational teams so risks can be identified quickly and addressed in real time. 

A simple way global companies can address these challenges is by embedding privacy leaders into operational teams. For global companies, like Bunge, regular communication between privacy, IT, and cybersecurity teams keeps threats visible in real time, while cross-collaboration helps identify vulnerabilities and mitigate weak points. The company also incorporates environmental, social, and governance (ESG) principles into its privacy framework, using traceability to validate supply chain data and meet regulatory requirements. When it comes to managing emerging technologies like AI, foundational privacy principles apply. Companies need to establish governance for data quality, prompt management, third-party vendors, and automated tools, such as AI notetakers. These steps build transparency, reduce risk, and strengthen trust across the organization. 

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Robert “Bob” Jett, Global Chief Data Privacy Officer at Bunge, about building and leading a global privacy program. Bob emphasizes the importance of embedding privacy leadership into operational teams, like IT departments, to enable collaboration and build trust. He discusses strategies for adhering to ESG principles, managing global employee data privacy, and applying privacy fundamentals to AI governance. Bob also provides tips for responsible AI use, including the importance of prompt engineering oversight, and explains why relationship-building and transparency are essential for effective global privacy and security programs.

Mason Clutter is a Partner and Privacy Lead at Frost Brown Todd Attorneys, previously serving as Chief Privacy Officer for the US Department of Homeland Security. Mason’s practice is at the intersection of privacy, security, and technology. She works with clients to operationalize privacy and security, helping them achieve their goals and build and maintain trust with their clients.

Companies are facing new challenges trying to build privacy programs that keep up with evolving privacy laws and new AI tools. Laws, like Maryland’s new privacy law, are adding pressure with strict data minimization requirements and expanded protections for sensitive and children’s data. These shifts are driving companies to reconsider how and when privacy is built into operations. So, how can companies effectively design privacy programs that address regulatory, operational, and AI-driven risks? 

Companies can start by embedding privacy and security measures into their products and services from the start. AI adds another layer of complexity. While organizations are trying to use AI for efficiency, confidential or personal information is often entered into AI tools without knowing how it will be used or where it will go. Vague third-party vendor contract terms and downstream data sharing compound the risk. Staying compliant means understanding each AI use case, reviewing vendor contracts closely, and choosing AI tools that reflect a company’s risk tolerance and privacy and security practices.

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels chat with Mason Clutter, Partner and Privacy Lead at Frost Brown Todd Attorneys, about how companies can navigate complex privacy, security, and AI challenges. Mason shares practical insights on navigating Maryland’s new privacy law, managing vendor contracts, and downstream AI risks. She explores common privacy misconceptions, including why privacy should not be one-size-fits-all or checkbox compliance exercise. Mason also addresses growing concerns around AI deepfakes and why regulation alone is not enough without broader public education.

Allison Schiff is the Managing Editor at AdExchanger, where she covers mobile, Meta, measurement, privacy, and the app economy. Allison received her MA in journalism from the Dublin Institute of Technology in Ireland (her favorite place) and a BA in history and English from Brandeis University in Waltham, Mass.

Ad tech companies are under increasing pressure to evolve their privacy practices. What was once considered a “wild west,” loosely regulated environment, is now being reshaped by regulatory enforcement actions and shifting consumer expectations. Many companies are becoming more selective about their vendors, implementing privacy by design, and embracing data minimization practices after years of unchecked data collection. While at the same time, many ad tech companies are rushing to position themselves as AI companies, often without a clear understanding of the risks and how these claims align with consumer trust.

To meet rising regulatory and consumer expectations, some ad tech companies are taking concrete steps to improve their privacy posture. This includes auditing third-party tools, removing unnecessary tracking pixels from websites, and gaining more visibility into how data flows through partner systems. On the AI front, research shows that consumer trust drops when AI-generated content is not clearly labeled and that marketing products as AI-powered makes them less appealing. These findings point to the need for greater transparency in company data collection practices and marketing and AI transparency. 

In this episode of the She Said Privacy/He Said Security podcast, Jodi and Justin Daniels speak with Allison Schiff, managing editor at AdExchanger, about how ad tech companies are adapting to regulatory scrutiny and evolving consumer privacy expectations. Allison shares how the ad tech industry’s approach to privacy is maturing, and explains how companies are implementing privacy by design, reassessing vendor relationships, and using consent tools more intentionally. She offers insight into how journalists utilize AI while maintaining editorial judgment and presents concerns about AI’s impact on critical thinking. Allison also describes the disconnect between AI marketing hype and consumer preferences, and the need for companies to disclose the use of AI-generated content to maintain trust.

Heather Kuhn is Privacy, Security, and Technology Counsel at Genuine Parts Company. She is a privacy and technology attorney with nearly two decades of professional cross-industry experience. She teaches at Georgia State College of Law, serves on the Georgia Bar’s AI Committee, and formerly chaired its Privacy & Technology Section, leading conversations at the intersection of law, AI, and innovation.

Embedding privacy and security practices into a large, global business requires more than policies. It takes early collaboration, constant relationship building across teams, and a deep understanding of business goals. Privacy programs are most effective when they build consumer trust, increase operational efficiency, meet privacy requirements, and support strategic business goals, like revenue growth and product development. And as companies continue to adopt AI, the same principles apply to managing AI risk. Teams need to evaluate how data is used, assess risks, and adapt existing privacy and security measures to new technologies.

Managing privacy across a massive global company requires building the right partnerships and embedding privacy-by-design principles from the start of projects. Most companies have small but mighty privacy teams, so the key is finding privacy champions across the business to handle operational functions while the privacy team sets global policies and procedures. Data mapping and privacy impact assessments are critical tools that help identify risks and right-size privacy programs. This also extends to the customer experience, where meaningful consent, clear privacy notices, and giving users control strengthens trust. Privacy training is also essential for internal teams and works best when it’s interactive and relevant to an employee’s daily work rather than abstract compliance requirements. 

In this episode of She Said Privacy/He Said Security, Jodi Daniels and Justin Daniels speak with Heather Kuhn, Privacy and Technology Counsel at Genuine Parts Company, about operationalizing privacy and security across a global enterprise. Heather explains how early engagement, strong internal relationships, and cross-functional collaboration make it possible to scale privacy programs without slowing the business. She shares how her team uses data mapping and privacy impact assessments to right-size privacy programs and privacy requirements and emphasizes the need to embed privacy into customer experiences through clear privacy notices and meaningful consent. Heather also highlights the importance of privacy training tied to employee roles, delivered through in-person sessions and gamified content. And she explains how her department uses generative AI to enhance legal team efficiency, and how she approaches privacy risks associated with AI tools and automation.

Alexandria “Lexi” Lutz is a privacy attorney and the Founder of Opt-Inspire, Inc., a nonprofit dedicated to helping seniors and youth build digital confidence and avoid online scams. By day, she serves as Senior Corporate Counsel at Nordstrom, advising on privacy, cybersecurity, and AI across the retail and technology landscape.

Online scams are becoming more sophisticated, targeting older adults with devastating financial consequences that often reach tens of thousands of dollars with little recourse. From tech support fraud to AI-driven deepfakes that mimic loved ones’ voices, these scams prey on isolation, fear, and digital inexperience. Many families struggle to protect their aging parents and grandparents, especially when conversations about digital risks are met with resistance from loved ones. How can we bridge the digital literacy gap across generations and empower seniors to navigate these evolving threats?

The urgency is real. In 2024, seniors lost nearly $5 billion to scams, a 43 percent increase from the previous year. Scammers are using voice cloning, fake emergencies, and fear-based messaging to pressure people into giving up money or sensitive personal information. Education can be a powerful defense, and that's why Opt-Inspire delivers engaging, volunteer-led workshops tailored to senior living communities, teaching practical skills like recognizing fake emails and enabling two-factor authentication. Protecting aging loved ones against technology and AI-driven scams requires proactive and hands-on education. Opt-Inspire equips seniors with the tools and knowledge to stay safe online through engaging, community-based seminars. The nonprofit delivers in-person and volunteer-led workshops tailored to senior living communities, addressing both technical literacy and emotional manipulation tactics. Through scripts, visuals, and a "Make It Personal" toolkit with conversation starters, Opt-Inspire also equips families with resources to discuss digital safety with loved ones in a constructive and relatable way. 

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Alexandria (Lexi) Lutz, Senior Corporate Counsel at Nordstrom and Founder of Opt-Inspire, about building digital confidence among seniors. Lexi shares how a personal family experience inspired her to launch a nonprofit focused on preventing elder fraud. She delves into the most common scams targeting older adults today, including government impersonation, romance cons, and AI-generated deepfakes. Lexi emphasizes the importance of proactive education, enabling two-factor authentication, and weekly family check-ins. She also offers practical advice and resources for privacy professionals and family members alike who want to make a positive impact.

Anne Bradley is the Chief Customer Officer at Luminos. Anne helps in-house legal, tech, and data science teams use the Luminos platform to manage the automated AI risk, compliance, and approval processes, statistical testing, and legal documentation. Anne also serves on the Board of Directors of the Future of Privacy Forum, a nonprofit that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies.

AI is being integrated into everyday business functions, from diagnosing cancer to translating conversations and powering customer service chatbots and autonomous vehicles. While these tools deliver value, they also bring privacy, security, and ethical risks. As organizations dive into adopting AI tools, they often do so before performing risk assessments, establishing governance, and implementing privacy and security guardrails. Without safeguards and internal processes in place, companies may not fully understand how the tools function, what data they collect, or the risk they carry. So, how can companies efficiently assess and manage AI risk as they rush to deploy new tools? 

Managing AI risk requires governance and the ability to test AI tools before deploying them. That’s why companies like Luminos provide a platform to help companies manage and automate the AI risk compliance approval processes, model testing, and legal documentation. This platform allows teams to check for toxicity, hallucinations, and AI bias even when an organization uses high-risk tools like customer-facing chatbots. Embedding practical controls, like pre-deployment testing and assessing vendor risk early, can also help organizations implement AI tools safely and ethically.

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Anne Bradley, Chief Customer Officer at Luminos, about how companies can assess and mitigate AI risk. Anne explains the impact of deepfakes on public trust and the need for a regulatory framework to reduce harm. She shares why AI governance, AI use-case risk assessments, and statistical tools are essential for helping companies monitor outputs, reduce unintended consequences, and make informed decisions about high-risk AI deployments. Anne also highlights why it’s important for legal and compliance teams to understand business objectives driving an AI tool request before evaluating its risk.

Nick Oldham is the Chief Operations Officer, USIS, and Global Chief Risk, Privacy and Compliance Officer at Equifax Inc. A forward-thinking legal and operations executive, Nick has a proven track record of driving large-scale transformations by integrating legal expertise with strategic operational leadership. He oversees all enterprise-wide second-line functions, leading initiatives to embed AI, enable data-driven decision-making, and deliver innovative, compliant solutions across a $1.9B business unit. His focus is on building efficient, scalable systems that align with both compliance standards and long-term strategic goals.

Many companies are rushing to adopt AI tools without adequately training their workforce on how to use them responsibly. As AI becomes embedded in daily business operations, the biggest risk isn’t the technology itself, but the lack of human understanding around how AI works and what it can do. When teams struggle to understand the differences between machine learning and generative AI, it creates risks and makes it harder to establish appropriate privacy and security guardrails. Human training is AI's greatest weakness and strength, and closing that gap involves rethinking how companies educate and train employees at every level. 

The responsible use of AI depends on human judgment. Companies need to embed privacy education, critical thinking, and AI risk awareness into training programs from the start. Employees should be taught how to ask questions, evaluate model behavior, and recognize when personal information is being misused. AI literacy should also extend beyond the workplace. Introducing it in high school or even earlier helps prepare future professionals to navigate complex AI tools and make thoughtful, responsible decisions.

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Nick Oldham, Chief Operations Officer, USIS, and Global Chief Risk, Privacy and Compliance Officer at Equifax, about the role of human training in AI literacy. Nick breaks down the components of AI literacy, explains why everyone needs a foundational understanding, and emphasizes the importance of prioritizing privacy awareness when using AI tools. He also highlights ways to embed privacy and security into AI governance programs and provides actionable steps organizations can take to strengthen AI literacy across teams.

Andrew Clearwater is a Partner at Dentons’ Privacy and Cybersecurity Team and a recognized authority in privacy and AI governance. Formerly a founding leader at OneTrust, he oversaw privacy and AI initiatives, contributed to key data protection standards, and holds over 20 patents. Andrew advises businesses on responsible tech implementation, helping navigate global regulations in AI, data privacy, and cybersecurity. A frequent speaker, he offers insight into emerging compliance challenges and ethical technology use.

Many companies are diving into AI without first putting governance in place. They often move forward without defined goals, leadership, or alignment across privacy, security, and legal teams. This leads to confusion about how AI is being used, what risks it creates, and how to manage those risks. Without coordination and structure, programs lose momentum, transactions are delayed, and expectations become harder to meet. So how can companies build a responsible AI governance program?

Building effective AI governance programs starts with knowing what’s in use, why it’s in use, what data AI tools and systems collect, the risk it creates, and how to manage it. Standards like ISO 42001 and the NIST AI Risk Management Framework help companies guide this process. ISO 42001 offers the benefit of certification and supports cross-functional consistency, while NIST may be better suited for organizations already using it in related areas. Both frameworks help companies define the scope of AI use cases, understand the risks, and inform policies before jumping into controls. Conducting data inventories and utilizing existing risk management processes are also essential in identifying shadow AI introduced by employees or third-party vendors.

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Andrew Clearwater, Partner at Dentons, about how companies can build responsible AI governance programs. Andrew explains how standards and legal frameworks support consistent AI governance implementation and how to encourage alignment between privacy, security, legal, and ethics teams. He also outlines the importance of monitoring shadow AI across third-party vendors and practical steps companies can take to effectively structure their AI governance programs.

Merry Marwig is the VP Global Communications & Advocacy at Privacy4Cars. Merry is a pro-consumer, pro-business privacy advocate who is optimistic about what data privacy rights mean for everyday people — and for the companies they do business with. At Privacy4Cars, she helps protect drivers’ and passengers’ personal data while creating business opportunities for automotive companies.

Modern cars are like computers on wheels, collecting and storing data just like smartphones or laptops. Unlike those devices, however, vehicle data is often left unencrypted and persists long after a car is sold, rented, or reassigned. This is especially problematic for businesses that use corporate cars, rental vehicles, fleet vehicles, or personal vehicles for work purposes. Sensitive information such as contact lists, text messages, navigation history, and even security credentials can remain stored in vehicles long after they change hands, posing significant privacy, security, and even physical safety risks.

To take control of sensitive data, companies need to establish data deletion policies for all vehicles used in a business context. This includes requiring rental agencies and fleet management providers to delete stored data and offer certificates of deletion when cars are returned or decommissioned. Companies should also require automotive providers to provide VIN-specific data disclosures so drivers understand what data the vehicle collects and how it's used and shared. Additionally, companies need to consider how privacy regulations like GDPR and CCPA apply to vehicle data collection and use it to inform their internal policies and third-party contracts.

In today’s episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Merry Marwig, VP Global Communications & Advocacy at Privacy4Cars, about the privacy and security risks of data collected and stored in vehicles. Merry explains how cars used for work, whether rental, fleet, or personal, retain unencrypted personal and company data that can be exploited when vehicles change ownership or are decommissioned. She shares real-world case studies involving sensitive information left behind in cars, including banking credentials, contact lists, and patient health records. Merry also outlines how data deletion policies and VIN-specific disclosures, required through contracts with automotive providers, help companies reduce privacy and security risks.