Governing Data from AI/IoT

When the sci-fi movie “A.I.” by Steven Spielberg came out in 2001, the idea of a robot behaving like humans seemed like a distant dream. But machines displaying intelligence have become very mainstream in the last decade to a point where any device that does not offer connectivity or lacks basic intellect is considered obsolete. We want our phones, wearables, appliances, homes, and even cars to be “smart” and “connected”.

The Internet of Things, or IoT, can be described as a network of devices that can collect, analyze and transmit data. Artificial Intelligence, or AI, is the ability of machines to demonstrate intelligence by performing certain tasks without any human interference.

With AI, IoT devices can be expected to continue to become more “smart” in their behavior, improve in decision-making interfaces with humans and operate autonomously. The possibilities of what can be done with this are huge, and understandably most companies are already beginning to leverage these capabilities.

As of 2020, there are approximately 11.7 billion IoT devices, and the number is expected to grow to 30 billion by 2025. Not only do such devices generate and collect huge volumes of data, but it is also significantly difficult to monitor what data is being stored and how it is used.

What does this mean for governing the data generated by such large numbers of devices? Should alarm bells around data and privacy be going off?


Intelligent devices are not limited to personal devices and home appliances; these technologies are gaining widespread recognition across several sectors such as energy, health care, manufacturing, transportation, etc.

Along with the potentially game-changing benefits, the combination of IoT and AI brings some challenges around data, privacy and security that need to be carefully considered (see The Internet of Things and Information Governance for broader discussion around key challenges).

It is important to understand how the IoT and AI technology ecosystem will work. The use cases might seem futuristic, but many of these are already happening today. It is critical that companies have robust mechanisms in place to understand and govern IoT and AI data.

What should IG Professionals be doing now about IoT and AI?

It is pretty evident that IoT has entered into our lives and is bound to stay here for a very long time. As an Information Governance (IG) professional, you should make sure that your company’s policies and frameworks can handle the risks associated with IoT.

A critical first step is gaining awareness of where and how IoT and AI are currently being used within your organization. You will need to know what data is being collected, how it is being used and the decisions being made based on this data. Risk mitigation is not possible without a full understanding of the data and the context of use. A good place to capture this level of detail would be in your organization’s Data Map.

You will need to ensure your policies and frameworks are adapted to handle IoT data. The most recent NIST guidelines differentiate between typical IT assets and IoT assets. They highlight the fact that IoT devices operate differently and need to be managed differently than regular IT assets.

You need to be able to incorporate the privacy impacts associated with IoT data. These devices can collect more granular data at the point of usage. The privacy policy and disclosures should highlight this to customers, employees, and other stakeholders.

When combined with AI for decision making, ethical aspects might have to be considered. These can include handling biases in the automated decision-making process or navigating the impact of decisions made with inaccurate inputs.