Category Archives: Technology

Forget Consequence Free. I wanna be Gen-AI Free!

To the tune of Consequence Free by Great Big Sea.

Na na-na, na na na-na na na!
Na na-na, na na na-na na na!

Wouldn’t it be great,
if no one ever was redundant?
Wouldn’t it be great,
if we made all the decisions?

I’ve always said,
All the rules are made for bending.
And if I did the right thing,
What’s wrong with that vision?

I wanna be Gen-AI free!
I wanna be where humans always matter.
I wanna be Gen-AI free!
And say: Na na-na, na na na-na na na!
Oh! Na na-na, na na na-na na na!

I could really use,
To lose my ethical conscience.
Cause I’m getting sick,
Of feeling angry all the time.

I won’t abuse it,
Yeah I’ve got the best intentions.
For a little bit of anarchy,
But not the hurting kind.

I wanna be Gen-AI free!
I wanna be where humans always matter.
I wanna be Gen-AI free!
And say: Na na-na, na na na-na na na!
Oh! Na na-na, na na na-na na na!

Oh! I couldn’t sleep at all last night,
‘Cause I had AI on my mind.
Why can’t we leave it all behind,
You know it could be that easy.

It just takes one person
Wouldn’t it be great,
If the CEO made that call
We could do the work,
And we would never get the slip.

Wouldn’t need to worry about illogic or bad data.
We could slip off the edge,
And never worry about the fall.

I wanna be Gen-AI free!
I wanna be where humans always matter.
I wanna be Gen-AI free!
And say: Na na-na, na na na-na na na!
Oh! Na na-na, na na na-na na na!
Oh! Na na-na, na na na-na na na!

the doctor, while an early adopter of SSDO, rule-based RPA, Machine Learning, and other “AI” technologies, is serious here. Gen-AI is garbage at best, bull crap the majority of the time, and toxic waste when it fails. What other technology produces hallucinations, hate speech, and hot (as in stolen) data on a regular basis? What other technology has literally convinced people to commit suicide?

It’s not ready for prime-time, and may never be. Go back to carefully constructed NLP solutions on carefully designed data sets that actually work. We don’t need Artificial Idiocy where you need more training in prompting to have a chance at solving a problem than developers need training in coding to write a reliable deterministic algorithm that actually solves the problem. Sure it seems to work “okay” 90% of the time with normal usage, but what about that 9% of the time it doesn’t or the 1% it fails so drastically it could cost you millions of dollars in direct and indirect damages? Is it worth it? (The answer is NO!)

Some light reading. More can be found by Googling Gen-AI Fails and similar search terms.

An Introduction to TPCM: Third Party Compliance Management

TPRM: Third Party Risk Management is Big. Really Big. In fact, as evidenced by recent investments over the past year (Spectrum’s 200M investment in RapidRatings in 2022, Vista Partners acquisition of Resilinc, and now the 1.2B acquisition of Exiger by Carlyle and Insight), it’s HUGE. Actually HUGE! (Not Trump huge. In fact, the exact opposite. 😉 )

Why? The pandemic finally caused the space to wake up and realize not only how significant long-term disruptions are, but how much risk has been embedded in over-extended global supply chains over the last thirty-plus years (thanks to the global sourcing craze started by the Big X and Mid-Sized Consultancies that chimed in during the 90s as a method of “cost savings”, which really just resulted in “spend transference” to big consultancy pockets and the buildup of risk, and risk related debts, in the supply chain that, just like technical debt, always comes due someday). Big corporations have finally realized they need to manage that risk, or at least maintain constant visibility into it, if they want to get the supply they need to just stay in business. (At the end of the day, “cost savings” don’t matter if you don’t actually stay in business, which is what happens when you don’t receive any products to sell. So you need to assure supply first, and then avoid unnecessary cost second — especially since there is no real “savings”, just cost avoidance with improved processes, designs, networks, management, etc.)

As a result, these companies, who were mostly clueless about the risks (sometimes by choice), needed solutions now to at least get insight into the risks so they could plan mitigations, or at least take action when something happened. Since their traditional enterprise / manufacturing resource management, supply chain, source-to-pay, or back-office systems didn’t give them the insight they needed, they finally started to turn to TPRM (and in some case, broader SCRM – Supply Chain Risk Management) systems in a big way.

And that’s great. Until it isn’t. As a result of all of the supply chain failures and the impending disasters they created across supply chains, not just health and defense, governments have started taking action and introducing a lot more regulatory compliance into the mix. This is at the same time they are waking up to the wild west of technology and introducing a lot more regulation into the mix around personal data and use of AI. And with fraud and money laundering seemingly increasing without end, there’s a lot more regulation around partner due diligence. And then there is the reality that the world is heating up (whether you believe in climate change or not), that this heating up is contributing to an extremely substantial increase in natural disasters, that temperature is correlated with carbon and greenhouse gasses (GHG) in the atmosphere, that we are currently producing a lot of carbon and GHG as a species, and while we may not have been entirely responsible for getting here (as there are other factors that cause temperature to naturally rise and fall on a planetary scale — although the changes we’ve seen in the last few decades have historically taken centuries or millennia looking at the geological record), we need to do everything we can to not make it worse (or risk natural disasters on a scale that have not been seen for millennia, and that have sometimes even led to extinction level events in the past). In response to this, countries are making commitments to the Conference of the Parties of the UNFCCC and instituting legislation limiting the carbon you can create (without fines or fees to offset that, presumably fines or fees that will be invested in greener energy options, but we have to admit many governments haven’t thought that far ahead) and the amount of other pollutants you can pump out.

In other words, not only do companies have to worry about more risks than they are aware of, they also have to deal with more regulations than they can easily keep track of (and, when they’re not on the ball, they don’t find out about them until they get a fine) — as well as dedicate way more time than they should gathering the required information for, and filling out, the appropriate reports and filings.

Moreover, and this shouldn’t surprise you, the vast majority of TPRM (and even SCRM-TPRM) systems don’t help with this at all. While they can be configured to detect issues that may represent potential violations, they generally don’t collect the reporting data that is required and typically don’t provide the detailed trickle-down visibility that is needed to verify that key requirements — such as personal data protection, no forced labour, etc. — are truly adhered to throughout the chain.

That’s why many big multi-national organizations, especially those that collect and process personal data, do a lot of global importing or exporting, or deal with extended supply chains and have to comply with extensive privacy regulations AND data protection laws in the finance sector, have to comply with hundreds of sanctions and denied party lists globally (as well as ensure there are no connected beneficial entities on those lists), and/or need visibility down to the source on human rights needs a solution that understands the regulations they are subject to, encodes the data they need to collect and the violations (special types of risk) they need to monitor for, and helps them produce the reports and regulatory filings they need to make.

And the only system that can do this is a Third Party Compliance Management solution, which has some commonality with a Third Party Risk Management solution, but also a lot of differentiation as well. Most organizations won’t know they need such a solution, as they won’t even know that such a solution exists (as there’s not many solutions and not much buzz about them … yet). Hopefully this post will change all that. Even though the solutions are two sides of the same coin, the sides haven’t met yet, and until they do, which could be years (and years and years) away (because no one has really thought about the hard center yet), for many companies, what they really need is a TPCM solution.

10 Great Questions to Pre-Qualify a Vendor Before Onboarding for a Deep Dive, Courtesy of Certa

A recent article in the SCMR by Jag Lamba, the CEO of Certa, a Third Party Risk Management (TPRM) vendor headquartered in California and focussed on compliance, risk, and ESG had some very good questions to ask before engaging with a US vendor, but some of them were very US-centric and others took a platform based approach. (You certainly need a platform, but certain areas, like security, go beyond the platform.)

But if we generalize these questions, they are relevant for everyone, and make it clear why you need a Third Party Risk Management (TPRM) platform that goes just beyond key suppliers/vendors, and beyond product and service needs. (And if you’re wondering what you need a TPRM, check out Part 4A and Part 4B of our new Source-to-Pay+ series where we are currently focussing on Risk Management.) They’re also industry independent and can allow you to short circuit a time-consuming industry (product/service) specific diligence because if the third party fails any of these questions, why would you bother going deeper? Just move on to the next contender!

  1. Does the vendor meet the needs of its customer base?: Any major negative news headlines? Any drops in financial performance? Any grumblings on Glass Door? Any of your counterparts in local groups or associations using them and bad mouthing them?
  2. Does the vendor have the operational capability AND capacity to serve you?: If you need a modern machining process or a vendor who can produce a minimum of a million units, don’t bother with any vendors that don’t have the process or can’t produce a million units.
  3. What financial and sustainability reporting process are they subject to? : The best way to ascertain their ability to stay compliant with financial and other regulatory (like ESG) requirements is to review the government reports. (They may [white] lie in their marketing, and then claim you misinterpreted, but they’re not as likely to lie to the government who could fine them, criminally charge them [in some countries], or shut them down.)
  4. How do they approach security?: Not just cyber security, but facility security, personnel security, and information security. Over half the attacks come from the cloud because it’s easy when you leave a security hole, hackers don’t have to leave their basement, they can attack you half a world away, and face no repercussions because there are no extradition treaties and the local authorities just don’t give a f*ck if they aren’t doing any criminal activity in their country. But when that fails, their local counterparts try to break into the facilities — if the vendor stores unsecured physical copies of critical IP, local backups of sensitive IP on unsecured USB/Zip/Thumb drives, or a lot of money on site — all someone has to do is walk in with a workman’s uniform, enter the backroom to check the wiring when no one’s in it, stuff something in their workbag or pocket, and, buh-bye. If your personnel are not trained to detect social engineering attempts, then someone’s going to have a little chat with them, something like “Hi, what do you do? Oh, is that your doggie in the picture, what’s your doggie’s name? My doggie’s name was Scooter. You know it’s my birthday tomorrow. I’m a Scorpio. What about you? So you were born in 1979 and you’re a goat like me in the Chinese zodiac? Cool! Hey, you know that I was just reading that most people use their birthday and pet’s name as a password. I thought it was only me. What, you do too? Aww, so cute. Well, nice meeting you.” Network access granted! And then if you’re not ensuring all personal, confidential, or sensitive IP is clearly marked, only stored in locked filing cabinets, always encrypted, and those files only on secure, encrypted, network drives, hackers are going to easily find those files accessible from limited access accounts with weak-passwords accessible by brute force.
  5. Do they do business with any entities sanctioned in your country?: If so, they are probably a no-go. You don’t want to be only one degree of separation removed from a sanctioned entity. (And, of course, they shouldn’t be sanctioned — because you shouldn’t be considering them at all if they are!)
  6. Would you have a backup plan if their suppliers or partners they relied on got sanctioned?: i.e. if you need to locate a complete production line in one geography, and there is only supplier of a key raw material or part in that geography, maybe you’re looking in the wrong geography
  7. What is their viewpoint on diversity?: great suppliers encourage diversity and look for good people that represent the entire cross-section of humanity in the area in which they operate; they don’t have arbitrary goals or the one Token black in the C-suite to check a box; they hire all races, cultures, religions, ages, etc., train them all, and then promote the best (and, over time, they build a diverse management team)
  8. Are their objectives aligned with your objectives?: If your objective is quality and distinction for the wealthy, and their objective is cut costs no matter what, they are probably not the supplier for you.
  9. Do they have a sustainability program. And is it sensible?: In some jurisdictions, they not only have to report down to “Scope 3”, but stay within a limit for overall emissions, or get in (financial) trouble (with fines, etc.). And if you have to report as well for doing business with them, or to satisfy the regulatory requirements of a region you operate in, and they can’t report to you, that’s not good. Not good at all.
  10. What level of risk will they add to your business?: If you’re happy with the answers to the first 9 questions, before you dive deep into certifying their products and services, their production lines and capacities, etc., ask this first. If the risk is too great in general, it might be a no-go before you start. And this is why you need a comprehensive TPRM platform to do a preliminary assessment.

And yes, Certa is one platform that might be able to help you, and one you should add to your RFP invite list if you don’t have a TPRM. We will note that they’re not the only one (and this could be relevant if you are in the EU and need a local provider), and that we’ll list others in Part 10 of our Source-to-Pay+ series, but close by stating that you should not overlook Certa. They’ve been around for a decade, have raised over 50M, likely integrate into whatever you’re already using in your Source-to-Pay process (with integrations to 100+ platforms and data feeds), have pre-built solutions for Compliance / Risk / ESG, and have a number of Fortune 500 clients.

An Absolutely Fabulous Article by Cory Doctorow on the (Gen) AI Bubble …

and how it’s going to pop like every other tech bubble since the first dot com bust!

What Kind of Bubble is AI?
  by Cory Doctorow

Cory doesn’t say it, but he makes it pretty clear that when the bubble pops, like every tech bubble that has come before, there may not be much less to salvage when it does (especially since no one is thinking about what happens when it does pop).

So I’ll clarify:

A lot of people are going to lose a lot of money

(and while stupid investors hyping this bandwagon heading for a cliff probably deserve to lose every penny, all of the pensioners in the pension funds they scammed don’t; so if you run a pension fund, please pull out of ridiculously overvalued Gen AI NOW!)

A lot of people are going to lose their jobs

(and it’s going to be more devastating to the tech sector than the Silicon Valley Bank failure this year combined with the recession forecast that resulted in over 250K IT jobs being slashed in the USA alone)

A lot of hardware is going to suddenly go idle

and smaller cloud providers are going to go under when the big name cloud providers all of a sudden drop their prices to the floor just to keep the revenue coming in (resulting in the monopolies of Amazon, Google, and Microsoft controlling most of the servers outside of China and Russia)

The problem is, as Cory clearly lays out, when you take one step back and look at the ridiculous hype from a business/revenue lens, all of the big, exciting use cases for AI are either

a) low dollar [and low-stakes and fault-tolerant] (helping us cheat on our [home]work or generating stock-art for bottom feeders [who won’t pay an artist and don’t mind ripping off the IP from thousands of artists]) or

b) high-dollar but high-stakes and fault-intolerant (self driving cars, radiological cancer detection, worker screening and hiring, etc.)

and when you consider the data center costs of these super-sized models (as these data centers consume MORE energy than a small town), low-dollar AI applications won’t pay the bills and high-dollar AI applications cost MORE to deploy than to just do it the traditional way with an educated and capable human!

E.g. self-driving cars don’t work (and “Cruise” needs to employ 1.5 times as many supervisors as a taxi service would employ drivers to keep their cars, which still hit and critically injure people, relatively safe)

E.g. radiological cancer detection requires a human expert to spend the usual amount of time in diagnosis before consulting the AI, and then, if the AI doesn’t agree, spend that much time again

Not that we’re not stopping you from jumping on the (Gen-)AI bandwagon or selling that silicon snake oil that Open AI and Microsoft AI are selling. We’re just not joining you on the (Gen-)AI bandwagon as the steering algorithm is defective and it’s heading straight for a very high cliff at a very high speed …

Merry Christmas!

Good Questions to Ask If Procuring Tools With AI, Especially If You’ve Answered the First Question Wrong!

Continuing on with our statement that sometimes you have to listen to a lawyer, a recent article over on Bloomberg Law noted that Companies Should Ask These Risk Questions When Procuring AI Tools and gave us four questions in particular that were good:

Do I Understand the Data

The article gets it right when it says that AI tools are only as robust as the data they’re trained on, as well as the need to know what data is collected, how, and if all rights are respected when doing so. But what they didn’t get is that the data determines what models and techniques can be used, and what models won’t be that effective or reliable. A vendor sales rep will tell you that whatever technique it’s using is just right for your problem, but the reality is that the sales rep likely doesn’t have anywhere close to the mathematical knowledge to know if its appropriate or not, especially since that sales person may have barely passed remedial junior math (as not all US states require remedial senior math to graduate High School). Furthermore, there’s no guarantee that even the tech teams know if the model is appropriate or not. If the company just hired a bunch of developers with maybe a year of university math, gave them access to a bunch of libraries, and all they did was test out various machine learning models until one appeared to work to a sufficient degree of accuracy on the test suites they compiled, it doesn’t mean they understand the model, why it worked, or even the appropriate characteristics of the data set that allowed the model to work — it just means that they can say for data sets that look like this, it should work. (But what is look like?) You need to understand the data, and find someone who understands the models that it is appropriate for.

Have I considered Regulatory Scrutiny?

Not only do you have to take note that The Department of Justice, Federal Trade Commission, and other regulators are focused on whether technology companies and their tools create anti-competitive environments or put consumers at a disadvantage, but many jurisdictions are considering or implementing laws against the use of black-box technology where the output — which determines whether or not a person can get a loan, be insured, or even apply for a job or government program — and the logic behind the decisions, and the rules that were applied, cannot be explained. You could also be in trouble if the process is fully automated and there isn’t a human in the loop to validate the decision, if the systems uses (third party) data that it has no right to use, or if the output data is not sufficiently protected if it was generated from input data that must be protected and the output can be reverse engineered.

Have I Mitigated Security Risks?

It’s not just traditional cyber attacks on the system, it’s well calculated queries that can slightly perturb the system over time until the outputs after the 10th, 100th, or 1000th slight, imperceptable, perturbation result in an output the system never should have given in the first place, such as approving a ten million dollar loan to a high-risk foreigner who will take the money and run or denying insurance to all people with a genetic defect likely to result in a specific condition down the road that can only be treated by a single drug owned by a single pharmaceutical who will drive people into bankruptcy for a pill that costs $5 to make.

Did I include Best Practices in the Contract?

More specifically, did you include the best practices you want followed in the contract? Don’t leave best practices up to the vendor to define however they want to define them. Make sure you cover all necessary security measures, compliance with all government and regulatory guidelines on AI in the regions you intend to use it (and open standards if there are none, guidelines from the UN, the Responsible AI Institute, or something similar), and so on.

And these are great questions, but the first question you should always ask is:

Do I Really Need AI?

And only when you choose the wrong answer, and say yes, do you need to ask the questions above. The reality is that you don’t ever need AI. AI means that you, or the vendor, were just unwilling to take the time to understand the problem and design an appropriate solution. Remember that when you try to jump on the AI bandwagon heading off the cliff (for the sixth decade in a row).