In this episode of the Future Proof HR podcast, Jim sits down with Lindsay Castro, General Counsel and Vice President of Human Resources at HCM Unlocked, to talk about how organizations can build AI governance that employees can understand and use in practice.
Lindsay explains why AI tools will continue moving faster than policies, regulations, and legal precedent. Instead of freezing or banning every new tool, she recommends starting with an inventory of how AI is already being used, assessing the data and platform risks, and giving employees clear examples of what is and is not allowed.
The conversation covers confidential information, human review, discoverability, vendor contracts, embedded AI features, biometric data, and the risks of allowing AI-generated recommendations to influence people's decisions without proper oversight. Lindsay also shares how HCM Unlocked uses cross-functional ownership, tiered risk assessments, approved-platform controls, and employee feedback to govern new AI tools.
The central takeaway is that a policy alone is not governance. Organizations need clear ownership, a repeatable approval process, employee education, and a living playbook that can change as technology, business needs, and legal requirements evolve.
Topics Discussed:
If you are an HR, legal, compliance, or technology leader trying to support responsible AI use without stopping experimentation, this episode offers a practical framework for creating guardrails people can actually follow.
Additional Resources:
It's still a computer right?
2
:So it may give you an answer that
sounds authoritative but it could
3
:be the wrong information isn't it?
4
:It could be outdated, right?
5
:The tools don't wait
for the policy, right?
6
:The tools are not waiting for
the precedent or the case law
7
:if it shouldn't be shared publicly,
it shouldn't go into AI, right?
8
:Speaker 3: The pace of change
when it comes to AI is at a level
9
:where it's very difficult for a
lot of organizations to keep up.
10
:And When you're looking at the pace
of change being at that level, it's
11
:gonna be even more challenging to
establish guardrails and establish a
12
:foundation that you can operate from.
13
:So how do you actually tackle that?
14
:How do you build a compliance
environment when the technology
15
:is new, the pace is fast, and
there are a lot of open questions?
16
:That's what we're gonna actually
tackle in today's conversation.
17
:We're gonna examine what you need to
consider when you're thinking about
18
:your AI initiatives from a platform
perspective, from a legal perspective,
19
:from a compliance perspective, and from
an ownership and governance perspective.
20
:And we're gonna dig into all of it
and share some best practices on how
21
:you can set your organization up for
success even in the face of rapid change.
22
:So who's gonna guide us
through that conversation?
23
:Today we have Lindsey Castro,
24
:who is the General Counsel and the
VP of Human Resources at HCM Unlockd.
25
:Lindsey holds the dual executive role,
and she oversees both the legal and people
26
:functions of a high-growth consulting
firm with over 170 remote employees
27
:across the US and internationally.
28
:She's a Buffalo native and
earned her JD from the University
29
:of Buffalo School of Law,
30
:where she was recognized for academic
excellence She's built her career advising
31
:C-suite leaders on everything from
corporate governance and M&A transactions
32
:to employment law and SEC filings.
33
:She's a member of the GC Collective, an
invitation-only peer community elevating
34
:general counsels, as executive leaders.
35
:And outside of her day job, Lindsay gives
back to her community that she calls home,
36
:Serving on the boards of Literacy Buffalo
Niagara, the Canisius University Alumni
37
:Board, and the UB Law Alumni Gold Group.
38
:Jim: Lindsay, welcome to the show
39
:Lindsay Castro: Thank you for having me
40
:Jim: So this is gonna be a pretty fun
conversation and, depending on who
41
:you are, it may or may not be fun,
but you're an attorney and a CHRO,
42
:so you have two hats that you wear.
43
:So I'm looking forward to a really
interesting conversation, both from a
44
:people lens and also a compliance lens,
which your JD background falls into.
45
:So I think one of the key things
that we'll be talking about is
46
:you set up, a strong foundation of
compliance, as you think through
47
:your AI launches and AI initiatives.
48
:But before we get into all of that,
I think it's important for you to
49
:set the stage and tell us a little
bit about the landscape of the
50
:organization and your background and
how all of those things fit together
51
:Lindsay Castro: Yeah.
52
:Okay.
53
:let's see.
54
:So HCM Unlocked is the organization
that I am lucky enough to work with
55
:as their GC and their VP of HR.
56
:we are a managed services and consulting
firm, so we handle payroll, HR, benefits,
57
:compliance, data governance, all of it.
58
:we sit inside of our clients' payroll,
their HR, their benefits, and their
59
:compliance environments, and we run those
operations for them or alongside them.
60
:So in addition to having our
own proprietary kind of data
61
:validation processes, we clean
data, we do system migrations.
62
:we're very engaged when it comes
to not only our own systems,
63
:but those of our clients.
64
:it's a very unique and interesting
space in which to operate, right?
65
:In both of those roles.
66
:And what's really interesting is that
in managing the HR operations, for
67
:this company and assisting others who
are navigating outside entities' HR
68
:operations, we really have to make sure
that our policies, including those for
69
:AI, will work across every organization
for every client that we support.
70
:So that's really the basis of a lot
of what we do and how we frame it
71
:Jim: So it's interesting, the spaces
that you occupy in managed services
72
:and consulting, and you have to balance
not only your internal compliance
73
:and policies, but you also have
to do that for external clients.
74
:the thing that I'm curious about is what
happens when you encounter conflict,
75
:between your internal policy and a
client's internal policy and you're
76
:trying to set up the common ground,
for moving forward on an engagement
77
:Lindsay Castro: That's
an interesting question.
78
:So it's tricky because while I can
provide direct guidance internally
79
:to our employees and the consultants
navigating our client relationships,
80
:we have to be respectful to a degree
of the client's own policies and the
81
:way that they are navigating, all sorts
of compliance matters in their world.
82
:So we offer up enough training.
83
:We really work diligently to,
to offer up training to our
84
:internal employees to equip them.
85
:but we also, as a part of that
training, help them understand that
86
:sometimes the answer will be, "Here
is what we would recommend," right?
87
:Or, "Here is how we have seen this occur."
88
:but not necessarily to demand it, right?
89
:And certainly never to step into,
providing financial or legal
90
:advice that, would be perceived
as giving them that direction.
91
:So a lot of times it's giving them
the option of best practices, giving
92
:them information, and allowing the
client to decide how best to proceed
93
:Jim: So I like what you said in
terms of not offering legal advice,
94
:but giving best practices or sharing
best practices and recommendations.
95
:that's a good frame of reference.
96
:I guess the area that I'm thinking
about, especially with our show being,
97
:an AI and HR show, is everything about
AI is new, so best practices haven't
98
:necessarily been defined well enough
for you to offer those recommendations.
99
:And when you're thinking about advising
clients or even thinking about your
100
:own internal HR, and AI policies,
what are some of the considerations
101
:that you have high on your list that
other HR leaders should be thinking
102
:about when-- before they even start
launching a formal AI initiative?
103
:Lindsay Castro: It's a very layered
question, and I completely agree with you.
104
:the tools-- what we've come to find is,
to your point, with everything developing
105
:in real time, on both the legal side
and the HR side when it comes to AI, the
106
:tools don't wait for the policy, right?
107
:The tools are not waiting for
the precedent or the case law.
108
:So it requires a formal inventory, right?
109
:Of going in and saying,
"What are we using?
110
:What do we want to use?"
111
:the regulatory pace is
getting a little bit faster.
112
:It's picking up steam, but
we're still learning as we go.
113
:So I think not only did we
have to ask internally, "Are
114
:we using AI in our processes?
115
:Where are we using them, and
what protections are in place?"
116
:But because we operate inside those
client environments I'd mentioned,
117
:it, it became also looking at, how
are they using that as well, right?
118
:And how can we ensure that
they are also protected.
119
:So I think it's based upon knowing
the AI, platforms and software that
120
:are out there that you're potentially
navigating, trying to gain a pretty
121
:solid understanding of which, in some
cases is easy, in some it's not, right?
122
:You wanna understand how they're
using that data, if they're using
123
:that data to train their systems,
if it's private, if it's encrypted.
124
:and then, if we really wanted to take
a deep dive, you have to start paying
125
:attention not only to the federal,
regs that are coming out related to
126
:AI, but also state-specific, right?
127
:So there's no real map, there's
no real playbook, but it's a
128
:matter of kind of understanding.
129
:And I think it's exciting in this
way, that you have the opportunity to
130
:look at things as they're developing
and to develop, those best practices
131
:that we mentioned and offer "Here
is how we see the safest way to
132
:operate in this space," right?
133
:Or the most compliant way to operate in
this space based on what we know, right?
134
:So that's the approach that we took
was starting with that inventory, which
135
:is what I would always recommend no
matter the business, and looking at,
136
:who is using AI, how it's being used,
and the protections that are in place.
137
:Jim: One of the things that I really
liked about what you answer is that you
138
:mentioned that the tools are moving faster
than organizations and individuals can
139
:adjust, from a compliance perspective.
140
:you look at the pace of change, it's
pretty easy for internal stakeholders
141
:and also external clients to, to freeze
up because they're overloaded with all
142
:the different paths that they can go.
143
:whether we're talking about platforms
or use cases or just simply where
144
:do we start, a lot to take in.
145
:So when you're looking at that environment
where you have high pace of change,
146
:emerging technology, so much that can be
done, what are the things that you have
147
:suggested or recommended to help people
get unstuck from that overload paralysis?
148
:Lindsay Castro: It's a great question.
149
:So I think that, yeah, I completely agree.
150
:I've seen in many instances, and
even in professionally, right?
151
:That people not only freeze, they
just completely write it off.
152
:AI, it's too overwhelming.
153
:Forget it.
154
:We're not gonna incorporate it.
155
:We're not even gonna look at it.
156
:No one's allowed to use it.
157
:And I get it from the place of
wanting to be as cautious as possible,
158
:especially in certain industries,
but I also believe it's so invaluable
159
:if you use it the right way, right?
160
:So I think it's looking at your business,
what it's doing, the goals that you
161
:have, the way in which you would want
to use that tool to empower your people
162
:to be more productive, to be more
knowledgeable, and then to offer…
163
:step into it yourself first, right?
164
:you can't, demonstrate or provide guidance
on a platform or a system or, a use case
165
:if you're not familiar with it, right?
166
:So I think it's really important that
leadership becomes familiar with it first,
167
:and then roll it out in a way where, and
this is what we made a point to do, where
168
:you are, not just saying "Hey, this is
what this is, and this is how it works."
169
:You're saying, "Let me support you
by offering case-specific scenarios
170
:that you might find yourself in,
and what you can and cannot do, what
171
:the yes and the no would be here.
172
:And not only that, but let
me tell you why," right?
173
:And then I think when people understand,
like when our employees, we had
174
:a very, lovely like interactive
meeting with them to walk through
175
:slides and say, "Here is what it is.
176
:Here is how it can be used.
177
:Here's how it cannot be used.
178
:Let us walk through some
scenarios together, give you the
179
:opportunity to ask questions."
180
:But what we really stressed was,
this isn't scary, and we don't wanna
181
:tell you, no, you can't use it.
182
:We need to just tell you the parameters
within which you can use it, right?
183
:No confidential information, no
client information, nothing that
184
:you wouldn't, you wouldn't wanna
leave out on your desk, right?
185
:If you were in an office or that
you wouldn't w- you know, want
186
:someone else to have easy access to.
187
:So I think we tried to make
it as friendly as possible.
188
:And when you do that, it
takes away from the freeze.
189
:People understand, oh, like this could
actually be a really helpful tool.
190
:And honestly, as a lawyer, it can
also give you real insight into how
191
:people are navigating things like
revisions on contracts or, policies
192
:that they're sending back and forth.
193
:and sometimes you'll witness occasions in
which people may not be utilizing it in a
194
:way that's beneficial to them, but could
be using it in a way that's detrimental.
195
:They're not paying attention.
196
:They're letting things go.
197
:And, I think, again, I hate to say
that, but it can also be advantageous
198
:to, then understand who's paying
attention and who's not, right?
199
:so yeah, I just see it as being
so beneficial, but there are a
200
:lot of organizations and business
structures afraid to use it.
201
:If you approach it from a space of
providing boundaries and education,
202
:I think it's incredibly useful
203
:Jim: So I wanna dig in, a little
bit more on some of the rules of the
204
:road stuff that you were referencing,
when we're talking about guidelines
205
:or, what you can and can't do.
206
:I think that's an important
discussion to have.
207
:And when we're talking about
parameters, let's look at it from,
208
:a platform-agnostic perspective.
209
:When you think about establishing a
baseline level of do's and don'ts from
210
:an AI strategy or execution perspective
within an organization, what are
211
:those baseline considerations that
people should have in front of their
212
:minds that's consistent with whatever
state, local, federal privacy policy
213
:that they might be a- adhering to?
214
:For example, if you're a SOC 2
compliant company, should that type
215
:of organization be looking at their
AI strategy as they implement whatever
216
:strategy initiative platform that
they're thinking about implementing?
217
:Lindsay Castro: Think you have to work
very closely with your IT and technology
218
:team to accomplish that properly.
219
:I think at a very basic rudimentary
level, if it shouldn't be shared
220
:publicly, it shouldn't go into AI, right?
221
:That's the baseline, expectation.
222
:So the way that we had framed it is,
if you need to outline a project plan,
223
:if you, need to draft an email and kind
of get past a blank page, that's okay.
224
:Use it to structure those things.
225
:Give it a hypothetical, "Hey,
what if I'm dealing with this?"
226
:But don't feed it the confidential
information from internal resources
227
:or on behalf of our clients, right?
228
:That would then jeopardize,
the confidentiality of those
229
:materials or of that information.
230
:I think that's incredibly important
and, again, I think there's a way
231
:to approach it in a friendly manner
that doesn't scare people off.
232
:But you're also allowed to say to
them, at least in our business,
233
:we're an HDM business, so the
clients trust us to get this right.
234
:And AI doesn't necessarily
understand multiple employment
235
:laws at a time, or maybe a leave
policy or a termination risk.
236
:it's still a computer, right?
237
:So it, it may give you an answer that
sounds authoritative, but it could
238
:be the wrong information, isn't it?
239
:It could be outdated, right?
240
:It still requires human review
and ensuring that you're providing
241
:the proper information, right?
242
:So use it where it can help you work
faster and think more clearly or create
243
:a better draft, maybe give you some
insights, but don't use it as a default.
244
:And I think with our technology team,
where I am personally, they're incredible.
245
:They're very good at, looking at kind of
the activity that's happening internally
246
:at a generic level, understanding
how high the usage is, and then
247
:supporting legal and HR and really the
organization at large in saying, "Here
248
:are the platforms we've approved,"
because we are SOC 2 compliant, right?
249
:So we have to make sure
that we can attest to that.
250
:and here are the ones that we cannot have
you use, and we're gonna specify those.
251
:We're gonna make it clear.
252
:We'll facilitate the use of those
we've approved, and here's a policy.
253
:Please sign this policy acknowledging
that you understand the parameters
254
:within which we're working.
255
:Jim: that's a good foundation.
256
:So let's dig in a little bit deeper
and talk about some of the things
257
:that you have to consider, from a
compliance perspective, when we're
258
:looking at all the different dimensions
of how an initiative gets rolled out.
259
:So if an organization is rolling out an
AI initiative, and part of that initiative
260
:involves implementing a piece of
technology, what are those platform-level
261
:considerations from a compliance
perspective that an organization needs
262
:to into place before, put into place that
informs how they select the appropriate
263
:platform for their environment?
264
:Lindsay Castro: So I think that
may be industry-specific at times.
265
:and again, the AI kind of
compliance space is moving so fast.
266
:So I would say if you're going to
be rolling out an AI initiative
267
:and you have to look at how each
platform would be utilizing the
268
:data that you're putting into it.
269
:for example, there's ChatGPT.
270
:Everyone's fairly familiar with ChatGPT.
271
:That's gonna be something you're
copying and pasting, right?
272
:So that's where the guidelines
really come into place, and you say
273
:"Okay, here are the do's and don'ts."
274
:There are other AI platforms like
Fathom or recording platforms, right?
275
:And in sales or in a lot of industries,
you'll see that people are using
276
:those to record the phone calls
and the conversations happening
277
:between them and clients or others.
278
:You have to look at, who has
access to those conversations,
279
:where are they stored, right?
280
:How long are they stored, right?
281
:then it bleeds into kind of a doc-- or
a, I'm sorry, a retention policy, right?
282
:Making sure your retention policy does
or doesn't reflect that accurately.
283
:I think you also have to consider, since
we've talked a little bit about the
284
:sensitive kind of employee data, you
have to look at if I'm having that-- if
285
:I'm entering that into a platform that
I'm copying and pasting into, or if I'm
286
:having a discussion on the phone with
someone or, in our case, with a client
287
:who has employees and we're discussing
sensitive information, again, that kind
288
:of reclassifies the material that comes
out of that recorded conversation.
289
:So I, I think it's, I think it's
really dependent on the type
290
:of organization and what the
purpose of the materials would be.
291
:So I think that's step one.
292
:And then I think, for us, we had to make
sure that there was a governance framework
293
:and, an accountability framework as well.
294
:we had to make sure that the
vendors and the third parties
295
:that we work with were also being
protected alongside us internally.
296
:so it, it's really-- it's tiered.
297
:there's many levels to that.
298
:and again, what's interesting too is as
you make those decisions, excuse me, as
299
:an organization, you have to look at rules
that, might be specific to individuals
300
:or entities in a specific state, right?
301
:So things you might not even think about,
like biometric data is being defined
302
:in really unique ways across various
states Using a platform, you might think,
303
:yeah, we navigated what, whether this
platform was safe for our industry,
304
:how we want our people to use it.
305
:We gave them instructions."
306
:N- to your point, there's a new law.
307
:The new law comes out and says, "Okay,
if you enter someone's image into
308
:this platform, that's biometric data.
309
:You've now got a whole new list of items
that you need to comply with," right?
310
:So it's just, it's so tiered and
layered, and we're all learning.
311
:but I think even if you map out which
platforms you want to use and your
312
:compliance process for them, you
still have to remain incredibly aware
313
:of the laws, precedents, regulations
that apply, because that might shift.
314
:You might be using something today that
you realize you, you don't have the
315
:controls around and you wanna shift
316
:Thomas Kunjappu: This has been
a fantastic conversation so far.
317
:If you haven't already done so,
make sure to join our community.
318
:We are building a network of the
most forward-thinking, HR and
319
:people, operational professionals
who are defining the future.
320
:I will personally be sharing
news and ideas around how we
321
:can all thrive in the age of AI.
322
:You can find it at go cleary.com/cleary
323
:community.
324
:Now back to the show.
325
:Jim: So I'm not, an attorney, nor do
I play one on TV, but a lot of what
326
:you just, talked about strikes me
as a discoverability conversation,
327
:especially when you were talking about,
call recordings and things like that,
328
:tools that do that sort of stuff.
329
:So when we're t- when we're thinking
about discoverability, th- this
330
:combines both your, general counsel
hat and your chief people officer hat.
331
:are the discoverability considerations
that people need to have, top of
332
:mind, when it comes to implementing
tools or products that consume data?
333
:because theoretically everything
is discoverable depending on what
334
:the situation you're dealing with.
335
:So what are those considerations
that people need to be thinking
336
:about when, they're setting
up the guardrails for usage?
337
:Lindsay Castro: So this is an area
that is currently a really hot topic,
338
:and it's very fascinating for lawyer
nerds like myself, to see the cases
339
:coming out, the precedent coming out.
340
:What's most interesting is
that some of the determinations
341
:thus far, contradict, right?
342
:So some of the states have made decisions
that are different from one another.
343
:what the overall or, the overarching
finding is if there is a system
344
:being utilized that, such as,
again, like a ChatGPT, right?
345
:You can, you can utilize your own account,
you can pay for an account that's gonna
346
:afford you some privacy that maybe you
wouldn't have if you were not a member.
347
:However, it's not necessarily encrypted.
348
:it may be using what you enter
to train its platform, right?
349
:And so it…
350
:there's a concern there, right?
351
:To your point that this
is gonna be discoverable.
352
:In cases like that where there is a
legal matter at play or someone is
353
:digging into a matter that ultimately
becomes ripe for litigation, that's
354
:d- that is, that's discoverable.
355
:you may have an opposing party who says, I
would like to get in there and see what it
356
:was you were searching relative to this."
357
:there, there has been case law
that said, Claude or ChatGPT,
358
:it's not an attorney, right?
359
:So it's not privileged.
360
:You're not able to say, "Oh, this is
attorney-client privilege," right?
361
:And because you're not an attorney,
if someone's not an attorney doing
362
:this, this isn't work product either.
363
:It's not covered by that privilege
either because they're not an attorney
364
:doing research for this purpose.
365
:so it does become
discoverable in some cases.
366
:But there have been other
cases, so there's three key
367
:cases out there right now.
368
:there-- One of them had an opposite
result where there was a pro se person
369
:who did decide to use ChatGPT to
prepare their litigation materials,
370
:but they were considered to be a
lawyer because they were pro se, right?
371
:So their materials were covered
as protected work product.
372
:So it's really interesting to see
how the analysis comes into play.
373
:in the most recent, decision, there
was a distinction between the two,
374
:where it was that a pro se litigant's
AI, strategies and work product
375
:were protected work product, right?
376
:and just because they were
using a system that maybe wasn't
377
:protected, like it didn't forfeit
their expectation of privacy.
378
:However, the court in that
case said, "Hey, we'll give you
379
:that, but you also have to let
us know which systems you use."
380
:That is certainly discoverable, right?
381
:And it also, I think in that case, they
ended up, issuing, like a protective
382
:order, basically saying, you cannot
upload confidential material."
383
:So I think each state is navigating
this in a different manner.
384
:they're doing it organically, but
then as more precedent comes out and
385
:these cases become more frequent, I
think we're gonna learn a lot more.
386
:I'm sure you've seen, a lit- a little
bit different, but there are also
387
:those cases where, there have been,
pleadings submitted to the court
388
:with hallucinated cases, right?
389
:That didn't even exist, and then you've
got attorneys or law firms that are
390
:being, you know- fined or there are
penalties that exist for that too.
391
:That's an area that's developing.
392
:But to go back to how that would apply
or impact a business like ours or
393
:others, that is again, the importance
of the education piece, is letting
394
:people know part of the reason this
is so significant is because we
395
:work in a high-stakes environment.
396
:We're protecting our
information, but our clients'.
397
:And if something goes askew, which it
always could, this is something that the
398
:court may have in front of them, right?
399
:So if you're comfortable with your search
terms being read, in a court, okay.
400
:But if you wouldn't be, let's
not input it, into the system
401
:Jim: So I like this, lawyer nerd
conversation we're having, so I'm
402
:gonna, I'm gonna throw another bit
out there that I think, it'd be
403
:interesting to get your take on.
404
:a-a-as, as a executive level leader in
HR, you're probably seeing all sorts of
405
:platforms from an HR tech perspective
that have AI branding all over the place.
406
:in fact, every tech platform out
there has some sort of AI wrapper
407
:that they've included in there.
408
:What I'm curious about is when we're
thinking about HR tech platforms, and
409
:particularly those platforms in the
employee engagement space, the performance
410
:management space, it's consuming
employee data that's designed to do some
411
:analysis and then help managers make some
coaching or evaluation decisions on it.
412
:Sticking with that discoverability
conversation and the tendency for some AI
413
:to hallucinate, what's your take on how
those sorts of tools should be used from
414
:a people management perspective, and how
can organizations be conservative in their
415
:usage policies so that they don't end up
in a situation where some employee gets
416
:fired or reprimanded, due to an error in
the AI platform making the wrong analysis?
417
:That's probably an edge case example, but
it's something that we have to consider if
418
:mass amounts of data is being, processed
and a recommendation is being spit out
419
:about an employee or an employee group.
420
:Lindsay Castro: It's tricky.
421
:It's a very tricky area.
422
:And I don't think it's explicitly
been addressed yet, right?
423
:In those cases that we
discussed previously.
424
:so as you mentioned, the vendors are
adding these AI features to their
425
:existing platforms, and yes, to your
point, they can exist in a payroll
426
:system, they could e- exist in a
benefits administration system, leave of
427
:absence, And they're updated oftentimes
through, a routine product update.
428
:So it's very difficult to keep up
with where there may be an update that
429
:does allow for there to be sharing
of people information that you maybe
430
:would not have shared otherwise.
431
:so we again try to choose and limit…
432
:You can't even say that because
sometimes you're dealing, at least in
433
:our line of work, sometimes you are
working with systems that a client
434
:has chosen for themselves, right?
435
:So I think it's, I think to be honest
with you, and not to take it away from
436
:the people piece, because I don't know
that you can avoid necessarily those
437
:pieces being included and considered
enhancements to those tools you're using.
438
:I think it really lends itself to the
contract side, which without meaning to
439
:take it, you know, back to that area,
what you're seeing is that contracts
440
:are now very explicit when it comes
to you may or may not use data within
441
:an AI platform, what type of data can
be utilized, what can be audited, as
442
:well as, what the liability or the
indemnification provisions are, right?
443
:So that's how I see people or
companies navigating this right
444
:now, is we-- it's a we recognize we
don't have control over all of these
445
:platforms and their capabilities,
no matter how cautious we are.
446
:and so that's how there's
the protection right now.
447
:But as that continues, I
think you'll see more, right?
448
:I think there will be more information
made available to us about best
449
:practices, and I'm sure that there
will be, preferred platforms, right?
450
:That can guarantee you encryption
or privacy or, the things that
451
:matter most in, in sensitive cases.
452
:Jim: I wanna expand on something that
you mentioned, a little bit earlier,
453
:and that's in the space of ownership
and governance, but particularly, when
454
:we're talking about building fail-safes,
into the process so that you're not
455
:getting, off-the-wall recommendations
or hallucinated recommendations.
456
:So when an organization is thinking
about their AI strategy, whether it's
457
:talking about rolling out a process,
piece of technology, whatever, what
458
:should the ownership, governance, and
review mechanisms look like to, to…
459
:That's the question.
460
:what should the ownership, governance,
and review process look like so
461
:that you can feel reasonably secure
that you're on a solid foundation?
462
:Lindsay Castro: So I think that you
have to, again, kind of work with
463
:your leadership and your tech teams
to understand where the AI risk
464
:assessments need to be conducted,
where the controls need to be in place,
465
:which policies make the most sense,
and who's going to own them, right?
466
:Which is going to mean
updating them along the way.
467
:The data governance obligations I think
it's about being honest with yourself
468
:as an organization and saying, "Here's
the capacity that we have right now.
469
:Here's the bandwidth we have
to navigate and manage this as
470
:something that we are embracing."
471
:and I think it plays…
472
:So a playbook, without
ownership is just a document.
473
:So you can say, "We really want to adopt
this," but unless we have that governance
474
:process in place and we know exactly who's
doing what and how the decisions will be
475
:made going forward, it won't work, right?
476
:So I think what I have found effective
at HCM is that cross-functional
477
:accountability that I was mentioning.
478
:So for us, like legal, I mapped
regulatory requirements, and then
479
:our technology team, they inventoried
the tools and the workflows.
480
:And we actually engaged with, a
lot of our employees, including
481
:consultants, to flag where they were
experiencing kind of client-facing
482
:processes that we needed to be aware
of that kind of intersected with AI.
483
:so each function, had its own piece,
and again, has to remain current.
484
:But it was that shared ownership.
485
:That worked well for us.
486
:And in addition to, once we
established that, I think it
487
:became a gating process naturally,
especially with our policy in place.
488
:So no new AI tool can go live, right?
489
:Whe-whether it's standalone or if
it's embedded, and we have rules
490
:outlining, what we're willing to
accept, at least right now, in
491
:terms of the embedded, without
going through a pretty well-defined
492
:review and approval workflow across
those teams that I mentioned, right?
493
:And we did tier them, too.
494
:We tiered like one through three, w-
how each item would be evaluated based
495
:on the potential risk that it posed.
496
:So that, I have found in my experience,
is a great way to approach it, because
497
:you can't take it on unless you're ready
to really tackle it and be consistent.
498
:But you also can't tackle
it in one department alone.
499
:Because of all of the areas it impacts,
you really have to bring in leadership,
500
:and also, your employees are invaluable
in letting you know what they're seeing
501
:in real time and where they see the risks.
502
:So we really made it a group
effort, and I would recommend
503
:that for a lot of organizations.
504
:I know it's tougher in really big
ones, but to the degree you're able.
505
:Jim: So one of the things that, that's
interesting about what you just said
506
:is, defining who's gonna own what and
establishing shared ownership and those
507
:cross-functional relationships that allow
all of that, to, to work well together.
508
:I'm paraphrasing.
509
:when I hear that, my mind goes to,
that makes sense if these things are
510
:rolled out in a top-down fashion, if you
have, leadership driving the process.
511
:What I'm curious about is what happens
or what would your, how would your
512
:recommendations change in those
organizations where their initiatives are
513
:happening more in a bottom-up fashion,
and maybe even at a business unit level
514
:where one function within a business
unit is taking on one AI initiative
515
:and rolling that out, and then you
have something completely different
516
:going on in IT and sales and so on.
517
:How would you adjust for that
sort of environment where it's
518
:more of a bottom-up, initiative
rollout versus a top-down rollout?
519
:Lindsay Castro: So I know
that it's inevitable that
520
:those situations arise, right?
521
:Everyone deals with them.
522
:I think that it's just a little
dangerous to not account for that
523
:possibility by creating a process
at some level, whether it's top or
524
:middle or having a gatekeeper again.
525
:And typically, I think technology is a
great place for that to fall because you
526
:can have different units adopting their
own preferred use of AI or platforms
527
:or software, whatever the case may be.
528
:The problem is, unless there
are parameters, it just allows
529
:for so much unknown, right?
530
:So there are organizations that
are comfortable with that, and I
531
:think it becomes a question of risk.
532
:How much risk are you comfortable
absorbing when it comes to AI?
533
:Some may say, "Ah, I'm good with it.
534
:Like it's…
535
:we're making money," right?
536
:"Things are moving faster.
537
:Like we, we can let go of
some people we don't…"
538
:I think then you'll have other
entities that are like, "Nope," like
539
:I said, we don't wanna touch this.
540
:This is terrifying."
541
:But I do think either way, you
have to have a process in place
542
:because the reality is, no matter
what, your employees are going to
543
:be using it in some fashion, right?
544
:So I think as soon as you become aware
of that, if it is a bottom-up process,
545
:it becomes incumbent on whomever is made
aware to raise that to a level of, hey,
546
:we need to get our hands around this.
547
:we need to understand how
we want to navigate this.
548
:And I think it's perfectly okay to say
"Oh, hey, you're using this system?
549
:Okay, awesome.
550
:I'm just gonna need to take a
look at how that works and make
551
:sure that is acceptable for our
business model or for our clients.
552
:And if it's not, we'll find an
alternative that is," right?
553
:So it's not shutting anyone down or
discouraging the growth that clearly that
554
:employee or that division is striving to
achieve, by utilizing these resources.
555
:It's just working with them to
find the right one, and then to the
556
:degree that you're able, putting
a process in place that gives
557
:you some level of comfort, right?
558
:Based on the level of risk you're
comfortable with, that you can, have
559
:some guardrails and controls around it
560
:Jim: One of the interesting things
that I'll be, observing is the
561
:parallel between what happens with
AI and how it's implemented within
562
:organizations and what was happening…
563
:I came out of the recruiting space.
564
:So one of the things in recruiting,
especially if you're in technology
565
:recruiting, which is where the world
that I came out of, is that you had
566
:standard enterprise IT architecture and
technology policies, and then you had
567
:shadow IT, where each function or each
division within was running their own
568
:tech stack, and that created a lot of
technology bloat, as well as additional
569
:costs and more policy considerations.
570
:I'll be curious to see if we see
something similar, on the AI front,
571
:because you'll have a corporate AI
policy and then you just talked about,
572
:a business unit or a functional group
might have a use case for AI that isn't
573
:inbounds from the enterprise level,
so they go rogue and build their own.
574
:We've talked a lot of compliance
and compliance adjacent stuff.
575
:What I'm curious about is when you
think about all the stuff that we've
576
:talked about, and I'm gonna reference
what you mentioned earlier, which is a
577
:playbook, and you're thinking about an
AI playbook or an initiative playbook.
578
:all the things that we've talked about
so far, what should that playbook
579
:contain for it to be useful as a
starting point for the rollout of an
580
:AI initiative within an organization?
581
:Lindsay Castro: So I think the playbook
has to contain, what we've discussed
582
:already, which is clear ownership, right?
583
:Knowing who is gonna be navigating that.
584
:I think it's helpful to include some
information in that playbook as to
585
:why the rules are important, including
in that playbook matters, right?
586
:Real-life examples.
587
:and then I think providing the employees
the situations in which it can and cannot
588
:be used, creating knowledge, right?
589
:Knowledge is power, I always say.
590
:So it's making sure that they
understand exactly what is
591
:allowed and what isn't and why.
592
:I also think it's, understanding how…
593
:I think it's important to include in
that playbook how employees should
594
:be expected to handle situations in
which perhaps they notice the rules
595
:are not being followed by a colleague,
and that needs to be addressed.
596
:Or, including information on the fact that
there will be audits conducted, right?
597
:As an employer, you're able to conduct
audits of the actual activity happening
598
:across the organization at any given time.
599
:So letting them know that.
600
:giving them a sense of how long
the images or the data that they're
601
:utilizing will exist on the system.
602
:I think there's…
603
:All of those pieces are really crucial.
604
:I also think giving employees,
because this is so new, right?
605
:Giving employees an opportunity and an
arena to actually have the conversation
606
:which, with whomever is going to be
owning or leading that process is
607
:really crucial to understand where
they, where the gaps lie, right?
608
:Because we can only see what we see.
609
:But that gives you the ability to provide
a playbook, but to also update it as
610
:needed with that feedback loop, right?
611
:So that what you're seeing feeds back
into the policy itself as needed.
612
:so I think those are the key pieces.
613
:That was what we had included.
614
:But, having a firm policy in place
as a part of that playbook is key.
615
:it's tough to say, right?
616
:Because each industry is going
to do a little bit differently.
617
:but one of the things and my, my CFO
al- always laughs at me for this one,
618
:but I always say clear is kind, right?
619
:So a playbook is meant to provide
clarity, and that is the kindest thing
620
:you can do for your employees because
it gives them the room to operate
621
:and to understand where the rules lie
and to have the flexibility to come
622
:to you with questions, without fear.
623
:so y- you can define it to some ability,
but I think a playbook has to be a living,
624
:breathing document so that it can be…
625
:It can give the guardrails, but
it can be updated as needed to
626
:align with things as they develop
627
:Jim: Yeah, I like the last part of
what you mentioned that clear is kind.
628
:Clarity also builds momentum.
629
:So if we're taking the concept of
a living document into it, you need
630
:to have forward momentum, to be
able to iterate from where you are.
631
:I think the important thing, what I gather
from what you just mentioned, think of
632
:this as a framework and a foundation,
not something that's absolutely static.
633
:Because if you're building a static
document, the pace of change is gonna
634
:make it such that it's not relevant six
months or 12 months from, down the road.
635
:I guess one of the things that, that
I'm curious about, especially given the
636
:space that you're in, you have these
dual hats inside your organization, but
637
:you're also in, a consulting organization
that works with other firms externally.
638
:And when we think about the dynamics
of that, and especially with something
639
:that's so new in, from the perspective of
AI, when something is this new, there's
640
:gonna be some rough lessons learned
when people go the wrong direction.
641
:Are there any painful lessons learned
that you've seen, that I, that you feel is
642
:worth mentioning that, hey, don't do this?
643
:This should be a clear red line
that you need to watch out for,
644
:no matter how attractive it,
it might appear on the surface.
645
:Lindsay Castro: I see where
missteps become possible.
646
:I think that kind of going a little
bit backwards, y- I see AI and
647
:other items like it that we're
lucky enough to be in the midst of
648
:watching develop, as an opportunity
for connection in an organization.
649
:And, there's so many established archaic,
rules and regs, and you just know, okay,
650
:we have a document retention policy.
651
:of course we do.
652
:Everyone does.
653
:This is something so new
that I think you're able to
654
:bring people into it, right?
655
:You're able to say…
656
:You're able to use it as a space
to say, "I don't know everything.
657
:You don't know everything.
658
:We're gonna learn together."
659
:So when I started to see situations
where maybe someone didn't understand
660
:what was okay or what was not okay
to use as an input, the goal was
661
:to quickly get in front of it and
say, "Let's have this meeting.
662
:Let's provide these materials so we can
actually walk through what we know today."
663
:And because of that, there is no fear
on the part of any of the employees,
664
:to my knowledge, I should say, that
if there is a question for them that
665
:relates to, "Hey, can I use this way?"
666
:Or, "Is it okay to
enter this information?"
667
:Or, or maybe if they had questions on how
they were doing something previously and
668
:wanted to know how to change it, those--
It created an opening, for us to have
669
:that connection and for them to be able
to come in and say, "I have a question."
670
:And it was totally okay
to have a question, right?
671
:And it, it also opens the door to, again,
that feedback, that follow-up conversation
672
:where it becomes a, hey, maybe we
should have a deep dive internally,
673
:which we try to do once a month.
674
:Maybe we should have our next
deep dive on this topic, right?
675
:So you start to see…
676
:I wouldn't say missteps or, horrible.
677
:I haven't seen anything crazy.
678
:I've just seen uncertainty.
679
:and then, on the legal
side, the same thing.
680
:It's become an open door where they
can say, "Hey, this client has an
681
:employee in such and such a space.
682
:This is the question they're asking.
683
:Does this fall in the
legal realm, do you think?"
684
:and sometimes we've had to say,
"Yeah, we can't answer that question.
685
:That would be legal advice."
686
:And, we'll just let them know they
should speak to their counsel.
687
:and again, I'm glad they're asking
me versus inputting that even
688
:as a generic question into AI.
689
:What would you do if this
employee wanted to come back to…
690
:who knows?
691
:So it's really opened the door for kind
of connection and conversation, and I
692
:think that is so important to preventing
huge missteps within an organization
693
:Jim: Great stuff, Lindsay.
694
:If people wanna continue the
conversation, what's the best way
695
:for them to get in touch with you?
696
:Lindsay Castro: Oh gosh.
697
:I'm happy to connect
via LinkedIn, via email.
698
:I can provide that as well.
699
:But in any which way, I love having
these conversations, so I'm so grateful
700
:that you were, open to our doing so
701
:Jim: So we'll make sure that we include
your LinkedIn profile in the show
702
:notes, and people can reach out there.
703
:Speaker 3: Thanks for
hanging out with us, Lindsay.
704
:It was a lot of fun chatting with
you, And I think there was a lot of
705
:opportunity for us to dig even deeper
in certain areas, but we only have,
706
:an hour-long show, so I wanted to
make sure that we keep things tight.
707
:One of the big things that stood out
to me was your recommendation that the
708
:compliance guidelines or foundation
needs to be something that's more of a
709
:living document than a static playbook,
and I think that's pretty important
710
:to keep in mind, especially when we
consider that everything in the AI space
711
:is moving so fast, and you referenced
it yourself, that the tools and the
712
:capabilities are moving faster than
the policies can be put into place.
713
:And when we look at that pace of change,
it's important to keep in mind that
714
:whatever policies and guidelines and
compliance outlines that you put into
715
:place, you need to have wiggle room
established so that you can iterate
716
:and expand those policies and adjust
those policies as the technology changes
717
:and as the business need changes.
718
:The other important thing that you
mentioned in this conversation that
719
:stood out to me that I think is gonna be
important for other leaders to keep in
720
:mind is that when there is so much stuff,
from an AI perspective that's out in the
721
:wild, it becomes really easy to freeze and
just ignore it all and do something else.
722
:And your point about how it can be
overwhelming is well taken, and I think
723
:the solution that you gave is that if
you want to build forward momentum,
724
:leadership has got to take the initiative
and put things into place that allow
725
:people to take small experiments and
small chunks and move forward with those.
726
:So having leadership set the tone,
especially in an environment where
727
:it can seem overwhelming, is an
important lesson that everybody
728
:should take away and be eager to
implement in their own environments.
729
:So for those of you who've been listening
to this conversation, we appreciate
730
:you hanging out and and taking it in.
731
:If you like the discussion, make sure
you leave us a five-star review on your
732
:favorite podcast player, and then tune
in next time where we'll have another
733
:leader sharing their insights on how
they're using AI to future-proof HR.