Artwork for podcast Future Proof HR
Lindsay Castro Building AI Governance That People Will Actually Follow
Episode 8315th July 2026 • Future Proof HR • Thomas Kunjappu
00:00:00 00:44:04

Share Episode

Shownotes

In this episode of the Future Proof HR podcast, Jim sits down with Lindsay Castro, General Counsel and Vice President of Human Resources at HCM Unlocked, to talk about how organizations can build AI governance that employees can understand and use in practice.

Lindsay explains why AI tools will continue moving faster than policies, regulations, and legal precedent. Instead of freezing or banning every new tool, she recommends starting with an inventory of how AI is already being used, assessing the data and platform risks, and giving employees clear examples of what is and is not allowed.

The conversation covers confidential information, human review, discoverability, vendor contracts, embedded AI features, biometric data, and the risks of allowing AI-generated recommendations to influence people's decisions without proper oversight. Lindsay also shares how HCM Unlocked uses cross-functional ownership, tiered risk assessments, approved-platform controls, and employee feedback to govern new AI tools.

The central takeaway is that a policy alone is not governance. Organizations need clear ownership, a repeatable approval process, employee education, and a living playbook that can change as technology, business needs, and legal requirements evolve.

Topics Discussed:

  • Why AI tools are moving faster than policy and legal precedent
  • How to inventory the AI tools employees and clients are already using
  • Why leaders should learn the tools before setting employee rules
  • The baseline rule for keeping confidential and client data out of public AI systems
  • How human review prevents confident but inaccurate AI output from becoming a business decision
  • What to evaluate when approving AI platforms and recording tools
  • How retention, discoverability, privacy, and vendor contracts affect AI risk
  • Why embedded AI features can create new exposure inside existing HR systems
  • How legal, HR, technology, and employees can share responsibility for AI governance
  • How tiered risk assessments and approval workflows control new AI tools
  • What organizations should do when AI adoption starts from the bottom up
  • Why an AI playbook must remain a living document

If you are an HR, legal, compliance, or technology leader trying to support responsible AI use without stopping experimentation, this episode offers a practical framework for creating guardrails people can actually follow.

Additional Resources:

Transcripts

Lindsay Castro:

It's still a computer right?

2

:

So it may give you an answer that

sounds authoritative but it could

3

:

be the wrong information isn't it?

4

:

It could be outdated, right?

5

:

The tools don't wait

for the policy, right?

6

:

The tools are not waiting for

the precedent or the case law

7

:

if it shouldn't be shared publicly,

it shouldn't go into AI, right?

8

:

Speaker 3: The pace of change

when it comes to AI is at a level

9

:

where it's very difficult for a

lot of organizations to keep up.

10

:

And When you're looking at the pace

of change being at that level, it's

11

:

gonna be even more challenging to

establish guardrails and establish a

12

:

foundation that you can operate from.

13

:

So how do you actually tackle that?

14

:

How do you build a compliance

environment when the technology

15

:

is new, the pace is fast, and

there are a lot of open questions?

16

:

That's what we're gonna actually

tackle in today's conversation.

17

:

We're gonna examine what you need to

consider when you're thinking about

18

:

your AI initiatives from a platform

perspective, from a legal perspective,

19

:

from a compliance perspective, and from

an ownership and governance perspective.

20

:

And we're gonna dig into all of it

and share some best practices on how

21

:

you can set your organization up for

success even in the face of rapid change.

22

:

So who's gonna guide us

through that conversation?

23

:

Today we have Lindsey Castro,

24

:

who is the General Counsel and the

VP of Human Resources at HCM Unlockd.

25

:

Lindsey holds the dual executive role,

and she oversees both the legal and people

26

:

functions of a high-growth consulting

firm with over 170 remote employees

27

:

across the US and internationally.

28

:

She's a Buffalo native and

earned her JD from the University

29

:

of Buffalo School of Law,

30

:

where she was recognized for academic

excellence She's built her career advising

31

:

C-suite leaders on everything from

corporate governance and M&A transactions

32

:

to employment law and SEC filings.

33

:

She's a member of the GC Collective, an

invitation-only peer community elevating

34

:

general counsels, as executive leaders.

35

:

And outside of her day job, Lindsay gives

back to her community that she calls home,

36

:

Serving on the boards of Literacy Buffalo

Niagara, the Canisius University Alumni

37

:

Board, and the UB Law Alumni Gold Group.

38

:

Jim: Lindsay, welcome to the show

39

:

Lindsay Castro: Thank you for having me

40

:

Jim: So this is gonna be a pretty fun

conversation and, depending on who

41

:

you are, it may or may not be fun,

but you're an attorney and a CHRO,

42

:

so you have two hats that you wear.

43

:

So I'm looking forward to a really

interesting conversation, both from a

44

:

people lens and also a compliance lens,

which your JD background falls into.

45

:

So I think one of the key things

that we'll be talking about is

46

:

you set up, a strong foundation of

compliance, as you think through

47

:

your AI launches and AI initiatives.

48

:

But before we get into all of that,

I think it's important for you to

49

:

set the stage and tell us a little

bit about the landscape of the

50

:

organization and your background and

how all of those things fit together

51

:

Lindsay Castro: Yeah.

52

:

Okay.

53

:

let's see.

54

:

So HCM Unlocked is the organization

that I am lucky enough to work with

55

:

as their GC and their VP of HR.

56

:

we are a managed services and consulting

firm, so we handle payroll, HR, benefits,

57

:

compliance, data governance, all of it.

58

:

we sit inside of our clients' payroll,

their HR, their benefits, and their

59

:

compliance environments, and we run those

operations for them or alongside them.

60

:

So in addition to having our

own proprietary kind of data

61

:

validation processes, we clean

data, we do system migrations.

62

:

we're very engaged when it comes

to not only our own systems,

63

:

but those of our clients.

64

:

it's a very unique and interesting

space in which to operate, right?

65

:

In both of those roles.

66

:

And what's really interesting is that

in managing the HR operations, for

67

:

this company and assisting others who

are navigating outside entities' HR

68

:

operations, we really have to make sure

that our policies, including those for

69

:

AI, will work across every organization

for every client that we support.

70

:

So that's really the basis of a lot

of what we do and how we frame it

71

:

Jim: So it's interesting, the spaces

that you occupy in managed services

72

:

and consulting, and you have to balance

not only your internal compliance

73

:

and policies, but you also have

to do that for external clients.

74

:

the thing that I'm curious about is what

happens when you encounter conflict,

75

:

between your internal policy and a

client's internal policy and you're

76

:

trying to set up the common ground,

for moving forward on an engagement

77

:

Lindsay Castro: That's

an interesting question.

78

:

So it's tricky because while I can

provide direct guidance internally

79

:

to our employees and the consultants

navigating our client relationships,

80

:

we have to be respectful to a degree

of the client's own policies and the

81

:

way that they are navigating, all sorts

of compliance matters in their world.

82

:

So we offer up enough training.

83

:

We really work diligently to,

to offer up training to our

84

:

internal employees to equip them.

85

:

but we also, as a part of that

training, help them understand that

86

:

sometimes the answer will be, "Here

is what we would recommend," right?

87

:

Or, "Here is how we have seen this occur."

88

:

but not necessarily to demand it, right?

89

:

And certainly never to step into,

providing financial or legal

90

:

advice that, would be perceived

as giving them that direction.

91

:

So a lot of times it's giving them

the option of best practices, giving

92

:

them information, and allowing the

client to decide how best to proceed

93

:

Jim: So I like what you said in

terms of not offering legal advice,

94

:

but giving best practices or sharing

best practices and recommendations.

95

:

that's a good frame of reference.

96

:

I guess the area that I'm thinking

about, especially with our show being,

97

:

an AI and HR show, is everything about

AI is new, so best practices haven't

98

:

necessarily been defined well enough

for you to offer those recommendations.

99

:

And when you're thinking about advising

clients or even thinking about your

100

:

own internal HR, and AI policies,

what are some of the considerations

101

:

that you have high on your list that

other HR leaders should be thinking

102

:

about when-- before they even start

launching a formal AI initiative?

103

:

Lindsay Castro: It's a very layered

question, and I completely agree with you.

104

:

the tools-- what we've come to find is,

to your point, with everything developing

105

:

in real time, on both the legal side

and the HR side when it comes to AI, the

106

:

tools don't wait for the policy, right?

107

:

The tools are not waiting for

the precedent or the case law.

108

:

So it requires a formal inventory, right?

109

:

Of going in and saying,

"What are we using?

110

:

What do we want to use?"

111

:

the regulatory pace is

getting a little bit faster.

112

:

It's picking up steam, but

we're still learning as we go.

113

:

So I think not only did we

have to ask internally, "Are

114

:

we using AI in our processes?

115

:

Where are we using them, and

what protections are in place?"

116

:

But because we operate inside those

client environments I'd mentioned,

117

:

it, it became also looking at, how

are they using that as well, right?

118

:

And how can we ensure that

they are also protected.

119

:

So I think it's based upon knowing

the AI, platforms and software that

120

:

are out there that you're potentially

navigating, trying to gain a pretty

121

:

solid understanding of which, in some

cases is easy, in some it's not, right?

122

:

You wanna understand how they're

using that data, if they're using

123

:

that data to train their systems,

if it's private, if it's encrypted.

124

:

and then, if we really wanted to take

a deep dive, you have to start paying

125

:

attention not only to the federal,

regs that are coming out related to

126

:

AI, but also state-specific, right?

127

:

So there's no real map, there's

no real playbook, but it's a

128

:

matter of kind of understanding.

129

:

And I think it's exciting in this

way, that you have the opportunity to

130

:

look at things as they're developing

and to develop, those best practices

131

:

that we mentioned and offer "Here

is how we see the safest way to

132

:

operate in this space," right?

133

:

Or the most compliant way to operate in

this space based on what we know, right?

134

:

So that's the approach that we took

was starting with that inventory, which

135

:

is what I would always recommend no

matter the business, and looking at,

136

:

who is using AI, how it's being used,

and the protections that are in place.

137

:

Jim: One of the things that I really

liked about what you answer is that you

138

:

mentioned that the tools are moving faster

than organizations and individuals can

139

:

adjust, from a compliance perspective.

140

:

you look at the pace of change, it's

pretty easy for internal stakeholders

141

:

and also external clients to, to freeze

up because they're overloaded with all

142

:

the different paths that they can go.

143

:

whether we're talking about platforms

or use cases or just simply where

144

:

do we start, a lot to take in.

145

:

So when you're looking at that environment

where you have high pace of change,

146

:

emerging technology, so much that can be

done, what are the things that you have

147

:

suggested or recommended to help people

get unstuck from that overload paralysis?

148

:

Lindsay Castro: It's a great question.

149

:

So I think that, yeah, I completely agree.

150

:

I've seen in many instances, and

even in professionally, right?

151

:

That people not only freeze, they

just completely write it off.

152

:

AI, it's too overwhelming.

153

:

Forget it.

154

:

We're not gonna incorporate it.

155

:

We're not even gonna look at it.

156

:

No one's allowed to use it.

157

:

And I get it from the place of

wanting to be as cautious as possible,

158

:

especially in certain industries,

but I also believe it's so invaluable

159

:

if you use it the right way, right?

160

:

So I think it's looking at your business,

what it's doing, the goals that you

161

:

have, the way in which you would want

to use that tool to empower your people

162

:

to be more productive, to be more

knowledgeable, and then to offer…

163

:

step into it yourself first, right?

164

:

you can't, demonstrate or provide guidance

on a platform or a system or, a use case

165

:

if you're not familiar with it, right?

166

:

So I think it's really important that

leadership becomes familiar with it first,

167

:

and then roll it out in a way where, and

this is what we made a point to do, where

168

:

you are, not just saying "Hey, this is

what this is, and this is how it works."

169

:

You're saying, "Let me support you

by offering case-specific scenarios

170

:

that you might find yourself in,

and what you can and cannot do, what

171

:

the yes and the no would be here.

172

:

And not only that, but let

me tell you why," right?

173

:

And then I think when people understand,

like when our employees, we had

174

:

a very, lovely like interactive

meeting with them to walk through

175

:

slides and say, "Here is what it is.

176

:

Here is how it can be used.

177

:

Here's how it cannot be used.

178

:

Let us walk through some

scenarios together, give you the

179

:

opportunity to ask questions."

180

:

But what we really stressed was,

this isn't scary, and we don't wanna

181

:

tell you, no, you can't use it.

182

:

We need to just tell you the parameters

within which you can use it, right?

183

:

No confidential information, no

client information, nothing that

184

:

you wouldn't, you wouldn't wanna

leave out on your desk, right?

185

:

If you were in an office or that

you wouldn't w- you know, want

186

:

someone else to have easy access to.

187

:

So I think we tried to make

it as friendly as possible.

188

:

And when you do that, it

takes away from the freeze.

189

:

People understand, oh, like this could

actually be a really helpful tool.

190

:

And honestly, as a lawyer, it can

also give you real insight into how

191

:

people are navigating things like

revisions on contracts or, policies

192

:

that they're sending back and forth.

193

:

and sometimes you'll witness occasions in

which people may not be utilizing it in a

194

:

way that's beneficial to them, but could

be using it in a way that's detrimental.

195

:

They're not paying attention.

196

:

They're letting things go.

197

:

And, I think, again, I hate to say

that, but it can also be advantageous

198

:

to, then understand who's paying

attention and who's not, right?

199

:

so yeah, I just see it as being

so beneficial, but there are a

200

:

lot of organizations and business

structures afraid to use it.

201

:

If you approach it from a space of

providing boundaries and education,

202

:

I think it's incredibly useful

203

:

Jim: So I wanna dig in, a little

bit more on some of the rules of the

204

:

road stuff that you were referencing,

when we're talking about guidelines

205

:

or, what you can and can't do.

206

:

I think that's an important

discussion to have.

207

:

And when we're talking about

parameters, let's look at it from,

208

:

a platform-agnostic perspective.

209

:

When you think about establishing a

baseline level of do's and don'ts from

210

:

an AI strategy or execution perspective

within an organization, what are

211

:

those baseline considerations that

people should have in front of their

212

:

minds that's consistent with whatever

state, local, federal privacy policy

213

:

that they might be a- adhering to?

214

:

For example, if you're a SOC 2

compliant company, should that type

215

:

of organization be looking at their

AI strategy as they implement whatever

216

:

strategy initiative platform that

they're thinking about implementing?

217

:

Lindsay Castro: Think you have to work

very closely with your IT and technology

218

:

team to accomplish that properly.

219

:

I think at a very basic rudimentary

level, if it shouldn't be shared

220

:

publicly, it shouldn't go into AI, right?

221

:

That's the baseline, expectation.

222

:

So the way that we had framed it is,

if you need to outline a project plan,

223

:

if you, need to draft an email and kind

of get past a blank page, that's okay.

224

:

Use it to structure those things.

225

:

Give it a hypothetical, "Hey,

what if I'm dealing with this?"

226

:

But don't feed it the confidential

information from internal resources

227

:

or on behalf of our clients, right?

228

:

That would then jeopardize,

the confidentiality of those

229

:

materials or of that information.

230

:

I think that's incredibly important

and, again, I think there's a way

231

:

to approach it in a friendly manner

that doesn't scare people off.

232

:

But you're also allowed to say to

them, at least in our business,

233

:

we're an HDM business, so the

clients trust us to get this right.

234

:

And AI doesn't necessarily

understand multiple employment

235

:

laws at a time, or maybe a leave

policy or a termination risk.

236

:

it's still a computer, right?

237

:

So it, it may give you an answer that

sounds authoritative, but it could

238

:

be the wrong information, isn't it?

239

:

It could be outdated, right?

240

:

It still requires human review

and ensuring that you're providing

241

:

the proper information, right?

242

:

So use it where it can help you work

faster and think more clearly or create

243

:

a better draft, maybe give you some

insights, but don't use it as a default.

244

:

And I think with our technology team,

where I am personally, they're incredible.

245

:

They're very good at, looking at kind of

the activity that's happening internally

246

:

at a generic level, understanding

how high the usage is, and then

247

:

supporting legal and HR and really the

organization at large in saying, "Here

248

:

are the platforms we've approved,"

because we are SOC 2 compliant, right?

249

:

So we have to make sure

that we can attest to that.

250

:

and here are the ones that we cannot have

you use, and we're gonna specify those.

251

:

We're gonna make it clear.

252

:

We'll facilitate the use of those

we've approved, and here's a policy.

253

:

Please sign this policy acknowledging

that you understand the parameters

254

:

within which we're working.

255

:

Jim: that's a good foundation.

256

:

So let's dig in a little bit deeper

and talk about some of the things

257

:

that you have to consider, from a

compliance perspective, when we're

258

:

looking at all the different dimensions

of how an initiative gets rolled out.

259

:

So if an organization is rolling out an

AI initiative, and part of that initiative

260

:

involves implementing a piece of

technology, what are those platform-level

261

:

considerations from a compliance

perspective that an organization needs

262

:

to into place before, put into place that

informs how they select the appropriate

263

:

platform for their environment?

264

:

Lindsay Castro: So I think that

may be industry-specific at times.

265

:

and again, the AI kind of

compliance space is moving so fast.

266

:

So I would say if you're going to

be rolling out an AI initiative

267

:

and you have to look at how each

platform would be utilizing the

268

:

data that you're putting into it.

269

:

for example, there's ChatGPT.

270

:

Everyone's fairly familiar with ChatGPT.

271

:

That's gonna be something you're

copying and pasting, right?

272

:

So that's where the guidelines

really come into place, and you say

273

:

"Okay, here are the do's and don'ts."

274

:

There are other AI platforms like

Fathom or recording platforms, right?

275

:

And in sales or in a lot of industries,

you'll see that people are using

276

:

those to record the phone calls

and the conversations happening

277

:

between them and clients or others.

278

:

You have to look at, who has

access to those conversations,

279

:

where are they stored, right?

280

:

How long are they stored, right?

281

:

then it bleeds into kind of a doc-- or

a, I'm sorry, a retention policy, right?

282

:

Making sure your retention policy does

or doesn't reflect that accurately.

283

:

I think you also have to consider, since

we've talked a little bit about the

284

:

sensitive kind of employee data, you

have to look at if I'm having that-- if

285

:

I'm entering that into a platform that

I'm copying and pasting into, or if I'm

286

:

having a discussion on the phone with

someone or, in our case, with a client

287

:

who has employees and we're discussing

sensitive information, again, that kind

288

:

of reclassifies the material that comes

out of that recorded conversation.

289

:

So I, I think it's, I think it's

really dependent on the type

290

:

of organization and what the

purpose of the materials would be.

291

:

So I think that's step one.

292

:

And then I think, for us, we had to make

sure that there was a governance framework

293

:

and, an accountability framework as well.

294

:

we had to make sure that the

vendors and the third parties

295

:

that we work with were also being

protected alongside us internally.

296

:

so it, it's really-- it's tiered.

297

:

there's many levels to that.

298

:

and again, what's interesting too is as

you make those decisions, excuse me, as

299

:

an organization, you have to look at rules

that, might be specific to individuals

300

:

or entities in a specific state, right?

301

:

So things you might not even think about,

like biometric data is being defined

302

:

in really unique ways across various

states Using a platform, you might think,

303

:

yeah, we navigated what, whether this

platform was safe for our industry,

304

:

how we want our people to use it.

305

:

We gave them instructions."

306

:

N- to your point, there's a new law.

307

:

The new law comes out and says, "Okay,

if you enter someone's image into

308

:

this platform, that's biometric data.

309

:

You've now got a whole new list of items

that you need to comply with," right?

310

:

So it's just, it's so tiered and

layered, and we're all learning.

311

:

but I think even if you map out which

platforms you want to use and your

312

:

compliance process for them, you

still have to remain incredibly aware

313

:

of the laws, precedents, regulations

that apply, because that might shift.

314

:

You might be using something today that

you realize you, you don't have the

315

:

controls around and you wanna shift

316

:

Thomas Kunjappu: This has been

a fantastic conversation so far.

317

:

If you haven't already done so,

make sure to join our community.

318

:

We are building a network of the

most forward-thinking, HR and

319

:

people, operational professionals

who are defining the future.

320

:

I will personally be sharing

news and ideas around how we

321

:

can all thrive in the age of AI.

322

:

You can find it at go cleary.com/cleary

323

:

community.

324

:

Now back to the show.

325

:

Jim: So I'm not, an attorney, nor do

I play one on TV, but a lot of what

326

:

you just, talked about strikes me

as a discoverability conversation,

327

:

especially when you were talking about,

call recordings and things like that,

328

:

tools that do that sort of stuff.

329

:

So when we're t- when we're thinking

about discoverability, th- this

330

:

combines both your, general counsel

hat and your chief people officer hat.

331

:

are the discoverability considerations

that people need to have, top of

332

:

mind, when it comes to implementing

tools or products that consume data?

333

:

because theoretically everything

is discoverable depending on what

334

:

the situation you're dealing with.

335

:

So what are those considerations

that people need to be thinking

336

:

about when, they're setting

up the guardrails for usage?

337

:

Lindsay Castro: So this is an area

that is currently a really hot topic,

338

:

and it's very fascinating for lawyer

nerds like myself, to see the cases

339

:

coming out, the precedent coming out.

340

:

What's most interesting is

that some of the determinations

341

:

thus far, contradict, right?

342

:

So some of the states have made decisions

that are different from one another.

343

:

what the overall or, the overarching

finding is if there is a system

344

:

being utilized that, such as,

again, like a ChatGPT, right?

345

:

You can, you can utilize your own account,

you can pay for an account that's gonna

346

:

afford you some privacy that maybe you

wouldn't have if you were not a member.

347

:

However, it's not necessarily encrypted.

348

:

it may be using what you enter

to train its platform, right?

349

:

And so it…

350

:

there's a concern there, right?

351

:

To your point that this

is gonna be discoverable.

352

:

In cases like that where there is a

legal matter at play or someone is

353

:

digging into a matter that ultimately

becomes ripe for litigation, that's

354

:

d- that is, that's discoverable.

355

:

you may have an opposing party who says, I

would like to get in there and see what it

356

:

was you were searching relative to this."

357

:

there, there has been case law

that said, Claude or ChatGPT,

358

:

it's not an attorney, right?

359

:

So it's not privileged.

360

:

You're not able to say, "Oh, this is

attorney-client privilege," right?

361

:

And because you're not an attorney,

if someone's not an attorney doing

362

:

this, this isn't work product either.

363

:

It's not covered by that privilege

either because they're not an attorney

364

:

doing research for this purpose.

365

:

so it does become

discoverable in some cases.

366

:

But there have been other

cases, so there's three key

367

:

cases out there right now.

368

:

there-- One of them had an opposite

result where there was a pro se person

369

:

who did decide to use ChatGPT to

prepare their litigation materials,

370

:

but they were considered to be a

lawyer because they were pro se, right?

371

:

So their materials were covered

as protected work product.

372

:

So it's really interesting to see

how the analysis comes into play.

373

:

in the most recent, decision, there

was a distinction between the two,

374

:

where it was that a pro se litigant's

AI, strategies and work product

375

:

were protected work product, right?

376

:

and just because they were

using a system that maybe wasn't

377

:

protected, like it didn't forfeit

their expectation of privacy.

378

:

However, the court in that

case said, "Hey, we'll give you

379

:

that, but you also have to let

us know which systems you use."

380

:

That is certainly discoverable, right?

381

:

And it also, I think in that case, they

ended up, issuing, like a protective

382

:

order, basically saying, you cannot

upload confidential material."

383

:

So I think each state is navigating

this in a different manner.

384

:

they're doing it organically, but

then as more precedent comes out and

385

:

these cases become more frequent, I

think we're gonna learn a lot more.

386

:

I'm sure you've seen, a lit- a little

bit different, but there are also

387

:

those cases where, there have been,

pleadings submitted to the court

388

:

with hallucinated cases, right?

389

:

That didn't even exist, and then you've

got attorneys or law firms that are

390

:

being, you know- fined or there are

penalties that exist for that too.

391

:

That's an area that's developing.

392

:

But to go back to how that would apply

or impact a business like ours or

393

:

others, that is again, the importance

of the education piece, is letting

394

:

people know part of the reason this

is so significant is because we

395

:

work in a high-stakes environment.

396

:

We're protecting our

information, but our clients'.

397

:

And if something goes askew, which it

always could, this is something that the

398

:

court may have in front of them, right?

399

:

So if you're comfortable with your search

terms being read, in a court, okay.

400

:

But if you wouldn't be, let's

not input it, into the system

401

:

Jim: So I like this, lawyer nerd

conversation we're having, so I'm

402

:

gonna, I'm gonna throw another bit

out there that I think, it'd be

403

:

interesting to get your take on.

404

:

a-a-as, as a executive level leader in

HR, you're probably seeing all sorts of

405

:

platforms from an HR tech perspective

that have AI branding all over the place.

406

:

in fact, every tech platform out

there has some sort of AI wrapper

407

:

that they've included in there.

408

:

What I'm curious about is when we're

thinking about HR tech platforms, and

409

:

particularly those platforms in the

employee engagement space, the performance

410

:

management space, it's consuming

employee data that's designed to do some

411

:

analysis and then help managers make some

coaching or evaluation decisions on it.

412

:

Sticking with that discoverability

conversation and the tendency for some AI

413

:

to hallucinate, what's your take on how

those sorts of tools should be used from

414

:

a people management perspective, and how

can organizations be conservative in their

415

:

usage policies so that they don't end up

in a situation where some employee gets

416

:

fired or reprimanded, due to an error in

the AI platform making the wrong analysis?

417

:

That's probably an edge case example, but

it's something that we have to consider if

418

:

mass amounts of data is being, processed

and a recommendation is being spit out

419

:

about an employee or an employee group.

420

:

Lindsay Castro: It's tricky.

421

:

It's a very tricky area.

422

:

And I don't think it's explicitly

been addressed yet, right?

423

:

In those cases that we

discussed previously.

424

:

so as you mentioned, the vendors are

adding these AI features to their

425

:

existing platforms, and yes, to your

point, they can exist in a payroll

426

:

system, they could e- exist in a

benefits administration system, leave of

427

:

absence, And they're updated oftentimes

through, a routine product update.

428

:

So it's very difficult to keep up

with where there may be an update that

429

:

does allow for there to be sharing

of people information that you maybe

430

:

would not have shared otherwise.

431

:

so we again try to choose and limit…

432

:

You can't even say that because

sometimes you're dealing, at least in

433

:

our line of work, sometimes you are

working with systems that a client

434

:

has chosen for themselves, right?

435

:

So I think it's, I think to be honest

with you, and not to take it away from

436

:

the people piece, because I don't know

that you can avoid necessarily those

437

:

pieces being included and considered

enhancements to those tools you're using.

438

:

I think it really lends itself to the

contract side, which without meaning to

439

:

take it, you know, back to that area,

what you're seeing is that contracts

440

:

are now very explicit when it comes

to you may or may not use data within

441

:

an AI platform, what type of data can

be utilized, what can be audited, as

442

:

well as, what the liability or the

indemnification provisions are, right?

443

:

So that's how I see people or

companies navigating this right

444

:

now, is we-- it's a we recognize we

don't have control over all of these

445

:

platforms and their capabilities,

no matter how cautious we are.

446

:

and so that's how there's

the protection right now.

447

:

But as that continues, I

think you'll see more, right?

448

:

I think there will be more information

made available to us about best

449

:

practices, and I'm sure that there

will be, preferred platforms, right?

450

:

That can guarantee you encryption

or privacy or, the things that

451

:

matter most in, in sensitive cases.

452

:

Jim: I wanna expand on something that

you mentioned, a little bit earlier,

453

:

and that's in the space of ownership

and governance, but particularly, when

454

:

we're talking about building fail-safes,

into the process so that you're not

455

:

getting, off-the-wall recommendations

or hallucinated recommendations.

456

:

So when an organization is thinking

about their AI strategy, whether it's

457

:

talking about rolling out a process,

piece of technology, whatever, what

458

:

should the ownership, governance, and

review mechanisms look like to, to…

459

:

That's the question.

460

:

what should the ownership, governance,

and review process look like so

461

:

that you can feel reasonably secure

that you're on a solid foundation?

462

:

Lindsay Castro: So I think that you

have to, again, kind of work with

463

:

your leadership and your tech teams

to understand where the AI risk

464

:

assessments need to be conducted,

where the controls need to be in place,

465

:

which policies make the most sense,

and who's going to own them, right?

466

:

Which is going to mean

updating them along the way.

467

:

The data governance obligations I think

it's about being honest with yourself

468

:

as an organization and saying, "Here's

the capacity that we have right now.

469

:

Here's the bandwidth we have

to navigate and manage this as

470

:

something that we are embracing."

471

:

and I think it plays…

472

:

So a playbook, without

ownership is just a document.

473

:

So you can say, "We really want to adopt

this," but unless we have that governance

474

:

process in place and we know exactly who's

doing what and how the decisions will be

475

:

made going forward, it won't work, right?

476

:

So I think what I have found effective

at HCM is that cross-functional

477

:

accountability that I was mentioning.

478

:

So for us, like legal, I mapped

regulatory requirements, and then

479

:

our technology team, they inventoried

the tools and the workflows.

480

:

And we actually engaged with, a

lot of our employees, including

481

:

consultants, to flag where they were

experiencing kind of client-facing

482

:

processes that we needed to be aware

of that kind of intersected with AI.

483

:

so each function, had its own piece,

and again, has to remain current.

484

:

But it was that shared ownership.

485

:

That worked well for us.

486

:

And in addition to, once we

established that, I think it

487

:

became a gating process naturally,

especially with our policy in place.

488

:

So no new AI tool can go live, right?

489

:

Whe-whether it's standalone or if

it's embedded, and we have rules

490

:

outlining, what we're willing to

accept, at least right now, in

491

:

terms of the embedded, without

going through a pretty well-defined

492

:

review and approval workflow across

those teams that I mentioned, right?

493

:

And we did tier them, too.

494

:

We tiered like one through three, w-

how each item would be evaluated based

495

:

on the potential risk that it posed.

496

:

So that, I have found in my experience,

is a great way to approach it, because

497

:

you can't take it on unless you're ready

to really tackle it and be consistent.

498

:

But you also can't tackle

it in one department alone.

499

:

Because of all of the areas it impacts,

you really have to bring in leadership,

500

:

and also, your employees are invaluable

in letting you know what they're seeing

501

:

in real time and where they see the risks.

502

:

So we really made it a group

effort, and I would recommend

503

:

that for a lot of organizations.

504

:

I know it's tougher in really big

ones, but to the degree you're able.

505

:

Jim: So one of the things that, that's

interesting about what you just said

506

:

is, defining who's gonna own what and

establishing shared ownership and those

507

:

cross-functional relationships that allow

all of that, to, to work well together.

508

:

I'm paraphrasing.

509

:

when I hear that, my mind goes to,

that makes sense if these things are

510

:

rolled out in a top-down fashion, if you

have, leadership driving the process.

511

:

What I'm curious about is what happens

or what would your, how would your

512

:

recommendations change in those

organizations where their initiatives are

513

:

happening more in a bottom-up fashion,

and maybe even at a business unit level

514

:

where one function within a business

unit is taking on one AI initiative

515

:

and rolling that out, and then you

have something completely different

516

:

going on in IT and sales and so on.

517

:

How would you adjust for that

sort of environment where it's

518

:

more of a bottom-up, initiative

rollout versus a top-down rollout?

519

:

Lindsay Castro: So I know

that it's inevitable that

520

:

those situations arise, right?

521

:

Everyone deals with them.

522

:

I think that it's just a little

dangerous to not account for that

523

:

possibility by creating a process

at some level, whether it's top or

524

:

middle or having a gatekeeper again.

525

:

And typically, I think technology is a

great place for that to fall because you

526

:

can have different units adopting their

own preferred use of AI or platforms

527

:

or software, whatever the case may be.

528

:

The problem is, unless there

are parameters, it just allows

529

:

for so much unknown, right?

530

:

So there are organizations that

are comfortable with that, and I

531

:

think it becomes a question of risk.

532

:

How much risk are you comfortable

absorbing when it comes to AI?

533

:

Some may say, "Ah, I'm good with it.

534

:

Like it's…

535

:

we're making money," right?

536

:

"Things are moving faster.

537

:

Like we, we can let go of

some people we don't…"

538

:

I think then you'll have other

entities that are like, "Nope," like

539

:

I said, we don't wanna touch this.

540

:

This is terrifying."

541

:

But I do think either way, you

have to have a process in place

542

:

because the reality is, no matter

what, your employees are going to

543

:

be using it in some fashion, right?

544

:

So I think as soon as you become aware

of that, if it is a bottom-up process,

545

:

it becomes incumbent on whomever is made

aware to raise that to a level of, hey,

546

:

we need to get our hands around this.

547

:

we need to understand how

we want to navigate this.

548

:

And I think it's perfectly okay to say

"Oh, hey, you're using this system?

549

:

Okay, awesome.

550

:

I'm just gonna need to take a

look at how that works and make

551

:

sure that is acceptable for our

business model or for our clients.

552

:

And if it's not, we'll find an

alternative that is," right?

553

:

So it's not shutting anyone down or

discouraging the growth that clearly that

554

:

employee or that division is striving to

achieve, by utilizing these resources.

555

:

It's just working with them to

find the right one, and then to the

556

:

degree that you're able, putting

a process in place that gives

557

:

you some level of comfort, right?

558

:

Based on the level of risk you're

comfortable with, that you can, have

559

:

some guardrails and controls around it

560

:

Jim: One of the interesting things

that I'll be, observing is the

561

:

parallel between what happens with

AI and how it's implemented within

562

:

organizations and what was happening…

563

:

I came out of the recruiting space.

564

:

So one of the things in recruiting,

especially if you're in technology

565

:

recruiting, which is where the world

that I came out of, is that you had

566

:

standard enterprise IT architecture and

technology policies, and then you had

567

:

shadow IT, where each function or each

division within was running their own

568

:

tech stack, and that created a lot of

technology bloat, as well as additional

569

:

costs and more policy considerations.

570

:

I'll be curious to see if we see

something similar, on the AI front,

571

:

because you'll have a corporate AI

policy and then you just talked about,

572

:

a business unit or a functional group

might have a use case for AI that isn't

573

:

inbounds from the enterprise level,

so they go rogue and build their own.

574

:

We've talked a lot of compliance

and compliance adjacent stuff.

575

:

What I'm curious about is when you

think about all the stuff that we've

576

:

talked about, and I'm gonna reference

what you mentioned earlier, which is a

577

:

playbook, and you're thinking about an

AI playbook or an initiative playbook.

578

:

all the things that we've talked about

so far, what should that playbook

579

:

contain for it to be useful as a

starting point for the rollout of an

580

:

AI initiative within an organization?

581

:

Lindsay Castro: So I think the playbook

has to contain, what we've discussed

582

:

already, which is clear ownership, right?

583

:

Knowing who is gonna be navigating that.

584

:

I think it's helpful to include some

information in that playbook as to

585

:

why the rules are important, including

in that playbook matters, right?

586

:

Real-life examples.

587

:

and then I think providing the employees

the situations in which it can and cannot

588

:

be used, creating knowledge, right?

589

:

Knowledge is power, I always say.

590

:

So it's making sure that they

understand exactly what is

591

:

allowed and what isn't and why.

592

:

I also think it's, understanding how…

593

:

I think it's important to include in

that playbook how employees should

594

:

be expected to handle situations in

which perhaps they notice the rules

595

:

are not being followed by a colleague,

and that needs to be addressed.

596

:

Or, including information on the fact that

there will be audits conducted, right?

597

:

As an employer, you're able to conduct

audits of the actual activity happening

598

:

across the organization at any given time.

599

:

So letting them know that.

600

:

giving them a sense of how long

the images or the data that they're

601

:

utilizing will exist on the system.

602

:

I think there's…

603

:

All of those pieces are really crucial.

604

:

I also think giving employees,

because this is so new, right?

605

:

Giving employees an opportunity and an

arena to actually have the conversation

606

:

which, with whomever is going to be

owning or leading that process is

607

:

really crucial to understand where

they, where the gaps lie, right?

608

:

Because we can only see what we see.

609

:

But that gives you the ability to provide

a playbook, but to also update it as

610

:

needed with that feedback loop, right?

611

:

So that what you're seeing feeds back

into the policy itself as needed.

612

:

so I think those are the key pieces.

613

:

That was what we had included.

614

:

But, having a firm policy in place

as a part of that playbook is key.

615

:

it's tough to say, right?

616

:

Because each industry is going

to do a little bit differently.

617

:

but one of the things and my, my CFO

al- always laughs at me for this one,

618

:

but I always say clear is kind, right?

619

:

So a playbook is meant to provide

clarity, and that is the kindest thing

620

:

you can do for your employees because

it gives them the room to operate

621

:

and to understand where the rules lie

and to have the flexibility to come

622

:

to you with questions, without fear.

623

:

so y- you can define it to some ability,

but I think a playbook has to be a living,

624

:

breathing document so that it can be…

625

:

It can give the guardrails, but

it can be updated as needed to

626

:

align with things as they develop

627

:

Jim: Yeah, I like the last part of

what you mentioned that clear is kind.

628

:

Clarity also builds momentum.

629

:

So if we're taking the concept of

a living document into it, you need

630

:

to have forward momentum, to be

able to iterate from where you are.

631

:

I think the important thing, what I gather

from what you just mentioned, think of

632

:

this as a framework and a foundation,

not something that's absolutely static.

633

:

Because if you're building a static

document, the pace of change is gonna

634

:

make it such that it's not relevant six

months or 12 months from, down the road.

635

:

I guess one of the things that, that

I'm curious about, especially given the

636

:

space that you're in, you have these

dual hats inside your organization, but

637

:

you're also in, a consulting organization

that works with other firms externally.

638

:

And when we think about the dynamics

of that, and especially with something

639

:

that's so new in, from the perspective of

AI, when something is this new, there's

640

:

gonna be some rough lessons learned

when people go the wrong direction.

641

:

Are there any painful lessons learned

that you've seen, that I, that you feel is

642

:

worth mentioning that, hey, don't do this?

643

:

This should be a clear red line

that you need to watch out for,

644

:

no matter how attractive it,

it might appear on the surface.

645

:

Lindsay Castro: I see where

missteps become possible.

646

:

I think that kind of going a little

bit backwards, y- I see AI and

647

:

other items like it that we're

lucky enough to be in the midst of

648

:

watching develop, as an opportunity

for connection in an organization.

649

:

And, there's so many established archaic,

rules and regs, and you just know, okay,

650

:

we have a document retention policy.

651

:

of course we do.

652

:

Everyone does.

653

:

This is something so new

that I think you're able to

654

:

bring people into it, right?

655

:

You're able to say…

656

:

You're able to use it as a space

to say, "I don't know everything.

657

:

You don't know everything.

658

:

We're gonna learn together."

659

:

So when I started to see situations

where maybe someone didn't understand

660

:

what was okay or what was not okay

to use as an input, the goal was

661

:

to quickly get in front of it and

say, "Let's have this meeting.

662

:

Let's provide these materials so we can

actually walk through what we know today."

663

:

And because of that, there is no fear

on the part of any of the employees,

664

:

to my knowledge, I should say, that

if there is a question for them that

665

:

relates to, "Hey, can I use this way?"

666

:

Or, "Is it okay to

enter this information?"

667

:

Or, or maybe if they had questions on how

they were doing something previously and

668

:

wanted to know how to change it, those--

It created an opening, for us to have

669

:

that connection and for them to be able

to come in and say, "I have a question."

670

:

And it was totally okay

to have a question, right?

671

:

And it, it also opens the door to, again,

that feedback, that follow-up conversation

672

:

where it becomes a, hey, maybe we

should have a deep dive internally,

673

:

which we try to do once a month.

674

:

Maybe we should have our next

deep dive on this topic, right?

675

:

So you start to see…

676

:

I wouldn't say missteps or, horrible.

677

:

I haven't seen anything crazy.

678

:

I've just seen uncertainty.

679

:

and then, on the legal

side, the same thing.

680

:

It's become an open door where they

can say, "Hey, this client has an

681

:

employee in such and such a space.

682

:

This is the question they're asking.

683

:

Does this fall in the

legal realm, do you think?"

684

:

and sometimes we've had to say,

"Yeah, we can't answer that question.

685

:

That would be legal advice."

686

:

And, we'll just let them know they

should speak to their counsel.

687

:

and again, I'm glad they're asking

me versus inputting that even

688

:

as a generic question into AI.

689

:

What would you do if this

employee wanted to come back to…

690

:

who knows?

691

:

So it's really opened the door for kind

of connection and conversation, and I

692

:

think that is so important to preventing

huge missteps within an organization

693

:

Jim: Great stuff, Lindsay.

694

:

If people wanna continue the

conversation, what's the best way

695

:

for them to get in touch with you?

696

:

Lindsay Castro: Oh gosh.

697

:

I'm happy to connect

via LinkedIn, via email.

698

:

I can provide that as well.

699

:

But in any which way, I love having

these conversations, so I'm so grateful

700

:

that you were, open to our doing so

701

:

Jim: So we'll make sure that we include

your LinkedIn profile in the show

702

:

notes, and people can reach out there.

703

:

Speaker 3: Thanks for

hanging out with us, Lindsay.

704

:

It was a lot of fun chatting with

you, And I think there was a lot of

705

:

opportunity for us to dig even deeper

in certain areas, but we only have,

706

:

an hour-long show, so I wanted to

make sure that we keep things tight.

707

:

One of the big things that stood out

to me was your recommendation that the

708

:

compliance guidelines or foundation

needs to be something that's more of a

709

:

living document than a static playbook,

and I think that's pretty important

710

:

to keep in mind, especially when we

consider that everything in the AI space

711

:

is moving so fast, and you referenced

it yourself, that the tools and the

712

:

capabilities are moving faster than

the policies can be put into place.

713

:

And when we look at that pace of change,

it's important to keep in mind that

714

:

whatever policies and guidelines and

compliance outlines that you put into

715

:

place, you need to have wiggle room

established so that you can iterate

716

:

and expand those policies and adjust

those policies as the technology changes

717

:

and as the business need changes.

718

:

The other important thing that you

mentioned in this conversation that

719

:

stood out to me that I think is gonna be

important for other leaders to keep in

720

:

mind is that when there is so much stuff,

from an AI perspective that's out in the

721

:

wild, it becomes really easy to freeze and

just ignore it all and do something else.

722

:

And your point about how it can be

overwhelming is well taken, and I think

723

:

the solution that you gave is that if

you want to build forward momentum,

724

:

leadership has got to take the initiative

and put things into place that allow

725

:

people to take small experiments and

small chunks and move forward with those.

726

:

So having leadership set the tone,

especially in an environment where

727

:

it can seem overwhelming, is an

important lesson that everybody

728

:

should take away and be eager to

implement in their own environments.

729

:

So for those of you who've been listening

to this conversation, we appreciate

730

:

you hanging out and and taking it in.

731

:

If you like the discussion, make sure

you leave us a five-star review on your

732

:

favorite podcast player, and then tune

in next time where we'll have another

733

:

leader sharing their insights on how

they're using AI to future-proof HR.

Links

Chapters

Video

More from YouTube