Governance has become the defining buzzword of corporate AI strategy, but Patrick Bourk says the conversation is skipping the most basic step. The vice president of cyber and professional lines at Navacord argues that companies cannot govern data they do not know they have, and that most organizations have no real inventory of where their information actually sits.
"Governance is a big, big word in AI now," Bourk said. "But what's interesting is you can't really have governance until you know what your data is. You can't do governance without data inventory."
The gap between governance aspiration and operational reality is not just a Canadian problem. Bourk noted that cybercriminals actively exploit regulatory blind spots. Canada, he said, tends to lag roughly a decade behind the US in regulatory maturity and cyber awareness – and less developed markets lag a decade behind Canada, making them attractive testing grounds for threat actors refining their methods before moving to higher-value targets.
That applies to businesses building AI strategies. It applies equally to individuals who have spent years signing up for apps, subscriptions and platforms without reading the fine print.
Bourk breaks down where personal data actually ends up into three categories. The first is straightforward – information you knowingly shared and authorised. The second is murkier.
"There's a huge chunk of your information sitting ‘out there’, and you have no idea where it is," he said. "Because unbeknownst to you, when you sign that subscription for whatever, you unknowingly gave them authorization to broker your data to somebody else."
The third category is the dark web – data that has been stolen, leaked or sold and is now circulating beyond any individual's control.
Most people are aware of the third category in a vague, abstract way. The second is where the real surprise tends to land. The average Canadian has authorised data sharing they have no memory of, through terms and conditions they never read, with third parties they have never heard of.
The good news, Bourk said, is that an emerging category of companies is trying to address this. Some are building platforms that help individuals identify where their digital footprint has spread – and, crucially, use existing privacy laws to demand that data brokers who acquired that information remove it.
"Because there are laws and regulations around the safeguarding of that information, they can go to those companies that have it because they bought it and you can say I don't give you authorization to do that anymore," Bourk said.
Others are tackling the deepfake verification problem – developing what Bourk describes as communication intelligence tools designed to confirm that the person on a call or in a message is actually who they say they are. As deepfake audio and video become increasingly convincing, that verification layer is moving from a nice-to-have to a genuine business need.
The underlying problem feeding all of this, Bourk said, is digital hoarding. Most people accumulate far more apps, accounts and online presences than they actively use or need – and every dormant account, forgotten subscription and unused app is a potential entry point for threat actors.
"We each have to take some individual responsibility for it," he said. "In some cases, we just hold on to more stuff than we need to. I think we should take some personal accountability for where all of our stuff is."
The practical steps are not complicated. Audit what apps you actually use and remove the ones you do not. Change passwords regularly. Think carefully before creating yet another account for a service you will use once.
"From a personal standpoint, we can look back and say, 'Do I really need these particular apps?'" Bourk said. "And of course changing passwords on a regular basis."