Categories
DTQ Data Trust Quotients Events

Report: AI Memory and Data Retention- How Much Should Machines Be Allowed to Remember?

Categories
DTQ Data Trust Quotients Events

Report: AI Memory and Data Retention- How Much Should Machines Be Allowed to Remember?

A report on the closed-door leadership dialogue hosted by DTQ (Data Trust Quotient), bringing together CISOs, risk advisors, and AI governance leaders to examine whether enterprises can truly delete what an AI system has learned.

About the Platform: DTQ

DTQ — the Data Trust Quotient — is a leadership dialogue platform focused on AI governance, privacy, and data security. The series brings together the people directly responsible for these decisions: Chief Information Security Officers (CISOs), data protection leads, and AI governance practitioners, for candid, closed-door conversations about where the industry is heading.

This session opened with the discussion around a real-world flashpoint: a U.S. court order compelling OpenAI to preserve all ChatGPT conversations — including those users had deleted — as part of its ongoing copyright litigation with The New York Times. The episode illustrated how, once a machine has “remembered” something, true deletion becomes a far harder problem than most organizations assume.

The Panel

The discussion was steered by a moderator and featured three senior practitioners spanning cybersecurity, enterprise IT, and risk advisory:

RolePanelist & Profile
ModeratorMohit Sharma — Cybersecurity Advisor, Baker Hughes. Works in industrial and operational technology, where questions of what gets logged, stored, and retained carry real operational consequences.
PanelistAniruddha Mehta — Partner, Risk Consulting, EY. Advises organizations on data privacy, the DPDP Act, and AI/data risk governance as regulation evolves.
PanelistVinod Nair — CISO, leading cybersecurity and IT infrastructure across large enterprise and SAP environments, bringing a practitioner’s view of enterprise data governance at scale.
PanelistRohit Ponnapalli — Global CISO, Envoy Global. Over 14 years building security from the ground up, including running information security for 30,000 people across 11 locations and architecting security operations centers for state governments and India smart-city projects.

Session Report

Opening Question: Who Wins — Privacy Law or Algorithmic Memory?

Moderator Mohit Sharma framed the central tension: privacy laws are built on the principle that individuals can be forgotten, while AI systems are built on the principle of learning from what they remember. He asked the panel directly — in one line, can a company truly forget a person today?

“This is the illusion of absolute erasure in Gen AI. The right to be forgotten, codified under Article 17 of GDPR and Section 12(3) of India’s DPDP Act, grants data principals the right to demand erasure — but generative AI systems store data in two distinct states: explicit storage and implicit parametric storage. Erasing from explicit storage (vector databases, caches, logs) is technically feasible. Erasing from implicit parametric storage — the billions of weights inside a trained model — is practically impossible, because no single data point resides in an isolated, identifiable location.”

— Aniruddha Mehta, Partner – Risk Consulting, EY

Mehta outlined four technical paths organizations can use to bridge this gap:

  • Exact unlearning — deleting clearly targeted data outright.
  • Approximate unlearning — offering no absolute guarantee of erasure, but relying on probabilistic reduction of a data point’s influence.
  • Concept-level / cohort unlearning — removing influence at the level of a defined group (e.g. by department or team), which is easier to isolate and action.
  • CSA architecture (shared, isolated, sliced, and aggregated training design) — a more efficient, consent-aligned design for targeted retraining.

His conclusion: the tension between contextual utility and legal liability is best managed not as a fight between privacy and AI, but through responsible AI design as the operating principle.

Panelist Vinod Nair added a regulatory-timeline perspective, noting that India’s IT Act 2000 was followed by the IT Rules 2021 and that the DPDP Act is expected to come into force around May 2027. He stressed the need to track evolving model architectures — autoregressive LLMs, masked language models, sequence-to-sequence and retrieval-augmented models — and to embed standard data-loss-prevention (DLP) practices directly into AI deployments.

Rohit Ponnapalli, Global CISO at Envoy Global, offered a starkly practical view: with prompts, chat histories, and retrieval-augmented (RAG) models now layered across every tool and vendor in an enterprise, organizations frequently have no reliable way of knowing where their data actually resides — making proof of deletion nearly impossible at scale.

“Every department has multiple third-party vendors, and every tool has AI built in already. Where do you even delete the data — your laptop, your AI models, or your vendor’s systems? We have no idea where the data resides with all this AI in place.”

— Rohit Ponnapalli, Global CISO, Envoy Global

Ponnapalli proposed grounding AI memory governance in privacy-by-design and zero-trust principles, layered across three planes: strategy (how long data should be retained), tactics (how AI models and third parties are onboarded), and operations (data mapping). His view: if an organization can achieve reliable data mapping, retention controls and purpose definition become possible — and roughly 90% deletion success is achievable even in the AI era.

Categorizing AI Memory by Risk

Moderator Sharma turned the discussion toward practice: should session memory, user memory, organizational memory, and training data be treated as different risk categories — and what should be kept?

Mehta proposed a four-part risk-utility framework for classifying data before deciding how it should be governed:

Data ClassAI UtilityRegulatory RiskRecommended Action
Interaction / informal data (logs, raw text)Low long-term valueHigh — unsolicited PII riskAggressive erasure; automated TTL protocols
Inferred / analytical data (behavioral profiles, risk flags)High — personalization, automationSevereCohort-level unlearning; purpose-bound grouping
Demographic / trend data (anonymized)High — fairness tuning, model stabilityLow, if irreversibly anonymizedRetain under audit; verify re-identification resistance
Sensitive financial / health dataFraud detection, diagnosticsMaximum — sector and cross-border lawsFederated architecture; strict access controls; segregate memory from weights

Vinod Nair built on this with an enterprise security lens, identifying three foundational controls: a documented data inventory and classification system, enforced identity controls, and encryption that is never standardized indefinitely — since static encryption algorithms become predictable targets over time. He also called for regular red-team exercises, defined playbooks for memory abuse or model leakage, and clear deletion workflows tied to defined retention periods.

He further distinguished organizational memory needs by seniority and exposure: persistent profiles tied to senior executives (e.g. a CIO or CEO) require separate, higher categorization and protection than standard user or session memory, given the greater risk of profiling or targeted leakage.

Should AI Remember Everything It Can?

Sharma posed a pointed question to Ponnapalli, whose background spans smart-city and public-sector systems: just because a system can remember something, does it mean it should?

“Just because you have unlimited data storage, you should not keep storing the data. There should be a boundary to what you want to store.”

— Rohit Ponnapalli, Global CISO, Envoy Global

Ponnapalli illustrated the point with a consumer example — automated calls nudging customers to complete abandoned cart purchases — to show how easily “customer experience” framing can stretch the boundary of acceptable data use. He recommended segregating storage by data type (PII versus service-quality or analytics data), applying regulation-driven retention periods (citing seven years as a common standard for PII in his sector), and using DLP and DSPM tooling to maintain visibility into where data is flowing and which systems are using it.

He also offered a candid status check on enterprise AI maturity: most organizations remain at the proof-of-concept stage, with AI largely permitted to read data — but not yet trusted to write, execute, or delete it autonomously.

Board-Level Governance and Accountability

As the discussion moved toward governance at the top of organizations, Mehta argued that overseeing AI memory has moved beyond a technical concern into a fiduciary duty for boards, particularly where AI informs credit decisions, financial crime monitoring, and forecasting.

“A company may execute a delete query on a relational database to satisfy a regulatory audit, but if the AI system continues to make automated decisions based on hidden patterns learned from those deleted records, the board remains exposed to severe legal, financial, and reputational jeopardy.”

— Aniruddha Mehta, Partner – Risk Consulting, EY

He set out three governance imperatives for boards:

  • Demand algorithmic transparency and explainability — rejecting black-box systems for critical operations, and ensuring decisions can be traced back to the parameters and data that drove them.
  • Implement responsible AI checkpoints — maintaining an enterprise-wide inventory of all AI models (built, deployed, or procured), with mandatory Data Protection Impact Assessments (DPIAs) before deployment and risk-tier classification across the AI lifecycle.
  • Enable human accountability in agentic systems — building clear boundaries, accountability mechanisms, and human-in-the-loop overrides directly into system architecture as AI moves from flagging issues to acting on them autonomously.

Audience Q&A Highlights

The moderator relayed several audience questions from the chat for rapid-fire responses:

  • Do we need dedicated standards for AI memory and retention, similar to information security standards? Vinod Nair: Yes — existing frameworks such as ISO/IEC 27001 and 42001 provide a starting control criteria, but organizations need specific, auditable controls mapped to applicable regulations (IT Act, DPDP, and sector-specific clauses) to track AI-specific risks such as RAG pipeline design and vector database/cache access.
  • How should AI data governance be embedded into vendor relationships? Aniruddha Mehta: Treat data protection policy as a core part of vendor assessment and re-assessment, the same way sectors like pharma conduct vendor risk reviews before deployment.
  • Is compliance ever a fixed, one-time state? Rohit Ponnapalli: No — there is no such thing as point-in-time compliance. An organization can be compliant at the moment of an audit and fall out of compliance shortly after as systems and data continue to evolve, which is why governance must be continuous and unbiased.
  • If advising a startup building AI with persistent memory, what is the first question founders should ask? Rohit Ponnapalli: Start with the basics — what data is being collected, and specifically what is the AI being asked to remember (PII, behavioral data, business intelligence)? Then stress-test the downside: what happens if this data leaks, and what would that cost the business in trust, customers, or survival?

Key Insights

  • Complete erasure from a trained AI model is not currently achievable — deleting a source record removes it from explicit storage, but its statistical “fingerprint” can remain embedded in the model’s parametric weights.
  • Four technical approaches — exact unlearning, approximate unlearning, cohort-level unlearning, and federated (CSA) architecture — offer practical, if imperfect, paths to manage this gap.
  • Not all AI memory carries equal risk. A four-tier data classification framework (interaction data, inferred/analytical data, anonymized trend data, sensitive financial/health data) helps determine the right retention and governance response for each.
  • Most organizations cannot currently map where their data — or its AI-driven derivatives — actually reside across departments, vendors, and embedded AI tools, making provable deletion a major operational gap.
  • Responsible AI governance must operate at three levels simultaneously: strategic (policy and retention limits), tactical (model and vendor onboarding), and operational (data mapping and controls).
  • Boards are increasingly exposed to fiduciary liability when AI systems continue to act on patterns learned from data that has technically been deleted from source systems.
  • As AI moves toward agentic, autonomous action, human-in-the-loop oversight and clear accountability boundaries must be designed into system architecture from the outset — not added afterward.
  • Compliance is not a fixed, point-in-time state; with AI systems continuously evolving, governance and audit processes must be continuous and unbiased.
  • Regulatory timelines are tightening — India’s DPDP Act is expected to be enforced around May 2027 — making early investment in data classification, vendor assessment, and retention controls a near-term priority rather than a future concern.

Closing Note

The session closed with the panel agreeing that the boundaries of “responsible AI” are still being actively written, and that the conversation — including several audience questions that could not be addressed live — is expected to continue in a follow-up DTQ session. The discussion underscored a consistent theme across all four speakers: as AI systems become more persistent and context-aware, remembering and forgetting are no longer purely technical actions — they are business, security, and governance decisions that boards, CISOs, and risk leaders must own together.

Categories
Applied Innovation

Responsible AI:  Principles, Practices, and Challenges

Categories
Applied Innovation

Responsible AI:  Principles, Practices, and Challenges

The emergence of artificial intelligence (AI) has been a catalyst for profound transformation across various sectors, reshaping the paradigms of work, innovation, and technology interaction. However, the swift progression of AI has also illuminated a critical set of ethical, legal, and societal challenges that underscore the urgency of embracing a responsible AI framework. This framework is predicated on the ethical creation, deployment, and management of AI systems that uphold societal values, minimize potential detriments, and maximize benefits.

Foundational Principles of Responsible AI

Responsible AI is anchored by several key principles aimed at ensuring fairness, transparency, accountability, and human oversight. Ethical considerations are paramount, serving as the guiding force behind the design and implementation of AI to prevent harmful consequences while fostering positive impacts. Transparency is a cornerstone, granting stakeholders the power to comprehend the decision-making mechanisms of AI systems. This is inextricably linked to fairness, which seeks to eradicate biases in data and algorithms to ensure equitable outcomes.

Accountability is a critical component, demanding clear lines of responsibility for AI decisions and actions. This is bolstered by the implementation of audit trails that can meticulously track and scrutinize AI system performance. Additionally, legal and regulatory compliance is imperative, necessitating adherence to existing standards like data protection laws and industry-specific regulations. Human oversight is irreplaceable, providing the governance structures and ethical reviews essential for maintaining control over AI technologies.

The Advantages of Responsible AI

Adopting responsible AI practices yields a multitude of benefits for organizations, industries, and society at large. Trust and enhanced reputation are significant by-products of a commitment to ethical AI, which appeals to stakeholders such as consumers, employees, and regulators. This trust is a valuable currency in an era increasingly dominated by AI, contributing to a stronger brand identity. Moreover, responsible AI acts as a bulwark against risks stemming from legal and regulatory non-compliance.

Beyond the corporate sphere, responsible AI has the potential to propel societal progress by prioritizing social welfare and minimizing negative repercussions. This is achieved by developing technologies that are aligned with societal advancement without compromising ethical integrity.

Barriers to Implementing Responsible AI

Despite its clear benefits, implementing responsible AI faces several challenges. The intricate nature of AI systems complicates transparency and explainability. Highly sophisticated models can obscure the decision-making process, making it difficult for stakeholders to fully comprehend their functioning.

Bias in training data also presents a persistent issue, as historical data may embody societal prejudices, thus resulting in skewed outcomes. Countering this requires both technical prowess and a dedication to diversity, including the use of comprehensive datasets.

The evolving legal and regulatory landscape introduces further complexities, as new AI-related laws and regulations demand continuous system adaptations. Additionally, AI security vulnerabilities, such as susceptibility to adversarial attacks, necessitate robust protective strategies.

Designing AI Systems with Responsible Practices in Mind

The creation of AI systems that adhere to responsible AI principles begins with a commitment to minimizing biases and prejudices. This is achieved through the utilization of inclusive datasets that accurately represent all demographics, the application of fairness metrics to assess equity, and the regular auditing of algorithms to identify and rectify biases.

Data privacy is another essential design aspect. By integrating privacy considerations from the onset—through methods like encryption, anonymization, and federated learning—companies can safeguard sensitive information and foster trust among users. Transparency is bolstered by selecting interpretable models and clearly communicating AI processes and limitations to stakeholders.

Leveraging Tools and Governance for Responsible AI

The realization of responsible AI is facilitated by a range of tools and technologies. Explainability tools, such as SHAP and LIME, offer insight into AI decision-making. Meanwhile, privacy-preserving frameworks like TensorFlow Federated support secure data sharing for model training.

Governance frameworks are pivotal in enforcing responsible AI practices. These frameworks define roles and responsibilities, institute accountability measures, and incorporate regular audits to evaluate AI system performance and ethical compliance.

The Future of Responsible AI

Responsible AI transcends a mere technical challenge to become a moral imperative that will significantly influence the trajectory of technology within society. By championing its principles, organizations can not only mitigate risks but also drive innovation that harmonizes with societal values. This journey is ongoing, requiring collaboration, vigilance, and a collective commitment to ethical advancement as AI technologies continue to evolve.

Reach out to us at open-innovator@quotients.com or drop us a line to delve into the transformative potential of groundbreaking technologies. We’d love to explore the possibilities with you

Categories
Applied Innovation

Understanding and Implementing Responsible AI

Categories
Applied Innovation

Understanding and Implementing Responsible AI

Our everyday lives now revolve around artificial intelligence (AI), which has an impact on everything from healthcare to banking. But as its impact grows, the necessity of responsible AI has become critical. The creation and application of ethical, open, and accountable AI systems is referred to as “responsible AI.” Making sure AI systems follow these guidelines is essential in today’s technology environment to avoid negative impacts and foster trust. Fairness, transparency, accountability, privacy and security, inclusivity, dependability and safety, and ethical considerations are some of the fundamental tenets of Responsible AI that need to be explored.

1. Fairness

Making sure AI systems don’t reinforce or magnify prejudices is the goal of fairness in AI. skewed algorithms or skewed training data are just two examples of the many sources of bias in AI. Regular bias checks and the use of representative and diverse datasets are crucial for ensuring equity. Biases can be lessened with the use of strategies such adversarial debiasing, re-weighting, and re-sampling. One way to lessen bias in AI models is to use a broad dataset that covers a range of demographic groupings.

2. Transparency

Transparency in AI refers to the ability to comprehend and interpret AI systems. This is essential for guaranteeing accountability and fostering confidence. One approach to achieving transparency is Explainable AI (XAI), which focuses on developing human-interpretable models. Understanding model predictions can be aided by tools such as SHAP (SHapley Additive exPlanations) and LIME (Local Interpretable Model-agnostic Explanations). Furthermore, comprehensive details regarding the model’s creation, functionality, and constraints are provided by documentation practices like Model Cards.

3. Accountability

Holding people or organizations accountable for the results of AI systems is known as accountability in AI. Accountability requires the establishment of transparent governance frameworks as well as frequent audits and compliance checks. To monitor AI initiatives and make sure they follow ethical standards, for instance, organizations can establish AI ethics committees. Maintaining accountability also heavily depends on having clear documentation and reporting procedures.

4. Privacy and Security

AI security and privacy are major issues, particularly when handling sensitive data. Strong security measures like encryption and secure data storage must be put in place to guarantee user privacy and data protection. Additionally crucial are routine security audits and adherence to data protection laws like GDPR. Differential privacy is one technique that can help safeguard personal information while still enabling data analysis.

5. Inclusiveness

AI security and privacy are major issues, particularly when handling sensitive data. Strong security measures like encryption and secure data storage must be put in place to guarantee user privacy and data protection. Additionally crucial are routine security audits and adherence to data protection laws like GDPR. Differential privacy is one technique that can help safeguard personal information while still enabling data analysis.

6. Reliability and Safety

AI systems must be dependable and safe, particularly in vital applications like autonomous cars and healthcare. AI models must be rigorously tested and validated in order to ensure reliability. To avoid mishaps and malfunctions, safety procedures including fail-safe mechanisms and ongoing monitoring are crucial. AI-powered diagnostic tools in healthcare that go through rigorous testing before to deployment are examples of dependable and secure AI applications.

7. Ethical Considerations

The possible abuse of AI technology and its effects on society give rise to ethical quandaries in the field. Guidelines for ethical AI practices are provided by frameworks for ethical AI development, such as the IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems. Taking into account how AI technologies will affect society and making sure they are applied for the greater good are key components of striking a balance between innovation and ethical responsibility.

8. Real-World Applications

There are several uses for responsible AI in a variety of sectors. AI in healthcare can help with disease diagnosis and treatment plan customization. AI can be used in finance to control risks and identify fraudulent activity. AI in education can help teachers and offer individualized learning experiences. But there are drawbacks to using Responsible AI as well, such protecting data privacy and dealing with biases.

9. Future of Responsible AI

New developments in technology and trends will influence responsible AI in the future. The ethical and legal environments are changing along with AI. Increased stakeholder collaboration, the creation of new ethical frameworks, and the incorporation of AI ethics into training and educational initiatives are some of the predictions for the future of responsible AI. Maintaining a commitment to responsible AI practices is crucial to building confidence and guaranteeing AI’s beneficial social effects.

Conclusion

To sum up, responsible AI is essential to the moral and open advancement of AI systems. We can guarantee AI technologies assist society while reducing negative impacts by upholding values including justice, accountability, openness, privacy and security, inclusivity, dependability and safety, and ethical concerns. It is crucial that those involved in AI development stick to these guidelines and never give up on ethical AI practices. Together, let’s build a future where AI is applied morally and sensibly.

We can create a more moral and reliable AI environment by using these ideas and procedures. For all parties participating in AI development, maintaining a commitment to Responsible AI is not only essential, but also a duty.

Contact us at innovate@quotients.com to schedule a consultation and explore the transformative potential of this innovative technology.