It is not the tool but the interaction the RFP guide to governing the IA in companies

Just a few years ago, talking about security and artificial intelligence between executives used to cause frowned fences and scarce budgets. Today the situation has changed: the IA is the engine that drives productivity in many companies and, with this, the money came to protect it. However, there is a silent tension in the management rooms: many organizations recognize that they need governance over the IA, but they do not know exactly what to look for or how to turn these concerns into clear technical requirements.

Part of the problem is conceptual. For decades, corporate cybersecurity has been organized around applications, networks and endpoints. Attempts to "catalogue" each tool used by employees work in theory, but in practice they quickly lose the race against the avalanche of new interfaces, browser extensions and GPT-driven assistants that appear each week. This dynamic has led to what many technicians call "Shadow AI": IA initiatives and tools that proliferate outside formal IT and security control. On this phenomenon and its risks have already written voices from industry, for example in the analysis of Forbes.

In the face of that reality, an idea that claims more common sense than fashion is to change the focus from "what application" to "what interaction." In other words, it is no longer just about blocking or allowing apps, but about understanding and controlling the instant when an employee introduces a prompt, sticks a document or drags a file to an IA extension. That moment - the interaction - is where it is decided whether a sensitive corporate data travels outside the safe perimeter.

A practical guide has recently been published to assist security teams and CISUS in this transition: an RFP designed to evaluate IA (AI Usage Control) use control solutions. It is not a catalogue of brands or a superficial checklist; it is intended to be a technical framework for transforming abstract "IA governance" objectives into measurable and verifiable project criteria. You can check the guide directly Here..

Why do you need something like that? Because many of the traditional controls - the CASB, the SSE solutions or the policies based on network traffic alone - are insufficient against modern flows: integrated web panels that act locally in the browser, encrypted plugins in code editors, incognito-mode sessions or "AI-native" browsers that abtract external calls. These conditions create operational blind for solutions that depend only on the analysis of packages on the network.

In addition, the specific threats that need to be addressed have evolved. Prompt handling techniques, known as prompt injections, and other forms of accidental or malicious exfiltration require controls that inspect interaction and context in real time. To address such attacks, there is very useful technical material, such as the reference sheet on prompt injection published by OWASP which helps to understand vectors and mitigations.

The RFP guide approaches the governance of IA from various technical dimensions that should be carefully considered. It doesn't just ask if a supplier "says he can" but requires descriptions of how: how the tool detects IA uses in shared sessions, how it differentiates a corporate identity from a staff in the same browser, how it applies context-sensitive policies and how it works before a data leaves the company. This emphasis on traceability and evidence avoids the danger of "feature-wash," where a set of boxes marked in a demo can hide real gaps in deployment or scale.

A crucial aspect of the guide is the ability to apply controls at the point of interaction without imposing a gigantic operational burden: deployments that do not require intrusive agents on each endpoint, that do not break the operation of the network and that allow safety equipment to offer protection without becoming a bottleneck for business. In parallel, modern governance needs reports that are usable in the face of audits and board of directors, that is, evidence that turns policy into executable metrics.

This approach is aligned with the efforts of agencies and good practices that promote responsible frameworks for IA. The NIST IA risk management framework and the recommendations of different cloud manufacturers and suppliers on responsible practices illustrate why it is important to combine technical controls with corporate processes and governance. Microsoft and Google, among others, have published guides on responsible practices and security considerations in IA environments that complement this perspective; for example, Google Cloud's approach to the responsible IA offers practical resources for architects and security teams ( see), and Microsoft documents principles and tools for risk assessments in IA ( see).

For equipment that must make purchase decisions or design an implementation plan, the practical recommendation is clear: to define own and measurable requirements before the market is imposed. Require suppliers to describe architecture, references to actual deployments, detection tests in unknowable scenarios or with Aitinative browsers, and latency and performance metrics is more valuable than being seduced by polished but shallow demos.

The RFP guide provides a template and structure to standardize this evaluation and to make it a reproducible process that accelerates research and reduces subjectivity in purchase. It does not replace the need for pilots and technical testing in real environments, but it makes it easier for those pilots to measure what matters: detection at the point of interaction, real-time enforcement and audit to respond to incidents and regulators.

In short, the challenge of governance of IA in companies is not solved by budget alone. You need to change the question of "what is the tool that covers everything?" to "how do I control interactions that expose sensitive data?" Adopting rigorous technical criteria, relying on recognized risk frameworks and requiring concrete evidence from suppliers makes governance operational and verifiable. If you want to start with a practical resource that helps you transform intention into requirements, you can download the RFP guide and template here: RFP Guide for Evaluating AI Usage Control Solutions.