EP 18 — GW Law’s Robert Kang on Why Moving Too Slow With AI Creates Shadow Adoption

Robert Kang, Professorial Lecturer of Cybersecurity & National Security, The George Washington University Law School, has been building enterprise cybersecurity programs since 2009, making him one of the “OG” practitioners when most organizations didn't even have dedicated cyber counsel. His unique perspective comes from protecting both critical infrastructure and social media platforms, highlighting how the same governance, risk management, and compliance framework applies across radically different threat landscapes. 

In his conversation with Jean, he shares why organizations face equal risks from implementing AI too quickly or prohibiting it entirely, and how complete AI prohibition drives employees to use personal accounts for business purposes, eliminating organizational oversight entirely. Robert's systematic approach to building relationships with law enforcement agencies before crisis situations emerge provides a practical framework most organizations ignore. From free services like InfraGard to subscription-based programs like the National Cyber Forensics Training Alliance, these partnerships deliver both threat intelligence and confidential channels for sharing information with federal agencies. 

Topics discussed:

• The fundamental differences between protecting critical infrastructure versus social media platforms while using identical governance, risk management, and compliance frameworks.
• Why complete AI prohibition creates shadow adoption risks where employees use personal accounts for business purposes, eliminating organizational oversight and control.
• Building systematic relationships with law enforcement agencies through programs like InfraGard and the National Cyber Forensics Training Alliance before crisis situations emerge.
• The evolution of enterprise cybersecurity legal programs from non-existent in 2009 to essential business functions requiring dedicated counsel and executive sponsorship.
• How anticipating technology trends years in advance, rather than reacting to current adoption, positions cybersecurity professionals ahead of emerging threats.
• Training methodologies for technology lawyers that combine legal knowledge with technical understanding of AI, cybersecurity, and privacy frameworks.
• Essential certification pathways for legal professionals entering technology risk management including CC, CIPP, and AIGP credentials.
• Government threat-intelligence-sharing programs ranging from free public services to subscription-based personalized assistance for specific industries.
• Why law schools must teach both the law of AI and the technology of AI to prepare students for the transformed legal profession.