Aishwarya Reehl on What AI in Government Systems Teach You About Trust, Risk, and Accountability

Artificial intelligence is moving fast, but in government and highly regulated environments, speed has never been the primary concern. Trust, accountability, and risk management come first, and the margin for error is slim. As AI systems increasingly influence decisions involving sensitive, financial, and personal data, the question is no longer whether organizations can deploy advanced models, but whether they can do so responsibly.

 In this interview, we spoke to  Aishwarya Reehl, an experienced software engineer who has built AI and machine learning systems inside government and regulated settings where compliance is non-negotiable and reliability is assumed. Drawing on hands-on experience with secure data pipelines, model governance, and large language models, she explains why responsible AI starts with architecture, why governance cannot be bolted on later, and how lessons from regulated environments can help private companies build AI systems that are trustworthy by design.

You have built AI and machine learning systems in government and highly regulated environments. What did those settings teach you early on about responsibility, trust, and risk when deploying AI?

Over the past few years, artificial intelligence has rapidly transformed industries across the globe. When incorporating AI into highly regulated environments, however, managing risk becomes one of the major concerns. The underlying models play an important role in determining which applications can be approved and deployed and which cannot.

Every AI model is built on a specific training foundation that directly influences how it performs within a system. The way a model is trained is essential to determine whether it’s trustworthy, reliable, and effective. While training the model, the important considerations are selecting appropriate data, preventing the use or exposure of personally identifiable information (PII) and protected health information (PHI), ensuring predictions are made with confidentiality in mind, and evaluating how trustworthy and confident the model’s outputs are. While deploying it is crucial to consider the data governance policies to avoid legal, financial, and reputational risks.

When working with sensitive and financial data, how do security and compliance requirements shape the way AI systems are designed from the very beginning?

Security and compliance requirements play a vital role in the design and implementation of AI systems. Data governance is a top priority, requiring that models access only data sources approved by the security team and organizational standards. Strict controls must be enforced to prevent the exposure of sensitive information, with multiple stakeholders involved to ensure that data is protected and the risk of breaches is minimized.

Data security measures, including encryption both in transit and at rest, are fundamental. In addition, access controls and data anonymization techniques are implemented to maintain confidentiality and protect sensitive data.

Establishing these requirements at the outset enables AI models to be designed in alignment with organizational policies, protocols and regulatory standards, thus ensuring compliance throughout the system lifecycle.

Many teams treat governance as something added after a model is built. Based on your experience, why does responsible AI require architectural decisions to be made much earlier?

I believe architectural decisions should be the foundational step in the development process. When governance is embedded into the design of an AI model from the onset, the system is more likely to operate in accordance with established rules and standards. Incorporating compliance early is far more effective than attempting to tweak and fit in controls later, as it ensures consistent adherence to protocols and regulatory requirements throughout the model’s lifecycle.

Reliability is non-negotiable in government systems. How does that expectation change how you approach model validation, monitoring, and failure handling?

Another key concern is validating and verifying the model developed. Before deployment, in the development life cycle, the models are thoroughly tested to verify accuracy, robustness, and fairness. Bias testing is also included to ensure that the model behaves in the same way in various scenarios. Validation processes help determine whether a model is ready to use and if it can proceed for regulatory approval.

Once deployed, it’s continuously monitored with various tools and human oversight as well. Models over time can degrade and overfit due to changes in data patterns, known as model drift. Many monitoring systems track performance metrics, detect anomalies, and trigger alerts when outputs fall outside acceptable thresholds. With regular retraining and version control, we can ensure consistency and traceability.

You work with modern techniques such as large language models. What additional safeguards become necessary when deploying these models in regulated environments?

Besides the one mentioned above, maintaining audit logs is crucial. We need to know detailed logs of data that was accessed and model decisions. The CI/CD pipelines should be protected as well to ensure security. Even with AI, we need to explicitly keep retraining the models on what can be used and accessed, clearly setting up the boundaries.

How do lessons learned in government settings translate to private sector organizations that may not face the same regulatory pressure but still need to deploy AI responsibly?

Irrespective of whether it’s a regulated environment or the private sector, the security aspects and models development cycle is quite similar.  However, what differs the most is that in regulated sectors, one strictly adheres to the governing bodies and their laws, which have to be strictly followed, versus in the private sector, the laws are defined by the organization primarily which can be tweaked and are rather more flexible.

From your perspective, what are the most common mistakes private companies make when handling sensitive data with AI, and how could regulated environments help them avoid those pitfalls?

In the private sector, I feel that compliance requirements are often lighter unless they operate in regulated industries. Organizations can themselves decide how policies are implemented and updated. They have higher risk tolerance and their data usage policies are more flexible than the regulated environments, allowing faster deployments, releases as well as experimentations.

Looking forward, how do you see government and regulated industries influencing broader standards for ethical, secure, and trustworthy AI adoption?

In recent times, a lot of regulations have been targeted towards AI. For example, ISO/IEC 23894. These frameworks, when incorporated, can help in trustworthy AI adoption. More frameworks targeting security and risk are being revised and developed to keep up with the ever-evolving speed of AI.