National Bank’s Andre Boucher on Managing AI without Shadow IT Friction

André Boucher, SVP Technology and Information Security at National Bank of Canada, shares his innovative approach to balancing AI innovation with security, emphasizing collaboration over control. His strategy of enabling experimentation through secure platforms transforms 31,000 employees from risks into security partners.

In this compelling episode of Future of Data Security, host Jean Le Bouthillier sits down with André Boucher to explore how one of Canada’s systemically important financial institutions manages the AI revolution. André brings a unique perspective, having transitioned from commanding Canadian Forces Cyber Command to leading security at National Bank of Canada. Rather than treating shadow AI as a threat to be eliminated, André’s team has created secure environments where innovation happens within guardrails—making security a collaborative partner rather than an adversary. The conversation reveals why data inventory remains the hardest unsolved problem in AI governance, not due to lack of tools but because of immature taxonomy and classification ecosystems. André also sounds the alarm on third-party risk management reaching crisis levels as vendors embed AI features without notice or transparency.

3 Key Takeaways

1. Enable Innovation, Don’t Block It
Shadow AI emerges when security teams move too slowly. André’s approach involves providing secure platforms that business teams actually prefer over unauthorized tools. By enabling early experimentation with proper guardrails, National Bank shifted from adversarial detection tactics to collaborative innovation, treating employees as team participants rather than risks to manage.

2. Data Discovery Is the Foundation
Organizations struggle with AI governance not because they lack tools, but because they haven’t achieved ecosystem maturity around data taxonomy and classification. The ability to know what data you have, where it lives, and how it flows across structured and unstructured environments remains the critical foundation that most organizations underestimate despite its importance.

3. Third-Party Risk Is Reaching Crisis Levels
Major vendors are embedding AI features into existing products without transparency, notice, or updated contractual language. This creates blind spots in supply chains that current regulatory frameworks can’t address. Organizations need to proactively engage vendors about AI capabilities and data usage rather than discovering changes after deployment.

Listen on Apple Podcasts

Listen on Spotify

Watch on YouTube