For many businesses, new technologies are treated as, well, just that. Technology – something for the CIO, CTO, or IT teams to worry about. From Cloud computing and cybersecurity through to data privacy and, more recently, artificial intelligence, there has long been a tendency to view these as technical, “back office” concerns. That is no longer the case, of course. These technologies are now firmly board-level concerns, shaping decisions around risk, governance, competitive advantage, and long-term business resilience.
Senior leaders are increasingly expected to understand the implications of data breaches, AI oversight, and ethical technology use, not least because regulators are paying closer attention and investors are asking tougher questions. The result of a tech failure can have significant reputational and even revenue damage, so when failures occur, accountability no longer sits solely with the technology team, but reaches the C-suite.
It is interesting to watch the rapid proliferation of facial recognition technology (FRT) across different industries – without question, FRT is now on that same journey from IT issue to business critical.
For some time, debate around facial recognition has focused on accuracy, technical capability, and regulation. Those issues remain hugely important, but for business leaders they are no longer the whole picture. As FRT becomes more widely deployed across security, identity, and access use cases, the risks associated with it are becoming much broader.
So, while facial recognition may be deployed by security or IT teams, responsibility for getting it right sits much higher up the organisation.
Transitioning from a tool to a risk
We find that FRT is most often introduced to solve a practical security problem. Firms may want to strengthen identity verification, improve access control or reduce reliance on credentials – such as passwords or PINs – that can be lost, stolen or shared.
In many environments, those benefits are real, which is precisely why adoption is growing. But once an organisation begins collecting and using biometric data, the risk profile changes, particularly where customers are involved.
Unlike many other security tools (e.g. physical security passes or cards), facial recognition relies on inherently sensitive personal data that’s tied directly to individuals. That means the conversation cannot stop at whether the system performs well technically. Organisations also need to consider how the technology is governed, how data is stored, how long it is retained, who has access to it and whether its use can be clearly justified.
If those questions are not addressed properly, the consequences can extend far beyond operational issues. A failed or poorly governed deployment can create regulatory exposure, reputational damage and a loss of trust among customers and partners.
This is something business leaders are already seeing in practice. Clearview AI, for example, faced regulatory action in the UK, including a £7.5 million fine and an order to delete data, after authorities found it had scraped images of individuals from the internet to build its facial recognition database without a lawful basis.
The issue was not with the capability of the technology, but how it had been developed and deployed in the UK specifically.
Why facial recognition belongs on the risk register
FRT’s success, therefore, can’t be judged on efficacy alone. It must also be judged on whether it has been introduced responsibly, proportionately and with proper oversight. Therefore, governance needs to keep pace with businesses’ use of FRT, and this means adding it to the risk register alongside cybersecurity threats, rogue AI and IT failures.
The reason is straightforward. Biometric systems introduce risks that cut across multiple areas of the business, from data protection and compliance to reputation and customer trust. That makes them difficult to contain within a single function.
For boards, this requires a more structured approach. Facial recognition deployments should be clearly documented, regularly reviewed and understood within the organisation’s broader risk framework. Ownership also needs to be defined. If concerns arise, it should be clear who is responsible for responding and how decisions will be made.
Increasing pressure from regulators and investors
There is also growing external pressure on organisations to demonstrate that facial recognition is being used responsibly.
Regulators are taking a closer interest in how biometric technologies are deployed, particularly where sensitive personal data is involved. At the same time, investors are placing greater emphasis on governance, risk management and ethical technology use, especially as AI-driven systems become more widespread.
Facial recognition sits at the intersection of both trends. As a highly visible and evocative application of biometric and AI technologies, it is likely to attract a higher level of scrutiny than many other security tools.
Against that backdrop, treating FRT as a standalone security solution isn’t going to be enough. It needs to be managed with the same discipline applied to other business-critical risks.
What responsible deployment looks like
As facial recognition becomes more widely adopted, the organisations that have success with FRT will be those that treat it as a business decision, not just a technical one.
That starts with intent. Facial recognition should only be deployed where there is a clear and proportionate need, not simply because the technology is available. Boards therefore need to be clear that there is a problem that needs solving when investing in this technology.
It also requires a willingness to challenge assumptions. Leaders should look beyond whether a system works and instead consider whether it is the right response in the first place. That includes how its use will be perceived by customers, employees and partners, particularly where trust is already a sensitive issue.
Leaders should also recognise that deployment is not a one-off decision. As expectations, risks and use cases evolve, organisations need to revisit how the technology is being used and whether it remains appropriate.
Ultimately, decisions around facial recognition should not sit in isolation, but reflect broader and ever-changing business priorities and risk considerations – it will be this that defines FRT’s success in the long-term.
For more startup news, check out the other articles on the website, and subscribe to the magazine for free. Listen to The Cereal Entrepreneur podcast for more interviews with entrepreneurs and big-hitters in the startup ecosystem.
