For many organizations, artificial intelligence has become a critical tool. A staggering 37% of companies are currently using AI and 93% of well-known brands plan to invest in it. The potential benefits are vast and tease the imagination. As many as 83% of businesses believe that AI will help them maintain or gain a competitive edge. In the next few years, the artificial intelligence market is predicted to reach $300 billion.
At the same time, business leaders have raced to come up with AI policies (specifically, ChatGPT guidelines for staff) and 3% of companies, including major global firms, banned select AI tools – largely generative AI – outright. All-or-nothing policies, restrictive parameters and outright bans have contributed to an uptick in shadow AI.
What is shadow AI?
Shadow AI consists of AI-based tools that are unknown to the IT department and/or that are not under its control. While shadow AI (like shadow IT) has existed for quite some time, the sudden surge in chatbot popularity, spurring further AI innovation, means that nearly every organization is liable to see a rise in the deployment of shadow AI.
Risks of shadow AI
These are just a few examples of the cyber security risks that shadow AI presents:
- Employee use of shadow AI can result in non-compliance with data protection laws such as GDPR, CCPA or HIPAA. Violation of these laws can result in penalties and legal action.
- Shadow AI is unmonitored, meaning that it’s also likely to be unpatched. This makes shadow AI an attractive target for cyber criminals and can increase an organization’s level of risk exposure.
- The lack of accountability around shadow AI means that, in the event of a cyber security incident, its existence can complicate incident response.
Shadow AI can result in security blind spots and can increase risk exposure. Apply adequate governance and monitoring mechanisms to ensure visibility into and control over generative AI. This can help detect issues such as anomalous employee behavior, data shifting and exfiltration, and sudden instances of privilege escalation or creation of suspicious accounts.
Assess and evaluate AI policies on a routine basis. The field of artificial intelligence is evolving at a breakneck pace, and a policy that made sense yesterday may no longer make sense today. Implement structural mechanisms that allow employees to provide input and suggestions regarding policy improvements.
An iterative approach to AI policies can work in your favor. It can help ensure that policies remain relevant, effective and aligned with larger business goals while also minimizing AI-based risks.
Culture of security
Inform employees of risks around deploying AI tools and using generative AI platforms without authorization from proper channels. Encourage a culture of security-consciousness. Make sure that employees understand how to get AI-based initiatives approved and who to speak to should any questions arise.
Other shadow AI mitigations
- Deploy AI discovery tools. These types of tools can scan your network for potential instances of shadow AI. In turn, you’ll be able to quickly identify and mitigate the risks associated with unauthorized deployments.
- Build custom LLM tools. Major banks and investment groups quickly restricted access to ChatGPT and similar tools upon their emergence. However, some groups, like Morgan Stanley, commissioned their own independent variation on the chatbot so that employees can use a secure and private version for work purposes.
- Use AI-powered security solutions. These tools combine AI and machine learning to pinpoint anomalous behavior, which can include unauthorized activities involving AI-based tools.
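
The discovery and monitoring steps described above can start from logs you already collect. The following is an added example, not from the original article: it flags users whose egress traffic reaches generative-AI services outside the approved list and marks unusually large uploads. The log format, the domain list, the host `llm.corp.example` and the upload threshold are all assumptions for illustration.

```python
from collections import defaultdict

# Assumption: illustrative generative-AI domains; maintain your own list.
GENAI_DOMAINS = {"openai.com", "claude.ai", "gemini.google.com"}
# Assumption: hypothetical approved internal LLM host.
SANCTIONED = {"llm.corp.example"}

# Constructed sample proxy log: timestamp user dest_host bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice chat.openai.com 1820
2024-05-01T09:12:40Z alice chat.openai.com 5242880
2024-05-01T09:15:10Z bob llm.corp.example 900
2024-05-01T09:20:55Z carol api.openai.com 640
2024-05-01T09:21:02Z bob intranet.corp.example 300
malformed line
2024-05-01T10:01:00Z carol claude.ai 2048
"""

def is_genai(host):
    """True if host is a listed domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in GENAI_DOMAINS)

def find_shadow_ai(log_text, upload_alert_bytes=1_000_000):
    """Return {user: {"hosts": set, "bytes_sent": int, "large_upload": bool}}."""
    findings = defaultdict(
        lambda: {"hosts": set(), "bytes_sent": 0, "large_upload": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records instead of failing the scan
        _, user, host, sent = parts
        host = host.lower().rstrip(".")  # normalize case and trailing dot
        if host in SANCTIONED or not is_genai(host):
            continue
        entry = findings[user]
        entry["hosts"].add(host)
        entry["bytes_sent"] += int(sent)
        # A single large request body suggests a document or data upload.
        if int(sent) >= upload_alert_bytes:
            entry["large_upload"] = True
    return dict(findings)

if __name__ == "__main__":
    for user, f in sorted(find_shadow_ai(SAMPLE_LOG).items()):
        flag = " LARGE-UPLOAD" if f["large_upload"] else ""
        print(f"{user}: {sorted(f['hosts'])} sent={f['bytes_sent']}{flag}")
```

Findings like these are a starting point for a conversation with the user about approved alternatives, and the per-user byte counts help prioritize which cases to review for data egress first.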
The development of shadow AI has both advantages and disadvantages. On one hand, it brings about innovation and efficiency. On the other hand, it introduces visibility, monitoring and data egress issues – and that’s just the tip of the iceberg.
To mitigate the risks associated with shadow AI, leverage the insights above and keep up with the latest trends surrounding artificial intelligence.