Governance of Generative AI
This week I reviewed an article on the governance of
generative AI (GenAI) and how Chief Information Security Officers (CISOs) from
various organizations are approaching the issue.
The general consensus seems to be that companies are being cautious
when adopting GenAI tools due to the security issues that they present, such as
exposing sensitive data. Concerns
have also been raised about “creating regulatory and contractual risk that are
difficult to unwind later”. To address
this, some companies are utilizing internal GenAI platforms as a way of
providing additional controls over these tools.
This helps address internal concerns, but the outside vendors that
these organizations rely on are also utilizing GenAI tools. Agreements on how customer data is used for model
training and notifications of when AI features are being added to their
processes are just a few of the items under review from a security standpoint.
Data classifications are also under review, as the foundational
approach does not fully address AI-specific risks. Companies are fine-tuning internal GenAI
tools to meet their specific business needs instead of relying on standard
models, as doing so could expose them to more commonly known
vulnerabilities. The way in which data
is being handled when using such tools is also under review to avoid oversharing
of sensitive data.
From my perspective, it seems that many organizations are
acting quickly to adopt this new technology.
With the rush for implementation, it is inevitable that there will be
security oversights along the way. It is
important that we understand that GenAI tools are continually learning from the
data that is being fed into these models and that doing so can pose serious
security issues in the future. When placing
additional security controls into place, I had not considered that outside
vendors could also be using GenAI tools to handle sensitive data. I think it is important to have open
communication between businesses so that we understand exactly how company
information is being handled so as to ensure that trust is maintained. I found it reassuring that this is a topic
that is being commonly discussed and that many organizations appear to be aware
that this risk exists.