For many people, Generator AI (Genai) began as a personal experiment on home and personal devices. However, today, AI is deeply immersed in workplace habits, creating productivity gains, as well as exposing organizations to significant security gaps. Delicate corporate data is inadvertently or regularly finding other sensitive data in public AI systems, and cybersecurity leaders are rushing to respond.
When your own data is processed by public AI tools, it can become part of the training data in the model, and serve the line to other users. For example, in March 2023, it was reported that several incidents of employees entering confidential data, including product source code, entered ChatGPT. Genai applications such as large-scale language models are designed to learn from interactions. No company wants to train public AI apps with their own data.
Faced with the risk of losing trade secrets and other valuable data, the default approach for many organizations has now blocked access to Genai applications. This seemed to allow businesses to stem the flow of confidential information on unauthorized platforms, but it has proven ineffective, simply driving risky behaviour underground, and a growing death spot known as “Shadow AI.” Employees find workarounds by using personal devices, emailing data to private accounts, or using screenshots uploaded outside of monitored systems.
Worse, blocking access will result in IT and security leaders losing visibility into what is actually happening without actually managing data security and privacy risks. This move reduces innovation and productivity gains.
A strategic approach to tackling AI risks
Effective mitigation of the risks posed by AI employee use requires a multifaceted approach focused on visibility, governance, and employee implementation.
The first step is to get a complete image of how AI tools are used throughout your organization. Visibility allows IT leaders to identify patterns of employee activity, flag dangerous behaviors (such as attempts to upload sensitive data), and assess the true impact of using public AI apps. Without this basic knowledge, governance measures are destined to fail as they do not address the actual scope of employee interactions with AI.
Development of tailored policies is the next important step. Organizations should avoid banning blankets, and instead, policies should emphasize controls that allow context. For public AI applications, they may implement browser isolation techniques that allow employees to use these apps for common tasks without uploading specific types of company data. Alternatively, employees can be redirected to an authorized and company-approved AI platform that offers comparable capabilities, ensuring productivity without revealing their own information. Some roles and teams may require subtle access to certain apps, while others may guarantee stronger limits.
To prevent misuse, organizations need to implement robust data loss prevention mechanisms that identify and block attempts to share sensitive information with public or unauthorized AI platforms. As accidental disclosure is the leading driver of AI-related data breaches, enabling real-time DLP enforcement becomes a safety net and reduces the chances of harm to your organization.
Finally, employees must be educated about the inherent risks of AI and the policies designed to mitigate them. Training should emphasize actual guidance – it can be done safely using AI. Awareness and accountability should work with technology-driven protection to complete your defense strategy.
Balance between innovation and security
Genai has fundamentally changed the way employees work and the functioning of the organization, providing transformative opportunities along with significant risks. The answer is not to reject this technique, but to accept it responsibly. Organizations that can focus on visibility, deploy thoughtful governance policies and educate their employees can achieve a balance that promotes innovation while protecting sensitive data.
The goal is not to choose between security and productivity, but to create an environment where both coexist. Organizations that successfully achieve this balance will position themselves at the forefront of a rapidly evolving digital landscape. By mitigating the risks of Shadow AI and enabling safe and productive AI adoption, businesses can turn Genai into an opportunity rather than a responsibility, and make it possible to succeed in the future in the process.
For more information, please see zscaler.com/security
