As organizations increasingly adopt third-party AI tools to streamline operations and gain a competitive advantage, they also introduce new risks that leave many businesses unprepared, lacking clear policies and proper employee training to mitigate these new dangers.
AI risks extend far beyond the usual focus of IT and security departments, introducing new vulnerabilities in customer success, marketing, sales, and finance. From privacy violations and biased algorithms to financial loss and regulatory issues, these risks require new levels of vigilance and preparation. With new threats looming, it's more important than ever to establish AI policies quickly.
Due diligence for AI adoption
When considering a new AI tool, CISOs should weigh the risks across several key factors: These considerations apply not just to security tools that use AI, but to all tools that may leverage AI across all business functions.
The first is how data is handled, from collection and processing to storage and encryption, ensuring robust access controls are in place. Data privacy is also a top priority, with measures in place to comply with regulations such as GDPR and CCPA, and clear policies on anonymization and user consent. CISOs should also set guidelines for how new AI tools manage third-party data sharing, ensuring vendors meet the organization's data protection standards.
It is important to scrutinize the security of the models. CISOs should consider safeguards against tampering and attacks on the AI tool. Equally important is model transparency, seeking tools that can explain decisions and audit fairness and bias. Error handling procedures, regulatory compliance, and legal liability should all be clearly defined. If issues arise, there should be clear escalation paths to GRC and legal counsel. CISOs should also evaluate the integration of the AI tool with existing systems, its performance and reliability, ethical implications, user impact, scalability, vendor support, and how changes are communicated to stakeholders.
These considerations don't just apply to AI-focused tools. Other third-party tools may have small AI integrations turned on automatically without CISO approval. For example, a video conferencing platform may have an AI transcription tool that automatically transcribes internal and external calls. In this case, the AI tool has touch points with company and customer data and should be reviewed and approved by the CISO and security team before employees can use it.
Guardrails for responsible use of AI
In addition to establishing guidelines for evaluating AI tools, it is also essential that companies develop acceptable use policies around AI to ensure all employees understand how to use the tools appropriately to mitigate risks. All policies should cover the following key topics:
- Aim and Scope – Clearly define the objectives and boundaries of AI use within your company, specifying which tools are allowed and for what purposes.
- Permitted and Prohibited Uses – Outline acceptable and unacceptable uses of AI tools and provide specific examples to guide employee behavior.
- Data Security and Privacy Guidelines – Establish strict protocols for handling sensitive data, including encryption, access controls, and adherence to relevant regulations. Data accuracy checks are essential to prevent generative AI tools from outputting hallucinations.
- Integration and Operational Consistency – Define guidelines for the proper integration and use of AI within existing systems and processes to ensure smooth operations and minimize disruptions.
- Risk Management and Execution – Describe steps to identify, assess, and mitigate AI-related risks, and the consequences of violating policies.
- Transparency and Accountability – Establish mechanisms to document and justify AI-driven decisions, promoting transparency and building stakeholder trust.
- Best Practices and Training – Provide comprehensive guidance on responsible AI use, including regular employee training covering all aspects of acceptable use policies, with company-specific examples.
Employee training is the most important element in establishing guidelines and policies regarding AI. Without proper training, it is difficult to ensure that employees understand AI risks and how to mitigate them. For many companies, a home-grown training program may be the best way to ensure that it includes examples of company-specific use cases and risks. The less ambiguity there is for employees, the better.
Communicating with customers about your AI usage is also important. If your AI tool ingests customer data, you should inform customers about the data being used, what it is being used for, and what the output is. Customers should be able to choose not to have their data used by the AI tool.
Conclusion
The transformative potential of AI is endless, but so is the potential for new risks. By establishing robust policies and guidelines for usage, practicing strong data management, conducting thorough risk assessments, and fostering a culture of security awareness, CISOs can help their organizations harness the potential of AI while minimizing the risk of breaches and other issues.
