CIOs face new AI security gaps as Microsoft expands Copilot



Earlier this week, Microsoft expanded Copilot capabilities with new features designed to provide persistent AI co-workers across enterprise workflows. These features combine multiple AI models and work continuously within the tools employees already use. At the same time, Google continued to expand the built-in AI functions of its Chrome products. The ability to interpret and operate on multiple tabs effectively turns the browser into an execution layer rather than a passive interface.

Taken individually, these announcements look like incremental product updates. Taken together, they suggest a more meaningful change. Today’s AI is not limited to individual tools that users open and close. It is becoming embedded in the environments in which work takes place, and it increasingly observes, interprets, and acts on information in real time.

For CIOs, this change introduces new types of security issues, not because AI creates entirely new risks, but because it now operates in a place that most enterprise security programs were not designed to manage: the interaction layer.


A model built around data movement

Modern enterprise security is built on the premise that risk can be controlled by managing access and tracking data movement. Identity systems determine who has access to what. Data loss prevention (DLP) tools monitor where information goes. Endpoint and network controls enforce boundaries around both.

That model is still valid, but it’s no longer perfect.

The most immediate concern is already playing out. As Dan Lohrmann, public sector field CISO at Presidio, explained, users already enter sensitive information into AI systems as part of their daily work. “Users paste sensitive content (source code, customer records, incident details, internal strategy documents) into chat prompts because it feels quick and informal.”

These interactions often occur outside of authorized workflows, when users access their personal accounts on corporate devices. This creates what Lohrmann described as a permanent shadow AI issue.

But focusing on what users input into AI systems only captures part of the risk. The more important change is what happens next.

Data that changes shape

AI doesn’t just move data; it reshapes it. Edward Liebig, CEO of OT SOC Options, a consortium of operational technology cybersecurity experts, explained that this distinction is often overlooked. Businesses have spent years building controls around data movement, but AI introduces risks through the transformation of that data. It summarizes, recombines, and reinterprets information in ways that are difficult to trace.


“The incorporation of AI into browsers, email, and workflow tools is changing not just how data moves, but how context is constructed and how decisions are influenced,” Liebig said.

He warned that this change creates scenarios that fall outside traditional detection models. A sensitive report condensed into bullet points may no longer match classification rules. Combining multiple low-risk data sources can lead to high-risk conclusions. The output may reflect internal strategy or operational logic even if it does not contain the original data.

“AI doesn’t need to extract data to cause exposure,” Liebig said. “You can guess that.”

Cameron Brown, head of cyber threat and risk analysis at insurance company Ariel Lee, is also concerned about this new security gap. Traditional controls are built to detect clear signals such as files leaving the system, data being copied or transferred. But the exposure generated by AI is more subtle.

“AI doesn’t necessarily leak data in obvious ways,” Brown said. “You summarize, you rearrange, you hint at, you infer. Suddenly, that ‘leak’ doesn’t seem like a leak at all.”

Access is allowed, but there are unintended consequences


If data transformation were the only issue, existing DLP controls could perhaps be evolved to address it. But AI raises a second, more complex problem: risk that arises from completely permitted activity.

“The main risk at the interaction layer is not unauthorized access,” Liebig said. “Uses with unintended consequences are permitted.”

Identity and access management (IAM) systems can determine whether a user is authorized to access a data set. But once an AI system accesses that data, IAM cannot determine how the system interprets it or how it combines it with other inputs.

“IAM solves the access problem,” Liebig said. “In the end, it doesn’t solve the problem.”

This gap will grow even wider as AI systems are integrated into enterprise environments. Lohrmann pointed out that linking AI tools to systems such as CRM platforms, ticketing tools, and code repositories effectively creates a new operator with the user’s authority, one who can query and integrate information across multiple systems.

“AI is the power to enhance access,” Lohrmann said.

This not only means that access is more widespread, but also that it is used more powerfully and is less predictable. In other words, a security nightmare.

The browser as a control gap

Where these interactions occur is just as important as how they occur. AI is increasingly embedded in browsers and productivity layers. It’s the same environment in which users authenticate to systems, access sensitive data, and interact with external content. This makes the browser a central point of exposure, but it has historically been ignored from a security perspective.

“The browser wasn’t the weakest link,” Liebig said. “It simply exposed layers that we could never govern.”

Enterprises have spent years implementing networks, endpoints, and identity systems. Far fewer companies are investing in managing the interaction layer where users and AI systems currently converge. Brown was candid about the impact.

“This is where most of the AI interaction happens, and it’s treated like the least interesting part of the stack,” he said. “It’s the opposite. It should be ground zero.”

Lohrmann agreed, noting that built-in assistants and extensions often operate with less control and visibility than traditional enterprise applications.

The problem is even worse when users operate outside of a corporate-managed environment. Lohrmann said employees pose security risks by using personal accounts on corporate devices, and data shared with AI tools may be stored outside of corporate systems and beyond audit and response processes.

Then the issue of visibility arises. “Model history piles up and business information gets tangled up there. Good luck to forensic teams trying to untangle that overcooked spaghetti,” Brown said.

Extending control beyond access

None of these developments render existing security controls irrelevant. Identity management, endpoint security, and DLP remain essential. However, they are not enough to address the risks posed by AI.

Traditional monitoring approaches are limited by what they are designed to detect, Brown explained. “Traditional DLP is still about capturing the obvious,” he said. However, AI exposures often break from these patterns and require a shift toward monitoring behavior and intent rather than simply data movement.

Businesses need new layers of control that extend beyond access to how AI systems use and transform data, Lohrmann said. “IAM typically answers, ‘Who are you?’ and ‘What do you have access to?’” he said. “AI adds, ‘How is the data used and transformed?’”

This change means new requirements, such as visibility into prompts and outputs, tighter control over how AI tools connect to enterprise systems, and more granular oversight of how AI-generated outputs are used in decision-making.

Taken together, these changes represent a broader evolution in enterprise security that does not replace traditional controls, but rather extends them to layers that have traditionally been largely unmanaged. It’s no longer enough to just watch where your data goes when the meaning of your data can change without visibility. Controlling access is not enough if the consequences of access cannot be verified.

“We are moving from a world of data protection to a world of decision assurance,” Liebig said.




