Rosenquist points to a past client that wanted to replace its human help desk with an AI chatbot for password resets. That bot, he says, would validate the user and reset corporate passwords for the IT department — a huge time-saver, but the system would require administrative access to sensitive credential systems that would be exposed to the internet without thorough testing, vetting, and protection. “Disruptive technology is powerful, but also comes with equitable risks that must be managed” he says.

Insecure AI connected to vulnerable systems can cause big problems

Threat vectors like the DNS or APIs connecting to backend or cloud-based data lakes or repositories, particularly over IoT (internet of things), constitute two major vulnerabilities to sensitive data, adds Julie Saslow Schroeder, a chief legal officer and pioneer in AI and data privacy laws and SaaS platforms. “By putting up insecure chatbots connecting to vulnerable systems, and allowing them access to your sensitive data, you could break every global privacy regulation that exists without understanding and addressing all the threat vectors.” 

Solving these issues won’t be easy, she says, and will require the right multidisciplinary expertise, including developers, data scientists, cybersecurity, legal/risk/regulatory compliance, and other groups.

When it comes to assessing AI usage, business units play a key role in shaping AI policy and managing AI risk, says Renee Guttmann, former CISO of Coca Cola and other Fortune 500 organizations. This includes helping to identify where AI has been adopted. “Initial discovery begins with relationships with the business units to help identify if AI is coming in the back door,” she explains.

To illustrate her point, she refers to an October 2023 Gartner survey of 2,400 global CIOs. In it, 45% of respondents say they are beginning to work with their C-suite peers to bring IT and business staff together to co-lead digital delivery, while 70% say generative AI is a game-changing technology that’s rapidly advancing this democratization of digital delivery beyond the IT function.

Guttmann also advises CISOs to speak to their security solution providers about functionality that they have within their products to address AI risk. Capabilities like SaaS security posture management (SSPM) can scan SaaS applications and flag AI tools that have been integrated with core SaaS applications to provide visibility into the risk level of each tool as well as the users who authorized it and are actively using it. “This will enable organizations to understand how AI is being used within their organization and whether the AI governance policies of the organization are being followed,” Guttmann says.