Many believe that Generative AI Software-as-a-Service (SaaS) tools, such as ChatGPT, are insecure because they train on user inputs and can retain data indefinitely. While these concerns are valid, there are ways to mitigate the risks, such as opting out, using enterprise versions, or implementing zero data retention (ZDR) policies. Self-hosting models also has its own challenges, such as cloud misconfigurations that can lead to data breaches.
The key to addressing AI security concerns is to adopt a balanced, risk-based approach that considers security, compliance, privacy, and business needs. It is crucial to avoid overcompensating for SaaS risks by inadvertently turning your organization into a data center company.
Another common myth is that organizations should start their AI program with security tools. While tools can be helpful, they should be implemented after establishing a solid foundation, such as maintaining an asset inventory, classifying data, and managing vendors.
Some organizations believe that once they have an AI governance committee, their work is done. However, this is a misconception. Committees can be helpful if structured correctly, with clear decision authority, an established risk appetite, and hard limits on response times.
If an AI governance committee turns into a debating club and cannot make decisions, it can hinder innovation. To avoid this, consider assigning AI risk management (but not ownership) to a single business unit before establishing a committee.
It is essential to re-evaluate your beliefs about AI governance if they are not serving your organization effectively. Common mistakes companies make in this area will be discussed further in the future.
GenAI is insecure because it trains on user inputs and can retain data indefinitely, posing risks to data privacy and security. To secure GenAI, organizations should adopt a balanced, risk-based approach that incorporates security, compliance, privacy, and business needs (AIMS). This can be achieved through measures such as opting out of data retention, using enterprise versions with enhanced security features, implementing zero data retention policies, or self-hosting models with proper cloud security configurations.
Generative AI Security: Theories and Practices
Step-by-Step: Build an Agent on AWS Bedrock
From Oversight to Override: Enforcing AI Safety Through Infrastructure
The Strategic Synergy: ISO 27001 and ISO 42001 – A New Era in Governance
Businesses leveraging AI should prepare now for a future of increasing regulation.
DISC InfoSec’s earlier posts on the AI topic
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services
