What is Shadow AI and how is it a risk for IP and data security?
Since November 2022, industries across the board are seeing the impact of AI, following the launch of today’s most predominant generative AI (gen AI) platform - ChatGPT.
According to cio.com's State of the CIO 2024 report, 80% of CIOs say that they will be more involved in AI/machine learning over the next year, an increase of 55% from 2023. No matter the size, organisations are seeing a rapid adoption of gen AI, transforming the way teams across all functions approach their roles.
Organisations are putting AI to work in different ways, from implementing gen AI as a standalone tool (for example ChatGPT) or as an enhancement of existing solutions (common use cases include chatbots to automate front-line support and programming “copilots”). Those truly at the forefront enable gen AI use with robust policies, processes and monitoring tools to protect their intellectual property and data while empowering teams to improve efficiency and productivity.
Risks associated with generative AI use
While generative AI can be a powerful enabler, as a new and fast-evolving technology, it can pose risks to organisational compliance (eg: ISO42001 as well as established frameworks such as HIPAA) and security if it is not well supported and monitored. With this understanding, some organisation’s approach gen AI with a highly risk averse mindset and choose to completely block its use, others might allow specific use cases only, while some are going all in. No matter where an organisation is on their AI adoption journey, the risk of employees misusing it remains high and often outside of the visibility and control of security and compliance teams.
What is Shadow AI and how is it a risk for IP and data security
Generative AI used outside organisational policy, knowledge and security boundaries is known as Shadow AI, and it can put an organisation's intellectual property and data privacy at risk. The lack of visibility of the use of gen AI tools along with employees' limited appreciation for the associated risks and breaches are becoming increasingly common.
Why is Shadow AI a risk
There are three reasons Shadow AI is increasingly posing security risks and AI compliance is becoming more important, organisations must be aware of:
Lack of visibility of use and insufficient endpoint management
Robust monitoring of AI use is difficult and organisations can only police and monitor it so far. Policies are insufficient as controls alone, as users can wittingly or unwittingly violate them and it also may not be apparent to less technical users that they are in fact interacting with an external AI tool.
The risk is compounded for users who deal with sensitive data in a company. This may range from legally protected data such as PII/PHI, company IP or other confidential business data.
Many existing endpoint monitoring solutions lack the capacity to monitor and understand communication with AI tools, so while they could potentially provide coarse-grained awareness of use, they are unable to show what data is actually being sent or how AI is being used.
Most existing endpoint security tools will block AI adoption, rather than providing effective inline moderation, they will typically blanket redirect to a block page when violations occur, breaking the interaction with the AI.
Lack of mature security and risk governance
When it comes to policies and business protocols, due to the pace at which AI as a technology is evolving and adoption is being embraced, organisations will generally find themselves in one of two situations - move fast and embrace it at all costs, potentially lacking safe use policies and protocols or block use all together.
For those looking to go all in, the challenge then becomes how to use it safely. Aspects of generative AI may be caught in some standard policies but there are many edge cases unique to this technology (especially around how data is used) and so Shadow AI use and/or policy breaches arise.
With flexible and remote workforces, dual-use of company devices in both work and personal contexts (which itself creates some potential policy risks) and AI tools becoming a go-to in our personal lives as well as professionally, many novel opportunities for unauthorised use of data arise. These violations are often unintentional meaning that staff are less likely to realise they are breaching company data policies.
It is not uncommon that I hear employees wanting to make their job easier, so they share proprietary organisation information on personal AI accounts (eg: ChatGPT) - a classic example of Shadow use.
As security and compliance professionals know, it all boils down to control over data boundaries and maintaining them appropriately while advancing your organisation with safe adoption of generative AI.
Unclear data policies from AI providers
Providers of 3rd party AI tools often do not provide clear and accessible policies on their use or retention of customer supplied data and data deletion requests typically involve a manual process that needs to be periodically performed, some examples of this include MidJourney and LeonardoAI.
An employee without a data security mindset will likely not be aware of the risks associated with AI. For example, not understanding how the data they include in prompts will be used for training the underlying models (unless specific opt-outs and often payment are provided) and having a naive approach to free tool use “It’s so great, I don’t have to pay a thing and I get all these benefits”.
The impact of Shadow AI
An iconic industry case study is Samsung, where in 2023, an employee in the engineering department was responsible for an accidental leak of sensitive internal source code when it was uploaded to ChatGPT.
The power of generative AI tools is enabled by the vast swathes of relevant data consumed in their training - and so when a free version of a tool is used, the supplied data will be used in a future optimisation/training of the underlying model.
Fortunately for Samsung, this instance did not result in a major breach, however the complete ban of gen AI tools by Samsung is an indicator of their appetite for risk around this newer technology.
Managing the risks of Shadow AI
There are two key actions organisations should be taking to manage and mitigate the risks associated with gen AI use:
Detection of use
While some security products on the market may boast of their ability to detect generative AI use, unless the solution monitors individual device activity and the actual interaction with AI tools, complete coverage and risk detection is not possible.
Subrosa has introduced a specialist and complete Shadow AI assessment for organisations to understand the full extent of generative AI use across the organisation.
Mitigate risk with governance and specialist monitoring
Gen AI poses a new risk to organisations that cannot be monitored by existing security tools. Deploying a gen AI-specific monitoring solution, such as Subrosa, as part of an overall governance process and policy, will capture and put a stop to unauthorised Shadow AI use while enabling productive, authorised use.
Closing thoughts
Not putting AI to work can mean businesses miss out on productivity gains. By maintaining safe data boundaries with appropriate tooling and empowering teams to adopt gen AI safely, Shadow AI risks can be a thing of the past.
Book a Shadow AI assessment with Subrosa to get a complete view of AI use within your business. Inquire now.
