Insight and analysis on the information technology space from industry thought leaders.

How to Take a Security-First Approach to AI ImplementationHow to Take a Security-First Approach to AI Implementation

Prioritizing a security-first approach and robust data governance can help organizations harness AI's potential while safeguarding sensitive information.

Industry Perspectives

December 17, 2024

6 Min Read
magnifying glass hovering over the letters "AI"
Alamy

By Venkata Krishna Ramesh Kumar Koppireddy

Momentum for organizations incorporating generative artificial intelligence (GenAI) into their business processes without full consideration of potential security repercussions is growing at an alarming rate. As more employees use AI on the job, they are more likely to leak confidential data about their company and customers.

Responsible use of AI does not have to come at the cost of efficiency or innovation. Emphasizing a security-first approach to AI implementation will enhance public and private organizations' overall effectiveness and help them stay ahead of the competition.

Data Leaks and Evolving Risks

According to an IBM Institute for Business Value survey, "96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years." The risk of such a breach can be minimized with tried-and-true security practices such as establishing security boundaries, tracking data flows, and applying principles of least privilege. Beyond traditional security risks, new data exfiltration methods are evolving with the advent of AI.

Through data memorization, large language models (LLMs) memorize portions of training data, which can be displayed in the result of a future prompt. For example, the GPT-J model memorizes at least 1% of its training data. Even anonymized data can be recovered through a process known as inference, where a GenAI tool triangulates multiple data points to reconstruct the original data accurately.

Related:AI Basics: A Quick Reference Guide for IT Professionals

In 2023, it was reported that Amazon employees unknowingly shared sensitive company data with ChatGPT, which was subsequently leaked to outside users. Experts estimate the damage to be in millions of dollars. A similar scenario occurred at Samsung the same year, resulting in a ban on the use of GenAI tools on company-owned devices. Once sensitive or proprietary data is passed to a third-party tool and embedded in the model weights, it can never be removed. For this reason, it is imperative that information like passwords and other highly sensitive data is never shared with an AI tool.

The introduction of bias into GenAI models is also a serious concern. Harmful biases regarding race, ethnicity, gender, socioeconomic status, and more have surfaced in the outputs of popular GenAI tools. Security is also threatened when systems trained on biased data misidentify threats, miss potential threats, and generate false positives. For these reasons, it is important to scrutinize and monitor the potential for bias in training data and AI-augmented decision-making.

Related:AI Quiz 2024: Test Your AI Knowledge

Secure by Design

Whether it's a third-party tool or an in-house project, thorough research and a clear plan will go a long way toward reducing risks. When developing guidelines for AI implementation, the first step is to match the business case with available tools, remembering that some models are more suited to specific tasks than others.

Practicing a Secure by Design strategy from the ground up can future-proof AI implementation. These principles ensure that security is prioritized throughout the entire lifecycle of an AI product. A Secure by Design methodology implements multiple layers of defense against cyberthreats.

During the planning stage, the security team's input is critical for a Secure by Design approach. Vendor trust is also vital. Evaluating vendors for trustworthiness and auditing contracts thoroughly, including regular monitoring of updates to vendor terms and conditions, are imperative. It is essential for data quality to be assessed for metrics like accuracy, relevance, and completeness. Focusing on security in the adoption and integration of AI reduces the risk of compliance issues and costly remediations down the road.

Importance of Data Governance

Data governance frameworks help develop working relationships across departments on AI policy, implementation, and monitoring. They can also reduce the likelihood of fines and data breaches and ensure brand safety.

The security team, however, is not the only group necessary for secure, efficient, and transparent AI implementation. Good data governance practices involve multiple stakeholders within an organization, like legal, finance, and human resources (HR) representatives. These best practices come down to the policies that allow employees to manage and monitor data as they move across an organization, including clear guidelines for specific departments to provide input to the decision-making process. Ongoing employee training at every level of an organization also plays an important role. Data governance involves continual reassessment and helps to prevent a "set it and forget it" mentality.

Requirements around legal and regulatory compliance underscore the value of good data governance. As laws continue to evolve, adhering to these frameworks can ensure AI investments are made on a stable foundation. Experts recommend that companies serious about creating or improving their policies consult data governance frameworks like the NIST cybersecurity framework 2.0. The Coalition for Secure AI (CoSAI), Cloud Security Alliance (CSA), and National Institute of Standards and Technology (NIST) offer additional resources and data governance guidelines.

Toward Safer AI

Visionary business leaders understand the importance of proper data governance while adopting this rapidly changing technology. Implementing a SAFER strategy and having a common-sense approach to AI and security will help protect company assets and keep customer information private. Here's how to practice a SAFER AI strategy:

  • Think about the sensitivity of the information being shared. Any information an employee shares could become publicly available. Could a competitor gain access to this information? Could sharing it open the door to a cyberattack or lawsuit?

  • Consider the organizational cost of sharing data in an AI pipeline. Is it worth it for the possible benefits of utilizing the strengths of AI?

  • Match the business case with an AI model well-suited to the task. Practice good data governance to communicate and monitor results.

  • Only use an AI service when absolutely necessary. Ensure that AI is the best method for solving a problem.

  • Sharing information from emails, spreadsheets, and server logs can expose company and customer information. Scrub all personal information and remove identifiers.

The Future of AI Security

Keeping security at the forefront from the get-go confers advantages, especially as tools and risks evolve. Safer AI is on the horizon as more users adhere to best practices through regulatory frameworks, international collaborations, and security-first use cases. The trend toward reliable, secure AI will benefit companies and customers while these tools continue to weave into the fabric of today's digital lives.

About the Author:

Venkata Krishna Ramesh Kumar Koppireddy is the principal security architect for the Illinois State Comptroller and has more than 18 years of experience in software engineering, technical project management, and business analysis. He holds a Master of Computer Applications from Bangalore University and an executive diploma in strategy and innovation with distinction from the Saïd Business School at the University of Oxford. Connect with RK on LinkedIn.

About the Author

Industry Perspectives

Industry Perspectives

See more from Industry Perspectives
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

jobs key on keyboard
Career Management
IT Jobs Outlook 2025: Evolving Skills, AI, Workplace Flexibility Will Shape IT Workforce
IT Jobs Outlook 2025: Evolving Skills, AI, Workplace Flexibility Will Shape IT Workforce

Nov 20, 2024

an it pro is disappointed as a poster for sustainability is switched with one for financial results and garbage piles up next to a recycling bin
Green IT
How Do I Advocate for Green IT Without Being Dismissed as a Lorax?
How Do I Advocate for Green IT Without Being Dismissed as a Lorax?

Nov 27, 2024

person using a laptop with the Ubuntu logo on its scree
IT Operations
3 Simple Ways to Install and Run a Virtual Machine on Ubuntu
3 Simple Ways to Install and Run a Virtual Machine on Ubuntu

Nov 22, 2024

Exclusive ITPro Resources
See all ITPro Resources

Featured Technical Explainers

AI chip
Cloud Computing
Cloud vs. On-Prem AI Accelerators: Choosing the Best Fit for Your AI Workloads
Cloud vs. On-Prem AI Accelerators: Choosing the Best Fit for Your AI Workloads
SaaS concept on a tablet
Cloud Computing
Why SaaS Backup Matters: Protecting Data Beyond Vendor Guarantees
Why SaaS Backup Matters: Protecting Data Beyond Vendor Guarantees
DevOps logo on top of code
DevOps
DevOps: Key to Faster, More Efficient Government Software Development
DevOps: Key to Faster, More Efficient Government Software Development
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

Recent What Is

cartoon shows a person next to a checklist and several icons that represent disaster scenarios
Disaster Recovery
BCDR Basics: A Quick Reference Guide for Business Continuity & Disaster RecoveryBCDR Basics: A Quick Reference Guide for IT Pros
technology interface with a person's hand drawing gears and cogs
PowerShell
Introduction To PowerShell Environment VariablesIntroduction To PowerShell Environment Variables