I’ve written about how the term ‘Huge Data’ is more appropriate today than Big Data because of the huge leaps in data generated and the need for AI models to be trained using large data sets, and about how few businesses today know all the sources of all data they use, much less can manage and govern them legally, properly, and efficiently. This astronomical growth in data generated today, its varied usage, and the laws and regulations surrounding it are increasingly challenging to keep up with. Many companies are already behind on this and are falling farther behind fast. The risks associated with this data are growing as well.
At the same time, another aspect of today’s business world that is difficult to keep up with is AI tool usage in companies. Most AI tools are cloud-based and have EULA or SLA user agreements. These user agreements state that any data entered into the AI tool by a user can be stored and used by the company producing the AI tools. As with the recent explosion of data and data governance, many businesses are already far behind in understanding what data is being captured by the AI tools their employees use, and some of this data is company IP that is leaking outside of the company.
Prevalence of Data Leaks due to AI tool usage
For example, some company employees use AI tools to debug or write software. Many companies are only partially aware, if they are aware at all, of the AI tools their employees are using and of what company IP is being leaked to and captured by those tools. Many employees also lack awareness about what happens to their data once it is shared with these tools, leading to unintentional security violations.
“Shadow AI” refers to the unauthorized use of AI tools outside an organization’s control. This phenomenon increases the likelihood of data breaches and complicates compliance with data protection regulations. While utilizing AI tools in the workplace helps efficiency, the high percentage of workers who are keeping AI use a secret puts company data at risk in an environment where leaders’ No. 1 concern for the year ahead is cybersecurity and data privacy.
Many companies are already behind on this issue and falling farther behind fast. The risks associated with company data leaking to AI tools are growing. Some scary statistics for business leaders from recent reports include:
- A 2024 Work Trend Index Annual Report released by Microsoft and LinkedIn found that usage of GenAI tools like ChatGPT among knowledge workers across the globe has nearly doubled over the past six months, with only 75% of employees acknowledging they use AI tools.
- About half of the group (46%) that use AI recently started using it, within the past six months, and the majority of them (78%) are using AI tools at work “without guidance or clearance from the top.”
- A survey conducted by the National Cybersecurity Alliance (NCA) and CybSafe found that 38% of employees using AI tools admitted to submitting sensitive work-related information to these applications without their employer’s knowledge. This behavior is particularly prevalent among younger employees, with 46% of Gen Z and 43% of Millennials reporting similar actions.
- At small and medium-sized companies, the percentage of workers taking this “bring your own AI” approach is even higher: 80% of employees use AI discreetly, without a go-ahead from higher-ups.
- Research from Cyberhaven indicates that 74% of ChatGPT usage at work occurs through non-corporate accounts, which poses a significant risk as these tools can potentially utilize or train on the data provided. Furthermore, nearly 83% of legal documents shared with AI tools are done so through unauthorized channels, including personal accounts.
- These trends apply across generations — 73% of boomers and 85% of Gen Z reported using AI tools not provided by their companies. Of the workers who use AI at work, 78% said they brought their own tools to the workplace. And the “bring-your-own-AI” (BYOAI) trend is not just happening among young folks. The study found it crossed all generations of workers.
Generative AI risks that most organizations today consider relevant are IP infringement, cybersecurity, personal/individual privacy, and regulatory compliance, in that order. All of these risks can be greatly reduced or eliminated through the use of proper data governance programs. However, keeping up with changes in businesses requires an ongoing and agile focus on what has changed and then determining what data governance work is required to properly mitigate the risks associated with those changes.
Lack of Training, Awareness, and Data Governance contributing to AI tool data leaks
A significant contributing factor to these data leaks is the lack of training on secure AI use. The same NCA report revealed that only 48% of employees had received any form of AI training, highlighting a critical gap in organizational preparedness. “Employers are faced with the challenge of locking down access to the tools that could expose a company to a data breach, but also finding a way to bring new technology into the workplace.” “This is an imperative part of the AI governance and security posture of companies, and creating a framework that can adapt to impending regulations will help protect company data, limit restrictions, and alleviate concerns as employees look to use these new tools.”
Mitigations Recommended for Organizations
To mitigate these risks, organizations should consider implementing the following strategies:
- Regular Audits and Monitoring of AI tool usage: Conduct regular audits to monitor how AI tools are being used within the organization and identify any unauthorized usage patterns.
- Inclusion of AI tools in Data Governance and Risk Management efforts.
- Strict Access Controls: Limit access to sensitive data based on employee roles to minimize exposure risks.
- Comprehensive Training Programs: Develop training that emphasizes the potential consequences of unsafe AI use and educates employees on best practices for handling sensitive information.
- AI Acceptable Use Policies: Establish clear guidelines regarding the use of AI tools within the workplace, ensuring that employees understand what is permissible and what is not.
References:
McKinsey survey (May, 2024)
Joint survey report from LinkedIn and Microsoft (May, 2024)

