{"id":7042,"date":"2025-01-23T09:00:00","date_gmt":"2025-01-23T15:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/security-risk-rampant-shadow-ai"},"modified":"2025-01-23T09:00:00","modified_gmt":"2025-01-23T15:00:00","slug":"the-security-risk-of-rampant-shadow-ai","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/23\/the-security-risk-of-rampant-shadow-ai\/","title":{"rendered":"The Security Risk of Rampant Shadow AI"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span><\/p>\n

The rapid rise of artificial intelligence (AI) has cast a long shadow, but its immense promise comes with a significant risk: shadow AI.<\/span><\/p>\n

Shadow AI refers to the use of AI technologies, including AI models and generative AI (GenAI) tools outside of a company’s IT-sanctioned governance. As more people use tools like ChatGPT to increase their efficiency at work, many organizations are banning publicly available GenAI for internal use. Among the organizations looking to prevent unnecessary security risks are those in the financial services and healthcare sectors, as well as technology companies like Apple, Amazon, and Samsung.<\/span><\/p>\n

Unfortunately, enforcing such a policy is an uphill battle. According to a recent report, non-corporate accounts make up 74% of ChatGPT use and 74% of Gemini and Bard use at work. Employees can easily skirt corporate policies to continue their AI use for work, <\/span>potentially opening up security risks<\/a><\/span>.<\/span><\/p>\n

The greatest among these is the lack of protection for sensitive data. As of March 2024, 27.4% of data inputted into AI tools would be considered sensitive, an increase from 10.7% at the same time last year. Protecting this information once it is put into a GenAI tool is virtually impossible.<\/span><\/p>\n

The uncontrolled risk of shadow AI usage<\/a><\/span> reveals the need for stringent privacy and security practices when employees use AI.<\/span><\/p>\n

It all boils down to data. Data is the fuel of AI, but it is also the most valuable asset to organizations. Stolen, leaked, or corrupted data causes real, tangible harm to a business \u2014 regulatory fines from leaking personally identifiable information (PII), costs associated with leaked proprietary information like source code, and an increase in severe security breaches like hacks and malware.<\/span><\/p>\n

To mitigate risk, organizations must secure their data while it’s at rest, in transit, and in use. The counter to risky shadow AI use is having fine control over the information employees feed into large language models (LLMs).<\/span><\/p>\n

How Can CISOs Secure GenAI and Company Data?<\/h2>\n

Securing sensitive company data is a challenging balancing act for chief information security officers (CISOs) as they weigh the desire for their organizations to take advantage of the perceived value of GenAI while also protecting the sole asset that makes these benefits possible \u2014 their data.<\/span><\/p>\n

So, the question becomes: How do you do this? How do you get the balance right? How do you extract positive business outcomes while protecting the enterprise’s most valuable asset?<\/span><\/p>\n

At a high level, CISOs should look at protecting data through its entire life cycle. This includes:<\/span><\/p>\n

\n