While major corporations such as Apple, Spotify, and Samsung are all placing restrictions on how employees interact with generative AI in the workplace, it appears that many workers are going full steam ahead with AI use. Recent research by Dell, for example, shows that 91% of respondents have used generative AI, and a notable 71% have specifically used it at work.
This phenomenon has earned itself a name: Shadow AI, a nod to the previous, data-breach-ridden era of shadow IT.
However, left unchecked, shadow AI could be even more destructive to enterprise risk management and cybersecurity than its predecessor.
Here’s everything you need to know.
A history of shadow IT
Most of you will be familiar with the concept of shadow IT, but for those unfamiliar, here’s a brief history:
The emergence of the public cloud ushered in the era of shadow IT. Eager to speed up their operations, business departments redirected their individual budgets towards Software-as-a-Service (SaaS) solutions like Google Drive, Teams and Slack–often bypassing the traditional IT procurement process.
On a positive note, this shift catalyzed a wave of innovation, enabling quick-fire decision making, collaboration and communication. However, at the same time, it also led to a momentous surge in data loss and exposure incidents.
Sensitive information found itself vulnerable on the public internet, and hackers stumbled upon troves of protected health data, personally identifiable information and more. These failures resulted in countless incidents of damaged brand reputation, compliance fines, class action lawsuits and financial losses.
Thankfully, shadow IT 1.0 is less an issue than it used to be. With next generation data loss prevention (DLP) tools giving organizations the visibility and control they need to prevent data leakage in cloud applications.
However, just as organizations began to get a grip on cloud-fuelled shadow IT, enter shadow AI–a risk even more challenging to manage.
Shadow AI: The complexities
Generative AI introduces a unique challenge: every employee has the potential to become a source of data exposure. This means that from graduates to CEOs, everyone must consistently make security-conscious decisions whenever they engage with these platforms.
There’s a couple of issues with that. Firstly, we know from psychological studies that humans rely on instinctive decision-making for about 70% of the choices they make daily. Because of this, expecting employees to always make secure-choices is setting them–and you–up for failure.
Moreover, the inherent nature of how generative AI operates introduces more complex risks that we didn’t even have to consider in the initial shadow IT era. Because generative AI platforms learn from the data you feed them, any data your employees input into these models is extremely difficult to keep track of and impossible to completely recover.
The major risks of shadow AI
So, what exactly are the consequences of shadow AI in practice? Here’s the risks you need to know about.
- Use of submitted data: When employees utilize AI tools without the proper authorization, they may not fully comprehend the intricacies of how their data is employed. In the case of the free version of ChatGPT, for example, input prompts and responses are crucial for refining and training the platform’s AI models. Consequently, any data entered into these systems has the potential to reappear as output when another user submits a prompt, which is troubling when we consider that, at the beginning of 2023, research found employees in just one organization shared confidential business information with ChatGPT over 200 times in a week.
- Bugs and vulnerabilities: AI tools, much like any other software, are susceptible to bugs and vulnerabilities. For instance, in March 2023, a bug inadvertently allowed some ChatGPT users to view titles from other users’ chat history. The mishap also revealed the payment information of a number of ChatGPT Plus subscribers.
- Compliance issues: Using generative AI exposes organizations to violations of industry standards such as HIPAA, PCI, GLBA and GDPR. Something as simple as sharing a prompt with personally identifiable information can be classified as a compliance violation and lead to hefty fines.
What to do to combat shadow AI
Shadow AI is a looming threat for organizations everywhere. But the shadow AI problem doesn’t need to become exponential. The solutions already exist to stop this issue before it leads to a breach.
No, we don’t mean prohibiting generative AI in your organization. Even if you do this “officially”, your employees will still find a workaround. As we all know by now, productivity always trumps cybersecurity.
Luckily, there’s a better way forward. In the same way that cloud DLP put an end to the first era of shadow IT, DLP for AI can extinguish the second before it becomes an issue.
Here’s how our tool, Polymer DLP for AI, helps you combat shadow IT:
- Bidirectional monitoring: Protect sensitive data in real-time with Polymer DLP for AI. Our advanced monitoring system scans and analyzes conversations, both initiated by employees and generated by ChatGPT, to prevent data exposure. Bidirectional monitoring ensures that sensitive data is never received by employees, even if inadvertently generated by ChatGPT.
- Logs & audits: Enhance your data security with Polymer DLP for AI’s robust logging and audit features. Gain comprehensive insights into employee transactions, track policy violations, investigate data breaches, and monitor ChatGPT’s usage patterns.
- E-discovery for GenAI interactions: Our solution enables organizations to efficiently conduct searches and retrieve relevant Generative AI interactions when faced with e-discovery requests. Meet your legal and regulatory obligations, and facilitate investigations, audits, and legal proceedings with ease using Polymer DLP for AI.
- User training & nudges: Our platform supports point-of-violation training, providing real-time nudges to users when violations occur. This approach has proven to reduce repeat violations by over 40% within days. Additionally, Polymer offers workflows that allow users to accept responsibility for sharing sensitive data externally when it aligns with business needs.
Shine a light on GenAI with Polymer DLP
The potential Generative AI holds for businesses is awe-inspiring, but we mustn’t forget the importance of data security and compliance. Prioritizing these matters now is crucial to preventing any unintended consequences and realizing the full potential of AI.
By tackling shadow AI now, we can ensure that data protection becomes an integral part of the process from the very beginning. Rather than treating it as an afterthought, weave the principles of data protection into your strategy today, starting with Polymer for AI.
Read our whitepaper to find out more.