It’s 2024 and AI is everywhere. The recent Consumer Electronics Show in Las Vegas had AI added to everything - grills, backpacks, televisions, cars. For those (like me) who are old enough to remember the early, halcyon days of the internet, it's the same hype cycle. AI is transforming everything, those who hesitate will be left behind, so forth and so on.
Despite the hype, though, AI poses a real conundrum for compliance professionals, both at the executive and delivery levels. The benefits are clear: it offers a way to finally have a reliable way to search through dozens of terabytes of log files, to map patterns like a human at an inhuman level of concentration and endurance, to watch for events without getting tired, to track regulatory requirements without getting distracted. All of these are things we have wanted ever since compliance became an issue.
What is less obvious - or is at least less mentioned - are the potential security challenges. In the rush to implement any new technology common sense is often left behind in the scramble. Sensitive information which (if stolen) would require disclosure to the government is being cut and pasted into third-party AI applications because of its ability to generate analytics. Open-source models are being integrated into sensitive business processes without any security validation of the developers or products. The obvious risks are many but are largely going unaddressed. Here is a short list of things that should be considered before securely implementing AI projects in your organization.
Rate of Change
AI burst onto the commercial scene in 2022, but took off in 2023. As a result, the market is scrambling to find applications for it and the rate of change for every model is exceptionally high. If a core business process is going to be based on AI, make sure that the company has control over the model and isn't reliant on a third party for processing - otherwise, a simple version change could potentially wipe out the functionality that permitted the process to work.
Third-Party Control
Some models are open source, but many of those are not licensed for commercial use. Care is needed in vetting the producers of an AI model in the same way that all critical software is vetted; a vendor risk management process is key to understanding the risks inherent in third-party control of a key component. If sensitive data is involved, either from a business secret or regulatory sense, more scrutiny is required.
Regulation
As AI becomes commonplace various agencies and government bodies will pass regulations which will place requirements on business. There is already a potential 'AI Bill of Rights' being discussed at the highest levels of the executive branch in the US; the EU will doubtless move on this in the near future as well. New York City has implemented a requirement that assesses AI models for bias in hiring practices where applicable. Any business implementing an AI model should be prepared to offer answers to regulators on training methodology, sourcing, and other areas of interest upon request.
None of this is to say that AI should be avoided. On the contrary, it presents unique opportunities for business and society. Like the advent of the internet, AI stands poised to transform the business environment in one way or another. It is important, though, as leaders and as custodians of shareholder value to ensure that this new technology - like any other new technology - is implemented in a safe, secure, and responsible way.
To learn more about how ePlus can help you achieve your AI goals, click here.