‘Shadow AI poses a risk to companies’ data security and compliance’

This varies greatly depending on the industry, company size, IT structure and data and service criticality. However, as more and more companies are using AI technologies, the risk of unsupervised AI use that has not been explicitly authorised is also increasing. Shadow AI creates significant risks in respect of data security, compliance and company reputation. The main problem is that, as with shadow IT, there are a lot of free and cheap AI services on the internet. This increases the risk of employees using non-approved services to work more efficiently, which in turn represents an opportunity for companies.

The main problems with shadow AI are data security and compliance. Depending on why it is being used, a variety of data may be affected, including customer data, employee information, in-house communication, internal vulnerabilities, passwords, annual reports, code and other sensitive information that is normally protected by IT security policies and measures. AI technologies should be considered equivalent to other data processing. This means that the same regulations apply as we have for personal data, for example. We therefore have to carefully analyse the risks and the flow of data(opens in new tab).

We are also seeing new, specific AI regulations being created at this time to cover the use of artificial intelligence in connection with sensitive data and, in general, the deployment of AI models that have been trained on specific data.

When this happens, IT departments often have no overview or control over the data processed by these AI tools. This can lead to confidential data being saved on insecure platforms, the data being used to train the models or unauthorised persons gaining access to the data. In addition, the use of shadow AI may violate legal and contractual compliance regulations governing the secure handling and storage of data.

In that case, they should immediately take action to investigate this and minimise its impact – as with any incident. This could include forensic analysis of the incident and carrying out a risk assessment, for example with the SOC or CSIRT(opens in new tab). The analysis might include new elements such as whether the data entered will be used for training and if it can be deleted again. Measures should then be taken to prevent similar incidents in the future.

Technical measures might include implementing solutions such as secure browsers and network proxies to identify or block unauthorised AI tools, as well as others with SASE or CASB features. Such tools have been created to deal with issues such as data loss prevention (DLP) and can therefore help ensure safe use of AI. There is also a new generation of tools that focus on shadow AI and support secure deployment.

Organisational measures might include policies and procedures that require the consent of the IT department for the adoption of new AI tools and provide training on the risks associated with shadow AI.

Companies should invest in new security technologies as quickly as possible, conduct ongoing security training and establish strong policies and procedures for the safe use of AI. They can also hire or train cybersecurity professionals who specialise in AI security risks.

I think there’s still a lot ahead of us here. And because the technology is developing so quickly, it’s important for companies to get on board early and familiarise themselves with this, for example through small trials. They can then use the results of these to make better decisions about company-wide deployment.