Security Considerations for Enterprise Implementations of GenAI

Where data is an organization’s most valuable asset, safeguarding its protection, privacy and security becomes the top priority. These tasks become more complex as enterprises begin experimenting with generative AI.

As tempting as the opportunities made possible through AI may be, many industries simply cannot afford the risks of potentially exposing data to public, open source GenAI Large Language Models (LLMs), nor can they sustain the steep regulatory — and reputational — repercussions that result from failing to protect data privacy or security. Even as regulators slowly gain an understanding of open AI tools, they continue to struggle to address timely guidelines or requirements around the technology’s use; still, the FTC has issued multiple warnings that existing consumer protection laws apply to AI.

As data grows and flows through increasingly unknown channels, achieving cyber resilience, maintaining control and locking down data add new complexities to cybersecurity and data loss prevention strategies. Here are a few of the top considerations organizational and IT leaders should bear in mind when weighing GenAI security risks against potential pilots and solutions.

Beware of Shadow AI

 A 2023 study from Cyberhaven found that nearly 11% of knowledge workers had used a SaaS based AI solution (such as ChatGPT) at work and nearly 9% pasted data from their companies into it. As lines of business begin to accelerate their use of public GenAI solutions, gaining a handle on the growing attack surface and potential supply chain security risks becomes a daunting scenario. How can teams provide sound data protection when they aren’t even aware of all the places where their data is potentially exposed?

Even when use of public GenAI solutions is known, it’s important to understand that tools hosted on third-party platforms may use any information employees input as training data for LLMs to improve their technology. Beyond the inherent risks of exposure, these solutions cannot be relied upon to deliver unbiased or trustworthy results, nor do they necessarily offer the tools  required to meet regulatory compliance or internal auditing. They simply do not give you control or sovereignty over your GenAI solutions.

Private GenAI solutions that are built, controlled and managed within an organization’s internal infrastructure, offer greater assurance that data remains under tight controls, and that the entire stack meets strict security specifications – protecting the company from potentially steep fines.

Prioritize Good Governance 

Understanding and controlling precisely who has access to protected data or IP is just as critical as understanding where that data has been left open to exposure through public GenAI tools.

As organizations undertake the hard work of establishing proper data governance, stipulating, for example, which types of data are viewable or usable by specific roles or applications, governance tasks become meaningless when data is unwittingly exposed through unknown or untested public GenAI solutions. Good governance is not possible where data sovereignty is not maintained. 

Only private AI systems let teams ensure and validate proper access, as well as ongoing threat monitoring that safeguards data, proprietary algorithms, IP, secure research, and everything else that demands validated access and protection, now and in the future.

Scale for Growth

When teams maintain data protection and security as their primary objective when weighing or building out GenAI solutions, it’s possible to safely leverage AI’s true potential and scale its use enterprise-wide; and it may surprise leaders to learn that costly, bespoke infrastructure is not required.

Hybrid or cloud-based private GenAI solutions let organizations more rapidly innovate and adopt AI workloads using their own trusted data stores, and gain an edge on their competitors. Real-time threat monitoring ensures that no matter how large or expansive an AI solution becomes, evolving threats can be kept at bay and limit the harm malicious actors may perpetrate. CISA offers a helpful roadmap for public and private sector organizations getting started with AI, and recommends ongoing workforce education as another important element in expanding its use safely and effectively.

Leaders who take a holistic approach to AI adoption, tightly aligning data protection, security and governance with broader cybersecurity frameworks, will minimize the risks of working with AI, and maintain regulatory compliance as well as all-important customer trust.

SUSE believes that democratizing generative AI by providing security, control and choice, allows enterprises to take advantage of opportunities in AI while being able to trust that their private data remains private. 

Stay tuned to hear how SUSE plans on giving you sovereignty and control over your AI solutions with a proven, extensible platform.

(Visited 1 times, 1 visits today)