5 Steps to Maximize AI in Business Projects: Avoiding Security and Regulatory Headaches
Companies across the globe have jumped on the artificial intelligence (AI) bandwagon and started developing products that incorporate AI or use AI tools to empower their current workforce.
There are three main reasons for this:
Everyone is looking for the transformative change and innovation that AI promises.
Boards and VC firms want to know how companies use AI in their products.
Prospects are looking for solutions that incorporate AI.
These approaches are logical, reasonable, and exciting, but they often fail to account for how future AI problems with security and regulations could hurt business.
When it comes to using new and emerging technology, the same innovation and bottom-up culture that often gets rewarded in the tech space tends to lead to trouble and stunt growth down the road — especially if you aren’t doing advanced planning. In the case of AI, regulatory interest is growing quickly, and while most countries don’t yet have concrete AI rules, regulations, and laws in place or even exact details laid out, soon they will.
So where should your organization start? Should you leave it to the legal and compliance nerds to figure it out and blaze ahead with their efforts? In my humble opinion, definitely not! As Nishant Bhajaria states in Data Privacy, A Runbook for Engineers, “Early stage efficiency wins can cause late-stage headaches.” I think this rings true for AI use. Similar to how you need to empower your engineering teams to face technical debt, you want to empower your teams across your organization to think about AI now and develop a strategy to avoid serious issues or fines down the line and save yourself the heartache and re-work. Plus, this approach should differentiate your business offerings and make you appear more competent in front of your prospects and customers (who doesn’t want that?).
Here are the five actions on AI that your company can take right now:
1. Find out which areas of your business are utilizing or developing AI tools
If you don’t know which areas of the business use AI, you can’t make informed decisions about how to protect your business or how to guide personnel around using it safely. This can be hard to track, especially in fast-moving, siloed, decentralized organizations. By doing a quick survey or talking to department leads and managers, you’ll get the information you need to guide and focus your efforts.
2. Develop an AI policy and procedures for AI use
Once you’ve found the answers to step 1, develop policies and procedures for AI use. While most employees aren’t trying to put your sensitive corporate info out there on the web, they might not realize that generative AI services might share information publicly. For instance, engineers are almost certainly not thinking about privacy or data minimization principles as they work with AI and large language models (LLMs). To address this reality, you should:
Develop a company policy that describes the types of AI activities that are safe
Provide a list of questions that your teams must ask about their AI use
Provide a list of points about AI that your teams need to get clarification about
Create a set of procedures for incorporating AI into product development
Create a set of procedures for evaluating future AI use
From a security perspective, engage your security team where you need to. If your security toolsets have the capability, you may need to block tools, or show tooltips or hints on sites or applications you don’t want people to use. Overall, make sure you do lots of education about AI and security. You will never be able to out-engineer every unsafe scenario, no matter how hard you try!
3. Add AI questions to your annual risk assessment/risk management process
Once you know which teams are utilizing or developing products with AI, you need to figure out the associated risks and how to prioritize and minimize them. The NIST AI Risk Management Framework is a great starting point if you're unsure where to begin. It will show you how to frame and evaluate AI risks, assess trustworthiness, and understand how AI risks differ from traditional risks. These actions will provide early benchmarks on AI and lay the foundation for addressing the business risks that await your AI projects.
4. Conduct a Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA)
AI and privacy considerations go hand-in-hand. Based on your organization, your specific needs, or where you do business, you might need to do both a DPIA and a PIA! Check out a quick overview of the differences between the DPIA and the PIA. Ask questions about your AI products and projects like:
What types of information are being collected, stored, and used?
How long will you retain that data?
Can you remove it if an individual requests it?
What access to the data will your personnel have?
What safeguards will be in place to protect that data?
5. If developing your own product that utilizes machine learning (ML) models, get ALL the deets
Read up on the FTC investigation into OpenAI and prepare your organization to answer the same questions. Become BFFs with your product and engineering teams so that you can:
Find out where you purchased your models
Find out which sources of data they were trained on, including third parties that might have provided data sets or data sets you purchased
Make sure you have consent for the data contained in the models
Define your data retention strategy
Figure out how to protect against risks in your product, like prompt injection risks
Conclusion
The five steps outlined here are significant steps in the right direction. But they are only a starting point. As FTC Commissioner Alvaro Bedoya recently shared in his IAPP Keynote remarks, unpredictability is rarely a defense. They will call on companies to be more transparent and accountable regarding AI and privacy. If you want AI to have a positive impact on your organization, if you want AI to help your business thrive and grow into an exciting and wide-open new future, you need to take the appropriate actions now to avoid the headaches and roadblocks ahead.