Beware the minefield of AI and Shadow IT
Article by James Flint
One of the key headaches for any data protection team is the incidence of “shadow IT” in the organisations they’re looking after. With so many great apps and tools available at the press of a thumb, the temptation for employees to route around officially sanctioned software and use things they prefer is often too great to resist.
This has been as true during the current AI boom as it was with email, browsers, social media and messaging in decades past. Skipping over for a quick dip into ChatGPT, Anthropic’s Claude or Gemini to help you with a bit of drafting or analysis, though frowned upon by management, has proved popular enough to propel many of the companies behind these AI models to billion-dollar valuations within the last 12 months.
But at least management could attempt to ban or block these websites, and data protection teams could issue statements forbidding their use. These tactics are of little help now that the leading tech companies are building the capabilities directly into the platforms your employees are already using to do their work – or even into the operating systems of their computers – especially at a time when people are being flooded by webinars and sessions extolling the virtues of all these AI tools while rarely mentioning the risks.
To make things even harder, the technology is evolving so fast that products come and go – or change completely – in the space of months or even weeks. Microsoft is one of the main offenders here. Its flagship AI system (which is, in effect, its rebrand of OpenAI’s latest tools), has gone through multiple name changes since last year (from Cortana to Bing Chat to Bing Chat Enterprise), and now seems to have settled in three flavours: Copilot for Edge, Windows and Microsoft 365, although how long the distinction will last, no one knows. Google meanwhile has turned Bard into Google Gemini, and kept Google Assistant running alongside.
Not wishing to be left behind, Apple is getting in on the act as well, though it is doing a better job of keeping some consistency in its branding. Its new Apple Intelligence makes the operating system not just the delivery system for the AI, but its main focus. The job of the AI models to be incorporated into the new top-of-the-line iPhones, iPads and Macs is less about generating content and more about stitching together different applications into a unified whole that can be directed by the existing Siri interface. It’s about making Siri actually useful, in other words, something that is long overdue, and something that is more likely to be welcomed by a general audience than the ability to write a poem, create a picture of a panda riding a motorcycle, or draft yet another marketing email. This use case has a very different privacy profile to Microsoft’s, and will likely differ substantially too from whatever Google’s Gemini morphs into.
For businesses, all this is a minefield. Trying to parse the differences between these tools and work out the corresponding compliance risks is extremely difficult. But differences there are, very significant ones, particularly with respect to the information they can access and store. And that’s before we even get to the AIs being incorporated into Adobe, Atlassian, Slack, Salesforce and so on, and before you start creating, training and deploying models of your own.
To keep up with such change, your data protection stance has to change too. Static RoPAs and DPIAs and training materials that just rehash the GDPR aren’t cutting it in a world where trusty products you’ve come to rely on turn up one morning with a large language model, keen to scan and riff on your data, flashing at your employees from the sidebar. Like software itself, compliance processes are having to become smarter and more dynamic – while finding ways to do that which won’t cost you the earth.
And this is where Securys can help. We can help you decide which AI tools are best for you, produce policies and guidelines to safeguard your company and train your workforce, and assist you in designing and deploying this exciting new technology in ways that put privacy first without stifling productivity.