
CISO viewpoint part 1: AI’s impact on people, policies & processes


AI adoption in enterprises is moving swiftly in 2024, transforming how employees work and how business gets done across industries. Enterprise CTOs and CISOs understand the need to integrate AI technologies to streamline operations, speed up decision-making, and increase productivity. At the same time, they realize that AI has an impact on people, policies, and processes within their organizations. They want to set the right ethical standards, protect intellectual property, and ensure employees' (and the company's) well-being. Finding the right balance is at the top of the list of challenges for C-suite leaders this year.

Managing generative AI in the workplace

Eight months ago, Pat Brans wrote an article on CIO.com titled ‘CIOs still grapple with what gen AI can do for the enterprise.’ Pat found that some company leaders were uncertain about how to move ahead with generative AI practices. Should enterprises work with third-party vendors or build in-house models? And if they build, is the in-house AI expertise sufficient to run the models? Much has changed in the months since then.

Since ChatGPT, Copilot, Gemini, and other LLM-based assistants launched, CISOs have had to introduce (or update) measures governing employee AI usage, data security, and privacy, while enhancing policies and processes for their organizations. In many cases, these changes have gone well beyond what already existed in the organization.

To better understand what’s happening with AI usage in enterprises and its impact on people, policies, and processes, I conducted an informal poll in June with several CISOs and CTO peers. What I learned will hopefully shed some light and help support or validate your organizational efforts regarding AI. [NOTE: In next month’s column, I’ll highlight how AI is changing the ways that enterprise technologies are being selected and used.]

People, policies & processes

When I asked a CISO if his organization had made any people, policy, and process changes as a result of AI use in his company, he replied, “Yes, we made several changes at the governance level to set expectations, rules of the road, monitoring, and reporting. We felt it was important to set and enforce standard patterns, models, and usage.”

That insight was comparable to other responses I received. Setting up guidelines and governing principles seems to be a common step for managing AI use in large enterprises.

A CISO for a national healthcare enterprise said their organization had drafted policies and procedures for LLM use and for the data that flows through those models. Currently, the team is working to quickly review security and privacy issues, particularly as regulations evolve. The changes "are being implemented and communicated in real-time knowing that we will need to be nimble to move, or change month to month, as the regulations are pushed out and other compliance and security requirements become best practice."

The CISO of a large online consumer brand informed me of similar moves. This CISO’s team has created a new policy around the use of AI and tied it to the company’s acceptable use policy. The CISO remarked, “We really want people to think about how they’re planning to use AI. In some cases, we will perform a risk assessment and a privacy impact assessment (PIA) if sensitive information is being used.”

Another CISO shared that their organization had made changes to enforce AI measures within their cloud service provider (CSP) control fabric, including logging, monitoring, and reporting to the key leadership overseeing and governing deployment and usage. This was critical for the organization to protect data (IP, confidential information, client data, etc.) and to understand usage and demand across business functions and segments.

All of the executives I spoke to noted the importance of communicating these shifts throughout the organization. A CISO in the healthcare industry shared that their team has made recent policy changes. These changes were directed by a central committee responsible for AI use evaluation and approval. The CISO added that internal communications moved through standard clinical communications channels to be transparent regarding the changes and to de-escalate concerns regarding new AI applications.

Advisory committees

Another important area several CISOs called out regarding AI use within enterprises is the need to create clear guidelines, well-thought-out rules, and ethical principles for AI development and use. As a result, AI advisory boards are popping up everywhere. One recent example is that AI company C3 has hired former U.S. Speaker of the House Kevin McCarthy to its advisory board to help guide its efforts through the labyrinthine levels of the U.S. government and those of allied countries.

Government bodies are also moving in similar directions to clarify ethical AI use. The U.S. government has its own National AI Advisory Committee. Other organizations have been launched to provide AI guidance, including Northeastern University's Institute for Experiential AI, and the Center for Artificial Intelligence, a think tank launched by the Future of Privacy Forum.

A CISO and Chief Data Officer of a financial services firm shared that they had created an AI steering team of senior executives (legal, tech, others) to approve AI use, especially where it poses 'unacceptable risk and unlimited exposure of intellectual property' for any of the firm's work. Having such a central governing committee can also help coordinate the response to cybersecurity incidents involving the firm's employees and vendors.

The CISO AI mindset: words of advice

Most of the CISOs and CTOs noted that they are dedicating time and resources to staying on top of AI's growth within their organizations. Advice ranged from a simple directive like "sweat the details" to more cautious guidance on integrating AI with employees. To wit:

“For your company and industry, find ways to allow LLMs to help you. Get educated on the business impact of hallucinations, bias, and all the unintended yet expected defects that could represent a risk to reputation, brand, privacy, regulations, and operations. Start paying careful attention to these areas listed and continue to search for the business value vs. the risk appetite.” Another more cautious bit of advice was, “Emerging technologies that create business value may also introduce threats and weaknesses. Be aware that these threats will likely require new investments in controls and resiliency.”

A CISO who shared their forward-thinking and optimistic viewpoint advocates that enterprises "Embrace the innovation and use of AI, and create a safe place for people to experiment, like a sandbox within your trusted enterprise or cloud service. I've heard of too many CISOs that are blocking AI use in the enterprise. This will only create a stigma that forces people who are curious or want to use AI to make their lives better or more efficient to go outside the enterprise. You'll be much happier with the use cases and innovation you can learn from your users. Lay out some guardrails for people so they innovate, and you can be the hero!"

I couldn’t have said it any better myself!

In part 2, I’ll focus on how enterprises are handling existing technologies that are being impacted by AI, the new use of AI technologies, and how those elements of change are impacting the enterprise. Until next time…
