
🦾 Shadow AI - 14 September 2023

Arming Security and IT leaders for the Future

Forwarded this newsletter? Sign up for Shadow AI here.

Hello,

Thanks for coming back to Week 3 of Shadow AI. This week we explore:

🏆 AI Security Champions?

🏛️ Capitol Hill Honing in on AI

🗽 AI Powered Chinese Influence Operations

🧑🏽‍💻 AI Software Development Trends

🔒 AI Prompt of the Week - Threat Modeling AI-powered CRMs

Let’s dive in!

Demystifying AI - AI Security Champions?

One of the things I’ve come to appreciate as I designed and implemented our company’s AI security strategy is our “AI power users.” These individuals may be developers, sales representatives, data scientists, or other early AI adopters. They can be one of your biggest sources of AI risks, but also one of your biggest opportunities to scale an AI security culture across the business.

As AI becomes increasingly ingrained in company workflows, fast-followers and late AI adopters will look to AI power users for help.

Make sure your AI power users can advocate for how to use AI securely. Build them into AI Security Champions.

How do we build AI Power Users into AI Security Champions?

First, security and IT leaders should partner closely with their AI power users. 

  • Understand How They Operate. Ask AI power users about their work, their challenges, and their ideas for improvement. Learn how they use AI tools in their day-to-day work to gain a better understanding of how they use the technology, what they need to be successful, and how they can become advocates.

  • Ask for feedback. Solicit their thoughts on specific AI tools, policies, or procedures.

  • Involve them in the decision-making process. Include them in discussions about AI strategies, guardrails, and training. Their input will help to ensure that AI is used in a way that is both effective and secure.

Second, learn from traditional Application Security Champion programs.

Traditional Application Security Champion (ASC) programs were created to help deliver secure applications at the speed the business demands. In these programs, developers serve as security champions to promote security awareness and best practices within their teams and act as a critical interlocutor to the security team.

Successful ASC programs have the following characteristics:

  1. Executive Sponsorship

  2. Eager, voluntary participation with strong incentives

  3. Continuous training

  4. Clear responsibilities

  5. Measurable goals

  6. Strong cross-departmental partnership and feedback

But AI usage at a company is not limited to developer teams. An AI Security Champion program would need to build on these characteristics to address some unique elements, including:

  • Broader participation across engineering and business units leveraging AI

  • Training on managing AI-specific risks

  • Expanded measurements of success

Third, start slow, pressure test, and iterate along the way. 

Identify a few AI power users in your organization that are good candidates to become early AI Security Champions and iterate on what an effective program could look like. Focus on specific use cases to start and build from there.

Application Security Champions have played a key role in helping large companies mature their secure development practices. Can AI Security Champions do the same for secure AI development and usage?

I’ll unpack this topic more in an article, but I would love to hear your thoughts on the opportunities and pitfalls of an AI Security Champion program. Reply directly to this email.

AI News to Know

  • Capitol Hill Honing in on AI: The U.S. is leading the way in AI but lagging in AI regulation, with the EU AI Act targeted to pass into law by the end of this year. Yesterday’s first AI Insight Forum signals that Congress is intent on seeking input on drafting AI legislation that will promote innovation while reducing security and privacy risks. The AI Insight Forum, however, was the first of 9 planned listening sessions. We’ll be monitoring the outcome and what sway the participation of prominent tech company leaders will have on the AI legislative agenda.

  • AI powered influence operations: Microsoft Threat Intelligence released a report detailing the increasing effectiveness and breadth of digital threats from East Asia. One point that stood out was how Chinese information operations (IO) have begun to leverage generative AI for image generation to attract greater levels of engagement. IO posts Americans are re-sharing with more frequency include an AI-generated image of the Statue of Liberty with six fingers on its left hand.

AI on the Market

  • AI Software Development Trends: GitLab released its annual Global DevSecOps report and a few key AI-related data points stood out:

    1. 65% of developers said they are using AI/ML in testing efforts or will be in the next three years.

    2. 67% are concerned about the impact of AI/ML capabilities on their job… YET…

    3. Only 23% of security practitioners ranked AI/ML as the most important skill for the future.

      GitLab 2023 Global DevSecOps Report

  • Supercharging CRM: Salesforce announced its next generation of AI technology that operates within its Einstein Trust Layer. CRMs, with their sensitive customer information, can be some of the highest risk systems. If your company is looking into leveraging Salesforce’s AI capabilities, make sure to do a robust threat model and security control review.

AI Prompt of the Week

I like how the output captures different threats and practical recommendations for each of the real-world use cases, but there’s a big miss in that none of the recommendations included employee training.

Have a favorite, funny, or doomsday security or IT prompt to share with the Shadow AI community? Submit it here and you could make the newsletter.

Reply directly to this email with any feedback, including your thoughts on the AI Prompt of the Week. I look forward to hearing from you.

If you enjoyed this newsletter and know someone else who might like Shadow AI, please share it!

Until next Thursday, humans.

-Andrew Heighington