🦾 Shadow AI - 21 March 2024

Arming Security and IT Leaders for the Future

Hello,

This week, I had the opportunity to have dinner with the U.S. Department of Army’s Strategic Cyber Seminar Fellows. It was an impressive and diverse group of cyber experts doing behind-the-scenes work to keep our country safe.

Similar to us in the private sector, they are also wrestling with the challenges and opportunities AI presents in national security and I’m glad we have such bright service members steering the Army’s strategy.

This week, I cover:

🧠 Corporate Strategy and AI Risks

🏛️ DHS All in on AI

🇸🇦 Saudi Arabia’s $40B AI Fund

📈 Redpoint’s Market Report on AI Companies

🔒 Move Over Security and Trust Centers

💼 5 Cool AI Security Jobs of the Week

Let’s dive in!

Demystifying AI - Corporate Strategy and AI Risks

I spend a lot of time analyzing SEC disclosures for cybersecurity takeaways to help me understand how companies are designing their governance and risk management strategies and to identify thematic challenges CISOs need to be prepared to tackle. I thought it could be interesting to tailor this analysis to artificial intelligence by analyzing any differences in how AI is incorporated in 10-K Annual Reports from January 1, 2024 - March 20, 2024 compared to the same time period in 2023.

Here are my top 3 takeaways:

  1. Increasing Prominence of AI Risks and Strategies

    Artificial intelligence is referenced in 40% (1,506 of 3,682) of Annual Reports between January 1, 2024 - March 20, 2024. By comparison, artificial intelligence was referenced in only 16% (618 of 3,821) of Annual Reports between January 1, 2023 - March 20, 2023. This is a staggering 150% increase. While we often read about how companies and boards are struggling to define their AI strategies, it’s clear many companies are acknowledging the risks and opportunities AI presents to their business.

  2. Competitive Pressure to Successfully Deploy AI in Products

    A common theme across 10-K reports is the threat AI poses to companies and how critical it is to successfully deploy AI in their products. Companies acknowledge the need to integrate generative AI and machine learning technology into new features, the criticality of investing in proprietary datasets, the need to maintain robust system testing for accuracy, bias, and other variables, and the opportunity of leveraging third-party integrations.

  3. Legal, Business, Operational, and Security Risks

    Another common theme is how the use of AI and machine learning in products and business brings new legal, regulatory, security, and ethical issues they need to contend with, which could result in reputational harm and liability. Across the 10-Ks, there’s a clear tug of war between go-to-market strategies for AI features and the secure development of AI technology.

So What For Security?

The significant uptick in AI references within Annual Reports from the first quarter of 2024, compared to the first quarter of 2023, underscores a pivotal shift in corporate governance and strategic risk management. For security practitioners, especially CISOs, this shift is not just a trend but a clear call to adapt and evolve. As AI's footprint widens, it intertwines with cybersecurity in ways that are both promising and challenging.

Security practitioners must grapple with the dual task of harnessing AI's potential to bolster security defenses while simultaneously guarding against the unique vulnerabilities it introduces to the business. This requires a comprehensive reassessment of risk frameworks to account for AI-driven threats and a thoughtful strategy on how security teams can enable the safe and secure development and deployment of AI to enable the business.

Security cannot be the “Department of No” when it comes to artificial intelligence. We must recognize that the burgeoning role of AI in corporate strategies presents both an opportunity and a responsibility for security practitioners to enable those ambitious business objectives.

AI News to Know

DHS All in on AI: Just as publicly traded companies are seeing the opportunities and risks of AI, the Department of Homeland Security is becoming “the first federal agency to embrace the technology with a plan to incorporate generative AI models” across a wide range of applications and divisions. DHS is launching a pilot program in partnership with OpenAI, Anthropic, and Meta to help police human and drug trafficking, protect critical infrastructure, and improve disaster response.

Saudi Arabia’s $40B AI Fund: The AI market may not be cooling anytime soon if Saudi Arabia’s plans to launch a $40B AI fund come to fruition. They are rumored to be in partnership talks with venture capital firm Andreessen Horowitz and others to support tech startups with AI, including chip makers and large scale data centers. Saudi Arabia’s energy resources and deep pockets make a potential partnership alluring for venture capitalists.

AI on the Market

A Tale of Two Stories: AI acceleration is clearly extending to the private markets too. Redpoint released a March 2024 market overview that highlighted how AI businesses are growing 2.5x faster, raising 70% more capital, and demanding 3x higher premiums than non-AI companies.

Move Over Security and Trust Centers: GitLab released an AI Transparency Center that explains how they implement governance and transparency throughout their AI products. This will be the natural evolution of Security and Trust Centers as more and more companies adopt AI. I especially like how GitLab is not tied to a single model provider by design and how they share clear documentation on:

  • Each of GitLab’s AI features and their intended purposes

  • Which models are powering each of their AI features

  • How they use your code and other data

  • Their AI model vendors’ current retention periods

  • The current status (experiment/beta/GA) of each AI feature

  • The GitLab tiers and offerings that include access to each AI feature

💼 5 Cool AI Security Jobs of the Week 💼

VP, Legal Officer for Privacy, Cybersecurity, Technology, AI and IP @ Geico to provide a wide range of guidance and legal support | Chevy Chase, MD or NYC | $322k - $598k | 10+ yrs exp.

Enterprise Generative AI - Senior InfoSec Analyst @ AMEX to define Gen AI governance functions and tooling in support of their cloud transformation | Multiple Locations | $110k-$190k | 5+ yrs exp.

IT Cybersecurity Specialists (AI/ML) @ US Cybersecurity and Infrastructure Security Agency to design, develop and secure AI applications | Arlington, VA | $68k-$128k

AI Security and Compliance Architect @ Meijer to partner with IT and business teams to provide security, privacy and risk guidance on AI projects | Grand Rapids, MI | 5+ yrs exp.

Head of Information Security @ C3.ai to own and lead the information security program for a company accelerating enterprise AI adoption | Redwood City, CA | $200k-$295k | 10+ yrs exp.

Until next Thursday, humans.

-Andrew Heighington