ChatGPTriage: How can CISOs see and control employees’ AI use?
2024-07-16 05:00

This rings true; I've spoken with nearly 100 enterprise CISOs in the first half of 2024, and their primary concerns are how to get visibility over employee AI use, how to enforce corporate policies on acceptable AI use, and how to prevent loss of customer data, intellectual property, and other confidential information.

How is AI acceptable use policy expressed? Consider an AI data access policy: a law or consulting firm might require that LLM data from client A can't be used to generate answers for client B. A public company's general counsel might want an AI topic access policy: employees outside of finance and below the VP level can't ask about earnings info.
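The two policies described above can be written as attribute-based checks that a gateway evaluates before a prompt reaches a model. This is an added example, not code from the article; the level ladder, field names, and the upstream topic classifier are assumptions, as is the literal reading that only employees who are both outside finance and below VP are blocked from earnings topics.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed seniority ladder (assumption): higher number = more senior.
LEVELS = {"staff": 1, "manager": 2, "director": 3, "vp": 4, "cxo": 5}

@dataclass
class Request:
    user: str
    department: str
    level: str
    topics: set                        # labels from an upstream classifier (assumed)
    for_client: Optional[str] = None   # client the answer is being produced for
    context_clients: set = field(default_factory=set)  # owners of data in the LLM context

def topic_rule(req):
    """Topic access: earnings questions need finance membership or VP+ level."""
    if "earnings" not in req.topics:
        return None
    rank = LEVELS.get(req.level, 0)    # unknown level fails closed
    if req.department != "finance" and rank < LEVELS["vp"]:
        return "topic:earnings requires finance or VP+"
    return None

def data_rule(req):
    """Data access: data owned by one client must not feed another client's answer.
    Assumption: client data used for work with no client at all is also denied."""
    foreign = {c for c in req.context_clients if c != req.for_client}
    if foreign:
        return f"data: context from {sorted(foreign)} used for {req.for_client}"
    return None

def evaluate(req):
    """Return (allowed, reasons); every rule runs so the audit log shows all hits."""
    reasons = [r for r in (topic_rule(req), data_rule(req)) if r]
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed sample request: a director in legal mixing client A data into client B work.
    print(evaluate(Request("u4", "legal", "director", {"contracts"},
                           for_client="B", context_clients={"A", "B"})))
```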

With eighteen months of experience using generative AI, enterprises have started to learn what's necessary to gain visibility and control of user activity.

Catalog actual activity: To get visibility, you'll need to continuously map that employee activity to the destination database, to build a catalog of employee activity - specifically, where are your employees going, relative to AI? The basic version can happen after the fact, to provide only visibility into which AI models, chatbots, etc.

Capture the conversation: Of course, visibility includes more than just destinations; it includes the actual prompts, data, and responses into and out of those AI destinations.

I have spoken with a few that have built much of this AI visibility and control from scratch.
