Generative AI in the Workplace: Striking a Balance Between Innovation and Risk
Published 11/17/2023
Originally published by CXO REvolutionaries.
Written by Christopher Jablonski, Director, CXO REvolutionaries & Community, Zscaler.
Given what we’ve observed since the launch of OpenAI’s ChatGPT last Fall, generative AI and large language models look poised to eventually make every employee and virtually every enterprise process more productive in one way or another. It heralds limitless possibilities like many transformational technologies we take for granted today, for example, the Internet.
Simultaneously, implementing GenAI securely and responsibly is a challenge for virtually every CXO. Seizing new capabilities must be done without compromising intellectual property, proprietary business information, or personal data.
In the face of a tsunami of “BYOAI,” harness the power of this revolutionary technology internally by following these steps:
1. Create a company-wide AI use policy and update your cybersecurity strategy
As a first step, IT leaders should partner with heads of security and legal to set up policy. Convert rogue and unsanctioned use of GenAI before it gets out of hand. You don't want another round of heartache dealing with the challenges we’ve seen with shadow SaaS. Get ahead of the curve and make responsible governance easy for employees. List new AI tools and ideas that come up from across your organization, and as you chalk up their promises, equally look for imperfections, caveats, and risks. In the old world, CIOs would lay out checkpoints and speed bumps. You are now expected to provide "bumper cars" and guardrails so everyone can move quickly and safely.
Do you have a GenAI policy that covers employees, officers, contractors, and other third parties working at or performing services on behalf of your organization? If so, ensure it includes your accountability, fairness, transparency, security, and compliance practices. Suppose you haven’t created your policy or are updating it. In that case, the basics are establishing guidelines that cover compliance with laws and regulations, privacy, material nonpublic info, confidential info, bias/discrimination, and output accuracy. Each enterprise and industry is different, but doing good is universal, so keep data governance, ethics, and transparency in check alongside other tracks like AI use cases and investment prioritization.
When experimenting with GenAI tools and capabilities, use role-based access control (RBAC) to provide initial access for proof of concepts and testing for teams responsible for discovering and understanding how new capabilities function, like developers and engineers, then open up access to larger employee tiers accordingly. There’s no need to be binary with every decision. Take the middle ground so that POC/experimentation with security controls can flourish, and you get to know all the contours of potential productivity gains and applications. But once you open up an AI application, monitor the usage and prevent data leakage.
Lastly, regularly communicate updates to your AI policies and procedures with your employees and offer continuous training.
2. Define use cases to help answer “build vs. buy vs. extend” decisions
Department heads and employees are eager to pounce on an ever-growing list of easy-to-use, natural language prompt-enabled AI tools and services, and the last thing you want is FOMO or falling behind. Channel that enthusiasm into forums and ideation buckets so business, legal, and technology leaders can consider demand and use cases when addressing fundamental questions for adopting GenAI.
According to McKinsey, four areas could account for roughly 75% of the value that generative AI use cases deliver: Customer operations, marketing and sales, software engineering, and R&D. Invite department heads from each area to working groups or GenAI meetings and conferences. The importance of understanding your use cases thoroughly is vital. The same rules for generating a comprehensive problem statement still apply. Find the solution to your problem, not a problem that fits a GenAI solution. If you start with a business problem, the path you end up on may lead you to something other than GenAI, so respect that, even if it isn’t the shiniest object.
Create a table with use cases in rows and three columns: one for building in-house AI capabilities, one for vendor-delivered AI, and a third for vendor-delivered from incumbent partners. How much falls into each depends on your IT capabilities, AI prioritization, budget, time-to-market, business model, etc. Whether building or buying, you will need to be able to communicate your ROI for investment and/or be able to understand your vendor's requirements for purchasing. (Note of caution: some incumbent vendors may be sneaking AI into their products without permission, so check that your existing vendors' terms of service and privacy policy do not allow them to use your personal data for training.)
If you see several use cases that are an extension of one another, consolidate them into “bigger rocks.” Find the foundational use cases, start small, and extend from there. Some players have been working on AI solutions for years if not decades, and others are searching for overnight success. Understand market maturity and where vendors have added one-off features versus releasing a transformational product. Look through the hype for evidence of who has staying power. You want to invest in products that will get this correct in the long run, not just a first mover with a shiny new feature or model.
Educating the employee base about GenAI concepts is the only way for this exercise to succeed. Start with your engineers and hands-on technical personas, then appropriate leadership and the broader employee masses. Otherwise, discussions can be plagued with circular conversations about solutions. Understanding the correct application of the technology will help everyone speak the same language.
3. Place a premium on third-party risk mitigation
You already manage third-party risk, so adapt your protocols and provisions for GenAI, noting any updates or special considerations for screening, onboarding, assessment, risk mitigation, monitoring, and offboarding on a case-by-case basis. For example, suppose an existing approved vendor is adding a new AI feature to the services delivered – and trust me, just about all of them are – you might want to request that your vendor completes a security questionnaire before activating a large language model (LLM) feature in your environment. Go one step further and routinely send a questionnaire to your existing vendors on AI usage and TOS.
When building AI, ensure the chosen platform(s) fits your data governance, intellectual property, and privacy policies. Engage your company’s security, legal, privacy, and compliance stakeholders to ensure that any anticipated uses of generative AI platforms and technology follow the company-wide AI use policy, which should contain the guiding principles and serve as the north star when conducting due diligence on the third-party vendor. Extend your procurement due diligence to cover GenAI to understand the risks and advantages of our strategic decision.
4. Establish or augment your AIOps
Finally, it is worth exploring how GenAI can benefit the IT department. Enterprises with preexistent AI/ML operations must fold GenAI into a growing portfolio of related capabilities. Those getting started with AIOps could not have been given a better reason to set one up. There are two ways in which AIOps is impacted by GenAI. One deals with how CIOs and their data teams must observe, predict, and act on IT operational issues affected by GenAI. The other is to apply AI to improve and automate IT operations to cut costs and boost efficiency.
Consider your helpdesk. Service-desk chatbots can handle many of your entry-level helpdesk requests without human assistance and will only improve. AI can augment and automate many other parts of your IT environment. Below are top examples to consider:
- There’s a lot of excitement and support for an NLP-based interface for all enterprise data that allows users to replace dashboards and tables with conversational insights that cut through all the steps to clear and robust business answers
- Solve challenges by analyzing root causes, correlating events, and detecting anomalies
- GenAI can write, correct, and test code, as well as create reports
- GenAI can pinpoint the causes of outages or performance issues so IT teams can take remediation action (see ZDX)
It’s a special time to be in information technology. We just dropped in on a wave as significant as other paradigm-changing technologies like the internet, mobility, and cloud/SaaS. With the advice presented in this article, I hope you are ready to explore how IT can play a crucial role in introducing automation, intelligent decisions, and even self-driving processes across your organization.
Related Resources
Related Articles:
The Evolution of DevSecOps with AI
Published: 11/22/2024
It’s Time to Split the CISO Role if We Are to Save It
Published: 11/22/2024
CSA Community Spotlight: Nerding Out About Security with CISO Alexander Getsin
Published: 11/21/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024