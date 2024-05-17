CAMBRIDGE, MASS. -- As AI tools and systems have proliferated across enterprises, organizations are increasingly questioning the value of these tools compared with the security risks they might pose.

At the 2024 MIT Sloan CIO Symposium this week, industry leaders discussed the challenge of balancing AI's benefits with its security risks.

Since the introduction of ChatGPT in 2022, generative AI has become a particular concern. These tools have many use cases in business settings, from virtual help desk assistance to code generation.

"[AI] has moved from theoretical to practical, and I think that has raised [its] visibility," said Jeffrey Wheatman, cyber-risk evangelist at Black Kite, in an interview.

McKinsey & Company partner Jan Shelly Brown helps companies in the financial sector and other highly regulated industries evaluate the risk profiles of new technologies. Increasingly, this involves AI integration, which can introduce both business value and unforeseen risks.

"The cybersecurity agenda, because technology is woven into every corner of the business, becomes super, super important," Brown said in an interview.

The balancing act Introducing AI into the enterprise brings cybersecurity benefits as well as drawbacks. On the security front, AI tools can quickly analyze and detect potential risks, Wheatman said. Incorporating AI can bolster existing security practices, such as incident detection, automated penetration testing and rapid attack simulation. "AI is starting to get really good at running through millions of iterations and determining which ones are actually real risks and which ones are not," Wheatman said. While generative AI has seen increased use across enterprises, its security applications are still in the early stages. Left to right: Fahim Siddiqui, Jan Shelly Brown, Jeffrey Wheatman and moderator Keri Pearlson speak during the 2024 MIT Sloan CIO Symposium. "We believe that it's far too early yet for GenAI to be a core pillar of cyber preparedness," said Fahim Siddiqui, executive vice president and CIO at The Home Depot, in the panel "AI Barbarians at the Gate: The New Battleground of Cybersecurity and Threat Intelligence." But despite these reservations about generative AI in particular, Siddiqui noted, many cybersecurity tools currently in use already incorporate some type of machine learning. Andrew Stanley, chief information security officer and global digital operations vice president at Mars Inc., described the high-level benefits that generative AI can bring to enterprises in his presentation "The Path Goldilocks Should Have Taken: Balancing GenAI and Cybersecurity." One of these advantages is bridging gaps in technical knowledge. "The really powerful thing that generative AI brings into security is the ability to allow ... nontechnical people to engage in technical analysis," Stanley said in his presentation. Due to the technology's various benefits, businesses are increasingly using AI -- including generative AI -- in their workflows, often in the form of third-party or open source tools. Brown said she's seen extensive adoption of third-party tools within organizations. But organizations often don't know exactly how those tools use AI or manage data. Instead, they must rely on external vendor assessments and trust. "That brings a whole different risk profile into the organization," Brown said. The alternatives -- custom LLMs and other generative AI tools -- are currently less widely adopted among enterprises. Brown noted that while organizations are interested in custom generative AI, the process of identifying valuable use cases, garnering the right skill sets and investing in the necessary infrastructure is much more complex than using an off-the-shelf tool. Regardless of whether an organization chooses a custom or third-party option, AI tools introduce new risk profiles and potential attack vectors, such as data poisoning, prompt injection and insider threats. "The data starts to show you that in many cases, the threats may not exist outside the organization -- they can exist within," Brown said. "Your own employees can be a threat vector." This risk includes shadow AI, where employees use unsanctioned AI tools, making it difficult for security teams to pinpoint threats and develop mitigation strategies. Explicit security breaches can also occur when malicious employees exploit poor governance and privacy controls to access AI tools. The widespread availability of AI tools also means that external bad actors can use AI in unanticipated and harmful ways. "Defenders need to be perfect or close to perfect," Wheatman said. "The attackers only really need to find one way in -- one attack vector." Threats from bad actors are even more concerning when cybersecurity teams aren't well versed in AI -- one of the many AI-related risks that organizations are starting to address. "A very low percentage of cybersecurity professionals really have the right AI background," Wheatman said.