AI’s Two Faces: Unlock Innovation but Manage Shadow AI

By leveraging time-tested risk management principles and fostering ongoing and open communication, we can minimize the threat, share the responsibility, and reap the rewards of artificial intelligence.


Balancing the duality of opportunities and risks that come with emerging technologies is an age-old challenge, and one that is no different with artificial intelligence. Just like cloud computing, data analytics, and robotic process automation in recent years, AI brings the potential to enhance productivity and bring businesses other advantages while also posing threats that require serious consideration.  

Amazon has emphasized caution among its engineers when using ChatGPT while highlighting AI's potential in products like Alexa. At our company, we strive to balance the need for a thoughtful approach to mitigate risks while encouraging innovation in the development and use of AI in our platform and business.  

According to Gartner, spending on AI software is set to surge to $297 billion by 2027. Despite all the buzz, a recent survey conducted by AuditBoard and The Harris Poll reveals that less than half of employed Americans (42%) say their company has a formal policy for using non-company supplied AI-powered tools for work -- opening them up to potential ethical, legal, and privacy risks. Recent regulations like the EU AI Act and signaling directives such as the US Executive Order for the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence underscore the importance of getting your house in order now, before there are penalties for non-compliance. 


Enterprises must prepare for AI-augmented decision-making across their enterprises -- acting now to put guidelines in place to effectively manage AI risks while harnessing new capabilities to stay ahead of the competition.  

AI might feel intimidating, but it’s not necessary to reinvent the wheel. If we look more closely, AI risk resembles many familiar risks that we already have processes and policies in place to mitigate, including data governance, identity and access management, and data loss prevention. Here are three ways that organizations can leverage proactive policies and well-established processes to manage AI risk while tapping into its game-changing potential:

1. Greenlight safe AI use cases with acceptable use policies. 

Without stifling innovation and productivity, organizations need to balance the opportunities for the technology with acceptable use. A blanket prohibition on AI will likely lead to “shadow AI,” the unsanctioned use of AI outside IT governance. Taking a thoughtful approach to crafting acceptable use policies can effectively greenlight some use cases without impeding creativity. Strong policies should provide a list of approved generative AI tools, establish guidance on permissible categories of data or data sets, and identify high-risk use cases to avoid. Restrictions should be in place to prohibit using specific data for model training purposes, limit automated decision-making, and ensure ethical considerations. The policy should also outline procedures for requesting, reviewing, and approving new use cases. 


2. Minimize risk with AI key control policies. 

Key control policies can play an essential role in reducing the risk of data breaches or misuse. A well-crafted AI key control policy will ensure AI adoption is compliant with regulations and policies, that only properly authorized data is ever exposed to the AI solutions, and that only authorized personnel have access to datasets, models, and the AI tools themselves. Isolation from core systems reduces the chance of data finding its way into third-party systems, and audit logs and monitoring facilitate the detection of unusual activities or breaches. A key last step is to require that humans are in the loop, with AI recommendations always being reviewed by human operators with an evidence trail of the output that is reviewed and the decisions made. 


3. Incorporate AI considerations into tool selection processes 

Approving new tools in the era of AI is less about creating a new process, and more about ensuring that your existing third-party risk management processes can account for the nuances of AI. At our company, when we review proposals for new tools, we evaluate potential benefits and risks, alignment with organizational goals, and compliance with ethical standards and regulations. Key questions to ask when selecting tools related to AI include: 

  • Do we have permission to provide this data to this tool? 

  • Is this tool a “subprocessor” that needs to be disclosed to customers? 

  • Can we restrict the AI from using sensitive data for training? 

  • Can I opt out of allowing tools to use my data for training models used by other parties? 

  • Can we detect data flow to unauthorized tools?  

Once tools are added to an approved list, guidance is provided on authorized data sets. Additionally, we provide guidance on AI’s limitations, establish restrictions on automated decision-making processes, determine prohibited uses, and consider ethics to ensure fairness and accountability.  

By building out these processes, organizations can foster innovation while prioritizing ethical considerations and societal impact. 

Managing AI Risk Is a Team Sport 

AI risk and opportunity aren’t owned by a single person or function in the organization. It spans us all. It will take collaboration and communication to create a cohesive approach to managing AI risk while enabling innovation. We must be mindful that there is no one-size-fits-all approach to managing AI -- it will look different for every organization.  

To get the ball rolling, spearhead discussions about potential risks and challenges associated with AI adoption at your organization. Follow that by working with key stakeholders to develop a comprehensive AI usage policy that enables innovation while mitigating risks. By leveraging time-tested risk management principles and fostering ongoing, open communication, we can minimize the threat, share the responsibility, and reap the rewards of AI.  

About the Authors

Anton Dam

VP of AI, AuditBoard

Anton Dam is the VP of Engineering for Data, AI/ML at AuditBoard. He is responsible for the development and deployment of artificial intelligence and machine learning technologies to enhance audit, risk, and compliance workflows. His experience includes developing enterprise AI products at LinkedIn and Workday, as well as at Restless Bandit and Skupos. 

Richard Marcus

CISO at AuditBoard

Richard Marcus leads the Information Security Team at AuditBoard where he is focused on product, infrastructure, and corporate IT security. He is also responsible for leading the charge on AuditBoard’s own internal compliance initiatives.  
