How to Stop AI From Leaking Your Company’s Confidential Data

Within months of its launch in November 2022, ChatGPT had started making its mark as a formidable tool for writing and optimizing code. Invariably, some engineers at Samsung thought it was a good idea to use AI to optimize a specific piece of code that they had been struggling with for a while. However, they forgot to note the nature of the beast. AI simply does not forget; it learns from the data it works on, quietly making it a part of its knowledge base.

As the exposure of proprietary code was discovered, Samsung immediately rolled out a memo that explicitly banned the usage of generative AI tools. And they had solid reasons to do so. Typical loss estimated from such data exposure can run into millions and result in loss of competitive advantage.

Understanding the hidden risk

How AI tools are different from traditional software:

Most of us are accustomed to working with traditional software. We share whatever data we want with them, and the results are private to us. Quite expectedly, corporate employees pay scant regard to the type of data they share, expecting standard access controls to cover any security threats.

In sharp contrast, AI systems tend to absorb every piece of data that we share with them. Every code snippet, every document and even our prompts are used to inherently improve the system’s results. This leads to the permanence problem, as the data that AI absorbs can technically be accessed by outsiders, especially if you are using a publicly accessible AI platform.

Moreover, you really do not have a Delete button in AI as opposed to traditional software, where you can simply delete all your data. AI systems ingrain learnings that cannot be removed as they end up becoming part of its knowledge corpus and are inseparable from the model itself.

Take a hypothetical scenario: Over the years of intense research and experience, your organization has built a formidable M&A strategy. What happens when this highly privileged information becomes public knowledge? You would be looking at a serious loss of competitive advantage. The same thing can occur for a software company if its product roadmap or the source code for its product becomes public. Now the risks can even expand to the very future of the company and its existence.

The 3 critical policies every company needs to put in place

1. Create a crystal-clear and acceptable AI use policy

One of the best failsafes against AI-related leaks is a clear policy document, written in simple language, explaining what can be shared with AI systems and what cannot be shared under any circumstances. The policy must be crystal clear and include examples to showcase different scenarios.

Typical examples of explicitly prohibited data include source code, product roadmaps, proprietary frameworks, identifiable customer data and financial records, to name a few. Depending on your company and what you deem as critical, you should clearly demarcate what kind of data employees should steer clear of while working with AI systems.

Next, you also need to ensure that strict NDAs are in place and compliance norms mandate employees to inform seniors and security teams about disclosing any new type of data to AI systems. Club this with consequences for violating the policy, which can range from mandatory training to even dismissals based on the degree of egregious behavior.

2. Deploy enterprise-grade AI solutions with data controls

Public AI platforms, like ChatGPT, are often an open risk item for corporates. Instead, you should invest in enterprise editions of AI systems, like ChatGPT Enterprise, that offer a secure environment with an explicit promise of not training their models on your proprietary data and strong encryption. You can also run solutions like Azure OpenAI Service from your private instance or secure cloud.

While specific enterprise versions and private instances may cost more, the investment in providing a secure AI platform to your employees simply pales before the enormous costs that you may incur due to critical data exposure.

3. Implement robust technical safeguards and regular monitoring

Now, one cannot just implement a policy and hope everyone starts following it. Hence, it is important to place technical controls through Data Loss Prevention tools. These systems are designed to recognize patterns and can raise an alert when proprietary information like source code, credit card numbers or even frameworks is entered into the AI console. In conjunction, you need to implement regular IT audits for AI usage by employees to prevent inadvertent leaks.

At the same time, you should provide a solution for typical use cases depending on the nature of your business. For example, if your team often needs AI help for effective coding, make sure you have tools like GitHub Copilot for business installed with appropriate security controls.

Implement a cultural shift through ongoing awareness

When it comes to preventing data leaks through AI systems, annual training modules or policy reminders through emails are not enough. You need to have AI champions in your organization who liaise with different teams and alert them about different vulnerabilities, real examples and best practices. Moreover, keep an open environment where employees can mention their errors or possible near misses without attracting punitive actions.

Using AI in organizations is now becoming inevitable, and companies need to strike a balance between innovation and data security. As a leader, you should take a proactive approach by creating a framework that facilitates innovation while protecting critical organizational data. This will help you gain a competitive advantage over your peers who vacillate between absurd bans and open AI usage.

Sign up for the Entrepreneur Daily newsletter to get the news and resources you need to know today to help you run your business better. Get it in your inbox.

Within months of its launch in November 2022, ChatGPT had started making its mark as a formidable tool for writing and optimizing code. Invariably, some engineers at Samsung thought it was a good idea to use AI to optimize a specific piece of code that they had been struggling with for a while. However, they forgot to note the nature of the beast. AI simply does not forget; it learns from the data it works on, quietly making it a part of its knowledge base.

As the exposure of proprietary code was discovered, Samsung immediately rolled out a memo that explicitly banned the usage of generative AI tools. And they had solid reasons to do so. Typical loss estimated from such data exposure can run into millions and result in loss of competitive advantage.