topic Re: The existence of Shadow AI in Industry News

The existence of Shadow AI

Caute_cautim — Tue, 12 Dec 2023 23:01:54 GMT

Hi All

Why should we care about Shadow AI, this piece explains why we should be very worried and that we need to understand and counter this issue now.

https://www.techpolicy.press/beware-the-emergence-of-shadow-ai/

Regards

Caute_Cautim

Re: The existence of Shadow AI

Early_Adopter — Tue, 12 Dec 2023 23:40:14 GMT

That’s a terrible definition of Shadow IT… because the better one has been purloined to define Shadow AI.

It’s never code snippets it’s always a complete service or there is significantly less benefit in using it…

Luckily the vast majority of this stuff is web delivered so set your proxy, CASB and DLP to parent data going to anything but those services that you vet, approve and commission. This policy should be relatively easy as these are categorised and to be usable you should be paying for the service.

Monitor efficacy and do meet every quarter on the progress.

Re: The existence of Shadow AI

Caute_cautim — Wed, 13 Dec 2023 01:18:55 GMT

@Early_Adopter Don't forget the API gateway as well.

Regards

Caute_Cautim

Re: The existence of Shadow AI

Caute_cautim — Wed, 13 Dec 2023 01:29:02 GMT

@Early_Adopter Here is a definition for Shadow AI: Shadow AI represents the hidden, uncontrolled frontier of AI usage within organizations, bringing both opportunities for individual productivity and challenges for corporate governance and risk management.

Forbes also did a piece on it on 31st October 2023: https://www.forbes.com/sites/delltechnologies/2023/10/31/what-is-shadow-ai-and-what-can-it-do-about-it/?sh=60b6ffe77127

CIO.com did a piece too: https://www.cio.com/article/648969/shadow-ai-will-be-much-worse-than-shadow-it.html

2021.AI did a short piece on it too: https://2021.ai/shadow-ai-impact-deploying-ai/

Plenty of explanations available.

Regards

Caute_Cautim

Re: The existence of Shadow AI

Early_Adopter — Wed, 13 Dec 2023 01:36:52 GMT

That’s what the CASB is for API into the service and application aware forward/reverse proxy to the service - if you want a special, sure knock yourself out but all the SASE vendors are crawling over themselves to ‘do’ GenAI traffic with ZTNA, mirrored gateways etc. data you app send out can’t be decrypted, parsed and inspected? “Sorry, computer says no.”

Anyway when you commission a service in most regulated industries you’ll probably need to define the traffic you send down to the data element At some point and the vendor will undertake to not go beyond that - your internal audit reminding you and your internal data flows should all be mapped.

If your applications are sending data out without full instrumentation and oversight, fix it, its probably just a matter of time before it’s over.

Re: The existence of Shadow AI

Early_Adopter — Wed, 13 Dec 2023 01:43:25 GMT

Yes the article at the top looks like it may have used shadow AI to generate its definition of Shadow IT:

“What is Shadow IT?

For those unfamiliar with Shadow IT, these are often code snippets, libraries, solutions, products, services, and apps on managed devices that lurk outside the oversight of corporate, nonprofit, and government IT departments. Shadow IT can threaten an organization's cybersecurity, privacy, and data confidentiality. For example, they increase the likelihood of data breaches and ransomware infiltrating the corporate network, often costing the organization more than $1m for each incident, according to the Verizon 2023 Data Breach Incident Report.”

Whilst it’s Shadow AI definition fits Shadow IT perfectly:

“ What is Shadow AI?

Shadow AI refers to the AI systems, solutions, and services used or developed within an organization without explicit organizational approval or oversight.”

Succinct, elegant and natural.

Re: The existence of Shadow AI

Caute_cautim — Wed, 13 Dec 2023 02:42:04 GMT

HI @Early_Adopter I enjoy these debates by the way:

The definition of Shadow IT can be described as:

Shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It can encompass cloud services, software, and hardware. The main area of concern today is the rapid adoption of cloud-based services.

I think this is distinctly different from the Shadow AI definition:

Shadow AI represents the hidden, uncontrolled frontier of AI usage within organizations, bringing both opportunities for individual productivity and challenges for corporate governance and risk management.

Which would mean the uncontrolled use of AI tools without authorisation within an organisation, which could result in organisational IP being disseminated out of the organisation without managements actual knowledge. Which would result in the loss of IP, corporate knowledge and potentially share information unintentionally with competitors or the dark side, seeking greater understanding of the internal workings of the company.

I guess the issue, is keeping it in context with a meaningful comparison, and ensuring both are fully understood.

Regards

Caute_Cautim