AI’s Two Faces: Unlock Innovation but Manage Shadow AI

Balancing the duality of opportunities and risks that come with emerging technologies is an age-old challenge, and one that is no different with artificial intelligence. Just like cloud computing, data analytics, and robotic process automation in recent years, AI brings the potential to enhance productivity and bring businesses other advantages while also posing threats that require serious consideration.  

Amazon has emphasized caution among its engineers when using ChatGPT while highlighting AI's potential in products like Alexa. At our company, we strive to balance the need for a thoughtful approach to mitigate risks while encouraging innovation in the development and use of AI in our platform and business.  

According to Gartner, spending on AI software is set to surge to $297 billion by 2027. Despite all the buzz, a recent survey conducted by AuditBoard and The Harris Poll reveals that less than half of employed Americans (42%) say their company has a formal policy for using non-company supplied AI-powered tools for work -- opening them up to potential ethical, legal, and privacy risks. Recent regulations like the EU AI Act and signaling directives such as the US Executive Order for the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence underscore the importance of getting your house in order now, before there are penalties for non-compliance. 

Related:What IT Leaders Can Learn From Shadow IT

Enterprises must prepare for AI-augmented decision-making across their enterprises -- acting now to put guidelines in place to effectively manage AI risks while harnessing new capabilities to stay ahead of the competition.  

AI might feel intimidating, but it’s not necessary to reinvent the wheel. If we look more closely, AI risk resembles many familiar risks we already have processes and policies in place to mitigate that risk, including data governance, identity and access management, and data loss prevention. Here are three ways that organizations can leverage proactive policies and well-established processes to manage AI risk while tapping into its game-changing potential: 

1. Greenlight safe AI use cases with acceptable use policies. 

Without stifling innovation and productivity, organizations need to balance the opportunities for the technology with acceptable use. A blanket prohibition on AI will likely lead to “shadow AI,” the unsanctioned use of AI outside IT governance. Taking a thoughtful approach to crafting acceptable use policies can effectively greenlight some use cases without impeding creativity. Strong policies should provide a list of approved generative AI tools, establish guidance on permissible categories of data or data sets, and identify high-risk use cases to avoid. Restrictions should be in place to prohibit using specific data for model training purposes, limit automated decision-making, and ensure ethical considerations. The policy should also outline procedures for requesting, reviewing, and approving new use cases. 

Related:How to Gain Control Over Shadow Analytics

2. Minimize risk with AI key control policies. 

Key control policies can play an essential role in reducing the risk of data breaches or misuse. A well-crafted AI key control policy will ensure AI adoption is compliant with regulations and policies, that only properly authorized data is ever exposed to the AI solutions, and that only authorized personnel have access to datasets, models, and the AI tools themselves. Isolation from core systems reduces the chance of data finding its way into third-party systems, and audit logs and monitoring facilitate the detection of unusual activities or breaches. A key last step is to require that humans are in the loop, with AI recommendations always being reviewed by human operators with an evidence trail of the output that is reviewed and the decisions made. 

Related:Salary Report: IT in Choppy Economic Seas and Roaring Winds of Change

3. Incorporate AI considerations into tool selection processes 

Approving new tools in the era of AI is less about creating a new process, and more about ensuring that your existing third-party risk management processes can account for the nuances of AI. At our company, when we review proposals for new tools, we evaluate potential benefits and risks, alignment with organizational goals, and compliance with ethical standards and regulations. Key questions to ask when selecting tools related to AI include: 

Once tools are added to an approved list, guidance is provided on authorized data sets. Additionally, we provide guidance on AI’s limitations, establish restrictions on automated decision-making processes, determine prohibited uses, and consider ethics to ensure fairness and accountability.  

By building out these processes, organizations can foster innovation while prioritizing ethical considerations and societal impact. 

Managing AI Risk Is a Team Sport 

AI risk and opportunity aren’t owned by a single person or function in the organization. It spans us all. It will take collaboration and communication to create a cohesive approach to managing AI risk while enabling innovation. We must be mindful that there is no one-size-fits-all approach to managing AI -- it will look different for every organization.  

To get the ball rolling, spearhead discussions about potential risks and challenges associated with AI adoption at your organization. Follow that by working with key stakeholders to develop a comprehensive AI usage policy that enables innovation while mitigating risks. By leveraging time-tested risk management principles and fostering ongoing, open communication, we can minimize the threat, share the responsibility, and reap the rewards of AI.