As the number of generative AI tools continues to proliferate, companies must determine the risks and rewards of using the technology.
When it comes to generative artificial intelligence (GAI), there is no going back. The genie is out of the bottle and companies must now grapple with a number of big questions. For example, what guardrails should be put in place for employees looking to take advantage of AI’s tremendous potential? Do the risks associated with the emerging technology outweigh the benefits? Is there a way for humans and machines to co-exist in a mutually beneficial relationship?
GAI is different from what many people think of when it comes to AI. Instead of the human-like robots that are often portrayed in movies and the media, generative AI is a form of machine learning that can produce content – including audio, code, images, text, simulations, and videos – more quickly than humans can on their own. Which makes their use enticing.
According to an April 2023 Gartner report, 82% of organizations are currently planning to issue some guidance on the use of generative AI tools, like ChatGPT. However, standing in the way is an insufficient framework for implementation. This has increased the urgency for guidance, training, and education that can greatly reduce the fear, anxiety, and perceived risks associated with generative AI.
“We can’t underreact or overreact,” Frank Post, CISO at the Ontario Pension Board. “This is truly the beginnings of humans and machines working in a much tighter collaboration than we ever imagined possible.”
Doing nothing is also not an option as the number of generative AI miscues rapidly grows. For example, in June 2023, there was a well-documented example of the misapplication of ChatGPT when a New York lawyer was sanctioned for submitting fictional cases to the court. The lawyer attempted to use the artificial intelligence-powered chatbot to build a legal brief that referenced past court cases. However, instead of pulling from actual case law, the AI tool fabricated a number of cases. The lawyer failed to verify that information and submitted his filing to great embarrassment and professional self-destruction.
In a separate instance in April 2023, Samsung barred the use of ChatGPT throughout the company when they determined that some of their proprietary information made it into ChatGPT’s database. This happened because anything submitted to a GAI tool will get incorporated into the system’s Large Learning Model (LLM), and can then be accessed in the future by others. Furthermore, that sharing, once completed, is forever and cannot be undone.
An initial risk assessment may force some companies to follow suit with an outright ban of GAI on company devices. Conversely, other companies may encourage some experimentation, which could lead to the development of GAI applications that deliver huge benefits to investors, employees, and customers alike.
“You can’t easily stop the use of AI tools,” says Dr. James Norrie, Founder and CEO of cyberconIQ – a company that pioneered the merging of psychology and technology to measure and manage cybersecurity and online risk. “If you suppress the use of GAI, it will go underground. People won’t admit they use it, and they will do it from home, exposing you to greater security and privacy risks. Why not get ahead of this curve before that happens?”
A better approach is to encourage the safe exploration of business use cases for GAI that might benefit your organization and its customers. For example, some companies are now implementing GAI tools to enhance customer service, streamline order processing, and support rapid internal knowledge sharing among project teams. Regardless, most organizations will be confronted with GAI at some point and would therefore benefit from considering some principles ahead of any possible adoption.
Implementing appropriate guidelines allows companies to use the power of generative AI while reducing the risk of being affected by its negative aspects. While no set standard will work for all companies, guidelines should adhere to three principles.
Principle 1: Be AI-safe and secure
When you submit a question to tools like ChatGPT, Google Bard, and Claude AI, that information is stored and used to train it further. Once businesses send information to these tools, they effectively hand over that data to an external entity and lose control over its use. And that has consequences.
“If you’re in healthcare, finance, or any other regulated environment, there are severe implications for misuse of the information you’re in charge of,” says Post. “Those types of organizations should not jump in until they have been properly trained and have guardrails put in place.”
LLMs can also open the door to intellectual property theft because people unwittingly give them proprietary information such as trade secrets, company financial data, personally identifiable information from clients, and customers, and much more.
Safety, security, and privacy comprise the first guiding principle and ensure employees do not input anything into a generative AI tool that they should not share.
Principle 2: Demonstrate data provenance integrity and accountability
Generative AI tools have a fundamental flaw; that being that LLMs are now known to fabricate information. This behavior is commonly called “hallucination,” and has been widely reported in early GAI versions. Currently, there is no known solution.
“Because generative AI tools and large language models don’t have the ability to distinguish fact from fiction, everything produced by those tools needs to be validated,” says Post. “Whatever information you think you’re learning from a generative AI tool, verify it with other sources.”
Secondly, in many situations, it can be unethical to portray AI-generated output as if it were done by a human. For example, if a website visitor uses a chatbot interface, they should know whether they’re interacting with a conversational AI tool or a human being.
Finally, there are accountability concerns to consider. US courts have, so far, ruled that AI-generated content is not protected by copyright. Organizations that use AI-generated content as a central portion of their business might not be protected if a competitor takes that content and uses it without permission. Many AI companies are facing copyright infringement lawsuits because plaintiffs claim the tools illegally used their intellectual property for training. The ripple effects of these lawsuits on businesses using generative AI are unknown but are rapidly emerging.
Principle 3: Understand information warfare and disinformation
Companies should assume their competitors have bad intentions with their use of AI.
“Not all information online is true,” says Dr. Norrie, whose company compiled the aforementioned guiding principles and has released a set of free AI training resources for organizations or individuals looking for direction. “AI, too, can be trained to produce incorrect answers. Cybercrime gangs are already using AI in social engineering to advance their criminal agenda, and this will lead to an increase in the volume and sophistication of cyberattacks.
Companies that use generative AI where they don’t control the input data must be aware of this fact and act accordingly. However, even with control of the data that goes into the LLM, the hallucination problem remains making fact-checking an essential defense mechanism. It is also critical to improve the cyber judgment and intuition of employees as AI-enabled attacks grow in sophistication.
The guidance principles are meant to raise awareness about the current state of AI tools. Humans will need to learn to work with AI, not rebel against it.
“It’s a bytes and brains collaboration,” says Dr. Norrie. “We must figure out the machine instead of letting the machine figure us out. It is best to establish your AI guidelines while you’re developing your own knowledge and understanding of how you plan to govern and regulate its use.”
For more information or if you need help implementing AI guidelines in your company, please contact cyberconIQ at +1 (717) 699-7305 visit https://cyberconiq.com/ or email info@cyberconiq.com.
Patti Jo Rosenthal chats about her role as Manager of K-12 STEM Education Programs at ASME where she drives nationally scaled STEM education initiatives, building pathways that foster equitable access to engineering education assets and fosters curiosity vital to “thinking like an engineer.”