Generative AI Security Protocol Mitigates Risks to Sensitive Information
December 10, 2024 by Gordon Advisors
by Carlos Lopez, Senior Manager, Gordon Advisors, P.C.
Generative AI (GenAI) continues to gain wide acceptance in the workplace as a tool to create efficiencies, reduce the time drain of repetitive office work and generate new ideas. Even with its wide embrace, so little is known about how it works, including its seemingly endless capabilities. In today’s connected world, the ability of legal and regulating bodies to assess threats and develop new laws and regulations to mitigate security risks always lags a beat behind the pace of the latest technology developments. By the time new laws are enacted, the technology continues to advance, creating new security risks, while legal and regulating bodies scramble to catch up.
The perpetual cycle of technology development and the emergence of new security risks is not going to change any time soon. However, your company can benefit from the advantages of using GenAI in the workplace while mitigating security risks by creating a written security protocol for its use.
GenAI in the workplace
Many of the mundane, time-consuming workplace tasks that benefit from GenAI involve sifting through mounds of data, documents or resumes, most of which contain sensitive information that must be protected against exposure in a security breach.
By its very nature, GenAI brings significantly different risks than those presented by traditional technology applications and requires different security strategies to protect company information.
GenAI Security Protocol
Most GenAI tools are used by employees. Therefore, instituting a written, company-wide GenAI security protocol is imperative.
First, state the need for a specific, written GenAI Security Protocol to define for employees the unique security challenge GenAI tools create and employees’ role in helping to protect vital company information. Once the GenAI security protocol has been established, conduct trainings to educate employees on the importance of strict adherence to the policy, as well as the potential for disciplinary action for policy violations.
Include the following in the statement of purpose to introduce the GenAI Security Protocol:
- Define GenAI as publicly available applications driven by artificial intelligence that mimic human intelligence to create written or visual content to generate work product, answers to questions or to perform specific tasks
- Provide a list of GenAI tools that the company has installed or approved for use
- Offer a brief summary of the pros and cons of using GenAI in the workplace
- State the seriousness of the unique risks the use of GenAI can bring to company and client/customer security and intellectual property information, as well as risks from inaccuracy
Next, state the goals for the GenAI Security Protocol:
- To highlight the unique issues pertaining to using GenAI tools
- To set guidelines for acceptable employee use
- To protect the company and its customers/clients’ sensitive/confidential information, including intellectual property, trade secrets, brand, commitment to diversity and workplace culture
Third, write out clear guidelines for the use of GenAI tools in the workplace. Work with key stakeholders in the company (Legal, HR, IT and Security) to define policies and procedures for using GenAI: who can use it and under what circumstances, what information can be used as input and how the output information needs to be vetted before it's used.
Sample guidelines include:
- Do not use GenAI tools as a substitute for human judgment and creativity
- The accuracy of responses from GenAI queries must be meticulously verified by a human; many GenAI tools can produce “hallucinations,” false answers or information that is outdated
- Regardless of the privacy settings, the possibility is very real that every piece of information you feed into GenAI will go viral on the internet; choose wisely, especially where sensitive information is involved
- Require employees to inform their supervisors when they have used a GenAI tool to assist in performing a task
- Verify every response from a GenAI tool that you intend to use is accurate, appropriate, not biased, not a violation of any other individual or entity’s intellectual property or privacy and is consistent with company policies and applicable laws
- Prohibit the use of GenAI tools to make employment decisions about applicants or employees and their career paths
- Do not upload any confidential, proprietary or sensitive company information into any GenAI tool; any information uploaded into GenAI may be used to continue to develop and train the tool and be publicly shared, which can risk public exposure of sensitive company information
- Do not upload any personal information — yours or that of your colleagues — into a GenAI tool
- Never represent work generated by GenAI as your original work
- Only integrate GenAI tools with internal company software after receiving written permission from your supervisor and the IT Department
- Do not use GenAI tools other than those approved by the IT Department; malicious chatbots can be designed to steal, or convince you to divulge, information
- Violating this policy may result in disciplinary action, including immediate termination, and could result in legal action
- Report concerns about behavior in violation of this policy to your supervisor or any member of HR
At Gordon Advisors, we have implemented a GenAI Security Protocol and advise all businesses to do the same. It’s a new day. The need to protect confidential and proprietary information, as well as trade secrets and intellectual property, does not negate the use of GenAI in the workplace. By implementing a company-specific GenAI Security Protocol, organizations can benefit from the efficiencies of using GenAI in the workplace without jeopardizing information security.
For further guidance, reach out to a trusted professional at Gordon Advisors, P.C.