COMMENTARY: The majority of respondents (88%) in a McKinsey survey said their organization used AI in at least one business function. No longer experimental, modern enterprises have leveraged AI to improve productivity, accelerate decision making, optimize costs, and compete.Yet many organizations are less clear about how AI handles data, how we can monitor and govern its usage. To put it simply, questions are being asked about safe AI usage. Incidents of AI used as a catalyst for data breaches aren’t helping to boost confidence, either.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]This lack of confidence creates uncertainty, which can slow AI deployment and adoption, creating a rift between the teams that want to move quickly with AI and the team that wants to put the brakes on it.Security must become an enablerThe cornerstone of traditional enterprise security includes prevention, restriction, and exception management. Stop malicious activity, control access privileges, and reduce exposure. The arrival of AI demands that we tweak these responsibilities.For security teams, it’s not about whether we allow an AI tool, but about ensuring that we can adopt them safely. Security must create an environment in which AI adoption becomes a successful, repeatable business capability. If security teams can’t provide a governance framework for AI adoption, then it will happen without requisite oversight.Why it’s hard to control AIOne of the biggest advantages of AI also increases its risk profile. AI use has not been limited to developers, data scientists, or those with tech profiles. Any employee can use a public AI tool. If needed, they can create a custom assistant to help with tasks, and with limited technical knowledge, introduce an AI-powered service into a workflow.Employees can improve a presentation, summarize a document, draft code, analyze data, or automate a routine task within minutes. Considering the benefits, it’s only natural that users accidentally or intentionally paste sensitive information into tools they don’t fully understand.There’s also the risk of shadow AI, where employees use unauthorized tools. Leaders may believe AI use has been limited to approved applications, while employees are already experimenting with agents and workflows. There’s a gap between AI governance and everyday AI usage.It's not possible to protect against security issues we can’t see. The same thinking applies to AI. It’s not possible to govern activity that our organization cannot see.Before developing a "safe AI use" framework, using policies, or introducing controls, security leaders must get the lay of the land. This includes knowing which AI tools are being used across the organization, who the users are, what data they are sharing, and where and how AI has become integral to various business processes.While this may appear obvious, tech visibility has plummeted. Out of 2,000 surveyed CxOs, 70% say business teams deploy technology faster than IT can keep up.Visibility lets leaders distinguish between low and high-impact adoption, with the latter having the potential to expose confidential data, violate regulatory requirements, influence decision-making, and introduce drill-down operational dependence. This helps implement controls by context rather than by broad-based rules, which we can work around by “enterprising” employees.By revealing the full scale and nature of AI use, visibility helps teams define acceptable boundaries, introduce continuous monitoring, and offer approved alternatives to shadow AI.The publicly available AI tools many organizations use are the start of our experiments with AI. We’ll need to secure AI that our organization builds into its own applications, workflows, and agents. The AI built by organizations calls up deeper questions, including which systems the agent can access; the data it can retrieve; the actions it can take; who reviews the outputs; and who’s accountable for automated decisions that can impact customers or operations in an unintended manner.In this scenario, AI governance should move a few notches higher, right up to architecture-level oversight. We must bake security into data accessibility, integration, permissions, monitoring, and decision workflows from the get-go. With more autonomy given to AI systems, we need controls that are more dynamic and evolve with the technology.Moving forward, teams need to adopt AI with the right amount of visibility, governance, and control. In doing so, security then becomes the operating model for trusted AI adoption.Mark Bayne, chief solutions officer, Cato NetworksSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




