COMMENTARY: The rise of generative AI (GenAI) has reshaped business processes, decision-making, and how we interact with data. While the benefits are clear—improved efficiencies, enhanced creativity, and new growth opportunities—the risks are just as significant, particularly when it comes to security and privacy.
For C-suite leaders, the challenge lies in navigating these complex trade-offs and implementing a framework that balances innovation with responsible governance.
At the heart of the challenge and the risk around AI lies the fundamental uncertainty surrounding how large language models (LLMs) handle data. Proprietary information entered into AI tools may get stored in the cloud or even in foreign jurisdictions with different privacy laws, exposing companies to potential data breaches. The risk escalates when third-party vendors use AI, increasing the chances of unintentional data leaks without proper governance.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Externally, AI has empowered threat actors, from cybercriminals to nation-states, to enhance their attacks with unprecedented speed and scale, including AI-generated phishing schemes and deepfakes, which pose a significant threat to enterprise security.
Compounding this has been the emergence of AI tools sold on dark web marketplaces, such as black-hat versions of ChatGPT, designed explicitly to help bad actors scale their attacks.
But it’s not just about external attackers—the risk of insiders inadvertently misusing AI tools has become universal. An employee who uploads confidential information into a generative AI model might unintentionally expose the company to data leakage, particularly if the AI service provider’s terms and conditions don’t guarantee data privacy.
C-suite executives must ensure that both their internal workforce and third-party partners are aware of these evolving risks to effectively mitigate them.
As organizations embrace AI, many are finding themselves at a governance crossroads. Some of the world’s largest companies have started putting frameworks in place, but there’s still no standard approach to managing AI usage. C-suite leaders need to focus on developing robust governance structures that align with their risk appetite while ensuring compliance with data protection regulations.
For organizations such as law firms and financial services providers, governance committees are emerging as a critical tool in navigating AI use. These committees often include important stakeholders: CEOs, CISOs, chief risk officers, and legal teams tasked with overseeing how AI gets integrated into business operations.
But governance is not just about creating rules. It’s about developing a culture of responsibility around AI. What’s needed are clear policies that define how AI gets used, who has access to it, and how the company will monitor AI. It’s also vital to remember that outright bans on AI tools can drive employees to use unsanctioned, unmonitored services, creating even greater risks. Instead, organizations must embrace AI responsibly and focus on visibility—ensuring that leaders know what tools are being used, by whom, and for what purpose.
Finding the right balance between privacy and security in the age of AI goes beyond just mitigating technical risks. It requires a holistic approach that considers the ethical implications of AI use. For instance, bias in AI models can lead to discriminatory outcomes, while AI-generated hallucinations—where models produce false or misleading information—can create legal liabilities or influence poor business decisions.
To address these issues, companies are turning to methods like pseudonymization to protect personal identifiable information (PII) when feeding data into AI systems. By removing or masking sensitive information, organizations can reduce the chances of AI models producing biased or harmful outputs while preserving the privacy of individuals.
Another critical aspect of balancing privacy and security is education. Employees need to understand the risks of using AI tools both in their professional and personal lives. C-suite leaders should frame their education initiatives in a way that resonates on a personal level—highlighting how the misuse of AI could affect their families’ privacy and security as well as the company’s.
Recommendations for proactive governance
As the threat landscape evolves, organizations must prioritize their security and resilience. Adopting a proactive stance towards AI governance can help organizations stay one step ahead.
The following list offers a clear flowchart for getting started:
As AI continues to transform how businesses operate, the stakes for balancing privacy and security have never been higher. C-suite leaders and CISOs must approach AI governance proactively, putting structures in place that mitigate risk while empowering employees to harness AI’s potential responsibly. In this rapidly evolving landscape, the organizations that strike the right balance between security, privacy, and innovation are well-positioned for long-term success.
Mohan Koo, co-founder and President, DTEX Systems
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.