Hackers of India

CISO’s take on BYOAI

By Venugopal Parameswara on 15 Nov 2024 @ C0c0n
πŸ“Ή Video πŸ”— Link
#risk-management #security-governance #security-compliance #architecture #security-training #devsecops
Focus Areas: βš–οΈ Governance, Risk & Compliance , πŸ” Application Security , πŸ—οΈ Security Architecture , πŸ“š Security Awareness

Presentation Material

AI Generated Summary

The talk addresses the security challenges posed by “bring your own AI” (BYOAI), where employees independently adopt external AI services or tools without centralized IT oversight. This trend, driven by high productivity gains (70-85% adoption in Indian knowledge sectors), creates significant risks including data exposure, non-compliance with organizational policies, and lack of visibility.

A key case study illustrates an auditor using an AI service to generate a Python script for automating a daily report. The script required database credentials, and the user opted to share feedback with the AI provider, inadvertently transmitting corporate data. This exemplifies common issues: unsanctioned AI asset proliferation, sensitive data leakage to third parties, and potential violations of privacy or regulatory standards.

The speaker proposes a security framework focusing on three core components of AI systems: data, models, and usage.

  • Data risks include poisoning (tampered training data) and exfiltration via unsanctioned outputs. Mitigations involve discovering unsanctioned AI assets through agent-based scanning, classifying AI tools based on data sensitivity (e.g., PII access), and applying access controls and encryption.
  • Model risks involve malicious or biased pre-trained models, vulnerable plugins, and intellectual property theft. Countermeasures include validating model sources, hardening configurations, managing dependencies, and ensuring patch management for underlying libraries.
  • Usage risks include prompt injection (manipulating AI outputs), denial-of-service, and model theft via probing. Detection requires AI-aware monitoring, such as extended detection and response (XDR) tools that analyze AI behavior, and analytics for plugin activity.

Practical implications stress integrating AI-specific controls with existing infrastructure security. Organizations must establish acceptable use policies for AI, classify permissible tools, conduct employee training, and implement continuous governance and monitoring. The overarching goal is to enable productive AI adoption while systematically addressing the expanded attack surface introduced by decentralized AI consumption.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview β€” always refer to the original talk for authoritative content. Learn more about our AI experiments.