No one is guarding the gates of enterprise AI

  • Enterprises want the benefits of AI but aren't fully fleshing out their AI governance strategies, IBM found
  • A lack of governance opens the door to more risk, especially in an environment ripe for a rise in AI-focused attacks
  • Access controls are a key security element enterprises should focus on

You’ve heard of technical debt, but what about security debt? It turns out enterprises are racking up a whole lot of that as they race to deploy AI.

A newly released study from IBM found a stunning lack of AI oversight in the corporate sphere. Of the 600 companies surveyed for the report, a whopping 63% said they had no AI governance policies in place.

The same day IBM’s report came out, AuditBoard released its own report, which found only 25% of respondents had a fully implemented AI governance program.

Why does this matter? Well, governance policies are designed to provide critical oversight, outlining guidelines and processes for the deployment and management of AI systems. Among other benefits, they can help with user authentication (aka access control) and guard against the use of so-called “shadow AI” (aka unauthorized tools).

“By neglecting foundational cybersecurity practices when adopting AI, companies leave themselves vulnerable to operational disruption of AI-based workloads, large-scale data breaches that span multi-cloud and on-premise environments, and the potential exposure of intellectual property used to train or tune their AI implementations,” Limor Kessem, IBM’s global lead for X-Force Cyber Crisis Management, wrote in a blog post.

The global average cost of a data breach fell slightly year on year to $4.4 million, but in the U.S. that figure rose 9% to $10.2 million. Either way, AI security is an expensive problem to let slide.

All about access

Access control in particular seems to be vitally important. IBM’s report found that only 13% of organizations reported attacks that impacted their AI models or applications. But within that cohort, 97% of respondents lacked sufficient access controls.

Kessem noted that while the percentage of attacks directly impacting AI is small for now, AI is emerging as a key target.

“We are likely to see many more in the coming 12 months, unless security leaders and their business counterparts recognize the risk and pivot to focus more intently on AI security,” she wrote.

IBM isn’t alone in banging the drum about access control. Altman Solon previously highlighted access control as a key element of governance that telcos should pursue. And Palo Alto Networks and SentinelOne have also been trying to spread the good word about access control.