3 steps to eliminate shadow AI

Imagine a highly competitive market where the urgency to innovate is high. A product manager is under immense pressure to deliver complex customer insights that could pivot the company’s product strategy. Frustrated by the lack of generative AI tools, he discovers a free online tool that analyzes his data and generates the report he needs in a fraction of the usual time. His manager praises his efficiency and the depth and breadth of insights he produces.

The accolades are short-lived. A routine audit uncovers severe compliance issues with how the tool accesses and stores data. It also flags a potential data leak, undermining what was initially seen as a breakthrough innovation.

Similar events have unfolded in multiple industries, and that’s not surprising given that 93% of IT and data decision-makers globally report that their organizations already use generative AI in some capacity. These same decision-makers identify a host of challenges in implementing generative AI, so chances are that a significant portion of use is “unsanctioned.” In fact, over half the AI users in a recent study say they’re “reluctant to admit” using AI because of concerns that using it makes “them look replaceable.” The familiar narrative illustrates the double-edged sword of “shadow AI”—technologies used to accomplish AI-powered tasks without corporate approval or oversight, bringing quick wins but potentially exposing organizations to significant risks. 

The allure of generative AI

As AI theorist Eliezer Yudkowsky wrote, “By far the greatest danger of Artificial Intelligence is that people conclude too early that they understand it.” While his statement long predates the incredible generative AI explosion of 2023, his point is even more relevant in the case of free online generative AI tools. Unsanctioned by IT, these tools offer ease of access and use that can cloud the judgment of even well-intentioned employees to the broader implications of their choices.

The perils of unsanctioned generative AI

The added risks of shadow generative AI are specific and tangible and can threaten organizations’ integrity and security. Unmonitored AI tools can lead to decisions or actions that undermine regulatory and corporate compliance measures, particularly in sectors where data handling and processing are tightly regulated, such as finance and healthcare.

Generative AI models can perpetuate and amplify biases in training data when constructing output. Models can produce material that may infringe on copyrights. If not properly trained, these models can replicate code that may violate licensing terms. If the code isn’t appropriately tested and validated, the software in which it’s embedded may be unstable or error-prone, presenting long-term maintenance issues and costs. The generated code could contain undetected malicious code that further risks the severe consequences of a data breach and system downtime.  

Ultimately, mismanaged AI interactions, especially in customer-facing applications, can lead to regulatory and public relations issues if they violate laws or lead to poor customer experiences or ethical concerns, such as when bias taints AI outputs. It’s up to leaders to wrap the guardrails around shadow generative AI to prevent the “pros” from being “cons” that expose their organizations and employees to unintended consequences.  

How C-suite executives can bridge the chasm  

With “78% of AI users bringing their own AI tools to work,” a growing chasm exists between what employees want and what IT and AI teams can safely provide. A study of 700 IT and data decision-makers sponsored by Iron Mountain indicates that 36% rank “protecting and managing the data and other assets created by generative AI” among the top challenges they face. “Creating and enforcing generative AI policies” closely follows at 35%. Following are three recommendations for encouraging innovation while maintaining security, compliance, ethics, and governance standards.

Sync your AI, security, and asset governance strategies

To fully leverage the benefits of AI while maintaining security and compliance, it’s crucial to integrate AI governance with your overall organizational strategy. Examples of initial steps:

• Communicate the role of AI in achieving your strategic objectives, ensuring alignment with business goals and operational needs.
• Establish comprehensive guidelines that address ethical considerations, data privacy, and regulatory compliance to ensure responsible AI deployment.
• Create committees or roles specifically responsible for overseeing AI deployments across the organization, including those initiated by individual departments.
• Form dedicated governance structures to monitor, evaluate, and guide AI initiatives, ensuring consistent oversight and accountability.
• Integrate AI-specific security measures into existing IT frameworks to mitigate risks and safeguard against potential threats.

Foster a culture of responsible AI use

A recent study shows that “65% of respondents admit they lack education around generative AI.” Promoting responsible AI use within your organization involves creating a supportive environment and clear guidelines to ensure ethical and safe practices. Here are essential steps to foster such a culture:

• Involve generative AI users and functional experts in developing written guidelines and protocols for various departments–such as marketing, engineering, human resources, patient care, and customer-facing decision processes–to ensure appropriate and ethical use in specific environments.
• Provide end-user training on using enterprise-grade applications and platforms with integrated generative AI. This will increase data value while safeguarding against data breaches.
• Establish continuous training emphasizing ethical considerations and potential risks.
• Provide sandboxes for safe testing of AI tools and applications and appropriate policies and guardrails for experimentation. 

Leverage AI for strategic advantage

Using AI effectively can provide a significant competitive edge by creating new value from your data. These steps can help: 

• Empower employees to experiment with integrated generative AI in a secure environment. This can improve productivity and job satisfaction by eliminating monotony in their day-to-day activities and encouraging them to recommend additional uses. 
• Maintain a comprehensive catalog of AI tools used across the organization, managed by IT or an AI leader, to streamline the integration and management of valuable applications.
• Review and integrate successful experimental AI projects into the company’s main operational framework.
• Evaluate the performance of AI initiatives to gather insights, refine strategies, and ensure that AI investments drive desired business outcomes.

Conclusion

For C-suite executives, shadow AI presents formidable challenges but also significant opportunities. By understanding its dual nature, executives can formulate strategies that harness the benefits of decentralized AI innovations while mitigating the associated risks. The key lies in creating a balanced environment where innovation is nurtured and governance is enforced, ultimately steering the company toward sustained growth and success in an AI-driven world.

Learn more in this paper about shadow AI and options you can take to protect your enterprise.
  
Visit our Iron Mountain InSight® Digital Experience Platform (DXP) page to see how you can use secure generative AI built into the platform to help you access, manage, and govern your physical and digital information.