Artificial intelligence continues to evolve rapidly, with solutions emerging to enhance worker productivity, help businesses develop products more quickly, and improve business operations. Implementing these solutions, however, means introducing a bevy of new AI apps and agents, and that means introducing security risks.
“AI technology has evolved rapidly, from single modal foundation models to multi-modal to reasoning models to agentic AI,” says Vimal Navis, Principal with PwC focused on Cyber, Data and Tech Risk. “Industry frameworks, standards, and cybersecurity controls are taking time to catch up. The gap becomes debt.”
It’s a tricky balancing act because employees have easy access to a slew of coding assistants and other AI tools, which creates at least two problems. First, as new capabilities come on board, they may make existing ones redundant, leaving behind tools nobody retires and adding to the problem of technical debt.
Second, each new solution can introduce a potential security risk and, to the extent it operates without the knowledge of IT, it adds to the problem of shadow IT, or shadow AI in this case.
Shadow AI, in turn, adds to the AI security debt. “Even within approved tools, new AI features are being added that IT may not be prepared for,” Navis says. Think of a new AI chatbot or query engine being added to a CRM tool, or connectors to external applications, for example. While such features may be useful, they also pose security challenges: each one widens the set of data the tool can reach and the set of inputs it accepts, opening new forms of attack that companies may not be prepared to defend against.
Managing AI Starts with the Right Tools: A Look at Microsoft
Microsoft is starting to treat AI agents as first-class enterprise assets that can be inventoried, governed, and monitored. That is important because AI security debt often comes from moving fast on innovation while losing track of what was deployed, what it can access, and who is accountable for it.
With Microsoft Agent 365, IT gets a view of agents that are registered and interact with the organization’s Microsoft stack. IT can set policies for who can create, onboard, and manage agents.
Agent 365, together with Microsoft Defender, helps organizations observe, secure, and govern AI agents across the enterprise. It can help detect suspicious and malicious agent activity, visualize potential attack paths from agents to critical assets, and support remediation of agent misconfigurations, exposure risks, and related vulnerabilities, among other capabilities.
Similarly, Microsoft Purview can be used to check for incorrect or excessive permissions on sensitive data and to apply strict controls to it. Purview DLP can help organizations tackle sensitive data leaking through prompts, chat histories, connectors, and retrieval paths.
Additionally, Microsoft Entra now includes identity and network access capabilities that apply to AI agents – aimed at applying zero trust principles to non-human actors.
Microsoft Defender for Cloud Apps can help govern agent-related SaaS and genAI usage by discovering shadow AI apps, assessing risk, controlling unsanctioned apps, governing OAuth access, and applying real-time session and data protection controls.
If all this sounds like a lot to tackle, companies can turn to PwC, a Microsoft Agent 365 launch partner, for assistance.
“We help companies assess the rapidly evolving threat landscape, identify where AI security debt is accumulating fastest, and translate requirements into workable controls aligned to Microsoft’s expanding capabilities,” Navis says. “We help them get a view of the threat model and help confirm their controls can keep up without compromising on the speed of innovation.”
Learn more about how PwC can help you employ AI securely. Read, “Building trust in AI from the ground up: How you can secure the data behind it,” by PwC’s Vimal Navis and Joe Ponder.
Read More from This Article: Innovate fast, owe less: A practical path to help reduce AI security debt