What Lurks in the Dark: Taking Aim at Shadow AI

Generative artificial intelligence tools have unleashed a new era of terror to CISOs still battling longstanding shadow IT security risks.

Steve Won, Chief Product Officer, 1Password

October 27, 2023

4 Min Read
Jack-o'-lantern in a spooky, shadowy setting
Source: James Thew via Alamy Stock Photo

Security teams are confronting a new nightmare this Halloween season: the rise of generative artificial intelligence (AI). Generative AI tools have unleashed a new era of terror for chief information security officers (CISOs), from powering deepfakes that are nearly indistinguishable from reality to creating sophisticated phishing emails that seem startlingly authentic to access logins and steal identities. The generative AI horror show goes beyond identity and access management, with vectors of attack that range from smarter ways to infiltrate code to exposing sensitive proprietary data.

According to a survey from The Conference Board, 56% of employees are using generative AI at work, but just 26% say their organization has a generative AI policy in place. While many companies are trying to implement limitations around using generative AI at work, the age-old search for productivity means that an alarming percentage of employees are using AI without IT's blessing or thinking about potential repercussions. For example, after some employees entered sensitive company information onto ChatGPT, Samsung banned its use as well as that of similar AI tools.

Shadow IT — in which employees use unauthorized IT tools — has been common in the workplace for decades. Now, as generative AI evolves so quickly that CISOs can't fully understand what they're fighting against, a frightening new phenomenon is emerging: shadow AI.

From Shadow IT to Shadow AI

There is a fundamental tension between IT teams, which want control over apps and access to sensitive data in order to protect the company, and employees, who will always seek out tools that help them get more work done faster. Despite countless solutions on the market taking aim at shadow IT by making it more difficult for workers to access unapproved tools and platforms, more than three in 10 employees reported using unauthorized communications and collaboration tools last year.

While most employees' intentions are in the right place — getting more done — the costs can be horrifying. An estimated one-third of successful cyberattacks come from shadow IT and can cost millions. Moreover, 91% of IT professionals feel pressure to compromise security to speed up business operations, and 83% of IT teams feel it's impossible to enforce cybersecurity policies.

Generative AI can add another scary dimension to this predicament when tools accumulate sensitive company data that, when exposed, could damage corporate reputation.

Mindful of these threats, in addition to Samsung, many employers are limiting access to powerful generative AI tools. At the same time, employees are hearing time and time again that they'll fall behind without using AI. Without solutions to help them stay ahead, workers are doing what they'll always do — taking matters into their own hands and using the solutions they need to deliver, with or without IT's permission. So it's no wonder that the Conference Board found that more than half of employees are already using generative AI at work — permitted or not.

Performing a Shadow AI Exorcism

For organizations confronting widespread shadow AI, managing this endless parade of threats may feel like trying to survive an episode of The Walking Dead. And with new AI platforms continually emerging, it can be hard for IT departments to know where to start.

Fortunately, there are time-tested strategies that IT leaders and CISOs can implement to root out unauthorized generative AI tools and scare them off before they begin to possess their companies.

  • Admit the friendly ghosts. Businesses can benefit by proactively providing their workers with useful AI tools that help them be more productive but can also be vetted, deployed, and managed under IT governance. By offering secure generative AI tools and putting policies in place for the type of data uploaded, organizations demonstrate to workers that the enterprise is investing in their success. This creates a culture of support and transparency that can drive better long-term security and improved productivity.

  • Spotlight the demons. Many workers simply don't understand that using generative AI can put their company at tremendous financial risk. Some may not clearly understand the consequences of failing to abide by the rules or may not feel accountable for following them. Alarmingly, security professionals are more likely than other workers (37% vs. 25%) to say they work around their company's policies when trying to solve their IT problems. It's essential to engage the entire workforce, from the CEO to frontline workers, in regular training on the risks involved and their own roles in prevention while enforcing violations judiciously.

  • Regroup your ghostbusters. CISOs would be well-served to reassess existing identity and access management capabilities to ensure they're monitoring for unauthorized AI solutions and can quickly dispatch their top squads when necessary.

Shadow AI is haunting businesses, and it's essential to ward it off. Savvy planning, diligent oversight, proactive communications, and updated security tools can help organizations stay ahead of potential threats. These will help them seize the transformative business value of generative AI without falling victim to the security breaches it will continue to introduce.

About the Author(s)

Steve Won

Chief Product Officer, 1Password

Steve Won is Chief Product Officer of 1Password, where he focuses on strengthening the bond between customers and the world-class security products they rely on.

Prior to joining 1Password, Steve served as Vice President of Product at e-commerce business Shogun, where he oversaw the initiation of the product team as well as leading multiple high-impact partnerships programs. Previously, he was Head of Authentication Products at Duo Security. As an early employee, Steve contributed across Customer Success, Product Marketing, and Product Management disciplines as the company grew to become a leader in user authentication and was acquired by Cisco in 2018.

Steve lives in Seattle with his wife and two daughters.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights