Are practices for managing shadow IT applicable to GenAI tools? If not, how are you changing your approach in order to manage shadow AI at your organization?

Board Member, Advisor, Executive Coach in Software, 2 years ago

Shadow IT usually happens because IT isn't keeping up with the needs of the business or user. So if you create a forward-leaning approach to any new capabilities with early adopters and engagement with users/the business, you will have less shadow IT in my view.

SVP - Global Technology Services in Travel and Hospitality, 2 years ago

We've developed a policy for utilizing Freeware and public General AI tools. We recommend that business units submit a detailed use case to guide them towards our private, secure, and pre-approved instances for enhanced security and efficiency.

Senior Director in Travel and Hospitality, 2 years ago

Whilst they are similar, I think the big difference is that knowledge of how to use new GenAI tools is much easier to come by, so the risk of there being a key person dependency (usually very high with shadow IT) isn’t as prevalent. 
We have put in place guidelines for use to support adoption of AI, and some guardrails there to prevent exfiltration of data, but are actively encouraging adoption rather than discouraging it as we would shadow IT.

Director of IT in Transportation, 2 years ago

We are treating employee use of AI/GenAI by adding a new section to our Acceptable Use policy, with simple but clear guidance about what is allowed and what is prohibited and what requires senior exec approval.

CISO/CPO & Adjunct Law Professor in Finance (non-banking), 2 years ago

Yes, it should be treated the same. As usual, an understanding of the risk should be socialized enterprise-wide. Employees hear about positives in the media before hearing about negatives, if the media mentions negatives at all. XaaS, BYOD and now AI all present risks from shadow IT.

An additional factor is the fact that Covid blurred the line between Shadow IT and regular IT for some, because steps were taken to ensure employees remained productive. Even now, some employees seek to continue their near autonomy with technology. 

A clear policy on AI use would be helpful in ensuring all users know about the issue and are held accountable, in much the same way as preventing sending corporate email to personal accounts or blocking uploading corporate files to unauthorized locations. Making the issue known takes it out of the shadows.
