AI Security: tips to write a comprehensive policy
Regulating AI use in your company doesn't have to be complicated.
Not regulating AI use in a company can give headaches...
(Yes, handling incidents, note-taking apps listening to business meetings, and so on, isn’t fun).
Regulating AI use can also be hard, when you don't know where to start.
But happily enough, some people already gave it a thought.
Here's what I think an AI Security Policy should contain:
1. Purpose. Why are you regulating AI use? Protect sensitive data? Be clear about the goals; your staff will thank you.
2. Scope. What are the tools under this policy? ChatGPT? Google Bard? All AI extensions? Vendors using AI? The clearer, the better.
3. Risks. Explain to your staff the risks this policy is supposed to mitigate: data breach, misuse of AI-generated content, failure to align with data protection regulations, etc.
4. Access to AI tools. Explain how employees should access AI tools. Requesting their manager, sending a ticket to IT support, etc. If shadow (i.e., self-installation of AI tools) is forbidden, say it and suggest alternatives.
5. Who is it for: Specify who is supposed to access AI tools, and for what purpose.
6. Explain the security authentication mechanisms AI tools should have. For example, require tools under scope to be used with multi-factor authentication.
7. Protection of sensitive information. Give guidelines such as not providing personal info or company names in AI conversations, turning off conversation history in AI tools, and so on.
8. Authorized and prohibited use cases: draw the line between acceptable and forbidden AI uses in your company.
9. Data retention: clarify how you control and try to minimize retention of your company data in AI tools used by the company.
10. Monitoring tool: do you use any Data Leakage Prevention tool capable of monitoring interactions with ChatGPT or equivalent? If yes, mention it.
11. Training and awareness: if you require staff to follow a ChatGPT security training, mention it.
That's already something.
This is a complicated topic and there's no silver bullet, but I hope this helps.
PS, you don't have to start from scratch. Get your AI security policy:
https://lnkd.in/dWjvRiDe
It’s free, and you won’t be subscribed to a newsletter or anything. Just to make your job easier.
Did you already write an AI security policy? Or are you stuck? If yes, what’s your issue?
I would love to hear your thoughts.
Best,
Tristan