Banning AI ❌ or regulating its use in companies? ⚖
In all cases, better to have a document that defines do's and don'ts.
From an info security management perspective, here's what I would include in an AI security policy:
1. Clarifying policy purpose. Is it about ChatGPT? AI chrome extensions? Are we defining what can or can't be done?
2. Defining scope. Beyond tools covered by the policy, you should explicit who shall this policy apply to.
3. Identified security risks. If you ask people to be compliance with an AI policy... it's better to remind the risks this policy tries to manage.
4. Explain how people will access AI tools. Is it people using ChatGPT with personal accounts? Is it ChatGPT Enterprise? Is it through company-managed extensions...? Once again clarity in what you allow or not is key.
5. Personnel authorized to access AI tools. If some people, due to their specific role, are expected not to use assistance of AI tools, mention it.
6. Authentification mechanisms. Here's where you would enforce or recommend MFA, among other auth. methods, for example.
7. Data Protection measures. Mention key AI tools expected to be used in the company, and detail the data protection measures and retention periods you expect them to apply, based on relevant research.
8. Explain the expected uses of AI in the company. i.e., customer support, content redaction, processes improvement, etc.
9. GOLD: explicitly say what's forbidden. What are the uses cases for which employees can't use AI? It shouldn't be left for guessing.
10. Confidential data. What type of information should never be sent to ChatGPT (or any other tool) ? Here as well. Say it.
11. Use of monitoring tools. If you use a Data Leakage Prevention service to monitor ChatGPT or any other AI tool usage, say it. You can also mention a restriction on browser extensions installation, even if it is a limited control measure.
12. Training. This is my favorite part. No real AI prudent behaviour without real AI security awareness training. Say what you do about it.
13. As usual, explain what will trigger any review of the policy.
It's been long to write these words,
So I can't even imagine writing an AI security policy from scratch.
For this reason, I built an AI Security Policy Generator.
Check it out 👉 : https://app.ismspolicygenerator.com/demo_ai_security_policy/