IDC Names Securiti a Worldwide Leader in Data Privacy

View

AI Risk Assessment : Mitigating Risks in the Age of Generative AI

Published January 16, 2024

Listen to the content

Introduction & Current Situation

Artificial Intelligence (AI) is well and truly here. No longer the subject of futuristic sci-fi adaptations, 2023 marked a tremendous leap forward for technology, with Generative AI becoming increasingly adopted within the business world. The biggest companies in the world are locked in intense competition right now, trying to outwit each other by developing their own AI frameworks and models with the express purpose of delivering better productivity and results than ever before.

The excitement is not without merit, with a recent McKinsey report estimating the GenAI industry potentially generating between $2.6-$4.4 trillion in value within the next few years. This, combined with the potential applications of AI in nearly every major industry, paints a delightful portrait of a more automated and productive future.

That is if AI is appropriately managed.

Like any other technological leap, one key facet of challenges posed by AI is to understand and quantify the risks posed by AI. For businesses that hope to leverage the potential of AI, understanding any and all risks associated with AI is not simply a matter of regulatory compliance but of strategic importance. How they chart this course will have a lasting financial, operational, and reputational impact.

Few organizations have unfortunately had to find this out for themselves, with critical operational discrepancies borne out of both inexperience with the technology and the lack of a clear framework with guidelines on managing its usage responsibly.

Whether it’s Morgan Stanley cracking down on the use of ChatGPT by its staff citing possibilities of hallucination while generating convincing outputs that are factually incorrect, Samsung banning its staff from using any GenAI tools after reports of multiple sensitive IP code being uploaded to such platforms, or the Dutch “toeslagenaffaire” scandal, where thousands of Dutch citizens had incorrectly been penalized by the tax authorities for suspected child care benefits fraud using a self-learning algorithm, these episodes echo the aforementioned problems of both inexperience and lack of a clear framework for responsible usage.

Gartner recently reported in its findings that organizations that are successful in operationalizing secure and trustworthy AI infrastructure stand to see a 50% increase in the likelihood of successful AI adoption and subsequent business objectives.

So, staying away from AI is not an option worth considering.

An AI risk assessment is designed to be a highly comprehensive and dynamic exercise that evolves apropos to the AI landscape and the unique needs of the businesses themselves. It not only helps identify all relevant risks an organization may be subject to but aids in the development of the strategies best poised to mitigate these risks.

Understanding AI Risks

AI poses significant risks and challenges for organizations hoping to implement it within their existing operations. The most significant and immediate risks of such an endeavor include:

AI Model Risks

Model Poisoning

Malicious actors use model poisoning to compromise the learning process of an AI model by injecting the training dataset with false and misleading data. As a result, the model learns incorrect patterns, leading to erroneous conclusions. Model poisoning can severely compromise the integrity and reliability of an AI model, leading to both bias and hallucination within the generated outputs.

Bias

Bias within AI models occurs when the output generated is prejudiced owing to the discriminatory assumptions embedded within the dataset it was trained on. This can be reflected in numerous forms, such as racial, gender, socio-economic, or political bias. The source of bias is almost always the training dataset which was not sufficiently neutral or contained historical bias. The subsequent biased outputs can lead to adverse effects in critical areas where AI decision-making capabilities are leveraged, such as recruitment, credit evaluations, and criminal justice.

Hallucination

Hallucination within an AI model occurs when a generated output is false or corrupt due to being trained on a compromised dataset. The generated output is coherent but fabricated, reflecting the limitations of the AI model’s capabilities in terms of understanding context and its reliance on defined patterns learned during training.

Prompt Usage Risks

Prompt Injection

A prompt injection attack aims to compromise an AI model’s generated outputs by manipulating the input prompt. This is usually done by disguising the input dataset in a manner that would trigger a compromised response from the model. Consequently, the outputs generated in the aftermath may be false, biased, or misleading.

Prompt DoS

Malicious actors can also leverage a Denial of Service (DoS) attack to trigger automated responses within AI models and systems that have used a compromised dataset. Such an attack can be used to overload a system, with the purpose of crashing it once a compromised prompt is run.

Exfiltration Risks

Hackers and malicious actors may exploit certain words, phrases, and terminologies to reverse engineer and leak training data. These malicious actors gain access to a compromised training dataset. Information from such a dataset is reverse-engineered to exploit any sensitive data within the compromised dataset.

Other Risks

Sensitive Data Risk

AI models require extensive training on training sets to be functional. Often, such datasets contain personal and sensitive data. If not appropriately managed and protected, such data can be vulnerable to all manner of risks, such as breaches, unauthorized access, and misuse, which can result in privacy violations, corporate sabotage, and identity theft. Hence, it is critical for organizations to adequately encrypt and deploy appropriate access controls on all such data that is to be used as part of a training dataset.

Data Leakage

Data leakage occurs when test data not meant to be part of the AI model’s training dataset ends up influencing the model. This can not only lead to operational issues such as overfitting and poor generalization but can also end up potentially exposing private messages, financial records, and personally identifiable information (PII) if not properly curated.

Non-Regulatory Compliance

Most organizations are still experimenting with the best approach to maximizing the potential of AI capabilities while ensuring compliance with the necessary data protection regulations. This is further exacerbated by new AI regulations coming into effect globally, leading to new compliance considerations organizations must consider depending on separate jurisdictions. Non-compliance not only leaves organizations subject to legal penalties but results in a loss of public trust.

AI Risk Assessments & Global AI Regulations

As AI continues to expand in both capabilities and operations, it has become increasingly important for organizations to conduct regular and comprehensive risk assessments to ensure the safe use of such capabilities while ensuring adherence to global AI regulations to the best of their ability.

While this is easier said than done owing to the diverse nature of global AI regulations in addition to their sheer number, these regulations serve as critical frameworks that allow organizations a foundation to build upon when addressing the unique risks posed by AI developments. Additionally, such assessments are vital in helping organizations balance innovation with affording appropriate protection for their customers’ digital rights.

Global AI Law Overview

Although AI regulation is an umbrella term, the global state of AI-specific laws reflects a highly diverse picture owing to the unique cultural, ethical, and social values such laws have to address and adhere to.

Landmark regulations such as the European Union’s AI Act, the GDPR, and Canada’s Artificial Intelligence Data Act (AIDA) each provide a unique but strict set of guidelines pertinent to data privacy, user consent, and how organizations must responsibly implement the use of any AI systems that might affect the former two.

On the other hand, the United States has taken a comparatively more laissez-faire approach. In the absence of federal regulation, states and individual departments have instead been empowered to develop, implement, and assess various strategies, guidelines, and standards to curate AI-related matters.

However, the United States may be shifting towards a more uniform approach, as signified by Executive Order 14110. Officially titled “Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”, it was signed by President Joe Biden in October 2023.

Among other things, the order elaborates on how the US federal government aims to take a more proactive approach toward both AI development and governance. Additionally, it calls on all executive agencies currently using AI capabilities to take proactive measures in aiding the government in its goals, most notably by requiring all such agencies to hire a chief AI officer.

AI Risk Assessment Provisions

While different AI regulations will require organizations to undertake a variety of assessments and measures to ensure compliance, risk assessment provisions are one of the few cornerstones of each of these regulations.

An effective AI risk assessment constitutes a thorough and rigorous process where all AI models, systems, and capabilities deployed within an organization are evaluated to identify and mitigate any potential risks across different domains, such as security, privacy, fairness, and accountability.

  • Bias Assessment - Addressing the issue of bias within AI systems and models, specifically the input datasets, to monitor for any discrepancies in the form of discriminatory elements that may lead to potential bias in the generated outputs.
  • Algorithmic Impact Assessment - Focusing on the operational aspect of AI, specifically the generated outputs such as decision-making processes, data usage, and recommendations.
  • AI Impact Assessment - Evaluating the broader implications of the use of specific AI systems and models while taking into account any and all social, ethical, and environmental factors that ought to be considered.
  • AI Classification Assessment - Determining the categories of AI systems and models currently in use within the organization. These should be classified on a (low-medium-high) scale depending on their intended use and potential impact on the organization itself.

Challenges of AI Risk Assessment

While AI risk assessments are a critical tool that can be of tremendous help to organizations, they come with a host of challenges. These include the following:

Lack of Transparency

Transparency, or lack of it, is both a functional and ethical challenge in nearly every major AI system. It is often described as a “blackbox” within the AI industry as the developers of AI systems and models themselves have fairly little knowledge of how these systems and models make their decisions.

Not only does this vagueness affect the ability to address issues of effectiveness and efficiency appropriately, but it also leaves organizations relying on estimates when assessing the risks posed by these systems and models.

Rapid Technological Leaps

It is crucial to both understand and acknowledge the fact that in this particular space, the technology is developing at a vastly superior pace than the governance measures can keep up with. Every technological leap brings with it new possibilities but leaves organizations just as perplexed on how to deal with the various challenges that arise as a result.

Legal frameworks and risk assessment methodologies are being developed that can help organizations appropriately address the challenges that AI presents but these challenges are constantly evolving. The frameworks and methodologies are developed following a laborious and comprehensive process, highlighting how certain technologies and developments still need to be more regulated or sufficiently scrutinized.

Regulatory compliance often proves to be a herculean task for most organizations. Navigating the complicated and complex web of international, national, regional, and local regulations can leave organizations stretched thin, both in terms of resources and functionality. Different regulations often place different legal standards and requirements upon organizations, representing a challenge for organizations to continue their operations while maintaining the quality of products and services provided.

AI regulations can be especially challenging owing to their dynamic nature and how there is yet to be a globally recognized approach towards such regulations. Different jurisdictions have adopted different approaches, with the US poised for a barrage of numerous AI-related federal and state laws in the near future, indicating the battle for regulatory compliance that lies ahead for organizations of all sizes.

Ethical Dilemmas

Arguably, one of the more pressing issues for organizations levering AI capabilities lies in the ethical dilemmas that arise as a result. Most AI systems and models are developed based on the fundamental principle of minimizing and replacing the human element within decision-making. However, while decisions of such nature carry better technical merit, they often need to take into account several other subjective factors.

While such subjective factors as fairness and bias are critical goals being pursued in the development of better datasets for AI to be trained on, it leaves organizations currently in limbo when dealing with the moral implications of AI within sensitive sectors such as healthcare and criminal justice.

Best Practices for AI Risk Mitigation

This section elaborates on certain best practices an organization can rely on when carrying out an AI risk assessment:

AI Model Discovery

An organization must have a comprehensive understanding of its internal AI infrastructure. To this end, it must ensure it has a catalog detailing all the AI models in use across its public clouds, SaaS applications, and private environments.

Once all AI models in use have been identified and cataloged, it is just as important to classify them appropriately. Organizations can choose to classify all AI models per their unique needs. Appropriate classification helps organizations plan their risk mitigation and data protection mechanisms accordingly.

AI Model Risk Assessment

Once an organization has appropriately classified all AI models, it can proceed to evaluate each model for the various risks it may be exposed to. Doing so is not only an effective way to comply with various global regulatory requirements but can help in identifying and mitigating the following risks:

  • Bias
  • Copyrighted data elements
  • Disinformation/Hallucinations
  • Efficiency (e.g., training energy consumption, inference runtime)

Data & AI Mapping and Flows

Once an organization has an appropriate understanding of all AI models in-use as well as the unique risks associated with them, they can then proceed to connecting AI models to the relevant data sources, data processing paths, vendors, potential risks, and compliance obligations. Doing so not only helps create a foundation for AI risk management processes but also allows for continuous monitoring of all data flow.

This allows for a more in-depth context around the AI models in use within the organization while also establishing mechanisms that facilitate proactive measures to mitigate, or at the very least, minimize, any privacy, security, and ethical risks before they materialize.

Data & AI Controls

With robust data and AI controls, organizations can thoroughly curate model inputs and outputs, ensuring they can identify and counter any of the aforementioned risks.

Furthermore, establishing these controls ensures that any dataset ingested into the AI models aligns with the organization’s enterprise data policies. Additionally, such controls also facilitate an organization’s other data-related obligations, such as consent opt-outs, access and deletion DSR fulfillments, and compliance-driven user disclosures, allowing for seamless use of AI models per the regulatory requirements.

Lastly, such controls also allow for access governance, enabling strict policies related to which personnel and AI models have access to sensitive data assets by establishing the Principle of Least Privilege (PoLP).

How Securiti Can Help

Just as AI is a highly dynamic field, constantly evolving in terms of capabilities and possibilities, AI regulations mirror this phenomenon. Globally, countries are deliberating on how best to regulate this technology without impeding the innovation that fuels it. Hence, responsible and considerate legislation becomes that much more critical.

Organizations that are at the forefront of the development, adoption, and improvement of these AI capabilities are likely to find themselves under intense scrutiny as a result. How they approach this technology will play a pivotal role in the shaping of AI regulations.

Securiti, a global market leader in enterprise data privacy, security, compliance, and governance solutions, can greatly help in empowering organizations to adopt AI capabilities within their operations while ensuring regulatory compliance.

Thanks to its Data Command Center, an enterprise solution based on a Unified Data Controls framework, it can enable organizations to optimize their oversight and compliance with various data and AI regulatory obligations.

Easy to use, deploy, and monitor, the Data Command Center comes equipped with all the modules and solutions necessary to ensure organizations can seamlessly automate and monitor various consent, privacy policy, and DSR-related obligations from a centralized dashboard in real-time.

Request a demo today and learn more about how Securiti can help your organization comply with AI-specific regulations you may be subject to.

Frequently Asked Questions

Here are some of the common questions related to AI risk assessments:

There’s no objective answer to this. Decisions related to the frequency of the assessments depend on the unique development and deployment process within the organization. Ideally, there should be periodic reviews, with at least a yearly assessment, to ensure appropriate updates are in place. Other organizations may find bi-annual or quarterly reviews to be better suited to their needs.

When conducting an AI risk assessment, it’s better to ensure stakeholders from all departments that either contribute to the AI models in use or use these models to deliver services are on board. This can include data scientists, engineers, legal teams, marketing teams, as well as the compliance department.

Yes, one of the most direct and immediate benefits of an AI risk assessment is that it can promptly identify potential sources of bias within all datasets, processes, or algorithms in use within an organization. Corrective measures can then be implemented as deemed necessary.

An AI risk assessment will typically focus on AI and machine learning-related systems, such as bias, data quality, and ethical considerations. A traditional IT risk assessment focuses on the broader IT security and operational risks, such as network security and data breaches.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Share


More Stories that May Interest You

Follow