What are the basic controls, especially technical ones, that are considered most important for mitigating GenAI risks in the enterprise?
Sort By:
Oldest
VP of Information Security in Software3 months ago
I agree with Andrea's emphasis on education and communication. Given the novelty of GenAI technologies, there isn't a universally accepted method for handling them. However, treating them like any other new technology—by educating and discussing their implications thoroughly—seems to be an effective strategy.AVP of Information Security3 months ago
Community members, this is a great topic and I think it depends upon the industry that each of us is in. For healthcare, cardholder, or financial services I would recommend the following controls:1. An AI policy or security stance outlining the rules of engagement
2. DLP scanning of any repositories in order to identify whether classified data exists within the data sources that may be leveraged for any LLM.
2. A CASB endpoint software configuration that allows you to control any uploads of classified data is being uploaded to site categorized as AI in your Secure Web Gateway
Group Director of Information Security in Banking2 months ago
Basic Controls, especially technical ones changes from one use case to another. You need to concentrate on use cases. For example:1. If you are using the most often deployed Retrieval Augmented Generation (RAG) in Azure AI Search, below is a good source of basic controls to build within:
https://learn.microsoft.com/en-us/azure/search/search-security-overview
2. If you have subscribed to Copilot for Microsoft 365, then take a look at ' How does Microsoft Copilot for Microsoft 365 protect organizational data?' This will give guidance for some controls to consider.
https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy
3. Controls market is split between products that claim to mitigate GenAI risks in areas of Content Anomaly Detection, Privacy & Data Protection and AI Application Security. Calypso AI, Lasso Security and Robust Intelligence products comes near to covering 2 of the 3 areas. As it's a highly evolving market, keep evaluating.
We also took steps to ensure that any copying of confidential content by these tools was highlighted as a significant risk. Our next step was to seek a solution that provided a safer, more controlled environment, which we could contractually protect, rather than leaving it to the unpredictable nature of the broader internet.