CISOOnline

The CISO’s guide to responding to shadow AI

While data breaches are a prominent concern, they aren’t the only potential outcome of AI. “AI risk is not only digital risk, it can become physical very, very quickly,” says Pablo Ballarin, co-founder and vCISO at Balusian and ISACA member. Does the use of shadow AI open the door to operational disruption, wasted resources or safety issues? Answering these questions is also a part of the necessary risk assessment.

Understand why AI is being used

If CISOs want to manage shadow AI effectively, they need to understand why it keeps popping up. The immediate reaction may be to shut down the use of shadow AI, but there must be more to the response than that.

“Our focus is understanding why they’re using it, educating them on the risks of using an unapproved AI tool, identifying whether or not we already have tools in the organization that can meet those needs and then, obviously, redirecting them with a…serious reminder of if it’s not approved for use,” says Hamidi.


