I’m often brought into conversations with organizations concerned about sensitive data being leaked. Lately, those conversations involve AI: AI taking notes in meetings, AI used for eDiscovery, or the organization using AI with sensitive data in general. It’s a real concern, as violations involving copyrighted and sensitive data continue to surface, both in how AI is trained and in how people use it. One example is this article about Meta firing employees for leaking sensitive data, found HERE.
My high-level recommendation is to develop proper data lifecycle management practices regardless of the technical focus. This means maturing access control to data as well as data classification and protection. For example, if your concern is AI in meetings, you need to both control access to AI within meetings and, if AI or other transcription is used, treat that output like any other sensitive data, meaning applying data lifecycle management principles. Securing sensitive data is not a new topic, but what creates and accesses that data is continuously changing.
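To make the “treat AI output like any other sensitive data” point concrete, here is a rough sketch in Python of classifying a meeting transcript and tagging it with a retention date. The detection patterns, labels, and retention periods are placeholders I made up for illustration; in practice you would use the detectors and labels your existing classification and DLP tooling already provides.

```python
# Illustrative sketch: apply the same classification and lifecycle rules to an
# AI-generated meeting transcript that you would apply to any sensitive document.
# Patterns, labels, and retention windows below are hypothetical placeholders.
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical detectors; real DLP policies would use your vendor's detectors.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "internal_project": re.compile(r"\bProject Falcon\b", re.IGNORECASE),  # placeholder codename
}

@dataclass
class ClassifiedTranscript:
    label: str             # classification label to apply to the record
    retention_until: date  # lifecycle date when the record is reviewed or purged
    matched: list          # which detectors fired

def classify_transcript(text: str) -> ClassifiedTranscript:
    """Classify a transcript and assign a retention date based on what it contains."""
    matched = [name for name, pattern in SENSITIVE_PATTERNS.items() if pattern.search(text)]
    if matched:
        # Sensitive content found: label it and shorten retention, like any other sensitive record.
        return ClassifiedTranscript("Confidential", date.today() + timedelta(days=365), matched)
    return ClassifiedTranscript("Internal", date.today() + timedelta(days=730), matched)

if __name__ == "__main__":
    transcript = "AI notes: discussed Project Falcon budget and vendor SSN 123-45-6789."
    result = classify_transcript(transcript)
    print(result.label, result.retention_until, result.matched)
```

The point of the sketch is the lifecycle step, not the pattern matching: once the transcript is labeled, your normal retention, access, and protection policies apply to it automatically.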
Organizations that fail to keep up with securing data tend to overcomplicate the focus. My advice is to lean on mature security frameworks for controlling access and data security. If adding something like AI breaks your ability to control access, then the focus should be implementing controls to identify any AI use, blocking unapproved AI, and, when AI is allowed, permitting access only through approved methods such as a corporate login rather than a personal login. If AI is creating data that is sensitive, treat it like sensitive data and apply classification as well as DLP policies. You may need to look at your existing access control and data security solutions to see what “models” or other features have been added to address new data types and access, but most vendors are going to keep up with new risks. If not, maybe it’s time to invest in enterprise-grade technology or seek out an expert consultant to help.
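Here is a minimal sketch of that “approved AI, approved login” decision in Python. The tool names, domains, and policy fields are hypothetical; in a real environment this logic lives in your CASB, secure web gateway, or conditional access policies rather than in custom code.

```python
# Hypothetical sketch of an allowlist check: block unapproved AI services,
# and allow approved ones only when accessed via a corporate login.
from dataclasses import dataclass

# Illustrative allowlist of approved AI services and the login types permitted for each.
APPROVED_AI_TOOLS = {
    "copilot.example.com": {"corporate"},        # placeholder approved tool
    "meeting-notes.example.com": {"corporate"},  # placeholder approved tool
}

@dataclass
class AccessRequest:
    destination: str  # AI service the user is reaching
    login_type: str   # "corporate" or "personal"

def evaluate(request: AccessRequest) -> str:
    """Return a policy decision for an AI access request."""
    allowed_logins = APPROVED_AI_TOOLS.get(request.destination)
    if allowed_logins is None:
        return "block: unapproved AI service"
    if request.login_type not in allowed_logins:
        return "block: approved AI service, but not via an approved corporate login"
    return "allow"

if __name__ == "__main__":
    print(evaluate(AccessRequest("copilot.example.com", "personal")))      # blocked
    print(evaluate(AccessRequest("copilot.example.com", "corporate")))     # allowed
    print(evaluate(AccessRequest("random-ai.example.net", "corporate")))   # blocked
```

However you implement it, the design choice is the same one the frameworks push you toward: a short, maintained list of approved services and access methods, with everything else identified and blocked by default.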