Risk exposure from Gen AI products from Third Parties and risk exposure

by | Nov 3, 2023 | Blog

Array

Generative AI is the buzzword in the IT industry and has gained attention and popularity in recent years. Applications using AI span from data analysis and virtual assistant to content creation and more. Many organizations are inclined to adopt the generative AI offering to reduce the spend, time, and resources and lead the way in adopting the cutting-edge technology offerings of generative AI. That’s the Bright Side of it but using generative AI products offered by third parties comes with inherent risk and challenges, especially when governed by security and privacy regulations and compliance with security standards. Let us look at some of the most common risks and how businesses can effectively address these.

General Understanding

Software Solutions that leverage Generative AI features use large language models and deep learning models to create content like audio, text, video, images and lines of code. Such softwares have many applications such as Natural Language Processing, Machine Learning, Robotics, Automation, Speech Recognition, Medical Diagnosis, Chatbot etc. Large amounts of data sets are analyzed and these softwares learn from

Prominent Risks associated with Generative AI products by Third Parties

Information Security and Privacy: While implementing generative AI products, generally, organizations need to provide access to their information which could be confidential in nature. Unauthorized exposure or data leak of confidential information due to incidents or breaches could result in a risk that could cost a company dearly resulting in financial and reputational impact. It is crucial that Third Party provided Generative AI solutions are vetted, and the security measures that are in place be validated to meet the security and privacy standard.

  • Regulations and compliance: In today’s day in age most industries are governed by specific regulations with respect to privacy such as the General Data Protection Regulation (GDPR) in the European Union, California Consumer Privacy Act (CCPA) in the US, Brazilian General Data Protection Law (LGPD) in Brazil to name a few and health regulations such as Health Information Portability and Protection Act (HIPAA) in the United States; and Compliance such as ISO 27001 (Information Security) and Payment Card Industry – Data Security Standard (PCI-DSS) standard. Due to the nature of the products that use generative AI, that could be challenges in trying to comply with these regulations and Standards. This non-compliance to regulations could result in regulatory fines affecting the reputation of the organization and the client’s trust.
  • Dependency on Third Parties: Businesses rely heavily on third parties providing generative AI products creating a dependency on the technology and the license costs. Any change in the license structure or unavailability of the service good result in distracting operations and financial impact to compensate and make adjustments.
  • Customization: Generative AI products may not be easily customizable as per the evolving needs of the business. The face at which these changes need to be implemented may not favor organizations to leverage generative AI Technology. This can limit the progress of a company to execute as per their road map and could defeat the purpose of creating a difference.
  • Fairness: Large data sets are analyzed by the generative AI models and if there is any unfair content or biased content, the resulting output may also be biased. It is imperative to properly vet the content generated by a product to exclude any inappropriate or discriminatory content that can harm the reputation of the company and lead to any legal issues.

How to effectively manage these risks?

  • Third Party Risk Management (TPRM) framework. Implement and deploy a Third Party Risk Management (TPRM) framework in your organization with well-defined processes and SOPs that have strong support from the top management. A strong collaboration among multiple teams during the vetting process is crucial as information exchange can go a long way and save time and effort.
  • Due Diligence. Ensuring that all Third Parties are assessed for Inherent and Residual risks and are addressed in a timely manner to understand the risk exposure. This will allow the decision-makers to evaluate the risk and engage with the Third Party accordingly.
  • Agreements. A well-negotiated agreement that covers key details on how the data will be handled, processed, stored and destroyed; how the technology is integrated and what kind of security controls are to be implemented will save the organization when there is a liability due to an incident or breach
  • Audits. With inputs from Legal and (or) compliance officers, ensure the solution is aligned with the specific regulations. Compliance has to be achieved even by modifying the guidelines and workflows.
  • Continuous Monitoring. Periodic monitoring of the Generative AI products’ functionality and output will highlight the defects or weaknesses (if any). This will help to fine-tune or regulate the outputs.

Conclusion

Following a stringent Third Party Risk Management Framework diligently will enable the business and allow to make risk aware decision before adopting any Generative AI software or product.

Related Blogs

TPRM Awareness, upskill and cross skill

TPRM Awareness, upskill and cross skill

Feb 15, 2024

The security world is very diversified, with the majority of the organizations practicing defensive security while a few have adopted offensive...