The Upcoming Wave: AI's Emergence as the New Shadow IT

Thousands (potentially tens of thousands) of Indie AI Apps are emerging. What are the risks?

a) The Challenge of AI in Cybersecurity

Similar to the historical emergence of SaaS shadow IT, the integration of AI poses a familiar challenge for Chief Information Security Officers (CISOs) and cybersecurity teams. Employees are discreetly incorporating AI into their workflows, often bypassing established IT and cybersecurity review processes. The rapid adoption of ChatGPT, accumulating 100 million users within 3 months with minimal marketing, signifies a growing demand for AI tools driven by employees.

b) Risks of Indie AI Tools

Joseph Thacker categorizes the risks associated with indie AI tools, highlighting areas such as data leakage, content quality issues, product vulnerabilities, and compliance risks. AI tools, especially those employing large language models, have extensive access to employee prompts, leading to potential leaks. Content quality issues arise from hallucinations in large language models, risking the publication of inaccurate information. Indie AI tools, developed by smaller entities, are more susceptible to product vulnerabilities and compliance risks, lacking mature privacy policies and adherence to industry standards.

c) Linking Indie AI to Enterprise SaaS Applications

Employees seeking enhanced productivity through AI tools often progress to integrating AI with the SaaS systems they use daily. Indie AI vendors actively encourage these connections within their products. However, these integrations increase exposure to backdoor attacks. AI tools predominantly use OAuth access tokens for AI-to-SaaS connections, so a tool such as an AI scheduling assistant is granted continuous API-based communication with platforms such as Slack, Gmail, and Google Drive, which can expose the organization to security risks.
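The following is an added example, not taken from the original article: a triage pass over an inventory of OAuth grants that flags unsanctioned apps holding standing access to mail, files or chat. The scope strings are real Google and Slack scope names; the app names, users, record layout and the 30-day staleness threshold are assumptions made for illustration.

```python
from datetime import date

# Scopes that give an app standing access to mail, files or chat history.
# Which scopes count as "broad" is this example's assumption.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "channels:history": "read Slack channel messages",
    "files:read": "read Slack files",
}

TODAY = date(2024, 3, 1)  # constructed "now" so the result is reproducible

# Constructed grant inventory (hypothetical apps and users).
GRANTS = [
    {"app": "calendar-ai-helper", "user": "alice@example.com", "sanctioned": False,
     "scopes": ["https://www.googleapis.com/auth/calendar", "https://mail.google.com/"],
     "last_used": date(2024, 1, 10)},
    {"app": "notes-summarizer", "user": "bob@example.com", "sanctioned": False,
     "scopes": ["https://www.googleapis.com/auth/drive.readonly", "channels:history"],
     "last_used": date(2024, 2, 25)},
    {"app": "corp-mail-client", "user": "carol@example.com", "sanctioned": True,
     "scopes": ["https://mail.google.com/"], "last_used": date(2024, 2, 28)},
    {"app": "meeting-bot", "user": "dave@example.com", "sanctioned": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
     "last_used": date(2024, 2, 20)},
]

def triage(grants, today, stale_days=30):
    """Return findings for unsanctioned apps that hold broad scopes."""
    findings = []
    for g in grants:
        access = [BROAD_SCOPES[s] for s in g["scopes"] if s in BROAD_SCOPES]
        if g["sanctioned"] or not access:
            continue  # reviewed by IT, or no standing access to mail/files/chat
        idle = (today - g["last_used"]).days
        # An unused grant may still hold a live token: revoke rather than ignore it.
        action = "revoke" if idle > stale_days else "review"
        findings.append({"app": g["app"], "user": g["user"],
                         "access": access, "idle_days": idle, "action": action})
    # Revocations first, then the grants exposing the most data.
    return sorted(findings, key=lambda f: (f["action"] != "revoke", -len(f["access"])))

if __name__ == "__main__":
    for f in triage(GRANTS, TODAY):
        print(f'{f["action"]:6} {f["app"]:20} {f["user"]:20} '
              f'idle={f["idle_days"]}d access={", ".join(f["access"])}')
```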

These notes come from one of our favorite newspapers, The Hacker News.
