CISO Beware: GenAI use exceeds security controls

He said in an interview that this means CISOs need to carry out a risk assessment for every GenAI application that employees use, and then follow up with staff policies and procedures.
He warned CISOs and CEOs not to follow the “ostrich algorithm” – pretending that employees’ shadow use of AI does not exist, and so neither does the danger.
“There is no doubt that there are a lot of uses of generative AI applications in a way that is extremely problematic for the organization,” he said. “Remember, I can use a GenAI application from my personal computer that is out of control and can still leak a lot of data from my requests – and maybe not just what I’m asking, but what others are asking, and the generative AI learns from the problem pattern, too.”