The US Declaration of Independence states that “all men are created equal” but a modern response may be to argue that “not all AIs are equal”.
Some AI tools help us with everyday rote tasks while other forms of AI at the other end of the spectrum can potentially change the ways in which business and society operate.
In terms of data security, protection, privacy and corporate governance risks, you can’t realistically treat these as the same, even if they both fit under the catch-all AI ‘umbrella’.
SVP & Field CTO, Saviynt.
So, for IT management struggling to keep up with the exposure threats associated with AI-infused applications, agents and processes, calibrating the risks based on AI variants is a smart first move.
Here’s the problem and conundrum: AI is great and the desire to capitalize on it to create transformative effects is vast, but we are drowning in AI. To take just a few statistics… McKinsey says 62% of enterprises are at least experimenting with AI and PwC says 79% are deploying AI agents. IDC predicts that there will be 1.3 billion AI agents in operation by 2028.
CIOs, CTOs and others want to impress their organizations by creating new levels of automation to reduce costs and save time, identify insights that may otherwise have languished undiscovered, and to liberate staff from rote tasks and performing vast computational sums that agents are better at than humans.
But is there a catch to all this laudable ambition? Well, the familiar challenges of security and governance are certainly perceived as obstacles. So, while the AI uber-trend will doubtless accelerate process automation and discovery, more than half of respondents (52%) to the PwC survey list cybersecurity as a number-one or number-two concern when employing agents.
Another persistent hurdle is change management. Technological change can be overwhelming when all the processes, ingrained pattern recognition habits and domain knowledge we possess are threatened by disruptive new waves of activity. To manage this, CIOs, CISOs, risk officers and others need to establish a baseline.
Keeping score
Just as with proliferation of software applications in the client/server era and the rise of cloud services later, IT leaders should perform a discovery process to see what is going on in their estates. What is needed is a purpose-built capability. Much like ITAM, CMDB or CASB was for Shadow IT, but this time for monitoring. In this way, it is possible to create a journal of record and system of access for the Identity and AI age.
IT chiefs may find that many of the AI activities they observe can be ticked off as relatively safe. Personal agents to scan, parse and understand data, for example, will carry minimal risk. We can say the same for the sorts of AI summary services that are built into online search tools or personal information management programs.
However, in an agentic AI enterprise world we need to progress (and process) with caution. Both the power and the risks of agentic AI processes lie in the ability to cross tolls, systems and workflows and to automate. In these early days of agentic AI it’s natural that missteps will be made. Some pioneers will fail to erect appropriate guardrails, meaning that agentic workflows may have more machine autonomy than is desirable, leading potentially to loss of data, wiped records, privacy intrusions, policy infringements and other familiar woes.
The old IAM won’t cut it
We already see many examples of agentic AI processes being waved through by legacy identity management services as if they were new hires on an HR roster. For these processes, attention to decision attribution, context, intent, input and warning signals will need to be evaluated and weighed before identity access is granted.
Also, CIOs and CISOs need to be on guard against over-excitement where AI enthusiasts, perhaps frustrated by the constraints of corporate IT governance, experiment and even deploy unapproved tools and services ‘to get the job done’. They need to control Shadow IT and skunkworks projects so that humans (or agents) are not ‘doing their own thing’.
We need to understand our ‘known and unknown’ factors and to encourage progressive AI use but with cascading approval levels depending on role and task. We need practical guardrails backed by tools and a culture that help us to course-correct when we veer off track into dangerous areas.
Identity is at the heart of all this. By having a system that controls what AIs have access to what services and through constant monitoring and zero-trust security thinking, organizations can get the best out of AI without incurring risks.
Otherwise they may be exposed to a new threatscape where attacks occur not just on business operations but on shop floors, factories and utilities that are increasingly powered by the confluence of IT and OT, the Internet of Things and agentic AI flows.
We list the best RPA software.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
https://cdn.mos.cms.futurecdn.net/h8ZQHernNUVpnGYX7QnxVM-2560-80.jpg
Source link
