Navigating Data Security Concerns in AI Implementation: Risks and Solutions

AI is transforming the way people work. A McKinsey Global Survey found that 75% expect generative AI to contribute significant transformation in their industry in the next three years. However, despite the optimism, there’s a notable gap in confidence regarding the safe implementation and use of AI; less than 50% feel very confident about using AI safely, AvePoint’s AI and Information Management Report found.

AI tools wield immense power: they can process and analyze vast amounts of data with unprecedented accuracy and speed. However, this power comes with inherent risks, particularly concerning data security and privacy. Without proper controls in place, there’s a heightened risk that sensitive data could fall into the wrong hands, whether human or AI.

The root of this low confidence may be attributed to the lack of a structured data governance framework. Inadequate governance and information management strategies leave organizations vulnerable to significant data security challenges amplified by AI. Without clear guidelines and controls, there’s a great likelihood of unauthorized access, data breaches, and other security incidents, compromising the integrity of organizational data security practices.

Despite the evident risks, only 38% of organizations are working to mitigate risks associated with AI, McKinsey found. Given these challenges, there’s an urgent need for organizations to address data security concerns in AI implementation. And the best time to do it is now.

Security Risks in the AI Age

If your organization did not have strong data governance policies in place before, you may face challenges, like the 45% of organizations in the AI and Information Management Report who experienced unintended data exposures during AI implementation.

The reality is, mitigating cyber risk remains a top concern for organizations, with the percentage of data breaches reaching at least $1 million rising to 36%, compared to 27% from the previous year, PwC’s 2024 Global Digital Trust Insights survey found.

With AI getting more traction, risks are getting higher.

Most organizations are using public AI tools. In fact, 65% of organizations use ChatGPT, which operates outside traditional IT oversight, allowing employees to freely input data into the engine. This means that sensitive information, if not handled with care, could potentially be shared inadvertently with other users of the tool.

Take, for example, Samsung, which hit the headlines after it experienced exposure of sensitive data when one of their engineers input a sensitive code to the AI platform. This led the tech giant to ban the use of ChatGPT due to concerns that this information could be disclosed to other users of the platform.

But the risks are not limited to public AI tools. Whether leveraging external AI solutions such as ChatGPT or internal AI tools like Microsoft 365 Copilot, organizations must confront and manage these risks head-on.

Organizations can enjoy a greater degree of control with licensed AI solutions like Copilot. However, this control comes with its own set of responsibilities and potential pitfalls. While the internal nature of Copilot may offer more oversight, it is also a very powerful tool that can and will pull information from anywhere it has access; organizations must remain vigilant about how data is handled within the platform to prevent unauthorized access or misuse.

“AI is a powerful tool for society – and that includes the hackers that will use it to exploit every weakness and flaw in our global cybersecurity infrastructure. While the rise of generative AI promises a transformation in productivity at work and at home, these tools are also enabling the evolution of the global landscape at a pace we never could have imagined.”

— Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint

In navigating the landscape of AI-driven tools, organizations must strike a delicate balance between harnessing the power of AI for innovation and ensuring robust data security measures are in place. Failure to address these risks could have far-reaching consequences, from compliance breaches to reputational damage.

Data Protection Strategies for AI Implementation

In the age of AI, businesses must bolster their existing data protection strategies. Among organizations that have faced an AI security or privacy incident, 60% reported data compromise by an internal party, according to Gartner.

Some companies may find it best to utilize enterprise AI applications, such as Microsoft 365 Copilot, as it provides a better level of control compared with public AI tools such as ChatGPT. Whether using public or private AI, though, businesses must put in place an AI-acceptable use policy to dictate what responsible and ethical use of AI looks like.

Currently, only 47% of respondents have implemented an AI Acceptable Use Policy, which fails to set limits on how AI can be used in an organization, thereby welcoming potential risks.

Then, organizations can further security by running a risk assessment to determine any risks already lurking in the environment, such as how content is stored, managed, and shared within the organization. Implementing controls on the data designated to every department, and more importantly, to guests, is vital for ensuring data security. These vulnerabilities can become threats when AI is introduced. For example, an employee can randomly ask for information about a colleague’s salary, and AI can easily provide that personal identifiable information (PII) very easily.

Solutions like AvePoint Insights can identify vulnerabilities already existing in an organization’s digital workspace. It collects data – such as user activities, permissions, configurations – from an organization’s digital workspace, and it will analyze patterns, anomalies, or signs of misuse that could indicate a vulnerability.

In fact, AvePoint helped one of the largest global construction manufacturers audit and reconfigure 200,000 site collections, identifying and removing 20,000 orphaned guest users and 15,000 shadow users, to establish a secure and structured environment conducive for AI innovation.

Maintain the Safety of Digital Workspaces

After taking necessary steps to make the digital workspace secure, it’s vital to keep it that way.

As employees use the workspace, new files will be added into the system. To avoid further risks, it’s crucial to regularly reassess files in digital workspaces. This can be done by ensuring that any new content has the correct controls and permissions applied and/or that existing content doesn’t have controls or permissions altered. However, doing this manually can be daunting and could consume a lot of time for the IT teams.

AvePoint Policies can help with automatically applying the necessary security rules to your Teams, Groups, Sites, and OneDrives, or the entire Microsoft 365 tenant if needed. AvePoint Policies proactively monitors configuration drift, notifying and reverting out-of-policy changes as often as every two hours. This ensures proper access controls and permissions are applied without relying on end-user execution.

Embracing AI Safely

The numbers say it all: AI is vital in today’s business landscape, but risks are also involved.

As we’ve presented here, data security risks are becoming increasingly common, and AI, while useful for organizations, magnifies these risks. With the transformation of the digital workplace, it is natural for organizations to worry about the safety and security of their data.

However, organizations can embrace AI while mitigating security risks. Proactive measures can be taken, and organizations can start by assessing the risks in the organizational workspace and creating a strong data security and IM strategy to ensure that sensitive information does not fall into the wrong hands.

Learn more about protecting sensitive data in Microsoft 365. Watch our webinar: