Taming Shadow AI Without Stifling Innovation

Summary
– Alan Snyder frames the challenge as balancing the need to adopt AI quickly, to keep pace with competitors and attackers, against the need to do so safely.
– He warns that pressure to move fast will win, so leaders must actively manage AI risk, citing a first-ever 8-K filing tied to unauthorized employee AI use.
– Snyder recommends creating an AI ops team to establish approved tools and patterns for safe AI adoption.
– He advises building a governance tracking system to sort AI usage into authorized, unauthorized, or unknown categories, rather than just having a policy.
– He emphasizes gaining visibility into AI within apps, SDKs, third-party components, and agents because data leakage is the primary risk.

In a recent interview with Help Net Security, Alan Snyder, CEO of NowSecure, addressed the challenge of governing shadow AI without putting the brakes on innovation. He framed the dilemma as a clash between two powerful forces. Organizations must adopt artificial intelligence at speed, or risk falling behind competitors and attackers who are already moving fast. Yet, they also need to do so responsibly.
Snyder argues that the pressure to move quickly will ultimately win out. That means leaders must focus on managing AI risk as they go, rather than waiting for perfect security. He points to the first-ever 8-K cybersecurity filing tied to unauthorized AI use by an employee as a wake-up call, then outlines a practical path forward.
First, companies should create a dedicated AI ops team responsible for defining approved tools and usage patterns. Next, they need to build a governance tracking system that goes beyond a written policy. This system should categorize AI usage into three buckets: authorized, unauthorized, and unknown. Publishing a pre-cleared list of tools gives teams a legitimate path forward, removing the need for risky workarounds. Finally, leaders must gain full visibility into where AI lives inside apps, SDKs, third-party components, and agents. The real threat, Snyder warns, is data leakage, not malicious intent.
(Source: Help Net Security)