Article Summary
I don’t profess to be an AI expert by any means, but here at Layer8 Consulting, we have begun using AI toolsets for several reasons and recently went through the process of creating our own AI policy. The following are some nuggets of information we’ve learned through the process.
The use of Artificial intelligence (AI) has been growing exponentially over the past few years. Organizations have been integrating AI tools into areas like customer service (think chatbots) and customized & personalized marketing campaigns. Automated copywriting is a big use; I admit to using AI to help write this blog!
As a business it is important to set clear rules and guidelines for how public artificial intelligence tools can be used safely, legally, and responsibly within the company to mitigate risks. Some of the primary reasons to create a business AI policy are:
Without a policy, employees may inadvertently upload information into public AI tools that maybe be used against the company such as uploading non-public information that could be used by others to create highly targeting phishing attacks and social engineering threats.
If employees do not have any directions on properly using public AI tools, they may think it’s ok to use the tool to increase productivity and create automation when in reality they introduce huge security risks.
Employees may also be afraid to use AI tools for lack of training and direction. AI can provide huge benefits when properly used.
AI tools can provide a ton of benefits and be a time saver in the workplace, but they are far from perfect. Care must be taken by an intelligent human to thoroughly review and fact-check/double-check the validity of the output.
Someone once told me about a person in marketing that was proud to announce they had figured out a way to streamline a targeted marketing campaign by feeding the company’s CRM database into an online AI tool to create the campaign. See anything wrong with that scenario? Hint: they just gave away their customer base.
Any company data you would not want the rest of the world to know should not be put into public AI tools. This includes financial, employee, and other sensitive information.
In order to create an AI policy for a business, it is important to recognize that it is a team effort. It’s not just an Information Technology decision but must also involve areas such as human resources, legal, marketing, customer service, etc.
The team should determine if AI is being currently used to benefit the company. This includes determining if the current use meets security and other company restrictions. Examples could include research, creation of project plans, etc. With some additional input and steering, one could even ask an AI tool how AI could benefit my specific industry.
Starting with your existing policies such as your IT Acceptable Use Policy (AUP) and others, you can begin to determine what is and is not acceptable use of AI tools. The policy must clearly spell out this out. If you do not have an AUP, stop now and get to it!
Have someone in your organization research the various AI platforms and determine which ones the company will approve. You should also define what tools will not be allowed to be used.
As previously mentioned, AI tools are not perfect. It is critical to have an intelligent human review any and all AI tool output for accuracy. This doesn’t just mean proofreading for mis-spelled words but for content, context and tone.
Document that your organization reserves the right to monitor and enforce the policy by monitoring AI tool usage and data handling procedures. It is important to define the consequences of not adhering to the policy.
As with any written policy you should define and document the purpose and scope of the policy. Include written examples of acceptable/unacceptable uses and the list of authorized AI tools that can be used for business purposes.
As we worked through our own AI Usage Policy, we did some research on mistakes to avoid and also included feedback from our HR department. Here are a few common mistakes we’ve learned about.
This particular policy is not the place to be vague. Statements such as “use AI in the best interest of the company” doesn’t cut it. Make your statements clear so employees will understand what they can and cannot do regarding AI usage.
Your policy should mandate an intelligent human review of all AI output to ensure it correctly reflects the intended output, adheres to the company’s other policies and is 100% accurate BEFORE sending it on or posting.
Most policies should have input from multiple business departments, and an AI policy is no different. Since the policy touches on legal, compliance and human behavior, it should have input from legal, HR, customer support and other relative departments.
While we can assist our clients with written policy and procedures, Layer8’s primary focus is providing efficient, cost-effective network and IT security infrastructures. Below is a list of just some of the many technology areas we have expertise in.
Contact us today to see how Layer8 Consulting can improve your network and IT security.