May 6, 2024 By Dimple Ahluwalia 4 min read
IBM and AWS study: Less than 25% of current generative AI projects are being secured 

The enterprise world has long operated on the notion that trust is the currency of good business. But as AI transforms and redefines how businesses operate and how customers interact with them, trust in technology must be built.  

Advances in AI can free human capital to focus on high-value deliverables. This evolution is bound to have a transformative impact on business growth, but user and customer experiences hinge on organizations’ commitment to building secured, responsible, and trustworthy technology solutions.  

Businesses must determine whether the generative AI interfacing with users is trusted, and security is a fundamental component of trust. So, herein lies the one of the biggest bets that enterprises are up against: securing their AI deployments. 

Innovate now, secure later: A disconnect 

Today, the IBM® Institute for Business Value released the Securing generative AI: What matters now study, co-authored by IBM and AWS, introducing new data, practices, and recommendations on securing generative AI deployments. According to the IBM study, 82% of C-suite respondents stated that secure and trustworthy AI is essential to the success of their businesses. While this sounds promising, 69% of leaders surveyed also indicated that when it comes to generative AI, innovation takes precedence over security. 

Prioritizing between innovation and security may seem like a choice, but in fact, it’s a test. There’s a clear tension here; organizations recognize that the stakes are higher than ever with generative AI, but they aren’t applying their lessons that are learned from previous tech disruptions. Like the transition to hybrid cloud, agile software development, or zero trust, generative AI security can be an afterthought. More than 50% of respondents are concerned about unpredictable risks impacting generative AI initiatives and fear they will create increased potential for business disruption. Yet they report only 24% of current generative AI projects are being secured. Why is there such a disconnect? 

Security indecision may be both an indicator and a result of a broader generative AI knowledge gap. Nearly half of respondents (47%) said that they are uncertain about where and how much to invest when it comes to generative AI. Even as teams pilot new capabilities, leaders are still working through which generative AI use cases make the most sense and how they scale them for their production environments. 

Securing generative AI starts with governance 

Not knowing where to start might be the inhibitor for security action too. Which is why IBM and AWS joined efforts to illuminate an action guide and practical recommendations for organizations seeking to protect their AI. 

To establish trust and security in their generative AI, organizations must start with the basics, with governance as a baseline. In fact, 81% of respondents indicated that generative AI requires a fundamentally new security governance model. By starting with governance, risk, and compliance (GRC), leaders can build the foundation for a cybersecurity strategy to protect their AI architecture that is aligned to business objectives and brand values. 

For any process to be secured, you must first understand how it should function and what the expected process should look like so that deviations can be identified. AI that strays from what it was operationally designed to do can introduce new risks with unforeseen business impacts. So, identifying and understanding those potential risks helps organizations understand their own risk threshold, informed by their unique compliance and regulatory requirements. 

Once governance guardrails are set, organizations are able to more effectively establish a strategy for securing the AI pipeline. The data, the models, and their use—as well as the underlying infrastructure they’re building and embedding their AI innovations into. While the shared responsibility model for security may change depending on how the organization uses generative AI. Many tools, controls, and processes are available to help mitigate the risk of business impact as organizations develop their own AI operations. 

Organizations also need to recognize that while hallucinations, ethics, and bias often come to mind first when thinking of trusted AI, the AI pipeline faces a threat landscape that puts trust itself at risk. Conventional threats take on a new meaning, new threats use offensive AI capabilities as a new attack vector, and new threats seek to compromise the AI assets and services we increasingly rely upon. 

The trust—security equation 

Security can help bring trust and confidence into generative AI use cases. To accomplish this synergy, organizations must take a village approach. The conversation must go beyond IS and IT stakeholders to strategy, product development, risk, supply chain, and customer engagement. 

Because these technologies are both transformative and disruptive, managing the organization’s AI and generative AI estates requires collaboration across security, technology, and business domains. 

A technology partner can play a key role. Using the breadth and depth of technology partners’ expertise across the threat lifecycle and across the security ecosystem can be an invaluable asset. In fact, the IBM study revealed that over 90% of surveyed organizations are enabled via a third-party product or technology partner for their generative AI security solutions. When it comes to selecting a technology partner for their generative AI security needs, surveyed organizations reported the following: 

  • 76% seek a partner to help build a compelling cost case with solid ROI.  
  • 58% seek guidance on an overall strategy and roadmap. 
  • 76% seek partners that can facilitate training, knowledge sharing, and knowledge transfer. 
  • 75% choose partners that can guide them across the evolving legal and regulatory compliance landscape. 

The study makes it clear that organizations recognize the importance of security for their AI innovations, but they are still trying to understand how best to approach the AI revolution. Building relationships that can help guide, counsel and technically support these efforts is a crucial next step in protected and trusted generative AI. In addition to sharing key insights on executive perceptions and priorities, IBM and AWS have included an action guide with practical recommendations for taking your generative AI security strategy to the next level. 

Learn more about the joint IBM-AWS study and how organizations can protect their AI pipeline
Was this article helpful?

More from Security

Authentication vs. authorization: What’s the difference?

6 min read - Authentication and authorization are related but distinct processes in an organization’s identity and access management (IAM) system. Authentication verifies a user’s identity. Authorization gives the user the right level of access to system resources.  The authentication process relies on credentials, such as passwords or fingerprint scans, that users present to prove they are who they claim to be.  The authorization process relies on user permissions that outline what each user can do within a particular resource or network. For example,…

Top 7 risks to your identity security posture

5 min read - Detecting and remediating identity misconfigurations and blind spots is critical to an organization’s identity security posture especially as identity has become the new perimeter and a key pillar of an identity fabric. Let’s explore what identity blind spots and misconfigurations are, detail why finding them is essential, and lay out the top seven to avoid. What are the most critical risks to identity security? Identity misconfigurations and identity blind spots stand out as critical concerns that undermine an organization’s identity…

Intesa Sanpaolo and IBM secure digital transactions with fully homomorphic encryption

6 min read - This blog was made possible thanks to contributions from Nicola Bertoli, Sandra Grazia Tedesco, Alessio Di Michelangeli, Omri Soceanu, Akram Bitar, Allon Adir, Salvatore Sollami and Liam Chambers. Intesa Sanpaolo is one of the most trusted and profitable European banks. It offers commercial banking, corporate investment banking, asset management and insurance services. It is the leading bank in Italy with approximately 12 million customers served through its digital and traditional channels. The Cybersecurity Lab of Intesa Sanpaolo (ISP) needed to…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters