Addressing AI via Corporate Policies
Doug Landoll, Lantego

A client recently approached me with a request to help navigate the topic of "AI in the workplace." Having previously developed their information security and privacy policies, my initial thought was to simply expand those existing frameworks to include AI within their Acceptable Use Policy or privacy guidelines. However, the rise of AI brings with it a host of organizational challenges that require more thoughtful consideration, starting with expansive policy development.

It's not just about integrating generative AI tools or ensuring data privacy—there are many broader aspects of AI adoption that need to be addressed.

AI Issues to Discuss

Before integrating AI into your organization, several key areas require careful consideration and discussion within the organization.

  • Laws and Regulations: Identify relevant laws, regulations, and the company’s position on AI usage within the organization.
  • AI Governance: Establish who will oversee AI use, how it will be monitored, and how risks related to security, privacy, and compliance will be managed.
  • Ethical Use: Identify any areas where AI deployment requires careful planning to ensure ethical practices—such as in public safety, resource allocation, or hiring.
  • Data Privacy and Security: Assess the implications AI may have on data handling, storage, and protection.
  • Transparency and Accountability: Define how the organization will communicate its AI usage to the public or stakeholders, and how they can inquire about it.
  • Bias & Fairness: Evaluate whether AI systems might affect fairness or introduce bias, and plan for measures like design, legal review, testing, monitoring, transparency, or adding a human in the loop to ensure impartiality.
  • Workforce Impact: Consider whether AI could disrupt the workforce and explore mitigation strategies like retraining or reassignment.


Working through these issues produces the positions and decisions that the organization's policies then need to capture, which in practice means creating some new policies and revising many existing ones.

Policies Needing Creation or Updates for AI Integration

Based on the AI issues discussed above, an organization will need to develop several new policies and update existing ones to account for the issues and challenges created by the use or presence of AI systems. Key policies and processes include:

  • Acceptable Use Policy (AUP): This policy should be updated to specify usage restrictions around sensitive data when interacting with AI applications and any other restrictions on the use of AI systems.
  • Awareness and Training: Update awareness training to cover AI-specific risks and responsibilities. These include attacks on AI systems (such as data poisoning), acceptable use of AI, the organization's ethical guidance, and regulatory and compliance implications.
  • Data Classification Policy: Expand data classification examples to include AI-generated text, synthetic data, and images. These new data types should be evaluated for their sensitivity and integrated into the data governance structure, considering ownership, security, and privacy implications.
  • Ethics and Responsible AI Policy: Introduce a dedicated policy focused on the ethical use of AI, covering issues like fairness, transparency, bias, and accountability.
  • Information Security Policy: Expand security and privacy risk management processes to address the risks introduced by AI systems and to assign ownership of AI systems and the data they generate.
  • Information Flow Policies: Update policies that address data leakage and unauthorized exfiltration of sensitive information. These policies must ensure that the flow of data through AI systems is protected, both internally and when interfacing with external systems or vendors.
  • Incident Response Policy: Ensure incident response protocols include scenarios where AI systems produce biased, incorrect, or harmful outcomes. Having specific steps for mitigating AI-related incidents is crucial for minimizing damage and maintaining trust.
  • Logging and Monitoring: Update logging and monitoring policies to identify AI-specific events to be logged (e.g., AI-system privileged access and commands) and incorporate AI-specific Indicators of Compromise (IoCs).
  • Privacy Policy: Update the policy to ensure that AI systems comply with data privacy regulations such as GDPR or HIPAA. This includes specifying how personal data is collected, processed, and stored by AI applications, and ensuring appropriate consent mechanisms. Expand the use of data privacy impact assessments to include relevant uses of AI systems.
  • Security and Privacy Compliance Policies: Compliance processes should be updated to include AI-specific impact assessments. Organizations should implement security and privacy evaluations for all systems and applications incorporating AI, ensuring they meet regulatory and ethical standards.
  • Software Development Security and Privacy Policies: Expand software development lifecycle (SDLC) and other relevant policies and processes to address AI-specific issues. These include AI threat modeling, AI-specific controls (e.g., protections against malicious exploitation and tampering), AI-specific data minimization and restrictions on production data in testing environments, AI-specific testing (e.g., penetration testing of AI systems, bias and fairness audits), and access control for privileged AI system interfaces and commands.
  • System Acquisition Policy: Expand this policy to address the identification, documentation, review, and approval of AI systems in the acquisition process.
  • Vendor Management Policy: Update vendor management policies to ensure third-party AI tools and services meet the organization's privacy, security, and ethical standards. Risk assessments for AI-related third-party tools must be thorough to prevent breaches or misuse of AI systems.
  • Workplace and Employment Policies: AI’s impact on job roles and tasks may necessitate updates to workplace policies. This can include retraining or reskilling programs for employees, ensuring they are prepared for changes in workflows due to automation or AI integration.


Lantego is a premier provider of cybersecurity and privacy policies for government entities and corporations.

Rich McCrohan

Regional Sales Manager | CSA Board Member | CISO XC Coordinator | MTB Enthusiast

6 months ago

Doug, as usual, great insight and perspective. The blanket ban on AI will never work. AI is a powerful tool when used properly. Putting guidelines around acceptable use policy helps educate users on proper use and risks involved.
