CISO's - What's Your Security Strategy For AI, Bots, IoT Devices & AI Leveraged Smart Human Digital Identities?

Updated September 20, 2024

My message - your existing security models aren't prepared for what's arriving on your enterprise doorstep. That's what this article dives into.

Problem #1 - Determining Friend From Foe

Read “The Challenge with AI & Bots - Determining Friend From Foe”. It lays out what I call "whopper sized problems" in determining friend from foe regarding AI systems, bots and AI leveraged smart digital identities of us. I strongly suggest you skim this recent article I wrote about the implications for your identity architecture.

Now your eyes should be wide open to the underlying identity challenges which your IAM vendors and consultants aren't talking to you about.

Good news - I've spent 8 years creating a legal identity framework for these entities.

Bad news - It will be years before countries adopt it. In the meantime, you folks are on your own. Thus, I'm giving folks like you a proverbial kick in the ass, telling you that, based on risk, you're going to have to create your own internal identity system able to write an entity's identity and any applicable credentials into its source code.

Problem #2 - Hives

Come with me on a journey to almost any part of your enterprise. Let's use Payables as but one example.

Jane Doe, your ace payables person, now has an AI leveraged smart payables personal assistant, doing what used to be done by several people. Around her there might be IoT devices, AI leveraged payables apps, and increasing numbers of AI agents, etc. She'll be interacting with your partners who have provided services/goods for which you owe money. Her AI leveraged smart digital identity will likely be interfacing with your partners' AI leveraged apps, their payables people's AI leveraged smart digital identities, their AI agents, etc.

This is but one example of the "hives" which will soon be sprouting up within your enterprise. IT HAS RISK. Skim “Part II Hives & Fast Changing Authorization Relationships”.

So, down at the security, architecture and legal contract levels, your existing systems aren't up to snuff to deal with this.

Problem #3 - Architecture

Your existing architecture is built on HRMS/CRM, databases, LDAP and old school IAM systems. This isn't going to work well. To see why I can say this, read “TODA, EMS, Graphs – New Enterprise Architectural Tools For a New Age”.

Then consider Agents and authorization. Skim “AI Agent Authorization - Identity, Graphs & Architecture”.

My message to you and your architects? You folks are going to have to rapidly begin rethinking your internal architectures.

Problem #4 - Old School Security Models Aren't Going to Work Well

To see why, read “Part III AI, Bots, Behaviour Tech & Security Models” and “Zero Trust On Steroids! Rethinking Security Models For Citizens And Enterprises In The Age of AI Agents And Tech”.

My message to you? You and your security folks are going to have to substantially up your game to get yourselves ready for this.

Problem #5 - All the Above Requires Changes in Your HR, Legal & Marketing Departments

HR will have to up their game by creating policies for what's allowed in your physical and virtual workplaces by your employees and contractors regarding the use of tech to predict behaviour. Their old HRMS systems are going to have to be redesigned to allow entities to be added, including:

  • AI leveraged smart digital identities
  • AI systems identities
  • Physical and bot identities

I'm suggesting they consider renaming themselves to "Human Resource Entity Management" (HREM).

Your legal department is going to have to change their legal agreements with employees, contractors, customers and suppliers, stating what the entities can and can't do, what data they can and can't share, who they can share the data with, etc. Legal will also need to address another risk which most people aren't aware of, i.e., an AI's ability to own an LLC!

I strongly suggest you get your legal folks to read “Legal Identity Vs. Legal Personhood”. In some jurisdictions around the planet it's not hard to get an AI system to own an LLC, which brings new risk. Thus, where risk is high, legal departments should redo their contracts with LLCs, asking whether they are owned by an AI system.

Marketing too must up their game. Your customers are going to rapidly adopt AI leveraged smart digital identities and bots to interact with your company, which is both good and bad. Skim “Marketing In The Age of AI Agents, Bots, Behavioural Tech and Crime”. It's good if you folks can potentially offer your customers new AI leveraged personal assistants, which you can securely identify, giving them faster, cheaper and better ways of buying goods and services from you. It's bad if they start using them, and the Evil Inc.'s of the planet commandeer them to maliciously do bad things to you.

My message to the C-suite? You're going to have to bring HR, Legal and Marketing quickly up to speed on making changes to their departmental practices, policies and business processes.

Problem #6 - Rapid Rate of Change

Look at this curve. It shows a logarithmic shaped tech change curve we can now no longer keep up with. The rapid rate of change means your old ways of securely running your enterprise aren't going to work well as change comes at every department from the side and head-on.

I strongly suggest you read “Part IV Enterprise Risk & Innovation Governance”. It lays out an outside-the-box idea of creating a new enterprise "Innovation & Risk Committee". Bottom line? The rapid rate of tech change means you need to get risk management out of your existing silos.

Problem #7 - How Does Your Enterprise Securely Work With All Your Customers?

Historically, enterprises developed web interfaces allowing their customers to do business with them. Then they developed phone-based apps, leveraging social media. My point - it's not going to work well anymore. Why?

The development of AI personal agents, AR (Augmented Reality) and VR (Virtual Reality) means there are now a wide variety of different ways your customers can use to interact with you. Your competitors will likely take advantage of this. So, what can you do? Rethink your interfaces.

I strongly suggest your enterprise leverage "co-design". It has people with disabilities as a core part of your design and implementation team. People with disabilities already leverage tech like VR and AI to understand and interact with the world. My premise - by including them in your design and implementation processes, you will drive your enterprise to create several new types of customer interfaces, such as AI avatars, which your whole customer base will love.

Note, however, that security must be built into all the new types of interfaces your design teams will create, implement and maintain.

My message to the C-suite and Marketing team? Skim “Why Disabled People Will Lead The Planet Rethinking Legal Identity, AI/Bots, Credentials & Learning”. This past spring I redid the entire legal identity and learning architecture to embed co-design into design, testing, implementation and maintenance.

Problem #8 - AI LLMs, Security & AI Power Consumption

The world is currently agog with AI LLMs, but as your company adopts them, down in the weeds they come with lots of new risk. To mitigate the risk of private data flowing out of your enterprise into the public domain, you should be creating policies about what data can and can't be used in LLMs.

LLMs can hallucinate, be inaccurate and can break copyright. I strongly suggest you view this recent video by Richard Self on LLMs, “The Ethics of Visualisation and Storytelling”. Scroll to each screen showing a graph and listen to what Richard says. His message, which I agree with, is that LLMs are heading towards a brick wall where they can't easily improve accuracy and capabilities. This isn't what the LLM vendors are talking about.

Then there's security. I strongly suggest you read this recent post by Charles Givre on LLM security and read the discussion.

Next, there's this problem with AI you aren't likely aware of - AI POWER CONSUMPTION. Look at Figure 1 in "AI Power Consumption Exploding". It shows that, if current AI power consumption trends continue, by 2040-ish AI will be consuming most of the planet's power!!!!!!

Which is why I'm suggesting your company create a new internal metric for guesstimating, over the life span of an AI system or entity, the power it will consume. That way you folks can walk into deployment of these systems or entities with your eyes wide open.

Summary - The Sky Isn't Falling - The Tortoise & Nimble Hare

I like to use the analogy of a tortoise and a hare crossing a road. Your enterprise can be like the tortoise, more or less doing what you currently do, and being run over by the incoming tech tsunami wave as it affects your security and risk, while your competitors rapidly adjust.

Or, you can be like the nimble hare, recognizing you're entering a major paradigm shift where your old ways won't work well anymore. Thus, you're going to have to think outside the proverbial box, creating new ways to address this. Then you can nimbly avoid being run over, and securely offer new ways of providing goods and services.

My goal is to quickly come in and rapidly assist you folks in creating the beginnings of a new roadmap. If you're interested contact me.

About Guy Huntington

I'm an identity trailblazing problem solver. My past clients include Boeing, Capital One and the Government of Alberta's Digital Citizen Identity & Authentication project. Many of my past projects were leading edge at the time in the identity/security space. I've spent the last eight years working my way through creating a new legal identity architecture and leveraging this to then rethink learning.

I've also done a lot in education as a volunteer over my lifetime. This included chairing my school district's technology committee in the 90's, which resulted in wiring most of the schools with optic fiber, being behind building a technology leveraged school, and being past president of Skills Canada BC and Skills Canada.

I do short term consulting for Boards, C-suites and Governments, assisting them in readying themselves for the arrival of AI systems, bots and AI leveraged, smart digital identities of humans.

I've written LOTS about the change coming. Skim the over 100 LinkedIn articles I've written, or my webpage with lots of papers.

Quotes I REALLY LIKE!!!!!!:

  • “We cannot solve our problems with the same thinking we used when we created them” – Albert Einstein
  • “Change is hard at first, messy in the middle and gorgeous at the end.” – Robin Sharma
  • “Change is the law of life. And those who look only to the past or present are certain to miss the future” – John F. Kennedy

A 100,000-Foot Level Summary Of Legal Human Identity

  • Each person, when they’re born, has their legal identity data plus their forensic biometrics (fingerprints, and later when they can keep their eyes open, their iris) entered into a new age CRVS system (Civil Registration Vital Statistics - birth, name/gender change, marriage/divorce and death registry) with data standards
  • The CRVS writes to an external database, one per person, the identity data plus their forensic biometrics, called a SOLICT (“Source of Legal Identity & Credential Truth”). The person now controls this
  • As well, the CRVS also writes to the SOLICT legal identity relationships, e.g. child/parent, cryptographically linking the SOLICTs. So Jane Doe and her son John will have cryptographic, digitally signed links showing their parent/child relationship. The same methodology can be used for power of attorney/person, executor of estate/deceased, etc.
  • The SOLICT in turn pushes the information out to four different types of LSSI Devices (“Legal Self-Sovereign Identity”): physical ID card, digital legal identity app, biometrically tied physical wristband containing identity information, or a chip inserted into each person
  • The person is now able, with their consent, to release legal identity information about themselves. This ranges from being able to legally, anonymously prove they’re a human (and not a bot), above or below age of consent, Covid vaccinated, etc. It also means they can, at their discretion, release portions of their identity like gender, first name, legal name, address, etc.
  • NOTE: All consents granted by the person are stored in their SOLICT
  • Consent management for each person will be managed by their PIAM (“Personal Identity Access Management”) system. This is AI leveraged, allowing the person, at their discretion, to automatically create consent legal agreements on the fly
  • It works both locally and globally, physically and digitally, anywhere on the planet
  • AI systems/bots are also registered, where risk requires it, in the new age CRVS system
  • Governance and continual threat assessment is done by a new, global, independent non-profit funded by a very small charge per CRVS event to a jurisdiction, up to a maximum yearly amount.
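The "cryptographically linking the SOLICTs" step above is the one a relying party actually has to check, so here is an added example of what that link and its verification could look like. This is illustrative code written for this page, not the author's SOLICT/CRVS implementation; it assumes Ed25519 signatures, a JSON record as the signed canonical form, and constructed identifiers (`crvs:example-jurisdiction`, `solict:jane-doe`, `solict:john-doe`) that exist only in this example. The verifier checks two things: that the CRVS signature is valid, and that the record asserts the exact parent/child pairing being relied on, so a genuine record cannot be reused for a different pairing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// RelationshipLink is a hypothetical record a CRVS signs to attest one legal
// relationship between two SOLICTs. The field set is an assumption for this
// example, not the author's specification.
type RelationshipLink struct {
	Issuer   string `json:"issuer"`    // CRVS of the issuing jurisdiction (constructed id)
	Subject  string `json:"subject"`   // SOLICT id of the party holding the relation (the parent)
	Related  string `json:"related"`   // SOLICT id of the other party (the child)
	Relation string `json:"relation"`  // relation type, e.g. "parent_of"
	IssuedAt string `json:"issued_at"` // RFC 3339 timestamp
}

// SignedLink is the record plus the CRVS signature over its canonical bytes.
type SignedLink struct {
	Link      RelationshipLink
	Signature []byte
}

// canonical returns the exact bytes that are signed and later verified.
// encoding/json emits struct fields in declaration order, so issuer and
// verifier derive the same bytes from the same record.
func canonical(l RelationshipLink) ([]byte, error) {
	return json.Marshal(l)
}

// IssueLink is the CRVS side: sign the record with the registry's private key.
func IssueLink(crvsPriv ed25519.PrivateKey, l RelationshipLink) (SignedLink, error) {
	msg, err := canonical(l)
	if err != nil {
		return SignedLink{}, err
	}
	return SignedLink{Link: l, Signature: ed25519.Sign(crvsPriv, msg)}, nil
}

// VerifyLink is the relying-party side (a school, a bank, a PIAM). It needs the
// CRVS public key obtained out of band, checks the signature, and then checks
// that the record asserts the specific pairing the caller wants to rely on, so a
// genuine-but-unrelated record, or one with the parties swapped, is rejected.
func VerifyLink(crvsPub ed25519.PublicKey, s SignedLink, parentID, childID string) error {
	msg, err := canonical(s.Link)
	if err != nil {
		return err
	}
	if !ed25519.Verify(crvsPub, msg, s.Signature) {
		return errors.New("signature invalid: record altered or not issued by this CRVS")
	}
	if s.Link.Relation != "parent_of" || s.Link.Subject != parentID || s.Link.Related != childID {
		return errors.New("signature valid, but record does not assert this parent/child pairing")
	}
	return nil
}

// Scenario runs the Jane Doe / John example with constructed identifiers. It
// reports whether the genuine link verifies and whether a copy edited after
// issuance (signature kept, child field changed) is rejected.
func Scenario() (genuineOK bool, tamperedRejected bool, err error) {
	crvsPub, crvsPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	link := RelationshipLink{
		Issuer:   "crvs:example-jurisdiction", // constructed
		Subject:  "solict:jane-doe",           // constructed
		Related:  "solict:john-doe",           // constructed
		Relation: "parent_of",
		IssuedAt: "2024-09-20T00:00:00Z",
	}
	signed, err := IssueLink(crvsPriv, link)
	if err != nil {
		return false, false, err
	}
	genuineOK = VerifyLink(crvsPub, signed, "solict:jane-doe", "solict:john-doe") == nil

	forged := signed // struct copy; the original signature travels with it
	forged.Link.Related = "solict:someone-else"
	tamperedRejected = VerifyLink(crvsPub, forged, "solict:jane-doe", "solict:someone-else") != nil
	return genuineOK, tamperedRejected, nil
}

func main() {
	ok, rejected, err := Scenario()
	fmt.Printf("genuine link verifies: %v; tampered link rejected: %v; err: %v\n", ok, rejected, err)
}
```

The design point a practitioner should take from this is that the signature alone proves only that the CRVS issued some record; the pairing check is what ties that record to the relationship being relied on, and the CRVS public key has to come from a trusted channel, not from the record itself.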

A 100,000-Foot Level Summary Of The Learning Vision:

  • When the learner is a toddler, with their parents’ consent, they’ll be assessed by a physical bot for their learning abilities. This will include sight, sound, hearing and smell, as well as hand-eye coordination, how they work or don’t work with others, and learning abilities, all leveraging biometric and behavioral data
  • All consents given on behalf of the learner or, later in the learner’s life, by the learner themselves, are stored in the learner’s SOLICT (“Source of Legal Identity & Credential Truth”)
  • This is fed into a DLT (“Digital Learning Twin”), which is created and legally bound to the learner
  • The DLT then produces its first IEP (“Individualized Education Plan”) for the learner
  • The parents take home with them a learning assistant bot to assist the learner, each day, in learning. The bot updates the DLT, which in turn continually refines the learner’s IEP
  • All learning data from the learner is stored in their LDV “Learner Data Vault”
  • When the learner’s first day of school comes, the parents prove the learner and their identities and legal relationship with the learner, via their LSSI devices (Legal Self-Sovereign Identity)
  • With their consent, they approve how the learner’s identity information will be used not only within the school, but also in AI/AR/VR learning environments
  • As well, the parents give their consent for the learner’s DLT, IEP and learning assistant bot to be used, via their PIAM (Personal Identity Access Management) and the learner’s PIAM
  • The school’s LMS (“Learning Management System”) instantly takes the legal consent agreements, plus the learner’s identity and learning information, and integrates this with the school’s learning systems
  • From the first day, each learner is delivered a customized learning program, continually updated by both human and AI system/bot learning specialists, as well as sensors, learning assessments, etc.
  • All learner data collected in the school, is stored in the learner’s LDV
  • If the learner enters any AI/AR/VR type learning environment, consent agreements are created instantly on the fly with the learner, school, school districts, learning specialists, etc.
  • These specify how the learner will be identified, learning data use, storage, deletion, etc.
  • When the learner acquires learning credentials, these are digitally signed by the authoritative learning authority, and written to the learner’s SOLICT.
  • The SOLICT in turn pushes these out to the learner’s LSSI devices
  • The learner is now in control of their learning credentials
  • When the learner graduates, they’ll be able, with their consent, to offer use of their DLT, IEP and LDV to employers, post-secondary institutions, etc. This significantly reduces the time and cost to train or help the learner learn
  • The learner continually leverages their DLT/IEP/LDV until they die, i.e., it’s a lifelong learning system
  • IT’S TRANSFORMATIONAL OVER TIME, NOT OVERNIGHT


Michael H.

Managing Director @ Montforte Security | CISSP

10 months

As emerging technologies like IoT, bots, and digital identities continue to evolve, they introduce unique security challenges that may not be adequately addressed by traditional security models. The concept of 'hives,' where complex AI systems interconnect, is becoming increasingly important for developing effective security strategies. This necessitates a rapid reevaluation and potentially a complete overhaul of existing security architectures and access paradigms. Looking at the longer-term perspective, the replacement of strategic leadership roles such as CISOs hinges on the development of advanced Artificial General Intelligence (AGI). While we are still years away from AGI attaining the level of cognition required for such roles, the predictions about the advent of AGI are constantly being updated.

John C. Poyser

Sr. Director @ Codezero Technologies Inc. | Enterprise Architecture, Customer Success Expert

11 months

Great post Guy Huntington
