EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Stronger armor: A three-pronged approach to technology, governance and operations
Given the competitive pressure on AI adoption, organizations must not allow cybersecurity governance to become a barrier to progress. Instead, the function needs new approaches to support responsible acceleration.
To nurture a cyber-secure workforce, the function needs visibility into how AI tools are being used across the business, which requires a three-pronged approach centered on technology, governance and operations.
On the technology front, security and network companies are already developing solutions that enable cyber teams to detect when certain AI services are being used, track data flow and lineage, and automate compliance through common controls and tests. Others are leveraging data already in an organization’s network to monitor activity, such as documents that are being uploaded or prompts used in a ChatGPT function. AI is also increasingly embedded in incident management processes. But technology is supplemental to a deeper evaluation of a company’s risk profile.
Cybersecurity policy should focus on threat modeling from the outset, including an inventory of third- and fourth-party AI services, from the architecture and service itself to the integrations and APIs required. Modeling these threats in aggregate allows organizations to quantify and spot risk and informs the design of appropriate controls. Organizations also need to define the procedures for ensuring data protection and privacy provisions in the development of AI models and be accountable for the outputs of their algorithms. This should include not just compliance requirements but ethical considerations.