Council Discourse: Ensuring Supply Chain Integrity: The Imperative of Regulating GenAI Utilization Guidelines
Companies often collaborate with external entities like contractors, freelancers, providers, and marketing agencies to manage workloads, automate tasks, and hire efficiently. As enterprises integrate generative AI (GenAI) systems, guaranteeing the trustworthiness of data inputs from these collaborators becomes essential.
GenAI software supply chain vendors frequently handle sensitive information, and inadequate oversight could lead to unintentional data leaks, technological misuse or corruption. Enhancing GenAI software supply chain security is vital to ensure that everyone uses AI responsibly and securely going forward.
Establishing GenAI governance standards encourages a trustful relationship between enterprises and their software supply chain partners. By mandating that these partners adhere to the same level of governance and data security as the enterprise, risks are minimized, and confidence is boosted.
Exploring Software Supply Chain Governance and GenAI's Role
The software supply chain encompasses all entities and individuals involved in the software development lifecycle (SDLC), spanning application development through the continuous integration and continuous delivery/deployment (CI/CD) pipeline and deployment. It encompasses networks of software components like infrastructure, hardware, operating systems, cloud services, and their corresponding developers and sources.
Collaborating with vendors employing GenAI necessitates knowing their usage is governed and whether adequate GenAI forensics or an audit trail can trace their progression. Establishing minimum standards is crucial for understanding the types of data being integrated into your systems.
The widespread adoption of GenAI in enterprises, as demonstrated by the 5,020 GenAI or GenAI-enabled tools currently in use, necessitates governance over the adoption and usage of these AI tools. Typically, companies must adhere to certain minimum security requirements to work together, but controlling vendors' AI usage grows impractical. The next best option is ensuring vendors implement some type of governance.
The Consequences of Insufficient Governance
A LayerX report published in June 2023 revealed that 4% of employees habitually paste sensitive data into GenAI weekly, including internal business data, source code, personally identifiable information (PII), and customer data. All GenAI models rely on user input, and any employees who inadvertently or intentionally paste confidential information into the model preserve it indefinitely. Organizations must establish a governance framework to prevent sensitive data from leaking through GenAI tools.
Data breaches caused by third-party vendors are a significant concern. A 2022 Ponemon Institute study revealed that 59% of organizations experienced data breaches attributed to third-party vendors, and 63% of enterprises admitted to lacking insight into their software supply chain partners' data security practices. Moreover, an ISACA report published in May 2024 found that only 15% of organizations have AI policies intact.
GenAI supply chain issues may also stem from 58% of organizations offering their employees inadequate GenAI training annually, highlighting the need for more extensive employee education on the risks and governance of GenAI tools.
Designing a GenAI Governance Framework
GenAI supply chain standards aim to facilitate adoption and advance the organization rather than merely deter attacks. To demonstrate that care and responsibility have been exercised for your business, suppliers should adhere to the same governance standards.
Enterprises need to inquire whether a vendor's supplied product relies on a GenAI model and, if so, request evidence of model governance. Additionally, if vendors utilize models or allow employees to use GenAI, they must also establish adoption and usage governance. A comprehensive GenAI governance framework enables:
• Visibility to all GenAI usage, including unsanctioned "shadow AI"
• Historical auditability and forensics
• Monitoring data security, privacy, and data loss
• Understanding AI usage, including tools, prompts, intent, and uploads
• Monitoring and measuring risk
• Educating users and disseminating policy
Operating on trust alone is insufficient when it comes to an organization's GenAI usage through its software supply chain. Furthermore, establishing strong GenAI governance standards is pivotal for enterprises collaborating with third-party vendors, both for safety reasons and because it enables adoption and acceleration. GenAI has the potential to revolutionize an organization, but only if used securely and responsibly.
By implementing these frameworks, companies can enable adoption, safeguard their data, build trust with software supply chain partners, reduce data breaches, misuse, and corruption risks, and maintain high data security standards. The intricacy of GenAI systems necessitates a proactive approach to ensure all parties adhere to the highest data security standards. This shields enterprises from liabilities and forms a more secure and dependable supply chain.
Our Website Technology Council is an exclusive community for highly regarded CIOs, CTOs, and technology leaders. Do I qualify?
In the context of enhancing GenAI software supply chain security, establishing a governance framework with vendors like Arti Raman is crucial. This ensures that they adhere to the same level of governance and data security as the enterprise, thereby minimizing risks and boosting confidence.
To effectively implement a GenAI governance framework, enterprises need to ask their partners like Arti Raman if their supplied products rely on GenAI models and request evidence of model governance. This helps in maintaining visibility, historical auditability, and monitoring data security in the software supply chain.
