GenAI Security in the age of sacrificial CISOs: How to demonstrate due-diligence with PAIG

No dilly-dallying on due-diligence – that’s a mouthful, but an important lesson for security leaders. Gone are the days when regulators would “punish” the lukewarm, slow-walking, opaque responses to cyber incidents with a soft rap on the knuckles. Case in point, the criminal conviction of Uber CISO, a first of its kind where they barely avoided jail time. Or the more recent SEC charges against the SolrWinds CISO. People and businesses are losing their privacy in breaches, regulators and prosecutors are losing their patience, and so begins the era of real personal liability for the InfoSec leaders. GenAI and LLM have the capacity to make it… well, a lot worse.

Cyberattacks, ransomwares, social engineering, phishing attacks are on the exponential rise year on year. In addition, the rise and rise of CVE volumes are seemingly competing with NVIDIA stock [hope this ages well]. And even when leaders do everything right, trusted vendors like SolarWinds might just become a perfect vector for an attack. CISOs are stretched too thin and can’t seem to catch a break.

As an InfoSec leader, it seems like there is a real risk of being a Sacrificial CISO – tasked with untenable mandates, very little budget, and all of the blame if things go south. The formative security landscape of GenAI makes this even worse. But not all is lost – let us break down how CISOs can navigate GenAI security confidently and how Privacera AI Governance (PAIG) can help establish a strong trail of their due-diligence efforts while providing a firewall around GenAI applications. 

Due-diligence, a popular term in InfoSec world, is a legal test, which sets the onus on the responsible leader (GRC lead, CISO, privacy leaders etc.) to demonstrate that they were aware of the applicable security, compliance & regulatory requirements and ensured, like any prudent man would, that the governance and operations satisfied those requirements via due care efforts.

To drill down further, on a high level, a prudent InfoSec leader will have to ensure the following:

• Observability: To “know” where and what our information assets, specially crown jewels are – such as intellectual property, sensitive business and personal data, business critical applications and systems etc. and eliminate data sprawl and dark data
• Governance and Compliance: To actually stay on the right side of internal and external (regulatory, contractual) requirements. Tying the InfoSec governance to applicable benchmarks, regulations, frameworks, and standards such as NIST publications, PCI DSS, ISO, GDPR, SOX etc. is a great way to do this.
• Due-Diligence: The buck stops at due-diligence. The above two points are a part of the due-diligence process. Another equally important part is to be able to “demonstrate” due-diligence by ensuring policies, procedures, guidelines etc. are followed properly and can be showcased via an immutable audit trail.

So far so good, this is all well-known. So what has this got to do with GenAI? Well, when all businesses seem to be racing to be early adopters of AI based applications, CISOs are finding that old security playbooks don’t really apply as well to GenAI and LLMs. Some roadblocks stand out like as sore thumb:

• Lack of observability: LLM and GenAI apps are often a black box.
• Risk Exposure
  • Sensitive, production data sources linked with GenAI apps via the process called Retrieval Augmented Generation (RAG), often contain sensitive data which increases the risk of data leak, malicious exposure via prompt engineering etc.
• Incipient standards, regulations, and compliance structures
  • Although standards and frameworks such as OWASP top 10, EU AI Law, ISO 42001, AI executive order are becoming available, it is still early days in regulatory landscape and such efforts may often not be cost justifiable for several GenAI projects
• Data residency, privacy, contract clauses, acceptable use policies etc.
• Lack of security testing methodologies and test coverage
• Lack of clear trust-boundaries

The good news is that Privacera, an industry leader in data observability, security and governance solutions, brings its extensive data governance expertise to the GenAI applications with its latest offering PAIG (Privacera AI Governance). PAIG checks off all three major pillars in establishing due-diligence efforts – observability, governance and compliance. Key features include:

• Vector DB Observability and Protection
  • Real-time scanning for sensitive data.
  • Granular permissions and access control, with ability to replicate source system policies
  • Tagging training data with over 160 classifications. This helps identify regulatory and privacy implications and shines a light on dark data that may otherwise slip through the cracks.
• Prompt and Response Filtering
  • Real-time scanning of user prompts, and LLM responses to identify sensitive data
  • Redact/de-identify detected sensitive data,Scales automatically to handle varying number concurrent conversations on-demand
• Configurable access control
  • Allow/deny rules based on various attributes such as user identity, governance policies, tag type etc.
• Continuous Monitoring and Audit
  • Records the audit trail of all model usage including prompts and responses.
  • Capture any attempts at prompt engineering attacks, injections, leaks etc.
  • Capture all events that triggered filtering rules resulting in masked output for analysis
  • Records several other aspects and metadata to enable observability and fine-tune policies such as user behavior, analytics etc.
• Defense in Depth
  • Provides an added layer of protection by functioning as an application layer LLM firewall

If you find yourself evaluating the risk of GenAI projects at your organization, PAIG is what you need to rest easy while the product teams tinker with LLMs and your sensitive data stores.

To summarize, in the age of ever increasing cyber threats and attacks, CISOs & security leaders are being held accountable and even personally liable for security breaches and lacking response efforts. The scorching pace of GenAI application deployments are making this worse, by bypassing existing but often inapplicable security controls, and dramatically increasing the attack surface. So if you are a Security, Privacy or GRC Lead worried about the risk and liability exposure introduced by GenAI applications, PAIG helps you discover, observe, protect and govern usage of your prized sensitive data which could otherwise be exposed by GenAI applications deployed without appropriate security guardrails. PAIG helps InfoSec leaders demonstrate their due-diligence efforts and reduces liability exposure by protecting against cyberattacks targeting LLMs and GenAI applications.

The road forward

And last but not the least, the best part of it all is that in the spirit of openness and community driven approach, Privacera is making PAIG open source. So ask yourself – If it costs nothing to deploy, what do I have to lose? (well, maybe a lot if you do not use PAIG). Try it out for free today at paig.ai or reach out to us if you’d like us to help you try it out.