Generative AI in the Real World
Generative AI in the Real World: Chloé Messdaghi on AI Security, Policy, and Regulation

Chloé Messdaghi and Ben Lorica discuss AI security—a subject of increasing importance as AI-driven applications roll out into the real world. There’s a knowledge gap: Security workers don’t understand AI, and AI developers don’t understand security. Be aware of all the resources that are available; we expect to see AI security certifications and training in the coming year. And make sure to bring everyone in the organization together to develop AI security policies and playbooks, including AI developers and experts.

Check out other episodes of this podcast or the full-length version of this episode on the O’Reilly learning platform.

About the Generative AI in the Real World podcast: In 2023, ChatGPT put AI on everyone’s agenda. In 2025, the challenge will be turning those agendas into reality. In Generative AI in the Real World, Ben Lorica interviews leaders who are building with AI. Learn from their experience to help put AI to work in your enterprise.

Timestamps

  • 0:00: Introduction
  • 0:24: How does AI security differ from traditional cybersecurity?
  • 0:44: AI is a black box. We don’t have transparency or explainability. Transparency shows how AI works and explainability shows how it makes decisions. Black boxes are hard to secure.
  • 2:12: There’s a huge knowledge gap. Companies aren’t doing what is needed.
  • 2:24: When you talk to executives, do you distinguish between traditional AI and ML and the new generative AI models?
  • 2:43: We talk about older models as well. But it’s as much about “What am I supposed to do?” We’ve had AI for a while, but for some time, security has not been part of that conversation.
  • 3:26: Where do security folks go to learn how to secure AI? There are no certifications. We’re playing a massive catch-up game.
  • 3:53: What’s the state of awareness about incident response strategies for AI? 
  • 4:15: Even in traditional cybersecurity, we’ve always had an issue of making sure incident response plans aren’t ad hoc or expired. A lot of it is being aware of all the technologies and products that the company has been using. It’s hard to protect if you don’t know everything in your environment.
  • 5:19: The AI Threat Landscape report found that 77% of the companies reported breaches in their AI systems.
  • 5:40: Last year, a statistic came out about the adoption of AI-related cybersecurity measures. For North America, 70% of the organizations said they did one or two out of five security measures. 24% adopted two to four measures. 
  • 6:35: What are some of the first things I should be thinking about to update my incident response playbook?
  • 6:51: Make sure you have all the right people in the room. We still have issues with department silos. CISOs can be dismissed or not even in the room when it comes to decisions. There are concerns about restricting innovation or product launch dates. You have to ensure that you have CTOs, data scientists, ML developers, and all the right people to ensure that there is safety and that everyone has taken precautions.
  • 7:48: For companies with a mature cybersecurity incident playbook that they want to update for AI: What AI brings is that you have to include more people. 
  • 8:17: You have to realize that there is an AI knowledge gap, and that there is insufficient security training for data scientists and training. Security folks don’t know where to turn for education. There aren’t a lot of courses or programs out there. We will see a lot of that develop this year.
  • 9:16: It’s important to be aware of everything related to AI. We should have more conversations about AI ethics. It’s important to take a look at the bipartisan US House AI Task Force Report. 
  • 10:25: Globally, I recommend checking out the OECD AI policy hub. There’s also the World Economic Forum Presidio AI Framework. And check out OWASP, MITRE ATLAS, DASF, and the NIST AI Framework.