In an age of free-flowing data, is truly sovereignAI achievable?
Discover how organisations can adopt AI securely while protecting sovereignty, governance and compliance in an increasingly complex digital landscape.
In the space of just a few years, AI has moved from the realms of science fiction to the forefront of many organisations' digital transformation strategies. But when global bad actors will seize on any opportunity to access enterprise infrastructure, it is essential that in the rush to train the new algorithms and unlock all the promised benefits, we do not put our sensitive data at risk.
We've spoken before about the increasing importance of true data sovereignty, and maintaining full control and visibility over how our data is stored, managed, and utilised. As AI adoption is increasingly widespread - from content creation to data analysis, customer contact, and digital pathology, such concerns will only increase, and so it is essential that we establish a clear understanding of how the security and sovereignty of our critical data will be impacted.
However, standing still is not an option. Many organisations are falling foul of 'shadow AI', where employees' ill-informed use of public AI platforms at work has impacted the security and sovereignty of their sensitive data. Indeed, in April 2024, a survey of CISOs found that one in five UK organisations had their sensitive data exposed by employees' use of GenAI, with 75% of respondents considering such platforms a greater security risk than external threats1.
To complicate matters, there is still a severe lack of transparency around how GenAI companies utilise users' data to train their models, and no guarantee that they will take organisations' security and compliance practices into account as the race for industry dominance continues. GenAI providers are corporations and have their own interests firmly at heart. In other words, once your employees have allowed a platform access to your data - however well-intentioned the application may be, you have no way of knowing how it will then be utilised, or even whether it will remain within your region.
These concerns are exacerbated by over-reaching regulations such as the US Cloud Act (2018), which all US-based firms are subject to, requiring them to grant the Government access to their data on request, regardless of where their physical servers are located. This, of course, creates considerable risk of conflict with data protection regulations, such as the GDPR, and undermines the sovereignty of organisations' critical data. In a worst-case scenario, this may lead to costly fines and reputational damage if organisations are found to have inadvertently breached their compliance with applicable data protection regulations.
So, whether you are planning on embedding AI at scale or using a softer touch, a clear strategy around AI and data security and governance, at both the micro and macro levels, must be established and documented. This should then inform everything from large-scale technology investments to day-to-day working practices, with designated individuals responsible for ensuring these standards are adhered to and regular training provided to employees to ensure they understand their individual responsibilities.
Taking these principles to their logical conclusion, there's a strong case to be made for bringing AI to your data, rather than the other way round. Instead of putting your trust in a single provider, who may not share or be able to accommodate your security and sovereignty goals, you should establish your own 'toolbox' of solutions that have been designed with specific data protection practices in mind or even developing them in-house if they do not currently exist.
While work still needs to be done establishing clear standards of best practice around AI's implementation across enterprise environments, I would anticipate that this will soon become non-negotiable for GenAI providers, as organisations must contend with increasingly stringent compliance obligations (particularly those operating within the CNI sectors) and end users demand reassurance that the integrity of their data will be maintained. If providers are willing and able to collaborate with their end users to this end, we will not only see an increase uptake of these technologies but also ensure the UK's critical data will remain secure in an increasingly turbulent geopolitical landscape.
Ultimately, the message is clear - do not leave any of this to chance. For this reason, Exponential-e offers a suite of hands-on workshops, where our experts will work closely to establish how and where AI can offer the most benefit to your organisation, determine your current level of AI maturity, and develop an effective roadmap for its implementation - all while maintaining the most rigorous security, governance, and compliance.
