Are Unmanaged AI Identities Increasing Cyber Risk?
Expert Insights interviews Andy Thompson, Offensive Cybersecurity Research Evangelist at CyberArk.
AI identities are machine identities and should be secured as such, Andy Thompson, Offensive Cybersecurity Research Evangelist at CyberArk, tells Expert Insights.
We caught up with Thompson on this month’s episode of the Expert Insights Podcast. Read on for the highlights, and you can listen to the full conversation here.
Why It Matters: As businesses continue to adopt AI technologies, they could be increasing their cyber risk. As with traditional machine identities, threat actors can exploit AI identities to get a foothold within an organization.
- “Pandora’s box has been opened; once you’ve enabled the end user to use [AI tools]…it can be either a tool or a weapon.”
- “You have data poisoning, whether it be through log or prompt, and there is the jailbreaking aspect where you could get the AI model to do unintended actions, or expose unintended data. There are all sorts of ways that a threat actor could exploit an AI model.”
The Key Takeaway: There isn’t a one-size-fits-all approach to securing AI identities—different types of AI need different controls wrapped around them, Thompson says.
- “Prompt-based generative AI might require prompt filtering that can filter requests in a way that they’re safe to ingest and respond to. Whereas other sorts of AI tools that can be used for cybersecurity controls, for example, would require prompt filtering in a different way, to make sure that the data being ingested is accurate, so that we’re not seeing log poisoning.”
The Big Question: Whose responsibility is it to make sure that AI is safe—the developer, the security officer, or the end user? According to Thompson, it’s all of the above.
- “Everybody should be responsible for that—during creation, [developers should be] taking security as a core component of why it’s being built and how it’s being built.”
- “But at the same time, it should be a consideration of the people that are choosing to bring it into the organization […] Because what we’ve seen with just about any product on the market today is, it all boils down to how it was being implemented, installed, and configured. This isn’t just relating to AI, but across the board, 99% of all the data breaches are not necessarily caused by vulnerabilities and exploits, but by misconfigurations and human error.
- “I’m adamant about security being all through the entire lifecycle of the AI implementation.”
Where Is AI Identity Security Headed? The quick rollout and adoption of AI tools—particularly those being built into existing security products—is a concern that cybersecurity vendors need to address immediately, says Thompson.
- “AI has become the big buzzword of 2024, and everybody is bolting on chat bots or some level of AI into their existing product and portfolio. But my concern with that is that if they’re not developing it with the security mindset, they could be exposing these existing tools and platforms to more risk.”
- “Security ought to be the core foundation on which this initiative is built. And I don’t feel that all security vendors are necessarily doing that.”
Expert Insight: “AI is not a replacement for human action, and we currently shouldn’t just be explicitly trusting it.”
Final Advice: Thompson’s final piece of advice is for teams to take the best practices that they’ve already been using across their organization, and apply them to this new technology.
- “You’re already doing the right thing. The previous security controls and best practices that you’ve implemented are just as applicable in AI as they are in the traditional InfoSec landscape. So, things like making sure that these AI models don’t have more privileges than they ought to have, making sure that you’re filtering requests, and sanitizing your data.
- “You can’t singly rely on one product to solve all your woes, there’s no such thing as that silver bullet—these are the sorts of best practices that have been preached for years. And the great part about that is, they’re more relevant than ever.”