Navigating the Intersection of AI: Acceptable Use Policies, Data Security, and SDLC
Source: McKonly & Asbury
By now, most companies have implemented an artificial intelligence (AI) acceptable use policy. However, there are other policies that can be affected by AI, including data security/data governance and software development life cycle (SDLC). This article will outline these three policies, including their purpose and importance, as they relate to AI usage.
Acceptable Use Policies
The purpose of an acceptable use policy for AI is to provide a framework to ensure responsible and ethical use of this tool within an organization. Implementing an acceptable use policy is important when an organization uses AI, to make sure its data is secure.
Key considerations related to AI in Acceptable Use Policies:
- Request/Review/Approval process for new AI tools or use cases
- List of approved generative AI tools
- Guidance on authorized data sets – all data should be anonymized
- Restrictions on data that cannot be used for model training purposes
- Guidance on the limitations of AI
- Restriction on automated decision making and ethics considerations
- Prohibited Uses – respect copyright, licensing, and intellectual property
Data Security and Data Governance
Data security in AI applications is crucial for any industry, especially finance and healthcare. These industries need to be extra cautious when inputting their data into AI because doing so can raise serious concerns under regulations like the Health Insurance Portability and Accountability Act (HIPAA), Electronic Communications Privacy Act (ECPA), and Family Educational Rights and Privacy Act (FERPA).
Key considerations related to AI in data security and data governance:
- Encryption is a good practice when securing data in AI applications. It makes the data unreadable to outside users who do not hold the decryption key.
- When possible, isolate AI applications by using a dedicated local (on-premises) instance as opposed to a shared cloud service, such as ChatGPT.
- Access control and authentication can require people who want to view information to request permission from someone higher up in the organization, so that no outside party can access information without the organization knowing.
Impacts on the SDLC
The SDLC is a structured process that is used to design, develop, and test good-quality software. As AI continues to improve, it can change software development in positive ways.
Key considerations related to using AI in SDLC Guidelines:
- Data and data governance
  - Ensure data set quality through training, data sets validation and testing, data design, and collection documentation
- Record keeping
  - Enact automatic recording of events (logs)
  - Enforce log standardization and specifications
- Transparency conformity assessment procedure
  - Ensure reperformance of system output and uses
- Accuracy, robustness, and cybersecurity
  - Ensure processing integrity and consistency, along with security
- Technical documentation
  - Documentation must be sufficient to allow auditors or government authorities to assess compliance
As the integration of AI continues to increase, guidelines for AI and its uses are critical to keeping data secure. AI is widespread across the globe and will continue to become a part of every organization.