The IT world has a tendency to repeat itself in terms of the mistakes it makes scrambling to adopt the latest technology innovations. The best current example of this is the rush we have seen in the last year to adopt generative AI (GenAI) tools, which was kicked off by the popularity of ChatGPT. The proliferation of new GenAI applications parallels what we witnessed with SAAS. Organizations rushed to migrate applications from their datacenters into cloud environments and only started to worry about their security (and performance) as an afterthought.

Zscaler recently commissioned research titled “All eyes on securing GenAI“ to uncover how today’s enterprises are utilizing GenAI tools, the security implications of this rapid adoption, and the ways in which intellectual property and customer data is being protected along the way. The findings, which represent the responses of 900 IT leaders across 10 global markets, suggest that organizations are feeling the pressure to rush into GenAI tool usage, despite significant security concerns.

Security concerns are dominating

According to our research, a staggering 95 percent of organizations are already using GenAI tools in some guise within their businesses. 57 percent of the IT leaders are allowing their use without restrictions and a little over a third (38 percent) are approaching their use with caution. The remaining 5 percent of the respondents answered that they are either holding back to see where the technology goes or have banned the tools’ use entirely.

Despite such high usage figures, however, a significant 89 percent of the surveyed IT leaders admit that their organization considers GenAI to be a potential security risk, and nearly half (48 percent) agreed that the threat may currently outweigh the opportunities these tools could unlock.

A majority of businesses are using GenAI tools

Given results like these, early GenAI adoption appears to be less of a calculated risk than we might like to believe. And in fact, organizations would be well advised to take both security and privacy concerns into consideration before they go any further. GenAI promises remarkable benefits in terms of productivity and creativity, so a complete ban on its use would place organizations at a substantial competitive disadvantage. From that perspective, it is encouraging to see that only a small minority is taking this route. But its adoption must be approached strategically, with a paramount focus on security to ensure responsible and safe utilization.

Where are security concerns coming from?

The top concerns listed for those organizations not using GenAI were the potential loss of sensitive data, a lack of understanding around its dangers and benefits, and a lack of resources to monitor its use. With 23 percent of the organizations who are using GenAI tools not monitoring this at all, it’s clear to see why this last point in particular was raised as a threat.

Organizations are not acting on the security concerns

When bringing in any new technology, it’s crucial to understand the unique security challenges it raises so that these don’t overshadow its potential. Failing to implement any additional GenAI-related security measures—which a third of the organizations using it admit to—is another risky move that could leave organizations vulnerable. And while 31 percent of that same group have included GenAI-specific solutions in their roadmap, intent is far less effective than action as the temporary tends to become the permanent.

With GenAI the primary security challenge lies in data leakage, underscoring the vital importance of robust data security measures. The first step organizations must take therefore is to have visibility of who is using what AI apps and then control the use. Once they have regained visibility, they can implement data protection measurements starting with data classification to prevent leakage. Astonishingly, only 46 percent of respondents expressed confidence in their organization having classified all its data based on its level of criticality. A further 44 percent have at least started to classify some of their data as a prerequisite to implement security measures. But that still leaves a big gulf to close.

Organizations must act now to regain control

IT needs to take control of GenAI use and security

With organizations appearing to be so unprepared to secure GenAI, you might speculate about what is forcing such a rapid adoption of the technology.

Surprisingly, the rollout pressure isn’t coming from where people might think. Despite mainstream awareness, it is not employees who appear to be the driving force behind current interest and usage – only 5 percent of respondents said it stemmed from this group. Nor is it business leads (21 percent). Instead, 59 percent of IT leaders said they were driving it themselves.

The situation, in this case, seems to be less about business “pressure” to introduce new technology and more about IT teams’ “desire” to keep up with technological innovation. If anything, with interest from business leaders still low, it would seem that GenAI has yet to bridge from being the playground of IT teams to a broader business enabler.

The fact that IT teams are behind early adoption should offer reassurance for both IT and business leaders. It means there is room to strategically temper the pace of GenAI adoption, giving IT enough time to establish a firm hold on its security measures before security and privacy risks turn into crises.

Implementing GenAI should be accompanied by a zero-trust solution like the Zscaler Zero Trust Exchange platform, ensuring comprehensive oversight and authority over the technology’s usage per user and application, and allowing organizations to maintain a secure and controlled environment. The following steps will allow IT teams to regain control of GenAI tools:

Conduct thorough security risk assessments for GenAI applications to understand and respond to security and privacy risks
Implement a holistic zero trust architecture to get visibility and authorize only approved GenAI applications and users
Establish a comprehensive logging system for tracking all GenAI prompts and responses
Enable zero trust-powered Data Loss Prevention measures to secure all GenAI activities and prevent data exfiltration

Whenever a new technology emerges, it brings both positive and negative use cases. Zscaler is pioneering zero trust solutions to unleash GenAI's massive potential safely and responsibly, just as we spearheaded secure cloud adoption. With Zscaler, boldly accelerate your generative AI revolution.