When cybersecurity teams reflexively block emerging technologies, they inadvertently drive employee behavior underground, creating unmanageable "shadow" risks that ultimately cost organizations dearly. This was the central, provocative thesis presented by Jeff Crume, a Distinguished Engineer at IBM, in a recent commentary on the escalating challenges posed by Shadow AI, Bring Your Own Device (BYOD), and cloud tools. Crume emphatically argued that a prohibitory stance not only stifles innovation but actively cultivates a more perilous security landscape.
Crume opened with a powerful analogy, likening security controls to the brakes on a car. "Why do you put brakes on a car? So you can stop? No. So you can go really fast," he asserted, explaining that robust security should be an enabler, not an inhibitor. He cautioned that if security acts as a constant "parking brake," business units will inevitably find ways to bypass it, leading to unmonitored and uncontrolled practices. This dynamic, Crume stressed, is a historical pattern, repeating itself with each new wave of technology.
The IBM expert traced this cycle through several technological eras. Early bans on personal devices, for instance, led employees to reach corporate networks from their own, often insecure, laptops through remote-control software, introducing unvetted vulnerabilities. Similarly, when companies deemed mobile phones too insecure for corporate email, users simply forwarded their work email to public services like Gmail, creating shadow data stores beyond organizational control. The same pattern emerged with Bring Your Own Wireless (BYOW) and Bring Your Own Internet (BYOI), where employees bypassed restrictions by setting up personal Wi-Fi hotspots or using dial-up modems to bridge internal networks to the public internet, effectively turning their corporate devices into unmanaged routers.
This historical trajectory, Crume highlighted, is now manifesting acutely with "Bring Your Own AI," or Shadow AI. Organizations, fearing data leakage and intellectual property exposure, are often quick to block access to public large language models (LLMs) and generative AI tools. However, Crume warned, employees, driven by efficiency and curiosity, will find ways to use these tools regardless. "You can block it at the firewall, I've got a mobile device, I'll just access it from that," he stated, illustrating the futility of blanket prohibitions.
Shadow AI presents a particularly insidious threat. When employees paste sensitive corporate data into public AI models, that data leaves the organization's control: depending on the provider's terms, prompts may be retained, reviewed by humans, or used to train future models, and once submitted it cannot be recalled. The financial implications are stark. According to the IBM Cost of a Data Breach Report 2025, the average cost of a data breach in the US exceeded $10 million, and breaches in which Shadow AI was involved cost on average more than $670,000 more than those in which it was not.
To mitigate these risks, Crume advocated for a proactive, enabling approach. He outlined four key strategies: First, organizations must **assess the full risk picture**, moving beyond fear and uncertainty to understand the actual threats and opportunities. Second, **find vetted alternatives**; instead of banning, provide employees with approved, secure versions of the tools they need, whether it's a sanctioned cloud storage solution or a private, in-house AI platform. Third, **train users** to understand the risks associated with unsanctioned tools and the benefits of approved alternatives. Finally, **implement discovery mechanisms** to actively identify and monitor shadow IT, AI, and data within the environment, ensuring everything operates above board.
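The fourth strategy, discovery, is the one that can be started from data most organizations already have. The following script is an added example, not code from IBM or from Crume: it runs over a handful of constructed web-proxy log lines and reports, per user, which public generative-AI services were contacted, how many requests were uploads (POST or PUT), and how many of those were large enough to be a file rather than a typed prompt. The log format, the sanctioned host `ai.corp.example`, the list of public AI domains and the 1 MiB upload threshold are all assumptions chosen for illustration.

```python
"""Discover unsanctioned generative-AI traffic in web-proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# Hypothetical allow-list: the organization's sanctioned, in-house AI platform.
SANCTIONED_AI_HOSTS = {"ai.corp.example"}

# Public generative-AI services to watch for (illustrative, not exhaustive).
PUBLIC_AI_SUFFIXES = (
    "openai.com", "chatgpt.com", "anthropic.com", "claude.ai",
    "gemini.google.com", "perplexity.ai", "huggingface.co",
)

# A POST this large is more likely an uploaded document than a typed prompt.
LARGE_UPLOAD_BYTES = 1 << 20  # 1 MiB (assumed threshold)

# Constructed sample lines in an assumed Squid-like format:
#   timestamp client_ip user method url status bytes_sent_by_client
SAMPLE_LOG = """\
1718000001 10.1.2.3 alice POST https://chatgpt.com/backend-api/conversation 200 52318
1718000002 10.1.2.4 bob GET https://ai.corp.example/chat 200 811
1718000003 10.1.2.3 alice GET https://www.example.com/ 200 4410
1718000004 10.1.2.9 carol POST https://api.openai.com/v1/chat/completions 200 1933
1718000005 10.1.2.9 carol POST https://api.openai.com/v1/files 200 2090444
1718000006 10.1.2.5 dave GET https://huggingface.co/models 200 9920
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes_out>\d+)$"
)


def classify_host(host):
    """Return 'sanctioned', 'public_ai', or None for a hostname.

    Suffix matching requires a dot boundary, so 'notopenai.com' does not match.
    """
    host = host.lower().rstrip(".")
    if host in SANCTIONED_AI_HOSTS:
        return "sanctioned"
    for suffix in PUBLIC_AI_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "public_ai"
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def discover(log_text):
    """Aggregate public-AI traffic per user; sanctioned and unrelated hosts are skipped."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or classify_host(rec["host"]) != "public_ai":
            continue
        entry = report.setdefault(rec["user"], {
            "hosts": set(), "requests": 0, "uploads": 0,
            "large_uploads": 0, "bytes_out": 0,
        })
        entry["hosts"].add(rec["host"])
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        if rec["method"] in ("POST", "PUT"):  # data is leaving the network
            entry["uploads"] += 1
            if rec["bytes_out"] >= LARGE_UPLOAD_BYTES:
                entry["large_uploads"] += 1
    return report


if __name__ == "__main__":
    for user, e in sorted(discover(SAMPLE_LOG).items()):
        print(f"{user}: {sorted(e['hosts'])} requests={e['requests']} "
              f"uploads={e['uploads']} large_uploads={e['large_uploads']} "
              f"bytes_out={e['bytes_out']}")
```

On the sample data, bob disappears from the report because his traffic went to the sanctioned platform, while carol's second request stands out as a large upload to a public API. The blind spot is the one Crume names: a proxy only sees traffic from managed devices on the corporate network, so a user on a personal phone never appears here. Proxy-log discovery should therefore be paired with DNS telemetry, a CASB, or endpoint agents, and with the vetted alternative that gives people a reason to stay on the sanctioned path.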
Ultimately, Crume’s message to security leaders and business executives is a call to strategic engagement rather than outright denial. By understanding the inherent drive for innovation and providing secure, sanctioned pathways for technology adoption, organizations can transform security from a barrier into a powerful enabler, safeguarding their assets while fostering a culture of informed progress.

