Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Move Fast and Break the Enterprise With AI

The tantalizing promise of true artificial intelligence, or at least decent machine learning, has whipped into a gallop large organizations not built for speed.

Michael Bargury, CTO & Co-Founder, Zenity

January 23, 2024

4 Min Read
Jockeys race four horses down a racetrack, crops raised
Source: Michael Turner via Alamy Stock Photo

COMMENTARY

Working for a large enterprise for many years often leaves you with a strong feeling that everything will forever stay the same. Sure, some things change, even drastically. There are ups and downs, reorgs on a regular cadence, and sometimes companies even reinvent and rejuvenate themselves like Satya Nadella's Microsoft did in recent years. But most things stay the same, and culture runs deep. There is an inherent unwillingness to change; after all, these are large, successful enterprises — why change?

Security professionals often reach a point in their careers where they look back and ask: Have we made any progress? Are organizations really more secure today than they were 20 years ago? Sure, the threat landscape is different, but so is the amount of money and, more importantly, mindshare being spent on security throughout the industry. Even with all of that, some things never change. We have evergreen sayings, like "developers don't care about security," "you can't secure the perimeter," "x is the new perimeter," and my personal (un)favorite, "users are the weakest link."

Securing a large enterprise means having to deal with the problems of a large enterprise, which, as stated above, has a basic unwillingness to change.

Until it does.

Changing at the Speed of AI

Enter artificial intelligence (AI). Emboldened by the technology's promise of changing all industries, large enterprises are mobilizing their AI initiatives at lightning speed. It's been incredible (and frightening) to see how fast Microsoft and others, including Salesforce, Google, and Amazon, have pushed AI directly into their core enterprise offerings. They do this despite knowing that AI has serious problems that no one can really solve yet, like alignment with human values and safety risks. They do this because their customers — the entire enterprise market — are eager to adopt the bleeding edge to get one up on their competition.

Whether you are an AI enthusiast or an AI skeptic doesn't matter at this point. The winds of change are blowing, and an opportunity has opened up in which enterprises are willing to risk their core competencies to reap the rewards of AI before their competitors do.

Breaking the Enterprise

The most significant advancement in enterprise AI is business Copilots. Every large Microsoft shop is looking into Microsoft 365 Copilot to seek fulfillment of the promise of a huge productivity boost. Google, AWS, and Salesforce have released their own versions: Duet AI, Amazon Q, and Einstein, respectively. They're doing this because they see a huge value to be gained. This idea of a Copilot also completely breaks key assumptions about how an enterprise operates.

  • Breaking permissions. To service my requests, my personal corporate AI needs to munch through all of the data I can access in order to index it so that it's available for query. Pretty soon we can expect it to train on the previous conversation I had with it. Now let's consider what happens when I move to a different role in the company or somebody removes my access. Can we remove that knowledge from the AI's neural network? That does not seem to be an existing capability of models today. Maybe tomorrow?

  • Breaking data boundaries. If a single AI can answer questions across all of my corporate data access, it is difficult to see how data boundaries could be maintained. Every control we put in front of data becomes meaningless, when the AI can read the data and write it infinite times from its "memory."

  • Breaking activity monitoring. We're used to monitoring user activity to find snooping employees or distinguish between human and scripted behavior. When AI works by user impersonation and has to touch every piece of data to which I have access to build an index, does anomalous access mean anything anymore?

These problems might have solutions right around the corner, or they might be insurmountable in AI's current form and require a fundamental rethink. But one thing is clear: The problems have not been solved, yet we're moving forward anyway. And that is bound to be interesting.

About the Author

Michael Bargury

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights