Skip to main content
9 – 17 UHR +49 8031 3508270 LUITPOLDSTR. 9, 83022 ROSENHEIM
DE / EN
AI Officer AI Security

Bring Your Own AI (BYOAI): Challenges for Medium-Sized Companies

Tobias Jonas Tobias Jonas | | 5 min read

Digitalization has brought forth many new ways of working that are meant to make companies more efficient and flexible. One of these developments is the trend toward “Bring Your Own Device” (BYOD), where employees use their own devices for work. Now a similar trend is emerging: “Bring Your Own AI” (BYOAI). Employees are increasingly using AI tools and applications that are not approved or controlled by the IT department. However, this trend carries significant risks, particularly regarding data protection and IT security. In this article, we examine the challenges that arise from BYOAI and why solid AI governance is necessary to address them.

What Does Bring Your Own AI (BYOAI) Mean?

The term “Bring Your Own AI” refers to employees in companies using their own AI tools and applications to optimize their workflows. These tools can range from chatbots to speech recognition software to machine learning applications. Often these tools are not provided or monitored by the company’s IT department but are downloaded and used directly by employees. This practice can lead to so-called “shadow IT” – the use of IT systems, software, and applications without the knowledge or approval of the IT department.

Shadow IT and Its Risks in Connection with BYOAI

The use of unauthorized AI tools leads to the emergence of shadow IT, which brings significant risks for companies. These risks primarily affect two central areas: data protection and IT security.

1. Data Protection Issues

A major problem with using AI tools that haven’t been reviewed and approved by a company’s IT department is data protection. Many AI tools collect and process large amounts of data, including personal data. Without a clear overview and control over the tools used and their data protection practices, a company can easily violate data protection laws such as the General Data Protection Regulation (GDPR).

Risks in Detail:

  • Uncontrolled Data Collection: AI tools used by employees without authorization could collect and store sensitive company data and personal data without adequate security measures.
  • Data Transfer to Insecure Third Countries: Many AI tools are cloud-based and can store data on servers located in countries outside the EU. This could result in data being transferred to countries that don’t offer a comparable level of data protection to the EU.
  • Missing Consent: Using certain AI tools may require the consent of affected persons. However, if these tools are used without the knowledge of the IT department or data protection officers, the necessary consent may be missing.

2. IT Security Risks

Beyond data protection concerns, using shadow IT also poses significant risks to IT security. Particularly with AI tools downloaded directly from the internet without a security review, there is a great danger that malware could be introduced.

Risks in Detail:

  • Malware Introduction: Unauthorized AI tools may have security vulnerabilities that could be exploited by cybercriminals to introduce malware.
  • Loss of Control Over Data Flows: By using AI tools operated outside the company’s own infrastructure, the company loses control over data flows. This can lead to sensitive information unintentionally leaking outside. Every AI tool in the cloud should also be considered individually, and a risk assessment should be created.
  • Insufficient Security Protocols: Many AI tools used independently by employees may not have the necessary security protocols or encryption techniques required in a corporate environment.

The Need for Solid AI Governance

Given the risks mentioned above, it is essential for companies to establish solid AI governance. Effective AI governance helps monitor and regulate the use of AI tools within the company and ensures they comply with legal requirements and internal company policies.

1. Developing a Clear AI Policy

A clear AI policy should be part of a company’s IT strategy. This policy should define which AI tools may be used, what security requirements they must meet, and what steps are required to comply with data protection regulations.

Important Aspects of an AI Policy:

  • List of Approved Tools: A list of AI tools approved by the IT department that meet the company’s security and data protection standards.
  • Tool Evaluation Procedure: A clear procedure for evaluating and approving new AI tools, including a risk assessment and data protection impact assessment.
  • Training and Awareness: Regular training for employees to raise awareness of shadow IT risks and inform them about permitted tools and practices.

2. Implementing Monitoring and Control Mechanisms

To minimize the use of shadow IT, companies should implement monitoring and control mechanisms. This can be done through software to monitor network traffic and detect unauthorized applications.

Monitoring and Control Measures:

  • Network Monitoring: Implementing systems to monitor network traffic to identify and block unauthorized AI tools.
  • Regular Audits: Conducting regular audits and security reviews to ensure no unauthorized tools are being used.
  • Access Controls: Setting up access controls that restrict downloading and using applications outside the approved list.

3. Involving Employees in AI Governance

Another important aspect of AI governance is involving employees. Employees should not only be informed about risks and policies but also be involved in developing and implementing these policies.

Measures for Employee Involvement:

  • Feedback Loops: Regular feedback loops with employees to understand and address their needs and concerns regarding AI tool use.
  • Compliance Incentives: Creating incentives for employees who follow established policies and contribute to improving AI security in the company.
  • Deploying AI Officers and AI Managers: Establish a person who deals with AI topics from both legal and technical perspectives.

Conclusion

“Bring Your Own AI” (BYOAI) can offer companies a variety of benefits, such as higher employee productivity and innovation power. However, uncontrolled use of AI tools also carries significant risks, particularly regarding data protection and IT security. Companies should therefore develop a comprehensive AI governance strategy to control the use of AI tools and ensure compliance with legal and security requirements. Only then can the benefits of AI technology be fully exploited while minimizing risks.

innFactory AI Consulting can support you with creating AI governance, AI strategy, as well as training for AI Officers and AI Managers.

Tobias Jonas
Written by

Tobias Jonas

Co-CEO, M.Sc.

Tobias Jonas, M.Sc. ist Mitgründer und Co-CEO der innFactory AI Consulting GmbH. Er ist ein führender Innovator im Bereich Künstliche Intelligenz und Cloud Computing. Als Co-Founder der innFactory GmbH hat er hunderte KI- und Cloud-Projekte erfolgreich geleitet und das Unternehmen als wichtigen Akteur im deutschen IT-Sektor etabliert. Dabei ist Tobias immer am Puls der Zeit: Er erkannte früh das Potenzial von KI Agenten und veranstaltete dazu eines der ersten Meetups in Deutschland. Zudem wies er bereits im ersten Monat nach Veröffentlichung auf das MCP Protokoll hin und informierte seine Follower am Gründungstag über die Agentic AI Foundation. Neben seinen Geschäftsführerrollen engagiert sich Tobias Jonas in verschiedenen Fach- und Wirtschaftsverbänden, darunter der KI Bundesverband und der Digitalausschuss der IHK München und Oberbayern, und leitet praxisorientierte KI- und Cloudprojekte an der Technischen Hochschule Rosenheim. Als Keynote Speaker teilt er seine Expertise zu KI und vermittelt komplexe technologische Konzepte verständlich.

LinkedIn

Related Articles

AI AI Act

AI Security: Why Global Standards and Safeguards Are …

12.08.2024
AI AI Act

European AI Regulation Also Known as 'AI Act' Enters Into …

01.08.2024
AI Act ChatGPT

How SMEs Stay Competitive Through Generative AI: A …

01.07.2024
Back to Blog