Common concerns

I don’t have the budget for an AI risk assessment. How should I pitch this internally?

Ask your engineering, product, and finance colleagues the following questions:

• Do we have budget to lose deals to competitors because we cannot explain our AI security posture to prospects (while you are also blasting out blogs and social posts about how we use AI throughout the company!)?
• Do we have budget to address lost competitive advantage from employees unintentionally training SaaS generative AI models on our intellectual property like Amazon did, losing nearly $1.5 million?
• Do we have budget to jump through our a** before our next audit to document how we are meeting compliance requirements while using AI?

Shouldn’t we wait until we have finished our AI project(s) before engaging you?

If you would prefer engineering and product teams to start deploying AI-powered products rapidly, without worrying about cybersecurity or privacy, then this makes sense. But what are you going to do after they have already:

• Been using ChatGPT every day for almost two years?
• Integrated open source AI libraries into their code?
• Connected workflows to SaaS-hosted LLMs?

• Meet regulatory obligations
• Classify and govern data
• Threat model
• Vet vendors

Ok, so what level of sophistication with AI does my company need to have for you to conduct a risk assessment?

We can do an AI risk assessment at any stage of development or maturity. The process is designed to be flexible and can even incorporate future roadmap plans. This means that even if development or rollout is in its early stages, a risk assessment can still provide valuable insights for strategic planning and development. In fact, this is the best time to start!

Shouldn’t we hire someone to build this in-house?

Having a full-time employee run your AI GRC program might make sense under certain conditions. For example:

You have or can acquire sufficient in-house leadership expertise.

This can certainly be true if you are a big 4 U.S. bank or equivalent. Bank of America, for example, made Ann Chang the global head of “security of AI.”

For organizations with the right resources, doing it yourself might be the best way to go.

If you can’t afford to dedicate at least 25% of a senior leader’s time to this task (and find someone capable of the role), though, you might consider getting external help immediately.

You can monitor the constantly-changing landscape yourself.

With the correct mix of:

• security tooling
• procedures
• training

You'll need to stay on top of:

• best practices in terms of confidentiality and IP assignment
• evolving norms regarding data retention and training
• 4th party AI use

You want to focus on AI governance in addition to business use cases.

You will know the business goals of your AI projects better than anyone else, so for certain extremely niche situations, achieving them requires strict oversight of the GRC program as well.

While being able to exert complete control over your program by having employees build it may sound appealing, also consider the opportunity costs:

• negotiation with internal stakeholders with overlapping concerns.
• inability to leverage best practices developed elsewhere.
• heavy initial investment to pay down “ignorance debt.”

You can also see this video response here

Will I be reliant on you to keep my AI governance, risk, and compliance program running indefinitely?

No. StackAware's goal is to

• quickly get you up to speed in terms of governance
• move into maintenance mode right afterward
• eventually move you to a SaaS platform

As we (and the entire industry) builds out best practices for AI security and risk management, white glove service is definitely appropriate for certain organizations.

When these standards solidify, it will be time to move into self-service mode.

Check out this video response as well

Determining the right fit

Are you focused on mitigating AI-powered threats (malware, phishing, etc.)?

No. StackAware is focused on enabling the secure use of AI technologies and systems, not defending against AI-powered threats.

We think we have been hacked. Do you do incident response or forensics?

No. StackAware is focused entirely on preventing AI-related cybersecurity incidents. We do not manage incident responses or post-breach investigations. We do, however, have referral partners whom we can recommend.

Do you have a data sheet I can review and share internally?

Yes. We have ones available for both our assessment and governance offerings.

We are a software product company that provides software partially or exclusively for customers to run in their own environments (i.e. not -as-a-Service). Do you have experience working in these types of situations?

Yes. We have experience at multiple companies that have offered both customer-managed (e.g., on-premises) and vendor-managed (e.g., SaaS) products and know how to handle both models.

What is required for an AI penetration test?

You’ll need a functioning application the tester can interact with, either with a user (UI) or application programming interface (API). It can be in the early stages, but the tester will need to be able to authenticate and supply inputs to the application.

Logistics

Do you just email a PDF at the end of engagement?

No. StackAware provides a machine-readable risk register (in .csv format) that you can upload to your governance, risk, and compliance (GRC) tool. We also provide a Google Slides presentation that is executive-friendly.

How do you use AI? How do you protect my data?

StackAware is an AI-powered company and uses generative AI technologies like GPT for a variety of use cases. Specifically, we use retrieval-augmented generation (RAG) techniques with GPT-4 to analyze customer architectures and technological approaches for compliance implications.

To protect security-sensitive customer data when doing so, StackAware uses only the OpenAI API - which has more favorable data retention policies than the ChatGPT user interface and is opted out of training by default - for RAG analysis. Additionally, out of an abundance of caution, StackAware uses an automated approach to sanitize customer names and identifiers from data prior to its passage to the OpenAI API. Thus, even if there were some data breach or leakage caused by OpenAI, the specific information would not be attributable to your organization.

Separately, StackAware has executed a Data Processing Addendum (DPA) with OpenAI to govern the handling of any personal data processed by the service.

We pride ourselves on our transparency and list all known AI processing in our supply chain in our software bill of materials (SBOM).

You can also learn more about our data security practices at our trust center.

Why do I need to designate a business leader who is accountable for the organization’s security? Shouldn’t that be a security person?

While security might be everyone’s responsibility, only one person should be accountable for it, at the end of the day. Ensuring a leader with holistic responsibility for your business and all the risks it faces is the one who makes risk management decisions is key to having an effective and coherent security program.

Why do I need to designate a single security advisor in our contract? Isn’t that you?

StackAware enables your security program to succeed by applying not only technical but organizational best practices. Ensuring you have a single, full-time individual responsible for giving security advice and implementing business decisions is the best way to set you up for success. If we do our job right and allow your business to scale, eventually you won’t need our consulting services anymore. Grooming a leader to take over when that happens is the best way to prepare for this.