Want to Use AI internally? Learn How

This article has been reposted from the Tokio Marine Legal Updates blog. The original article was published on May 23, 2023, by Erich Falke.

What's all the Chat(ter)GPT?

AI and Large Language Models (LLM) like ChatGPT have many business benefits including improved response time, the elimination of clerical work, and 24/7 availability. It's also a significant force multiplier when well-implemented.

However, it's not magic, and there are risks. Here are a few.

• Huge computer resources and vast data are required to train from scratch.
• The more complex the task-set, the more it requires domain expertise to maintain.
• AI must be "trained" on your specific datasets/processes.
• AI can "evolve" into an undesirable state where it cannot provide expected value.
  
  
  • It can "hallucinate" or use highly-tenuous extrapolation to generate incorrect facts.
  • It can be biased and/or gullible (in responding to leading questions, for example).
  • It can be manipulated into creating toxic content.
  • They are prone to "injection attacks" that skew or corrupt the dataset.

Here are some general considerations for the use of AI internally:

• Carefully define the AI's role, functionality, and available dataset. Do not allow the AI access to data you do not want it to reveal under any circumstance. AI can be susceptible to "adversarial training" where a malicious user can use a specific line of inquiry to have the AI reveal sensitive information.
• If using a cloud-based AI/LLM, perform a detailed review of the terms of use and privacy policy. It's important to understand how the data they use for fine-tuning or prompt augmentation is managed.
  
  
  • Is it available to the vendor’s researchers or partners? If so, in what form?
  • Is data shared in isolation or in aggregation with other organizations?
  • Under what conditions can an employee at the provider view queries?
• Self-hosted AI/LLMs are likely to be highly expensive. Perform a security assessment before allowing it access to organizational data.
• Even if your AI does not have access to sensitive information, users may submit queries that DO contain sensitive information. In the event you use a third-party AI or LLM, those queries are visible to the organization that supports it. They typically store queries in order to further develop the utility of the AI. This could lead to unauthorized disclosure.
• Have someone on staff with training in AI or engage a trusted and cyber-vetted third-party vendor. Their role would be to troubleshoot any issues, increase or reduce the training set, and improve/upgrade/re-instantiate the AI. They will also need to periodically check the AI's output to ensure the information provided is accurate, especially if business processes are reliant on the output.
• Make sure the AI knows what questions they should NOT answer. Users may be tempted to ask random or confusing questions or ask for information that the AI does not have a good grasp of. The AI will attempt to be helpful. It may lead to inappropriate or highly extrapolated incorrect answers.
• Make sure the AI knows when to defer a matter to a person.

AI is a great way to increase the velocity of business. It also means the velocity of information exchange increases significantly and can lead to a reliance on the accuracy of the data it is providing. Confidentiality of sensitive information can also be a concern, as AIs can be socially engineered just as well as a person if not properly implemented. Care must be taken to ensure the AI remains within its defined role, has access to the minimum amount of data necessary to perform its function, and is periodically audited to ensure it is working as intended.