
The Data Governance Wake-Up Call From the OpenAI Breach

By Jessica Smith

Shockwaves reverberated throughout the political and tech ecosystems this summer when OpenAI – the creator of ChatGPT – admitted it had been breached. The breach, which involved an outsider gaining access to internal messaging systems, left many worried that a national adversary could do the same and potentially weaponize generative AI technologies.

National security aside, the breach also serves as a wake-up call for enterprise data leaders, given the proliferation of generative AI across business. As AI becomes more powerful and exerts more influence over our decisions and the world, so must the CIO and CDO community increase its accountability. This incident underscores the vulnerabilities that can arise from fragmented data management responsibilities and shines a spotlight on the urgent need for more robust data governance and protection measures.

Strengthening Data Governance: A Crucial Imperative

Data governance is not a checkbox activity – the stakes are too high. Without a strategic, well-funded, and unified data management strategy, organizations cannot identify, classify, and protect their sensitive data. Put simply: You cannot protect the assets you don’t see.

A comprehensive data governance framework involves connecting to and identifying all data sources, understanding which data needs protection, and setting up robust data protection processes. These processes can include managing consents centrally, defining clear policies and permissions, and establishing stewardship workflows to help protect sensitive information and streamline compliance with data access, data erasure, and other user rights. 

Cybersecurity measures are increasingly complementing these frameworks, delivering a holistic approach that not only protects an organization’s digital assets but also provides the visibility to prevent and respond to breaches effectively. The OpenAI breach underscores the consequences of failing to govern in this manner. In OpenAI’s case, the internal messaging platform, which contained sensitive internal IP and “crown jewel” information, was overlooked. 

The Intersection of AI and Data Governance

With data governance in place, the next step is to outline a robust approach to AI governance. To map a risk profile, this should consider how AI tools are being used, or could be used, within the organization to enhance performance, and what data would make them most useful. A key part of this is ensuring that only suitable data is fed into the LLMs, balancing vital ethical considerations with output accuracy so that AI results are both accurate and trustworthy.

When implemented correctly, effective data governance helps mitigate these risks. Tackling AI governance in conjunction with data governance and strong cybersecurity makes it possible to create a multi-layered approach to protect the business. Beyond pure cyber defense, data and cyber teams need to understand their potential exposure should a breach take place. That’s impossible if you don’t have a complete view of your data.

While most organizations are not protecting state secrets, they are storing and processing sensitive and personal information every day. That means they have a responsibility to fully commit to data governance and strengthen their approaches, and it should not be down to the regulators to enforce ethical, responsible technology usage.