Do you know who is using AI as a Service in your Organization?

June 6, 2023
Gearóid Ó Fearghaíl
Product Manager

The recent Cambrian explosion in what is possible with large language models has been incredibly exciting. Every month brings new uses for these tools: quickly and cheaply generating thumbnails for your blog posts, playing devil's advocate and offering criticisms of those posts, or translating them into other languages coherently, with a full understanding of what you've written!

Even in the world beyond blog posts, if such a world exists, this nascent tool holds huge potential. But potential also means we don't know what it might end up doing, and that creates serious, tangible business risk.

An image representing spies stealing papers from an office, in the style of Monet

Ask anyone to ask an LLM a question, and they'll immediately reach for ChatGPT by OpenAI, the most accessible and easy-to-use tool. ChatGPT lets anyone ask it questions through a web browser and generates quick responses. This is great for the average user, but for any company, this ease of use masks three serious conundrums: any data sent to ChatGPT is stored by OpenAI for quality and tracking purposes; the source of any answer is unknown; and the answer may be completely fabricated.

OpenAI tracks the submissions users make in order to iterate on and improve its product, and to monitor for any abuse of the system. This is completely reasonable behaviour by OpenAI, but there is no guarantee they take great care with this data. Additionally, OpenAI can't really control what data is submitted to ChatGPT, so they end up storing a lot of information they don't really want. For example, Samsung employees were recently found to have used ChatGPT to debug proprietary software and to summarize meeting minutes.

The second issue is that ChatGPT answers queries without attributing sources to its responses. ChatGPT will make statements based on its training data, and unfortunately you must take them at face value. That information could be under copyright, and you would not know until you received a letter from lawyers claiming a breach. Getty Images has sued the creator of an LLM image-generation tool for copyright infringement after finding the tool was generating images that included a Getty Images watermark. It is not unreasonable to argue that end users of those images could also be liable. Code generation is another area of concern; there have been no concrete examples so far, but it feels inevitable.

However, the biggest issue with ChatGPT is that these LLMs can have "hallucinations," which is industry parlance for "telling bald-faced lies." Since ChatGPT offers no transparency into how it arrives at an answer, users must critically analyze each response to decide whether it is true, as ChatGPT and its ilk always reply with absolute confidence. The repercussions range from Google's embarrassing launch demo, to a professor failing all his students after ChatGPT falsely claimed to have written their essays, to the most egregious example: a lawyer who used ChatGPT to write his court briefing, only for ChatGPT to make up six completely fake sources to support the argument. Google's poor demo saw its market valuation drop $100 billion, the professor lost serious credibility, and a multi-million-dollar court suit may simply be thrown out. These outcomes are hugely impactful, and sadly, easily avoidable.

A robot arguing a case to a human judge in court in the style of a realistic courtroom sketch.

Organizations are reacting to these facts with policies banning the use of OpenAI without approval, but compliance is hard to track because the traffic flows over an encrypted browser session with no client software required. Fortunately, Vectra AI can see this activity in your network using our existing detection sensors. Vectra NDR is designed to monitor all network traffic across your organization, with carefully placed sensors that watch traffic into and out of your network as well as within it. This depth of analysis powers our AI-driven detection framework, and it also enables valuable compliance insights, which we've curated into our ChatGPT Usage Dashboard.

This dashboard, available for free to all Vectra platform customers, shows which hosts in your environment are actively interacting with OpenAI by tracking the DNS requests those hosts make to OpenAI servers. Rather than just a list of people who have OpenAI accounts or have registered an interest, compliance officers can actively monitor exactly who is using the system and how much they are using it.
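The idea behind this kind of detection can be sketched in a few lines: since a browser must resolve OpenAI's domain names before connecting, passive DNS logs from a network sensor are enough to attribute usage to individual hosts. The sketch below is a minimal illustration, not Vectra's implementation, and the domain list is an assumption for demonstration rather than the dashboard's actual watch list.

```python
from collections import Counter

# Illustrative domains associated with ChatGPT traffic (an assumption for
# this example; the real monitored set is not public).
OPENAI_DOMAINS = ("openai.com", "chat.openai.com", "api.openai.com")

def is_openai_query(qname: str) -> bool:
    """Return True if a DNS query name targets an OpenAI domain."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in OPENAI_DOMAINS)

def usage_by_host(dns_records):
    """Aggregate OpenAI-bound DNS queries per source host.

    dns_records: iterable of (host_id, query_name) pairs, e.g. parsed
    from passive DNS logs exported by a network sensor.
    """
    counts = Counter()
    for host_id, qname in dns_records:
        if is_openai_query(qname):
            counts[host_id] += 1
    return dict(counts)
```

Fed a stream of DNS observations, `usage_by_host` yields a per-host count of ChatGPT lookups, which is exactly the shape of data a usage dashboard can chart over time.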

The dashboard in action.

This dashboard is made even more powerful by Vectra's patented host ID attribution technology. Even as a machine's IP address changes or a laptop joins a new network, Vectra tracks it as the same machine, so the dashboard shows exactly how often each device accesses ChatGPT and lets you quickly pivot to whoever Vectra believes to be the probable owner of a host. Using this dashboard, you'll see not just which hosts are using ChatGPT, but also who to contact about it, and you'll have this information in minutes, not hours.
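The value of IP-independent attribution is easiest to see in code. Vectra's actual host ID technology is patented and not public; the toy sketch below merely illustrates the principle of keying activity on a stable identifier (such as a machine name observed in DHCP or Kerberos traffic, an assumption here) rather than on an IP address that may change.

```python
class HostTracker:
    """Toy illustration of IP-independent host tracking.

    Activity is attributed to a stable host name rather than an IP, so
    counts survive DHCP lease changes and network moves.
    """

    def __init__(self):
        self.ip_to_host = {}   # current IP -> stable host name
        self.activity = {}     # stable host name -> attributed event count

    def observe_identity(self, ip, host_name):
        """Record that `ip` currently belongs to `host_name`."""
        self.ip_to_host[ip] = host_name
        self.activity.setdefault(host_name, 0)

    def record_event(self, ip):
        """Attribute a network event to the host behind `ip`, if known."""
        host = self.ip_to_host.get(ip)
        if host is not None:
            self.activity[host] += 1
        return host
```

With this shape, a laptop seen first at 10.0.0.5 and later at 10.0.0.9 still accumulates events under one host record, which is what lets a dashboard report per-device usage rather than per-address noise.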

This is just one example of how the Vectra platform delivers deep visibility into activity across your organization and helps with compliance by tracking active issues. Just like our Certificate Expiry Dashboard, which monitors for expiring certificates still in active use, and our Azure AD Chaos Dashboard, which tracks MFA bypassing, it gives compliance officers valuable insight into not just what is misconfigured in their org, but which security risks are actively in use!

A Security Analyst getting an award for monitoring compliance to a company's chatGPT policy, in the style of the Bayeux Tapestry.

You can find more information about the Vectra Platform here.