On LinkedIn
The headlines say AI security is “the next big tech battle.”
What that actually means: the industry discovered a new surface to sell point solutions for. Again.
I’ve sat through a lot of customer conversations the past 6 months. The pattern is exhausting. AI rolled out everywhere, nobody knows what data flows where, and the CISO is somewhere between panic and PowerPoint.
Before any AI touches your data, someone needs to answer five questions:
Where is it processed; EU or elsewhere? Does the model train on your input? Who can see your prompts? What’s the data retention policy? Does it fall under the EU AI Act’s high-risk category for your use case?
That’s your vetting checklist.
Not a year-long project.
A conversation.
Then you need three labels. Secret. Confidential. Public. That’s it. If you’re sweating because you think you need more: You don’t. You need better product owners.
Secret goes nowhere near any AI. Confidential goes to vetted, EU-compliant models with a policy behind it. Public is fair game. The CISO writes the rule. Your firewalls and end-points enforce the labels in transit.
The hard part was never the technology, no…:
Nobody labeled anything for years, and now we’re surprised we can’t govern where it goes.
ON2IT’s vCISO practice runs this internally. Because you can’t sell a framework you’re not running yourself.
The AI security market will be worth billions. Most of it solving a problem a three-row spreadsheet could have prevented.
Good luck out there..
