Data is the new oil. It fuels our economy and drives new technology—notably, generative AI. However, for AI to be widely adopted, it must be trustworthy and secure.

As IBM’s latest Cost of a Data Breach Report shows, business disruptions push breach costs and regulatory fines to new heights, with the average cost of a data breach reaching USD 4.88 million.

However, according to a survey conducted by the IBM Institute for Business Value (IBV) study on cybersecurity and gen AI, over 94% of business leaders believe that securing AI is important, but only 24% state that their AI projects will incorporate a cybersecurity component within the next six months.

This leaves many businesses vulnerable, as gen AI also comes with new risks, such as data leakage, data poisoning and prompt injection attacks. It can also be difficult for businesses to control who has access to their data, notes Scott McCarthy, IBM Global Managing Partner for Cybersecurity Services.

“It’s important to make sure that controls are in place so that business and client data don’t get exposed,” explains McCarthy.

To safeguard their data and secure their AI, businesses should establish their AI governance and secure their infrastructure: their data, their models and their models’ usage. This is IBM’s framework for securing generative AI—a framework that can be applied in other environments, including Salesforce’s Einstein, a set of AI tools for CRM.

Here are 3 steps that businesses can take to start this process.

1. Understand the data’s location

Many teams innovate rapidly with gen AI, but this can create what is known as shadow IT. “We have to ensure that businesses have visibility too. There are new tools like data security posture management and AI security posture management that will help with this,” says McCarthy.

2. Classify the data

Whether you’re working with customer data or business data, different types of data will have different implications and can be subjected to different policies and procedures.

3. Implement classification limits

Apply the appropriate controls to that data based on the classification limit, such as the customer data, the census of business data or publicly available data, to help ensure the right people have access to the right data at the right time.

In conclusion, “Security teams need to be business enablers, not just the gatekeepers of security policies and procedures,” believes McCarthy.