Lakera’s Post

Transcript

I guess where I want to start off is to look at some of these headline numbers that that we put together from the report. If we look at the data that we got out of this, all the contributions, 90% of organizations are actively implementing or exploring LM use cases. But at the same time 5% feel confident and I should say only 5% feel confident in their AI security implementation slash preparedness. And then, you know, a third number here is around AI specific threat modeling where a fraction of the people that we ask are actually sort of. I mean this as part of their genuine efforts. So I guess what I wanted to start off with is, is a quick conversation with you, Joe, Christina and David around all these numbers. Surprising. Like we asked, you know, over 1000 people. Is this what you would have expected? Is this surprising? Any thoughts on these headline numbers before we dive into that? I'll jump in. I'm not surprised at all. What's what I'm seeing inside organizations is a little bit confusion about who's responsible. For AI security, especially when you layer in, you know, some people thinking about AI safety as opposed to security. So the content moderation side, the user experience stuff, a lot of security organizations inside enterprises. Aren't used to thinking about the product experience and user experience outside of their own employees and so many of the AI deployments are customer facing and so the security teams are they're comfortable stepping up and saying, oh, it's my job if it's a data security thing I got to lock down the inside stuff I've been doing that forever that's what I do and they'll say OK, if it's an application security issue where there's a vulnerability in code that's that's always that's kind of been our job too. But then this content moderation the all the. Kind of new things make make security organizations look at it and say, like, well, who on our team's job is that? That kind of falls outside of our traditional scope. And like one of the questions that, that I, that I ask every company is like, where are you putting your AI security work? And sometimes it's closer to the product team than it is the security team. So I, I don't think it's actually fully settled whose job it is in every organization. But the good news is that the high level the boards are, you know, they're pushing the companies to adopt, but they're also worried about the risks. And so that a lot of security leaders are realizing, if I want to get budget, I should go through this work because the board will give it to me. I'd say the other thing too is the how you actually understand if you were vulnerable to these I security vulnerabilities. It's not just like a, a single check and you're done kind of problem either, right? And and that's part of the, the fundamental shift, especially for the security organizations that are starting to deal with this, like Joe, spot on, right? Like a lot of people are struggling with whose problem this is to begin with. But even beyond that, the, the fundamental change in how you assess this risk over time and the fact that you have to right, because these systems are. Constantly bringing in new data, they're changing over time, right? And even then, your use case and the type of risks that you might have a tolerance towards are evolving over time. So there, there's a pretty significant shift in even the traditional cyber world, right? Like you can't just, you know, deploy a patch and say I'm protected against X or look at a system once and say, OK, it's good to go. You have to kind of evolve this to be a full life cycle. Continuous evaluation and risk discussion around using an AI. Old system now that is kind of fundamentally breaking some of these traditional security models and that's been a really interesting thing for us to try to help the broader community figure out especially as even the the language around the space continues to evolve because I think that's the other thing that the communities really still struggling with right like how we describe these problems in a standardized way or even you know if are we using the same words to mean the same thing right because many folks are kind of blending this world from the traditional cyber landscape to now these. AI development organizations they they might be using the same words but meaning 2 totally different things, which is helping to slow down the overall progress in general. Yeah, I'm, I'm not surprised by 90% of organizations are actively, you know, expecting to use LM. I, I think it's not necessarily just. In this case of a brand new technology coming out like this happened for the past 30 years, but I think this is really changing the entire world like we're we're never going to go back for sure I do I am a little sauce about the 5% that actually surprised me. I thought it would be less. I think highly confident and a security preparedness is really that seems really high to me simply because nobody quite understands it yet like a lot of companies have been working with are talking to are like sure, AI security is super important. What is it explain it to us like we don't understand. I think what what I found at least while doing this is really interesting that like data X-Files, obviously there a lot of the historical security vulnerabilities are still there. But I think what Elvins really exposing a bubbled up is the risk of reputation. I think it's happened a lot. We saw with Gemini, we've seen it with there's a Chevrolet dealership that's all the truck for $1.00 like there, there's financial loss there, but there's also just risk of reputation, which I think is really, really interesting and and maybe a new threat vector. Reputation is always been a risk that security has to account for, but I think now it's just it's increasing that quite a bit. And yeah, I think that 22% of organizations doing threat modeling is also really exciting. That's super encouraging to me to see people starting to adopt this, starting to understand the test and evaluation of your models is is super important to to really understand the threat landscape. We're not there yet, but it's really encouraging to see people continuing to build that.