The rapid emergence of ‘generative AI’ technologies has unleashed a revolution in access to information for consumers and businesses alike. These are powerful tools, and organisations need to make sure they are prepared in order to use them safely.

Any information fed into an open generative system such as ChatGPT can be used to answer questions other people might ask, posing risks to commercial and personal data.

Some companies and organisations are now banning staff from using generative AI. But a blanket ban on new technology rarely works, and is a wasted opportunity for retail businesses who have much to gain from using AI to improve productivity and customer service.

So how do we make sure we keep our customers’ data – and our company secrets – safe and secure in this new world of regenerative AI?

I believe that keeping customers’ data safe and secure in a world influenced by ChatGPT and other forms of generative AI begins with understanding your organisational readiness.

1. Define ownership of AI policies

Assigning clear ownership of AI policies is key. In small to medium enterprises (SMEs), the CEO is likely the best fit for this role. In larger organisations, the responsibility may fall on the Chief Operating Officer or Chief Risk Officer.  As the organisation grows, consider the appointment of a dedicated Owner for AI and related policies.

2. Establish RACI framework

Adopting a RACI (Responsible, Accountable, Consulted, Informed) framework helps streamline decision-making and accountability. This framework clarifies roles and responsibilities, ensuring that all necessary tasks are clearly assigned. The RACI matrix could for example specify the COO as the responsible party, with the Board being accountable, Executives and Management to be consulted, and the entire company to be kept informed.

3. Conduct a SWOT analysis

It’s a good idea to identify the Strengths, Weaknesses, Opportunities and Threats associated with AI implementation as it progresses across the business. This assessment might show that AI will enhance margins, reduce costs, increase productivity, and harness existing knowledge within the organisation. It may also highlight that your organisation has a weakness in resources to help with the rollout of those initiatives. It also a good opportunity to play devil’s advocate and identify potential scenarios to avoid.

4. Develop policy and frameworks

Initiate the creation of AI/GPT policies and frameworks early on, to establish a solid foundation. The task of drafting the policy can either be assigned to someone internally with the right knowledge, or to a suitable external partner. The next step is to review existing contracts with partners and customers to ensure the organisation has the rights to use external AI tools. And it is of course crucial that these policies are then shared with and understood by all relevant staff members.

5. Incorporate AI risks into the main risk register

As AI and GPT present unique risks, you will need to identify and add key risks associated with their implementation in the risk register. This ensures regular review, management, and mitigation of these risks. Things are moving fast in this area and a monthly review cycle is recommended to address emerging concerns. Don’t have a risk register? It’s definitely time to create this!

6. Craft an executive outline for the board

Creating a comprehensive executive outline for AI and GPT organisational readiness allows for board-level understanding and support. It is crucial to garner the attention and commitment of the board to ensure a successful integration. This outline must emphasise the importance of adherence to established and new policies and guidelines, fostering a culture of compliance throughout the organisation.

7. Establish usage guidelines for external tools

Clearly define the tasks that staff can use the tools for, and how they can use them. While certain tasks, like creating public social media content, pose minimal risk, others demand caution. For instance, when using open GPT-based tools, it is crucial not to include personal details, identifiable information, customer data, internal company IP, or non-public domain IP. Providing examples and guidelines to employees will help avoid unintended breaches of security and confidentiality.

As AI and GPT technologies continue to evolve, businesses must proactively adapt to the changing landscape. Understand your own readiness now, in order to harness the power of AI while safeguarding data, intellectual property, and reputation.

Tim Warren is CEO of Ambit.