Mar 10, 2023 - Technology

Companies are struggling to keep corporate secrets out of ChatGPT

Illustration of binary numbers inside of speech bubbles.

Illustration: Shoshana Gordon/Axios

Employers are struggling to figure out how to fold ChatGPT into their workflows without risking the security of their corporate secrets, customer information and intellectual property.

The big picture: Engineers and programmers across many industries have found great utility in refining code or double-checking their work by running it through ChatGPT.

  • However, there has not been a lot of transparency around the collection of that data, where it goes or how it could potentially be used.

Driving the news: Using ChatGPT in corporate settings is about to get a lot easier after Salesforce unveiled plans this week to integrate the large language model chatbot into Slack.

What's happening: Increasingly, employers are getting nervous about how employees might use ChatGPT at work.

  • Walmart and Amazon have both reportedly warned employees not to share confidential information in the chatbot.
  • An Amazon corporate lawyer told employees the company has already seen instances of ChatGPT responses that are similar to internal Amazon data, according to Insider.
  • JPMorgan Chase & Co. and Verizon have reportedly blocked employee access to the online tool.
  • Meanwhile, OpenAI changed its terms of service last week so its models no longer use user inputs by default to train amid growing concerns about privacy risks.

By the numbers: 2.3% of workers have put confidential company information into ChatGPT, according to a recent report from Cyberhaven.

The intrigue: Employees are finding ways to evade corporate network bans blocking access to ChatGPT, Cyberhaven CEO Howard Ting told Axios.

  • Ting said some companies believed employees had no access to the chatbot before Cyberhaven told them otherwise. "Users can use a proxy to get around a lot of those network-based security tools," he said.

Between the lines: The first step companies need to take to mitigate the security risks is to get visibility into how employees are actually using ChatGPT, Ting said.

  • Business leaders will also need to place controls on whatever generative AI tools they end up using to prevent them from sharing highly sensitive corporate data with employees who aren't cleared to see it, Arvind Jain, CEO of workplace search company Glean, told Axios.

Meanwhile, companies aren't planning to completely eradicate ChatGPT from their systems. Instead, some have started seeking out custom generative AI solutions that come with more controls than ChatGPT.

  • Peter van der Putten, director of the AI lab at Pegasystems, told Axios his firm is developing several new features following consumer demand for specific generative AI tools to help them craft advertising copy and in other cases.
  • "From a cybersecurity point of view, you have more control if it's a specific use case, and it's not a freeform prompt," van der Putten said.

Yes, but: Placing total control on how generative AI learns and grows from customer inputs is an impossible task, Jain said.

  • "These generative models, they're a black box, and no human can actually explain the algorithms behind the scenes," Jain said "They're uncontrollable in some sense."

Sign up for Axios’ cybersecurity newsletter Codebook here.

Go deeper