The Prompt: Gen AI demystified: Understanding gen AI types and their risks
Anton Chuvakin
Security Advisor, Office of the CISO
Erin Joe
Security Advisor, Office of the CISO
Business leaders are buzzing about generative AI. To help you keep up with this fast-moving, transformative topic, our regular column “The Prompt” brings you observations from the field, where Google Cloud leaders are working closely with customers and partners to define the future of AI. In this edition, Erin Joe and Anton Chuvakin, security advisors, Office of the CISO, explore what you need to know about the types of gen AI, and the risks that come with each one.
Generative AI can be used to create wonderful new experiences. We’ve seen it generate realistic-looking content. It can follow instructions. It can learn new tasks using only a few examples. It augments, assists, and automates. However, gen AI also can be a source of security risks including data leakage, prompt attacks, data poisoning, and rogue actions.
At Google Cloud's Office of the CISO, we’ve heard concerns from customers about gen AI use cases and the security risks that come with them. To help business leaders better understand these uses, we’ve looked at common types of gen AI and prioritized the risks for each.
Gen AI deployments can be grouped into three broad types:
- Consumer or enterprise
- Open-model or proprietary
- Cloud or on-premises
Here’s what you need to know about each one, and how the risks associated with each play out.
1. Choosing consumer or enterprise gen AI
Consumer gen AI refers to tools and applications designed for everyday use by individuals. These publicly available tools use machine learning models to create various types of content, including text, images, music, and videos. Consumer gen AI can help users express their creativity, streamline tasks, and access information in new and engaging ways.
Enterprise gen AI tools and applications are designed and implemented privately by organizations to streamline operations, enhance productivity, and support decision-making. These tools use advanced models to generate enterprise content, automate tasks, analyze data, and provide insights. They can empower businesses to optimize workflows, improve customer experiences, and gain a competitive advantage.
Inside the enterprise, customers can have more nuanced controls, such as the data and users interacting with models, the purpose and grounding for model use, and the container and boundaries where the model operates. Enterprise gen AI can provide the user with the ability to test and monitor the model’s behavior and function. Exercising close control can help mitigate risks, and lessen the potential impact of prompt attacks and data poisoning.
Confusing the two, for example by using consumer tools for enterprise work, can lead to problems such as shadow AI and increase the associated risks.
Data exposure is a specific risk that can be amplified when business data is input into consumer gen AI. For example, business data could be used to train consumer gen AI models and could be exposed to users from other organizations in search results. Organizations can minimize this risk by using enterprise models where the data and models remain inside the enterprise or organization.
Enterprise gen AI comes with additional control functions that aren’t available from consumer gen AI, designed to give the organization better security, data protection, and results. Forcing consumer gen AI into enterprise use cases will, for the most part, not produce the best results for the user, and may expose the organization to risks of data use, inappropriate outputs, or rogue actions that are hard to control.
Rogue actions by consumer gen AI are harder to mitigate, because the user has little ability to detect, contain, and respond to them. Enterprise gen AI can provide an organization with greater visibility, control, and options to detect, contain, and respond to rogue actions, which lets the organization implement safeguards and react more effectively.
Addressing these risks requires careful governance and fine-grained access control and visibility for centrally managing cloud resources, along with rigorous testing and transparency to ensure responsible deployment.
2. Choosing an open model or a proprietary model
“Open” AI models refer to models whose model weights have been released openly to the public. Open access allows researchers, developers, and users to study, modify, and build on the underlying technology. This approach can foster collaboration, innovation, and transparency in the AI development community, which can enable the development of many diverse applications and promote responsible AI practices through scrutiny and shared knowledge.
Open models are typically distributed through public platforms, and that public availability makes them susceptible to alterations that can compromise the model’s integrity.
Proprietary AI models are models and systems developed and owned by private entities, where the underlying weights, code, and training data are kept confidential. These models often offer advanced capabilities and performance, but access to the model is typically restricted through commercial licenses and APIs. This approach enables the proprietary model owner to protect its intellectual property and control model usage while granting permission to others to use the model.
A key feature of proprietary models is that they remain unchanged by the user. As users, you can tune the models with your own data. It is important to note that you are not retraining them, and you are not changing the fundamental coding of the model.
While potential risk scenarios differ between open and proprietary models, two specific risks each apply mostly to one type of model.
Model theft is specific to closed models, because the nature of open models already makes them freely accessible. The code and weights of proprietary models are intended to be protected from theft and disclosure. For open models, the concern is instead data theft and leakage, since you tune them using data that should have been better protected.
Model integrity compromises relate more to open models, due to their open nature and potential for widespread use. This makes them more susceptible to attacks aiming to compromise their integrity or manipulate their behavior. Proprietary models, with controlled access and use, are generally less exposed to such risks.
Addressing these risks requires that organizations prioritize secure-by-default machine learning tools, robust model and data integrity management, stringent model access control, and comprehensive model inventory management.
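The model integrity and inventory controls named above can be made concrete with a pinned-digest check: the organization records, for each approved open model, the source it was vetted from and the SHA-256 digest the weight file had at review time, and refuses to load any file that no longer matches. The following is an added example written for this article; it is not code from the article, from Google, or from SAIF, and the model name, source URL and weight contents are constructed placeholders.

```python
"""Pinned-digest verification for open model weights (added example, hypothetical names)."""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # stream in 1 MiB chunks so multi-GB weight files need not fit in RAM


class ModelIntegrityError(Exception):
    """Raised when a model artifact does not match its approved inventory record."""


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def pin_model(inventory, name, path, source):
    """Record a vetted artifact: its approved source plus the digest it had when reviewed.
    In practice the inventory lives in a version-controlled file, not in memory."""
    inventory[name] = {"source": source, "sha256": sha256_file(path)}
    return inventory[name]


def verify_model(inventory, name, path, source=None):
    """Check a weight file against the inventory. Returns (ok, reason)."""
    record = inventory.get(name)
    if record is None:
        return False, "model %r is not in the approved inventory" % name
    if source is not None and source != record["source"]:
        return False, "source %r is not the approved source for %r" % (source, name)
    actual = sha256_file(path)
    # constant-time comparison; the digest is not secret, but the habit costs nothing
    if not hmac.compare_digest(actual, record["sha256"]):
        return False, "digest mismatch for %r: expected %s, got %s" % (name, record["sha256"], actual)
    return True, "ok"


def load_weights(inventory, name, path, source=None):
    """Read the weights only after verification succeeds; raise otherwise."""
    ok, reason = verify_model(inventory, name, path, source)
    if not ok:
        raise ModelIntegrityError(reason)
    with open(path, "rb") as f:
        return f.read()  # a real loader would hand these bytes to the inference framework


def demo():
    """Constructed end-to-end run: pin a vetted file, then check a tampered copy."""
    inventory = {}
    source = "https://models.example.invalid/demo-7b/weights.bin"  # hypothetical source
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "weights.bin")
        bad = os.path.join(tmp, "weights_tampered.bin")
        payload = bytes(range(256)) * 4096  # constructed 1 MiB stand-in for a weight file
        with open(good, "wb") as f:
            f.write(payload)
        # a single flipped byte stands in for an alteration on the hosting platform or in transit
        tampered = bytearray(payload)
        tampered[12345] ^= 0x01
        with open(bad, "wb") as f:
            f.write(bytes(tampered))

        pin_model(inventory, "demo-7b", good, source)
        results = {
            "trusted": verify_model(inventory, "demo-7b", good, source),
            "tampered": verify_model(inventory, "demo-7b", bad, source),
            "wrong_source": verify_model(inventory, "demo-7b", good,
                                         "https://mirror.example.invalid/weights.bin"),
            "unknown": verify_model(inventory, "not-approved", good, source),
        }
        try:
            load_weights(inventory, "demo-7b", bad, source)
            results["load_refused"] = False
        except ModelIntegrityError:
            results["load_refused"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

The digest check catches any change to the file after it was vetted, whether on the public platform, in transit, or on local disk, and the source check ties each approved model to one distribution point so a substituted mirror is refused even if its file hashes correctly. A digest pinned by the organization is stronger than one downloaded alongside the weights, since an attacker who can alter the hosted file can usually alter a hosted checksum too; signed manifests are the next step beyond this example.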
3. Choosing cloud or on-premise AI
As the name implies, cloud-based gen AI tools and applications are hosted and delivered through cloud computing platforms. These tools use the scalability, accessibility, and computing power of the cloud to generate diverse content including text and images.
Users can access these AI capabilities remotely, eliminating the need for extensive local hardware and facilitating collaboration across distributed teams. Cloud-based gen AI offers access to powerful AI technologies, making them readily available to individuals and organizations of all sizes.
On-premise gen AI (which, for example, is available as part of our air-gapped Google Distributed Cloud) refers to tools and applications that are deployed and operated in an organization's own physical infrastructure, instead of relying on external cloud services. This approach can provide more control over data, particularly sensitive information.
However, with greater customization comes greater upfront investment in hardware and expertise — especially in security.
Generally, proprietary foundational models remain in the control of the vendor and may not be available for on-premise use. Of course, proprietary models that you trained on-premise can be run on-premise.
Specific risks come to the forefront when choosing between cloud or on-premise AI.
- Overall data risks: With cloud-based gen AI, the cloud provider might have access to your data depending on contractual terms and conditions (unless AI is paired with Confidential Compute). The shared nature of cloud environments raises concerns about data isolation and potential cross-contamination between users, compromising confidentiality. Robust security measures, strong data encryption, data privacy controls, and careful vendor selection are crucial to mitigating risks.
- Security burden: On-premise gen AI houses your protected data, but also may require that you bear the full responsibility for security, including strong IAM and model access controls, and updates, potentially increasing its susceptibility to breaches. If not managed carefully, on-premise gen AI deployments can hinder innovation because of slower response times and less frequent model updates.
Addressing these risks requires making a choice: Do you prioritize keeping control and doing security on your own? Or do you trust the provider, leverage contractual commitments, and make use of their vast security resources?
SAIF: A framework for dealing with AI cyber risk
The potential of AI, especially gen AI, is immense — but not without risk. The potential for misuse underscores the need for robust safeguards, responsible usage guidelines, and continuous research into mitigating the security challenges of open gen AI. There’s a definite need for industry security standards for building and deploying this technology in a responsible manner.
To address this challenge, Google offers the Secure AI Framework (SAIF), a template for secure AI systems. SAIF is designed to address top-of-mind concerns for security professionals, such as AI/ML model risk management, security, and privacy, to help ensure that when AI models are implemented, they are secure by default.
You can learn more by reviewing SAIF guidance for secure AI, and our best-practices guidance for building AI on Google Cloud.