With Shadow AI Expanding Attack Targets, “AI Registries” Provide Visualization and Governance Capabilities

As companies increasingly adopt generative AI technologies, the unauthorized use of AI tools by employees, or shadow AI, is on the rise. “Failure to monitor actual AI usage can lead to risks, including expanding the attack surface exposed to malicious actors,” said ServiceNow Japan’s Takuro Mizuno.

Global regulators and standardization organizations have already provided a clear direction in response to this challenge. One common principle incorporated into guidelines, such as the Artificial Intelligence Risk Management Framework of the US National Institute of Standards and Technology, the EU’s Artificial Intelligence Act, and Japan’s AI Guidelines for Business, is to “identify,” that is, to understand what AI tools are being used. The most important principle in cybersecurity is knowing what must be protected, and what cannot be seen cannot be protected. Therefore, centralized visualization of all AI tools in use is essential to protect the organization.

In order to manage AI assets, the following four elements are essential: Firstly, a data model to define necessary management items and eliminate local management rules. Secondly, a lifecycle process to control entry points such as usage applications and continuously monitor status and changes. Thirdly, automated discovery through mechanisms that enable automatic data updates, maintaining both accuracy and freshness. Finally, centralized visibility that consolidates all data into a usable foundation, enabling integration with a variety of tools.

ServiceNow’s AI Control Tower (AICT) makes this possible. By acting as an “AI registry,” it provides asset visibility and centralized management, and by integrating with related tools, it serves as a platform that supports an organization’s overall AI governance. “Visualization is the cornerstone of both risk assessment and asset protection. In the AI era, AI governance is the very essence of cybersecurity strategy. AICT also incorporates best practices for governance that we have developed in collaboration with global enterprises, allowing organizations to begin taking action immediately,” emphasized Mizuno.