Max Chan knew he had to do something. Soon after ChatGPT burst on the scene in November 2022, Chan realized generative AI would amount to far more than the just the latest technology flash-in-the-pan.\n\nWith the ability to instantaneously ingest reams of data using large language models (LLMs), generative AI technologies such as OpenAI\u2019s ChatGPT and Google\u2019s Bard can produce reports, contracts, and application code far surpassing earlier technologies in speed, accuracy, and thoroughness. Result: dramatic productivity gains and potentially game-changing business advantage.\n\n\u201cEmployees are going to use this. If we don\u2019t do anything about it, they will have no choice but to use it on their own,\u201d says Chan, CIO of Avnet, a technology parts and services provider.\n\nMichele Goetz, vice president and principal analyst at Forrester Research, agrees. \u201cThere is a fear of missing out. Even if you say, \u2018Don\u2019t use it,\u2019 your employees or customers are going to use it,\u201d she says. \u201cThe Pandora\u2019s box has been opened, so it\u2019s best to partner with your employees so they don\u2019t have to hide what they\u2019re doing.\u201d\n\nDespite its immense promise, generative AI can expose sensitive and proprietary information to public view. That could lead to compromised intellectual property and regulatory penalties. Moreover, generative AI results can sometimes be wildly erroneous, resulting in \u201cconfabulation,\u201d or \u201challucination.\u201d And because the generative AI models pull from myriad sources, incorporating generative AI output in an organization\u2019s corporate content could lead to copyright infringement.\n\nSome of those dangers were realized in April 2023 when Samsung employees inadvertently leaked sensitive internal data to ChatGPT, leading the company to temporarily ban employees\u2019 usage of generative AI technology \u2014 an incident that put IT leaders on high alert about the impending rise in shadow AI that may soon take hold at their organizations if they don\u2019t get in front of it. \n\nTwo-track strategy\n\nWith those stakes in play, taking a hands-off approach was unthinkable for Chan. Instead, he\u2019s implementing a dual-track strategy: to limit generative AI utilization through strict policies, while rapidly developing and piloting approved and safe applications.\n\n\u201cIf someone wants to try it, they have to submit a request and we have to review it, and we will work with them to build a minimum viable product,\u201d he explains. The MVP could in turn evolve into a proof-of-concept (POC), and from there, usually with the help of a strategic partner, to a production implementation. Those early applications are now nearing fruition. \u201cWe will definitely be in production with a couple by the end of the year,\u201d Chan says.\n\nOther CIOs have adopted similar strategies. \u201cOur approach is one of cautious interest,\u201d says Robert Pick, executive vice president and CIO for Tokio Marine North America, a multinational insurance provider with headquarters in Japan. While Pick is encouraging employees at the insurance company to experiment, he insists their activities be monitored.\n\n\u201cIn insurance, we live in data all the time \u2014 and in third-party data \u2014 that\u2019s different from some industries. We have some comfort with the idea of our data going somewhere to be processed and then coming back. If we give professionals the right tools and guidance they will make the right decision,\u201d says Pick.\n\nDespite the best efforts of Chan and Pick, Gartner foresees that unsanctioned usage will be impossible to prevent. The consultancy predicted in March 2023 that by 2026, 5% of employees will engage in unauthorized use of generative AI in their organizations. \u201cIf anything, 5% is conservative. I get calls every day from people wanting to know how to stop their employees from using ChatGPT,\u201d says Avivah Litan, distinguished vice-president analyst at Gartner. \n\nCIOs realize that unless they quickly implement policies that allow and even encourage use of generative AI for some purposes, they will lose control over a transformative technology in their organizations.\n\nAccording to IDC, CIOs have gotten off the sidelines and are now getting out in front of the parade. In March 2023, 54% said they were not yet doing anything with regard to generative AI, but in June 2023, only 23% made that admission [see chart]. \u201cIn some cases, people are blocking; in other cases, they are adopting policies; and in still other cases they are conducting intentional pilots,\u201d says Daniel Saroff, group vice president for consulting and research at IDC. \n\nHackathon exposes vulnerabilities\n\nAt Parsons Corp., a global solutions provider in the national security and critical infrastructure markets, early instances of shadow AI spurred a conversation between Karen Wright, vice president of IT strategy, products, and commercialization, and her cybersecurity counterpart at Parsons. This followed a ChatGPT hackathon to identify security risks. \u201cIt was a really good approach to understanding the implications of the technology,\u201d says Wright.\n\nThe hackathon showed Wright and her fellow IT leaders at Parsons that ChatGPT was not qualitatively different from some web-based tools that employees were already using, such as Adobe Acrobat online services, in which data is sent outside an organization to be processed. Consequently, Parsons settled on the use of data-loss prevention (DLP) tools to prevent data exfiltration via generative AI.\n\n\u201cOur focus is embracing and accelerating the use of smart artificial intelligence, while managing it with DLP tools to ensure security,\u201d says Wright.\n\nEducation also will play a critical role in taking control over generative AI at Parsons. \u201cOur focus is educating employees on the best practices and tools to accomplish their goals while protecting the company,\u201d Wright says.\n\nInsurers understand risk\n\nAs a global insurer with a presence in many countries, TMG\u2019s international units have been experimenting with generative AI. \u201cWe did see a tremendous amount of personal experimentation going on. But because we are risk-aware, there was not a rush to put everything on ChatGPT. The reaction was quick and clear: education and monitoring,\u201d says Pick.\n\nTMG has set up working groups within its various companies to examine use cases such as drafting letters and marketing content to give humans a headstart on the process, according to Pick. Another prospective generative AI use case is for the various business units to draft reports on market conditions and performance. \n\n\u201cAny company with many business units can benefit from generative AI\u2019s ability to summarize information,\u201d notes Pick. \u201cTo take an underwriting manual and summarize it in plain language could take seconds or minutes to get to a first draft, rather than days or weeks,\u201d he says. \u201cThat will enable us to focus our people resources more efficiently in the future.\u201d\n\nIn addition to ingesting and generating written content, generative AI shows great potential in application development, according to Pick. The ability to translate in near real-time a stored procedure from one language into another with an accuracy rate of perhaps 60%, while including comments, will increase developer efficiency greatly, he asserts. \u201cIt could take weeks for a programmer to do the same thing. That will pay dividends for years,\u201d Pick says.\n\nIn addition, the use of private LLMs is immediately attractive for an insurance provider such as TMG. \u201cThere is the hope that it might find things humans would not notice. We\u2019re also interested in \u2018little LLMs,\u2019 if we can get to that state, because you would not need a cloud data center. Instead, we would use sandboxes that are cordoned off so that we are stewarding the data,\u201d says Pick.\n\nBut even with private LLMs, regulation comes into play, says the CIO. \u201cFor a global company such as TMG to use a private LLM, the data would need to be loaded into a tenant system that is within the area governed by specific regulations, such as GDPR in Europe,\u201d he explains.\n\nBuilding on POC\n\nChan\u2019s pursuit of both safety and opportunity shows promise in several POCs. \u201cWe are training Azure OpenAI with all the product information we have, so a business person can do a quick search to find a particular connector and can get back several examples, including which ones are in stock. It saves time because people no longer need to call the materials team,\u201d Chan says.\n\nAzure OpenAI also generates custom contracts quickly. \u201cBy loading the last 10 years of contracts into the repository, we can say, \u2018I need a contract for a particular project with such and such terms,\u2019 and it comes up with a full contract within seconds,\u201d says Chan. Sales executives can then review and tweak the contract before sending it to the customer. The quick turnaround is expected to result in quicker conversions of prospects to sales as well as happier customers.\n\nThe process is similar with requests for proposals (RFPs), in which business analysts specify what they need and generative AI creates the RFP within seconds. \u201cThe business analyst just reviews and makes changes. This is a huge productivity gain,\u201d says Chan. Engineers can also call upon generative AI to come up with possible solutions to customer demands, such as reducing the physical footprint of a circuit board by replacing certain components in the bill of materials, while shortening the go-to-market lead time. \u201cIt will return options. That is huge in terms of value,\u201d Chan says. \n\nA challenge worth taking on\n\nIn general, CIOs are finding the upside of generative AI productivity justifies grappling with the challenges of controlling it. \u201cWe make sure the company data is safe, yet the AI is not lacking in capabilities for IT and business employees to innovate,\u201d says Chan.\n\nAccording to Pick, generative AI will not make human workers obsolete, just more productive. \u201cWe don\u2019t view it as a people replacement technology. It still needs a human caretaker,\u201d he says. \u201cBut it can accelerate work, eliminate drudgery, and enable our employees to do things of a higher order, so we can focus people resources more acutely in the future.\u201d\n\nMost important, Pick says, generative AI has much more potential than earlier much-hyped technologies. \u201cThis is not the next blockchain, but something that will really be valuable.\u201d\n\nTo extract that value, Goetz of Forrester says setting policies for generative AI is a matter of establishing clear dos and don\u2019ts. She recommends, like Chan, following a two-track strategy in which approved generative AI applications and data sets are made available to employees, while AI applications and use cases that might put data in jeopardy are prohibited. Following the guidelines, according to Goetz, will make possible safe, self-service usage of generative AI in an organization.\n\nIn the meantime, when developing or deploying gen AI capabilities, Saroff of IDC recommends assessing the controls that generative AI tools implement, as well as the unintended risks that might arise from the use of those AI tools.