Introducing a Risk Heat Map for employee GenAI SaaS usage

Through our conversation with security practitioners and GenAI innovators, we identified a need for a risk map that focuses on employee use of GenAI SaaS. Below is the first version of the NROC Security SaaS-GenAI Heatmap. We decided to start by creating a solid baseline for the heatmap as - like everyone knows - the area of GenAI SaaS develops so fast the Heatmap must be updated continuously.  So treat this as a snapshot of today. 

Many ratings are certainly subject for debate, and we welcome your points of view, please put them into the comments section!

There are  three takeaways right out of the gate:

1. Common terminology and specificity into internal debates about the risks of GenAI adoption. Even with  the first glance it already shows that the risk picture is very different from traditional SaaS, and many of the risks are not easily addressed by existing security solutions. The risk also varies greatly from service to service. Most enterprises seem to be having a portfolio of GenAI apps and therefore exposure to the most of the risks.
2. GenAI ends up as a portfolio of all enterprises, and will require a portfolio of policies. To realize the productivity promise of GenAI, any and all enterprises will have apps from most of the columns of the risk map. But the acceptable use policy can hardly be the same between a consumer grade AI assistant (that’s very accessible and great at search) and embedded GenAI experience in a business process SaaS. This is certainly a complication that nobody wanted, because it complicates employee training and security operations.
3. Risks require very specific mitigations, like jailbreak detection technologies, but very straightforward tactics like visibility and logging of interactions will go a long way. We have found that doing the basics in an employee visible is a way to hold the users accountable. And when the tone of those interventions is in line with the company culture, the effect can actually feel empowering, rather than restricting.

As said in the beginning, this will be a living document and we welcome the inputs from practitioners and GenAI innovators alike. For a powerpoint version of the map, along with risk definitions and factors considered, you can download it from here

NROC Security is the only solution that comprehensively addresses all potential causes of GenAI copilot security and compliance vulnerabilities – user access, user behavior, prompt and response content - to fully secure them while maximizing their potential for business productivity.