X
Akamai to acquire LayerX to enforce AI usage control on any browser. Get details
Akamai
Login
Login Close
Control Center
Access the Akamai platform
Login Close
Cloud Manager
Manage your cloud resources

What Leaders Should Know About GenAI

Share

Key takeaways:

  • Understanding non-determinism is critical for effective security testing.
  • Widespread hands-on training is necessary to internalize AI risks.
  • Security teams must automate to match the increased velocity of AI-driven development.
  • The "Toxic Trifecta" creates significant architectural risks for the enterprise.
  • Strategic configuration can mitigate unpredictability where creativity is not required.

Elizabeth Heathfield, Chief Corporate Affairs Officer, FS-ISAC: Welcome to FS-ISAC's podcast, FinCyber Today. I'm Elizabeth Heathfield, Chief Corporate Affairs Officer at FS-ISAC. As generative AI moves from a cool, innovative approach to an absolute economic imperative, firms and teams need to learn to think not just about AI, but think like AI. Patrick Sullivan, SVP and CTO at Akamai, spent some time geeking out with me on how security teams can learn to harness the non-deterministic nature of AI tools.

Heathfield: Thanks so much for being here. I appreciate it. I'm super excited to talk to you about this because I know that we're both AI geeks. So let's talk about managing non-deterministic risk. Lay the ground rules, set the basics out here. What is non-determinism in GenAI models?

Patrick Sullivan, Senior Vice President and Chief Technology Officer, Akamai: Perfect. Yeah, I think it's important to set the table first. You know, I think when we look at the generative AI models that we're all so excited about, at their core, what they're doing is a lot of complex matrix multiplication and then trying to complete the next word with the most probable outcomes. Depending on how you configure things, it will be the most likely [word] or you could sample a less likely alternative.

But what that means and why we say it's non-deterministic is, if you run [matrix multiplication] with a set of inputs – and even though that model is completely static – there's no change to the system. The next time you run that, you're going to get a different set of results, right? And you run it again, a different set of results still.

In some ways, that's different from a lot of the systems that we traditionally have run. So there's a mindset shift that people need to wrap their heads around for things like security testing. If you have maybe a latent payload for pumped injection that doesn't detonate once, that does not mean that you have assurance that you're not vulnerable. Because the very next time you play back that exact same payload against the exact same application, it may detonate it, and you end up with a negative result. So I think it's important for people to wrap their heads around that.