Balancing Innovation and Security While Implementing AI

AI has brought transformative opportunities to finance teams, offering tools to automate processes, enhance decision-making, and uncover insights. Yet, discussions about AI inevitably circle back to one pressing concern: data privacy and security. 

Finance leaders play a critical role in ensuring safe AI usage across their organizations. By collaborating with IT and compliance teams, CFOs can drive secure and responsible AI adoption without shouldering the burden of data security alone.

In this issue, I’ll explore the key risks of AI implementation in finance, compare security features across AI subscription levels, and share a real-world example of crafting an effective AI usage policy. Let’s dive in to discover how to embrace AI’s potential while safeguarding your organization’s most valuable assets.

The Balanced View: What CFOs Need to Know About Security and Privacy When Using AI

It’s not the CFO’s job to manage every aspect of security, but understanding the nature of risks associated with AI is essential. This knowledge enables CFOs to lead meaningful conversations with security and compliance teams, foster a responsible approach to AI usage within the finance team, and develop the awareness needed to identify and flag potential issues to IT when they arise. By building this foundation, CFOs can help ensure AI adoption is both innovative and secure.

Let’s explore the key risks CFOs face when implementing AI in financial processes:

Data Privacy Concerns

1. Sensitive Data Exposure
   AI tools often process vast amounts of data. Without safeguards, uploading financial details, client records, or proprietary models could lead to unintentional leaks. For example, LLMs may retain parts of interactions for training purposes unless data-sharing restrictions are in place.

2. Regulatory Implications
   Compliance with laws such as GDPR and HIPAA can be jeopardized if confidential financial data is shared with public-facing AI models. A lapse here could result in fines and reputational damage.

Security Threats

1. Prompt Injection
   Malicious actors can craft inputs to manipulate an AI's logic, bypassing safeguards or exposing sensitive data. For instance, a cleverly designed prompt might trick an AI into revealing confidential information.

   

2. Jailbreaking
   Jailbreaking involves bypassing AI’s built-in restrictions to perform unauthorized actions. For example, an employee might upload sensitive financial documents in unintended formats, such as screenshots, to circumvent security protocols.

   

3. Adversarial Attacks
   Hackers may subtly alter input data to deceive AI systems, potentially skewing predictions or analyses and leading to financial losses.

4. Data Poisoning
   During AI model training, attackers could introduce corrupt data, impairing the model’s reliability. This could result in inaccurate forecasting or decision-making in financial contexts.

Privacy Attacks

1. Membership Inference Attacks
   These aim to identify whether specific data was part of an AI model’s training set, risking the exposure of sensitive details.

2. Personally Identifiable Information (PII) Leakage
   LLMs might inadvertently reveal PII, such as client names or transaction details if such data was present during training.

Understanding the risks is just the first step. Mitigating those risks and establishing a safe, responsible AI usage environment is an ongoing process. It involves classifying use cases, crafting a comprehensive AI usage policy, selecting and configuring the right software, setting up appropriate access controls, providing thorough training for employees, and continuously monitoring AI usage. This cross-functional effort demands collaboration across teams, and it’s an area where AI-savvy CFOs can make a significant impact by driving alignment, ensuring compliance, and fostering innovation.

Bridging the Gap: CFOs and IT Teams in AI Implementation

To mitigate these risks, CFOs must lead informed, collaborative discussions with IT and security teams. These conversations should align AI usage with organizational priorities, build robust safeguards, and promote a culture of accountability.

1. Clarify Use Cases and Requirements
   Clearly define financial objectives for AI adoption—whether automating forecasting, improving compliance reporting, or enhancing decision-making. This allows IT teams to tailor solutions effectively.

2. Address Data Governance
   Work with IT to establish guidelines for data handling, including:

   • Anonymizing sensitive data before inputting it into AI tools.

   • Implementing access controls to restrict who can upload and retrieve data.

3. Ensure Compliance Readiness
   Collaborate with IT to ensure AI tools meet regulatory requirements. This includes assessing how vendors handle data and ensuring contracts align with your organization’s compliance policies.

4. Lead by Example
   CFOs set the tone for responsible AI use by adhering to data-sharing policies and using vetted tools for financial tasks. Publicly advocate for secure AI platforms and highlight their benefits.

5. Create Shared Accountability
   Establish cross-functional working groups that include finance, IT, and compliance stakeholders. Regularly review AI use cases, identify risks, and refine policies as a team.

CFOs can’t be solely responsible for managing security risks, but understanding the nature of these risks, demonstrating responsible behavior, and promoting this behavior within their teams is vital. By leading with accountability and fostering a culture of collaboration with IT and compliance teams, CFOs can create a secure framework for AI adoption. This approach not only mitigates risks but also empowers organizations to leverage AI’s transformative potential responsibly and effectively.

AI Tool Spotlight: Security Features of the Main Public LLMs

Enterprise-Level Security Settings

Enterprise-level AI subscriptions prioritize robust security and compliance measures, catering to organizations with stringent data protection needs. These plans typically offer advanced encryption for data in transit and at rest, SOC 2 certification or equivalent, and clear policies preventing data retention or reuse for training purposes. Administrative controls, including role-based access and audit logs, ensure that organizations can manage usage transparently and enforce internal compliance. Enterprise plans are designed to meet regulatory standards like GDPR or HIPAA, making them ideal for finance teams handling sensitive and regulated data.

Pro/Plus/Team Subscription Security Settings

Pro/ Plus and Team subscriptions cater to smaller organizations or individual users. While these tiers offer improved performance and accessibility compared to free versions, they lack enterprise-grade safeguards. Data retention policies often permit temporary storage for model improvement unless explicitly disabled. Encryption is standard but may not include advanced protections such as encryption at rest. Administrative controls are limited or absent, and compliance with industry regulations is not guaranteed.

For organizations handling sensitive or regulated financial data, enterprise-level subscriptions provide the necessary safeguards, such as advanced encryption, compliance certifications, and administrative controls.

Pro, Plus, and Team subscriptions are more accessible but lack some security features.

The exact AI setup and usage policy for any company depend on several factors, including the organization’s size, the sensitivity of the data involved, regulatory requirements, and the intended use cases for AI. Larger organizations handling highly sensitive or regulated data may benefit from enterprise-level subscriptions, which provide advanced security features, compliance guarantees, and robust administrative controls. On the other hand, smaller organizations or those exploring AI for non-critical tasks may find Pro, Plus, or Team subscriptions sufficient for their needs, provided they implement additional safeguards.

Case Study: The Main Clauses of an AI Use Policy

One of my recent clients, a medium-sized firm specializing in providing fractional CFOs, controllers, and accountants to its clients, approached me with the goal of adopting AI tools responsibly while safeguarding sensitive financial and client data. With around 30 employees, the company decided to implement Claude using a Team subscription, chosen for its affordable cost, collaborative features, and artifacts functionality that resonated with their team.

Here’s how we collaborated to draft a robust AI usage policy tailored to their operational needs and security priorities.

The Background and Challenge

During an AI Blend Workshop, I demonstrated how AI could streamline workflows like report generation, data processing and analysis, and stakeholder communication. The leadership team was enthusiastic about the potential efficiency gains but recognized the importance of safeguarding confidentiality and maintaining compliance.

After a thorough evaluation, the company selected a Team subscription for Claude as the most suitable option, given the company size and the scope of AI usage. While Claude’s Team subscription offers a strong starting point, it requires additional safeguards to address potential risks. To bridge these gaps, the leadership, IT, and compliance teams collaborated to develop a robust policy featuring clear data-sharing rules, access controls, and compliance measures.

The Key Clauses of the Policy

1. Tool Approval and Usage Guidelines
   Claude was selected as the sole approved AI tool for company-wide use under the Team subscription. Employees were instructed to avoid using unapproved AI platforms to ensure data consistency and security.

2. Data Sharing Protocols and Access Management
   The policy established clear guidelines on data usage:

   • Anonymized client data could be used within Claude to generate financial summaries, model scenarios, and perform other tasks.

   • Strictly prohibited information included personally identifiable information (PII), account numbers, passwords, or sensitive proprietary details.

   • Access to Claude was limited to designated employees, primarily senior staff, who completed mandatory training. Usage was logged and periodically reviewed by IT and compliance teams.

3. AI-Generated Outputs and Review
   All outputs generated by Claude had to be reviewed by a human before being used in client-facing reports or decision-making processes. This ensured accountability and reduced the risk of errors.

4. Audit and Compliance Checks
   IT team conducted monthly audits of Claude's usage logs to identify potential misuse. Updates to Claude’s terms of service were also monitored to ensure continued alignment with the company’s security and compliance needs.

5. Prohibited Use Cases
   The policy prohibited specific use cases, such as uploading raw financial data or proprietary client models directly into Claude.

6. Client Transparency and Contract Adjustments
   To maintain client trust, the company proactively informed all clients about its adoption of AI. The legal team crafted an amendment to client contracts outlining the AI’s role in workflows, ensuring transparency and legal alignment. Clients were given the option to opt out of having AI used in their projects. This approach reinforced trust and accountability while addressing client concerns.

7. Training and Employee Accountability
   Employees were required to attend quarterly training sessions on responsible AI use. They were also held accountable for adhering to the policy through regular compliance reviews and periodic updates to their knowledge base.

Implementing a clear AI usage policy and providing comprehensive training are essential steps in achieving responsible AI adoption in finance. Moreover, openly discussing potential risks, fostering a responsible approach, and ensuring alignment on the AI policy among all stakeholders—both within the leadership team and with clients—can significantly alleviate concerns.

This collaborative foundation not only builds trust but also paves the way for scaling AI implementation effectively.

Closing Thoughts

Security and compliance may not be as exciting as discussing efficiency gains or showcasing AI's incredible capabilities. However, without a solid foundation of responsible AI implementation, even the most powerful tools can become liabilities. By addressing these challenges head-on—crafting clear policies, collaborating with IT and compliance teams, and leading by example—CFOs can ensure AI becomes a trusted ally rather than a risk.

Balancing innovation with security builds a future where AI drives meaningful, sustainable success for your organization.

We Want Your Feedback!

This newsletter is for you, and we want to make it as valuable as possible. Please reply to this email with your questions, comments, or topics you'd like to see covered in future issues. Your input shapes our content!

Want to dive deeper into balanced AI adoption for your finance team? Or do you want to hire an AI-powered CFO? Book a consultation! 

Did you find this newsletter helpful? Forward it to a colleague who might benefit!

Until next Tuesday, keep balancing!

Anna Tiomina 
CFO & AI Enthusiast