Mario Cirillo
Chief Technology Officer, Kerv Transform|Kerv Transform
Have a question?
Get in touchPublished 22/05/25 under:
We’re all feeling the pressure to move faster with AI.
But here’s the part I’ve seen trip people up: no matter how good your AI ideas are, security will either enable them or block them. And in most cases, it’s the latter.
AI isn’t just another app you plug in. It’s a new layer on top of your entire business. If your security posture isn’t ready, the risk compounds fast. Over the last few months, my team and I have been speaking with and supporting many customers on their AI journeys. Below are the five common security pitfalls I see derailing AI projects before they even get started.
No clear data classification
AI needs access to data to be useful. But if you haven’t classified what’s sensitive, regulated, or internal-only, how can you decide what an AI tool should or shouldn’t access? Worse still, your users don’t know either. That means they’re feeding all sorts of things into chatbots and copilots that they probably shouldn’t.
Fix: Get a proper data classification model in place and tie it into access policies. If you don’t know your data, you can’t protect it. And you definitely can’t trust AI with it.
Lack of tenant-level controls
Lots of businesses are testing AI through personal accounts or non-managed environments. Think about someone setting up a ChatGPT account or using AI tools that aren’t linked to your Microsoft 365 tenant. This might seem harmless, but it’s a nightmare from a control and visibility perspective. You can’t apply DLP, audit access, or control the lifecycle of what’s being shared.
Fix: Keep AI inside your controlled environments. If you’re using Microsoft, this means deploying Copilot with the right tenant settings or using Azure OpenAI within your own boundaries.
Overexposed access rights
AI tools are only as secure as the permissions they inherit. If your environment already suffers from excessive access, like too many people with global admin rights or legacy systems left wide open, your AI tools will inherit those same risks. That means an AI agent could accidentally surface data from places it shouldn’t, just because permissions were never cleaned up.
Fix: Review and tighten permissions now. This isn’t an AI-specific problem, but AI will absolutely expose it.
Shadow AI creating blind spots
Another topic I shared is around Shadow AI already being in your organisation. From a security perspective, it’s a huge visibility gap. If employees are using AI tools that you haven’t sanctioned, you don’t know what data is being shared, what’s being stored, or whether your IP is walking out the door.
Fix: You can’t control what you can’t see. Use tools like Defender for Cloud Apps or CASB solutions to detect unsanctioned AI tools. Then educate your users and offer safer alternatives.
No incident response plan for AI misuse
What happens if someone uses AI to generate harmful content? What if sensitive data is leaked via a prompt? Or a model gets exploited through prompt injection? Most incident response plans weren’t written with this in mind. So even if you detect an issue, you’re left scrambling.
Fix: Update your incident response playbooks to include AI-specific scenarios. Make sure your SOC understands what to look for and where these tools live in your environment.
Final thought: Don’t let security be the blocker
Security can be the function that kills every good idea. Or it can be the thing that helps AI scale safely. We’ve seen both. And in every successful AI adoption story I’ve been part of, it’s clear that security wasn’t an afterthought. It was built in from day one.
Is Your Security Ready for AI? Let’s Find Out.
We’ve seen too many great ideas get blocked by avoidable risks. Before you launch, talk to our experts about how to secure your AI roadmap and avoid the most common pitfalls.
Speak to our expert today!Have a question?
"*" indicates required fields
