Gen AI Security Check: 15 Key Questions for Vendors

If you are adding generative AI solutions to your contact center tech stacks, there is no such thing as “an overabundance of caution.”

When evaluating new software solutions with Gen AI, think of yourself as a bouncer.

You’ve seen those big, burly guys outside of the hottest night spots, right? They stand blank-faced, with their arms crossed and accept zero nonsense.

You want to be like them.

But instead of keeping riffraff out of the VIP areas, you’re defending your company and customers from mishandled information, data breaches and AI hallucinations.

A recent study by IBM’s Institute for Business Value showed that 94% of C-suite leaders consider the security of AI solutions a top priority. But it also reported that 69% put innovation ahead of that same security.

And while 47% saw Gen AI as a tool to “help improve the time to detect and respond to cyber threats,” the exact same percentage were “concerned that adopting Gen AI in operations will lead to new kinds of attacks.”

We're in uncharted territory when it comes to AI.

That’s why a bit of extra caution goes a long way.

As a “bouncer” you can’t waive solutions through the front door just because Gen AI is famous, and everybody’s heard of it. You have a responsibility to serve and protect… and that starts with asking lots of questions.

Evaluating software solutions has always required a fair share of due diligence. But the addition of generative AI adds fresh anxiety to the already complex CCaaS tech landscape.

It is easy to get seduced by the bold promises of AI. Contact center leaders are under constant pressure to improve metrics and deliver results.

Few can resist the idea of virtual assistants that work all day and night at lightning speed. But it's critical to understand how you can put customer information and company data at risk.

First, start with these three internal questions...

What specific tasks or issues will gen AI address?

Set objectives that align with business goals. Will you use AI for customer service automation, content creation or decision support? Treat Gen AI like a new employee. Give it a job description with responsibilities and expectations.

How will Gen AI integrate with our existing systems?

Will your solution connect seamlessly? Or will it need a workaround? Consider APIs, data exchange protocols, and the modification of existing workflows.

How will we train and provide support for staff using Gen AI?

Ensure your teams understand how to use the technology. This should include discussions about compliance and security.

Once you understand how AI will fit your business goals, it’s time to build a list of questions for AI vendors.

Your list may vary, but here’s a solid dozen to get started:

Understand how Gen AI handles and processes sensitive customer information, including personal and financial data. Compliance with regulations such as GDPR, CCPA, HIPAA (if dealing with health-related information), and other relevant data protection laws is crucial.

How do you ensure compliance with global data protection regulations (e.g., GDPR, CCPA. HIPAA)?

• Why it matters: Compliance protects your organization from legal penalties or damage to its reputation. Strong compliance features demonstrate a vendor's commitment to privacy and security.

Can you detail the data encryption methods used during data transmission and at rest?

• Why it matters: Asking about encryption practices for data in transit (as it's sent) and at rest (when stored) evaluates a vendor's ability to safeguard sensitive customer information.

What policies and procedures do you have in place for data access and how do you ensure that only authorized personnel can access sensitive information?

• Why it matters: Make sure that the right people have the right access for the right reasons. Effective control is crucial for minimizing the risk of data breaches from both external attacks and internal threats.

The risk of data breaches is a significant concern when integrating Gen AI into your call center operations. It’s important to understand what security measures are in place to protect against unauthorized access, hacking, or other cyber threats.

Where is the data stored, and what are the physical and logical security measures in place at these locations?

• Why it matters: Knowing the physical and logical security measures of data storage locations ensures that the vendor’s facilities adhere to high-security standards.

Do you utilize public, private, or hybrid cloud services for data storage, and how do you ensure their security?

• Why it matters: Understanding the cloud infrastructure used (public, private, hybrid) is key to evaluating the potential risks and security measures needed.

What policies and procedures do you have in place for data retention and deletion?

• Why it matters: Effective data retention and deletion policies help manage the lifecycle of data, ensuring legal compliance and reducing the risk of retaining unnecessary sensitive information.

Model training and maintenance are crucial for ensuring that customer interactions remain efficient, personalized, and effective. Regular training updates keep the AI models relevant and accurate to changing customer behaviors and preferences.

How do you ensure the security and privacy of data used in training your AI models?

• Why it matters: It's important to make sure that customer data used for training AI models is not exposed to unauthorized access or misuse. Securing training data also builds trust that customer information is handled responsibly.

What measures are in place to prevent biased outcomes from your AI models?

• Why it matters: Bias in AI models can lead to unfair or discriminatory outcomes, affecting customer satisfaction and causing reputational damage. Ask about bias mitigation strategies to ensure that AI models provide equitable and fair service.

How do you manage updates and maintenance for AI models to ensure they remain effective and secure over time?

• Why it matters: AI models need to evolve. Regular updates and maintenance are crucial to maintain the longevity and effectiveness of AI solutions in dynamic environments.

AI isn’t perfect. Mistakes will be made, and you’ll need to understand why. Get clarity on how decisions made by the AI are derived, particularly for sensitive customer interactions. The ability to audit and explain AI decisions is crucial for accountability, troubleshooting, and compliance.

Can your AI system provide explanations for its decisions or outputs?

• Why it matters: Transparency in AI decision-making is crucial for building trust with users, fulfilling regulatory requirements (such as GDPR's right to explanation), and identifying potential biases or errors in the AI system.

What level of detail do the explanations include, and are they accessible to non-technical stakeholders?

• Why it matters: Explanations must be detailed and understandable to non-technical users, including customer service representatives and customers themselves.

How do you ensure the AI system remains explainable as it evolves with further training and updates?

• Why it matters: Continuous explainability is essential for long-term trust and compliance, ensuring that the AI's decision-making process remains transparent, even as the system grows more sophisticated.

The integration of Gen AI into CCaaS environments requires a meticulous approach to security and compliance. Like vigilant bouncers guarding the gates to exclusive venues, CCaaS leaders must rigorously evaluate potential Gen AI solutions to protect data integrity and customer privacy.

Given the rapid evolution of technology and the novel threats that come with it, you need to stand firm. Stay tough. Accept zero nonsense.

Because as we venture further into the era of Gen AI, the burden of responsibility lies with CCaaS leaders. It’s up to you to ask the right questions and educate yourself (and your staff) to ensure that the drive for business innovation does not outpace the commitment to information security.

This article first appeared on ICMI.