PASTA – Solving Stealth GPT
What is the Stealth GPT?
The term “GPT” seems to have struck a chord in a way that AI and all the previous incarnations never have, driven by the popularity and remarkable powers of ChatGPT. Every analyst and journalist is blogging and tweeting about it, there are a slew of conferences and events, and a surprising number of books have already been published, several written by ChatGPT.
With the explosion of GPT, there is now an explosion of GPT apps alongside ChatGPT. In addition to these, I would like to propose that a new term, “Stealth GPT”, should be added to the lexicon. As the name suggests it does its job — quietly, unseen, and unnoticed. Essentially, the Stealth GPT refers to GPT services being consumed by business users without the knowledge, permission or support of the CIO and the IT department.
Consumers are Business People Too
Business people are embracing the ideas of GPT like never before, fueled by ChatGPT. They can see immediate value to their business from the applications and services being offered. As the GPT apps become easier to develop, there seems to be no limit to what is being provided, much of which is packaged in a very compelling, slick user experience.
When the business user is provided with these elegant services as a consumer it is inevitable that they bring them to work. Is it any surprise business users are signing up and ignoring the (seemingly) staid and boring applications provided by the IT department?
A long time ago when I was CIO at a large U.K. central Government organization we surveyed the IT infrastructure and discovered over 2,500 unsupported business-created applications on PCs and servers; MSAccess databases, spreadsheets, custom apps, on and on. Of the 2,500 that were discovered, a staggering 500 were mission critical.
With the Stealth GPT it is impossible to discover which applications or services are being used except by getting every user to “fess-up” to the IT department. And don’t forget all the mobile apps?
Why is it an Issue, and for Whom?
Stealth GPT sounds like a perfect way of reducing the workload and improving efficiency. Hundreds of innovative entrepreneurs are providing GPT apps or training to make it easier to use ChatGPT for business problems at little or no cost to the business. IT departments should see GPT as an ally, because embracing it will make them appear far more responsive to the business; however, Stealth GPT seems to be having the reverse effect.
Too much has been talked about the business- IT divide. Unfortunately, the Stealth GPT has driven an even greater rift between business and IT. It is exposing, as far as the business side is concerned, the lack of flexibility, agility and responsiveness of corporate IT departments. From the CIO’s perspective you can see the risks (operational, compliance and integration) of using some of these GPT apps, and it simply underlines how cavalier and naïve business users are.
The key issue here is that there are a set of questions that need to be asked before starting to use GPT apps. There are questions that you have been asking on-premise and cloud software vendors for years. There are now additional GPT-related questions.
But most, if not all, business users who are starting to make decisions to use a GPT app are not even aware of the questions to ask.
What are the Risks?
The organization is exposing itself to three key risks due to the Stealth GPT.
- The first: IP / security. With a cloud app it is clear who owns the data and the security risks. But with GPT apps, it is still a gray area between who owns the IP for the GPT-generated result. And in some cases the IP that was used as the prompt is in doubt, if it was just copied and pasted from a blog, ebook or download offering “1,001 ChatGPT Prompts That Will Make You a Millionaire”.
- The second area is compliance risk. Your ISO quality and data security accreditations are based around a set of policies which should be adhered to by all staff. What contracts and security policies are your staff inadvertently breaching by using a GPT app? What are the implications on your business?
- And third, reputational risk. If, or when, that GPT app no longer provides good results, or the data you entered in prompts becomes public knowledge, (for example the recent Samsung case) what will that do for the reputation of your company? How will it impact the relationship with your customers — in private — or in public? Trust is the most valuable asset.
What Can be Done About it?
GPT cannot be ignored.
The genie is out of the bottle. GPT is here to stay. As long as business users have a browser or a phone then the problem exists.
Is the simple solution to ban its use? No. That will drive the Stealth GPT ever further underground. Business users will use it on their personal phones.
So the solution to this problem comes from the most unlikely of places: the Italian kitchen and PASTA.
• P: Policy. What is the corporate policy for GPT? Remember, that “Unapproved GPT apps are banned” is not an acceptable answer. That will drive the Stealth GPT further underground. You need to scramble to get ahead and create policies that are pragmatic if they are going to be adhered to.
• A: Amnesty. You need to find out what business users are doing, but they are unlikely to tell you if they believe that they will suffer either in terms of their career or will be prevented from using the GPT apps. The Amnesty period needs to be less than a month to drive urgency and it needs to be very clearly and widely communicated. For example, after the Amnesty end date any use of GPT outside the Policy is a disciplinary offense.
• S: Support. End users need to believe that if they are honest in the information they give during the Amnesty it will be used to help them and support them. Therefore, IT needs to support them using the GPT app — NO MATTER how UNRELIABLE you believe (or know) that the it is. This will be very hard and require a huge level of self control.
• T: Technology Evaluation. This is a full evaluation, both technical and commercial, of the GPT apps being used. This is probably a non-trivial activity, based on the huge number of GPT apps that are being used and the time taken to really find out what is behind them.
• A: Adoption. Now you need to build your GPT apps strategy for the company. This may consist of many of the GPT apps currently being used but will also involve some users migrating from their chosen GPT apps to the corporate standard. Then you need to work hard to drive up the adoption of the chosen GPT app, but that is nothing new.
The Final Word
As the CIO, you need to sprint to get ahead of the ball through the policy, amnesty, and support phases. Only then are you in some level of control and can evaluate the true risk to the business of the Stealth GPT. After that the technology and adoption phases can and will take some time.
GPT is here to stay. Business users are voting with their browsers to use GPT apps, but they are often unaware of the risks that they are putting themselves and their companies under. PASTA is an acronym describing an approach to evaluate and control the risks of GPT in your corporation. As CIO, you need to be happy with your pasta al dente.