Information security in enterprise environments is typically framed using the CIA triad: Confidentiality (only authorized people access information), Integrity (data hasn't been altered or corrupted), and Availability (systems and data are accessible when needed). For AI systems managing sensitive nonprofit data, all three dimensions matter.
Confidentiality breaches occur when unauthorized people access sensitive donor or beneficiary data. Integrity failures happen when data is corrupted or AI models are adversarially manipulated to produce false results. Availability failures occur when systems fail, preventing staff from accessing AI tools they depend on. Effective enterprise AI security addresses all three.
Enterprise AI security is not a technical function isolated to IT—it's an organizational responsibility spanning leadership, technology, operations, and culture. Security failures at scale affect entire organizations and erode stakeholder trust.
Understanding threats is the first step toward defense. AI systems face distinctive threat categories beyond traditional software.
Data poisoning: AI models learn from training data. If an attacker can corrupt the training data, the resulting model produces biased or incorrect predictions. Example: if an attacker adds fake beneficiary records with exaggerated needs to program evaluation datasets, AI models might learn to inflate severity estimates. Detection: validate training data quality, monitor for statistical anomalies in training datasets, and include data validation in model training workflows.
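The validation step described above, as an added example that is not code from the original page: each record is checked against schema and range rules, then a robust (median/MAD) outlier test is run on the severity field so that exaggerated records are quarantined for review before training. The field names (`need_score`, `household_size`, `region`) and every record, including the three poisoned rows, are constructed for illustration.

```python
"""Screening a program-evaluation dataset for poisoned records before it
reaches model training. Added example, not code from the original page.
Field names (need_score, household_size, region) and all records are
constructed for illustration."""
import statistics
from typing import Dict, List, Tuple

VALID_REGIONS = {"north", "south", "east", "west"}

# Constructed sample: beneficiary records with a 0-100 need score.
SAMPLE_RECORDS: List[Dict] = [
    {"id": "b001", "region": "north", "household_size": 3, "need_score": 42},
    {"id": "b002", "region": "north", "household_size": 5, "need_score": 55},
    {"id": "b003", "region": "south", "household_size": 2, "need_score": 38},
    {"id": "b004", "region": "south", "household_size": 4, "need_score": 61},
    {"id": "b005", "region": "east", "household_size": 1, "need_score": 47},
    {"id": "b006", "region": "east", "household_size": 6, "need_score": 58},
    {"id": "b007", "region": "west", "household_size": 3, "need_score": 50},
    {"id": "b008", "region": "north", "household_size": 2, "need_score": 44},
    # Constructed poisoned rows: an exaggerated but in-range score, an absurd
    # household size, and an out-of-range score.
    {"id": "x001", "region": "north", "household_size": 3, "need_score": 99},
    {"id": "x002", "region": "west", "household_size": 40, "need_score": 100},
    {"id": "x003", "region": "south", "household_size": 2, "need_score": 250},
]


def validate_schema(record: Dict) -> List[str]:
    """Return the rule violations for one record (an empty list means valid)."""
    problems = []
    if record.get("region") not in VALID_REGIONS:
        problems.append("unknown region")
    size = record.get("household_size")
    if not isinstance(size, int) or not 1 <= size <= 20:
        problems.append("household_size out of range")
    score = record.get("need_score")
    if not isinstance(score, (int, float)) or not 0 <= score <= 100:
        problems.append("need_score out of range")
    return problems


def robust_z(values: List[float]) -> List[float]:
    """Median/MAD z-scores. Unlike mean/stddev, the median and MAD are not
    pulled toward the very outliers we are trying to find. The 0.6745 factor
    puts MAD on the same scale as a standard deviation for normal data."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1e-9
    return [0.6745 * (v - med) / mad for v in values]


def screen_records(records: List[Dict], z_threshold: float = 3.5
                   ) -> Tuple[List[Dict], Dict[str, List[str]]]:
    """Split records into a clean training set and a quarantine map
    (record id -> reasons) for human review."""
    quarantine: Dict[str, List[str]] = {}
    schema_ok: List[Dict] = []
    for rec in records:
        problems = validate_schema(rec)
        if problems:
            quarantine[rec["id"]] = problems
        else:
            schema_ok.append(rec)
    # The statistical check runs only on schema-valid rows, so one absurd
    # value (250) cannot inflate the spread and hide subtler exaggerations.
    for rec, z in zip(schema_ok, robust_z([r["need_score"] for r in schema_ok])):
        if abs(z) > z_threshold:
            quarantine[rec["id"]] = [f"need_score outlier (robust z={z:.1f})"]
    clean = [r for r in schema_ok if r["id"] not in quarantine]
    return clean, quarantine
```

Running `screen_records(SAMPLE_RECORDS)` keeps the eight plausible records and quarantines all three constructed poisoned rows; the in-range but exaggerated score (99) is caught only by the statistical check, which is why schema validation alone is not enough.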
Adversarial inputs: Attackers craft specific inputs designed to fool AI models. A donor's record might be slightly modified (a name variant, a different version of the address) to manipulate propensity scores. Detection: monitor for unusual input patterns, test model robustness against perturbations, and implement input validation rules.
Model extraction: An attacker might query an AI system repeatedly to reverse-engineer the underlying model, then use that stolen model externally or to prepare further attacks. Mitigation: rate-limit API queries, monitor for unusual access patterns, and contractually prohibit competitors from using your systems.
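The rate-limiting and access-pattern monitoring just listed, as an added example that is not code from the original page: a per-client sliding-window limit on a model-scoring endpoint, plus an alert when a client near the limit is sending almost entirely distinct inputs, which is the shape of a scripted sweep rather than staff looking up records. The client names, the limit of 100 queries per 60 seconds and the request trace are constructed for illustration.

```python
"""Per-client sliding-window rate limiting for a model-scoring endpoint, with
a flag for query volumes that look like systematic probing rather than staff
use. Added example, not code from the original page; client names, the limit
and the request trace are constructed for illustration."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class QueryGuard:
    """Allow at most `limit` queries per client in any `window` seconds and
    record alerts for clients that hit the limit or that send an unusually
    high volume of distinct inputs."""

    def __init__(self, limit: int, window: float, probe_ratio: float = 0.9):
        self.limit = limit
        self.window = window
        self.probe_ratio = probe_ratio
        # client -> (timestamp, input fingerprint) for queries still in window
        self._events: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.alerts: List[str] = []

    def allow(self, client: str, now: float, fingerprint: str) -> bool:
        events = self._events[client]
        while events and now - events[0][0] >= self.window:
            events.popleft()          # expire queries outside the window
        if len(events) >= self.limit:
            self._alert(client, "rate limit exceeded")
            return False
        events.append((now, fingerprint))
        distinct = len({fp for _, fp in events})
        # Near the limit with almost every query carrying a new input: a
        # batch job or scripted sweep, not an analyst looking up a record.
        if (len(events) >= self.limit * self.probe_ratio
                and distinct >= len(events) * self.probe_ratio):
            self._alert(client, "high volume of distinct inputs")
        return True

    def _alert(self, client: str, reason: str) -> None:
        message = f"{client}: {reason}"
        if message not in self.alerts:   # one alert per client and reason
            self.alerts.append(message)


def constructed_trace() -> List[Tuple[str, float, str]]:
    """(client, timestamp_seconds, fingerprint) tuples. The fingerprint stands
    in for a hash of the scored record so the guard never stores raw data."""
    trace = []
    # A CRM integration: five lookups over a minute, some for the same donor.
    for i, fp in enumerate(["d1", "d2", "d1", "d3", "d2"]):
        trace.append(("crm-app", 12.0 * i, fp))
    # An unknown client sweeping 120 distinct records in 12 seconds.
    for i in range(120):
        trace.append(("unknown-client", 0.1 * i, f"rec{i}"))
    return sorted(trace, key=lambda e: e[1])


def run(trace: List[Tuple[str, float, str]], limit: int = 100,
        window: float = 60.0) -> Tuple[int, int, List[str]]:
    """Replay a trace through the guard; returns (allowed, blocked, alerts)."""
    guard = QueryGuard(limit, window)
    allowed = blocked = 0
    for client, now, fp in trace:
        if guard.allow(client, now, fp):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked, guard.alerts
```

On the constructed trace the CRM integration is never throttled, while the unknown client is flagged for its distinct-input pattern at its 90th query and then blocked for its last 20. The alerts, not just the blocks, are what feed the "monitor for unusual access patterns" step: a client that stays just under the limit still shows up.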
Membership inference: An attacker might determine whether specific individuals are in a training dataset, violating their privacy. If someone learns their data was used in an AI model without consent, trust erodes. Mitigation: implement differential privacy (mathematical techniques that add calibrated noise so that no individual record can be singled out), limit what the model reveals about its training data, and contractually restrict external model access.
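The differential-privacy mitigation mentioned above, as an added example that is not code from the original page: a count over beneficiary records released through the Laplace mechanism. A count has sensitivity 1 (adding or removing one person changes it by at most 1), so noise drawn from Laplace(0, 1/epsilon) makes the released value nearly as likely with or without any given individual, while the average of many releases still tracks the true count. The dataset, the `received_housing` query and the epsilon values are constructed for illustration.

```python
"""Releasing a count over beneficiary records with the Laplace mechanism,
the standard differential-privacy building block: the released value is
noisy enough that the presence or absence of any one individual cannot be
inferred from it. Added example, not code from the original page; the
dataset, the query and the parameters are constructed for illustration."""
import math
import random
from typing import Callable, Dict, List, Tuple

Record = Dict[str, object]

# Constructed dataset: did each beneficiary receive housing support?
DATASET: List[Record] = [
    {"id": "b001", "housing": True},  {"id": "b002", "housing": False},
    {"id": "b003", "housing": True},  {"id": "b004", "housing": True},
    {"id": "b005", "housing": False}, {"id": "b006", "housing": True},
    {"id": "b007", "housing": False}, {"id": "b008", "housing": True},
    {"id": "b009", "housing": False}, {"id": "b010", "housing": True},
]


def received_housing(record: Record) -> bool:
    return bool(record["housing"])


def true_count(records: List[Record], predicate: Callable[[Record], bool]) -> int:
    return sum(1 for r in records if predicate(r))


def neighbor_counts() -> Tuple[int, int]:
    """True counts on the full dataset and on its neighbour with the last
    beneficiary removed. They differ by exactly 1: that is the sensitivity
    the noise must hide."""
    return (true_count(DATASET, received_housing),
            true_count(DATASET[:-1], received_housing))


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Noise scale b = sensitivity / epsilon. Smaller epsilon means more
    noise and a stronger privacy guarantee."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF from u uniform on (-1/2, 1/2)."""
    u = rng.random() - 0.5
    u = max(u, -0.5 + 1e-12)          # avoid log(0) at the boundary
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records: List[Record], predicate: Callable[[Record], bool],
             epsilon: float, rng: random.Random = None) -> float:
    """Count matching records, then add Laplace noise calibrated to
    sensitivity 1. Use a CSPRNG (SystemRandom) for real releases."""
    rng = rng if rng is not None else random.SystemRandom()
    return true_count(records, predicate) + laplace_noise(laplace_scale(1.0, epsilon), rng)


def average_release(epsilon: float, draws: int, seed: int) -> float:
    """Mean of many noisy releases with a seeded generator (for reproducible
    demonstration only). Noise is zero-mean, so aggregate accuracy survives
    even though each single release protects individuals."""
    rng = random.Random(seed)
    return sum(dp_count(DATASET, received_housing, epsilon, rng)
               for _ in range(draws)) / draws
```

Note the trade-off the parameters expose: at epsilon 1.0 a single release is typically within a couple of units of the true count of 6, at epsilon 0.1 it is often off by ten or more, and in both cases the mean over thousands of releases converges on 6. Each release also spends privacy budget, so a real deployment caps how many times the same data can be queried.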
Supply chain compromise: Compromises of AI vendors (cloud platforms, model libraries) can cascade into your organization. Mitigation: vendor security assessment, contractual security requirements, and continuous monitoring of vendor security posture.
Comprehensive risk assessment evaluates likelihood and impact of potential harms, then prioritizes mitigations.
Systematic risk identification involves: threat brainstorming (what could go wrong?), vulnerability assessment (what weaknesses exist?), asset identification (what are we protecting?), and scenario development (if threats exploited vulnerabilities, what impact?). Risks span technical (database breach), operational (staff misconfiguration), process (inadequate access controls), and governance (lack of oversight).
Not all risks deserve equal resources. Risk prioritization matrices typically plot likelihood vs. impact: high-impact, high-likelihood risks get immediate attention. High-impact, low-likelihood risks require contingency planning. Low-impact risks might be accepted. This framework ensures resources address the highest risks first.
Once prioritized, each risk gets one of four treatments. Mitigation: take actions reducing likelihood or impact (encryption reduces breach impact). Acceptance: understand the risk and proceed anyway (small organizations might accept certain risks they lack resources to mitigate). Avoidance: don't pursue initiatives with unacceptable risks. Transfer: buy insurance to transfer the financial consequences of certain risks.
Conduct a risk assessment for a major AI initiative your organization is considering: Identify 5-10 potential threats. For each, estimate likelihood (low/medium/high) and impact (low/medium/high). Plot them on a 3x3 matrix. For high-priority risks (high likelihood or high impact), develop mitigation strategies. This exercise crystallizes abstract security thinking into concrete planning.
Security controls are specific actions reducing risk. The NIST Cybersecurity Framework organizes controls across five functions.
Identify: Understand what you're protecting through asset inventory (what systems, what data), data classification (what's sensitive?), and risk assessment (what could go wrong?). You can't protect what you haven't identified.
Protect: Implement safeguards: access controls (who can access what?), encryption (protecting data in transit and at rest), secure configurations (systems hardened against common attacks), and training (staff understand their security responsibilities).
Detect: Identify breaches and unauthorized activity by monitoring systems for intrusions, detecting unusual access patterns, and alerting on anomalies. Detection assumes breaches will occur; the question is how quickly you find them.
Respond: When incidents occur, respond effectively: incident response procedures (defined steps minimizing damage), communication protocols (who tells whom), investigation (understanding what happened), and remediation (fixing the problem).
Recover: Restore normal operations: restore systems from backups, validate data integrity, and implement improvements preventing recurrence.
Access controls are foundational to security. Determine who can access what, under what conditions, and enforce consistently.
Authentication confirms identity (you are who you claim). Authorization determines what authenticated users can do (you can access donor records but not finance data). Multi-factor authentication (MFA)—requiring something you know (password) plus something you have (authenticator app) or something you are (biometric)—significantly improves security. Authorization should follow the principle of least privilege: users get the minimum access needed for their role.
Passwords are weak security controls—people reuse them, share them, and forget them. Better approaches: Single Sign-On (SSO) centralizing authentication across systems, eliminating password proliferation; API keys for system-to-system authentication; OAuth for delegated access. Enforce strong password policies when passwords are necessary: minimum length (12+ characters), complexity (mix of types), regular changes.
Prevent single individuals from controlling critical operations. No one person should both approve grants and record grant payments; no one person should both modify data and audit changes. Segregation prevents fraud and catches errors.
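The authorization, least-privilege and segregation-of-duties rules from the preceding paragraphs, as one added example that is not code from the original page: roles carry only the permissions their job needs, an authorization check is made per action, and a conflicting-duties table blocks the same person from both approving a grant and recording its payment. The same table can be checked at role-assignment time to catch a user who holds a toxic combination of roles before they ever act. Role names, permission strings, users and grant ids are constructed for illustration.

```python
"""Role-based authorization with least privilege plus a segregation-of-duties
check for a grant workflow. Added example, not code from the original page;
the roles, permission names, users and grant ids are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Each role carries only the permissions its job needs (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "fundraiser":      {"donor:read", "donor:write"},
    "program_officer": {"beneficiary:read", "grant:approve"},
    "finance_clerk":   {"finance:read", "grant:record_payment"},
    "auditor":         {"donor:read", "finance:read", "audit:review"},
}

# Pairs of actions one person must never perform on the same object.
CONFLICTING_DUTIES: Set[FrozenSet[str]] = {
    frozenset({"grant:approve", "grant:record_payment"}),
    frozenset({"donor:write", "audit:review"}),
}


@dataclass
class AuthzService:
    user_roles: Dict[str, Set[str]]
    # object id -> [(user, action)] already performed, consulted for SoD
    history: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)

    def permissions(self, user: str) -> Set[str]:
        perms: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def is_allowed(self, user: str, action: str) -> bool:
        return action in self.permissions(user)

    def toxic_combinations(self, user: str) -> List[FrozenSet[str]]:
        """Conflicting duty pairs a user's roles would let them perform
        alone. Check this at role assignment time, not only at runtime."""
        perms = self.permissions(user)
        return [pair for pair in CONFLICTING_DUTIES if pair <= perms]

    def sod_conflict(self, user: str, action: str, obj: str) -> bool:
        for prior_user, prior_action in self.history.get(obj, []):
            if prior_user == user and frozenset({prior_action, action}) in CONFLICTING_DUTIES:
                return True
        return False

    def perform(self, user: str, action: str, obj: str) -> Tuple[bool, str]:
        """Authorize and record an action; returns (allowed, reason)."""
        if not self.is_allowed(user, action):
            return False, f"{user} is not permitted to {action}"
        if self.sod_conflict(user, action, obj):
            return False, f"{user} already performed a conflicting duty on {obj}"
        self.history.setdefault(obj, []).append((user, action))
        return True, "ok"


def constructed_service() -> AuthzService:
    return AuthzService(user_roles={
        "alice": {"fundraiser"},
        "bob":   {"program_officer"},
        "carol": {"finance_clerk"},
        "dave":  {"program_officer", "finance_clerk"},   # over-privileged
    })
```

In the constructed service, Bob can approve grant-17 and Carol can record its payment, but Dave, who holds both roles, is stopped from recording payment on a grant he approved, and `toxic_combinations("dave")` reports the role pairing itself so it can be fixed at the source.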
Encryption converts readable data into unreadable form using keys. Only holders of correct keys can decrypt.
Data moving between systems (user to server, server to server) should be encrypted. HTTPS for web traffic, encrypted VPNs for remote access, encrypted database connections. This prevents eavesdropping on network traffic.
Data stored on servers should be encrypted. If an attacker gains physical access to servers or steals disk drives, encrypted data remains unreadable without keys. Encryption keys should be managed separately from encrypted data (don't store keys on same server as encrypted data).
Encryption security depends entirely on key security. Keys must be: generated securely (using cryptographic random number generators), stored securely (restricted access, encrypted when possible), rotated periodically (changing keys to limit damage from key compromise), and destroyed securely (when no longer needed). Key management services (AWS KMS, Azure Key Vault, Google Cloud KMS) handle this complexity for you.
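The key-management lifecycle described across the encryption paragraphs (keys generated from a CSPRNG, kept apart from the data they protect, rotated, and destroyed), as an added example that is not code from the original page. Each stored record carries only the id of the key that encrypted it; rotation re-encrypts every record under the new key before the old one is destroyed, and an authentication tag makes tampering with stored ciphertext detectable. The cipher is a stdlib-only stand-in (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) chosen so the example runs without third-party packages; a production system would use AES-GCM from a vetted library or a cloud KMS. The key ids and record contents are constructed.

```python
"""Encryption at rest with keys kept in a separate key store, a key id stored
beside each ciphertext, and rotation that re-encrypts records before the old
key is destroyed. Added example, not code from the original page. The cipher
is a stdlib-only stand-in (HMAC-SHA256 keystream, encrypt-then-MAC); use
AES-GCM from a vetted library or a KMS in production. Values are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Envelope:
    key_id: str        # which key encrypted this record (never the key itself)
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _subkey(master: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC subkeys derived from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


class KeyStore:
    """Holds keys only; the record store holds envelopes only. This mirrors
    the separation a KMS provides: data and keys never sit together."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self.current_id = ""
        self.rotate()

    def rotate(self) -> str:
        key_id = f"k{len(self._keys) + 1:03d}"
        self._keys[key_id] = secrets.token_bytes(32)   # CSPRNG-generated
        self.current_id = key_id
        return key_id

    def has_key(self, key_id: str) -> bool:
        return key_id in self._keys

    def retire(self, key_id: str) -> None:
        """Destroy a key. Only safe once no envelope references it."""
        if key_id == self.current_id:
            raise ValueError("cannot retire the active key")
        del self._keys[key_id]

    def encrypt(self, plaintext: bytes) -> Envelope:
        master, nonce = self._keys[self.current_id], secrets.token_bytes(16)
        ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(_subkey(master, b"mac"),
                       self.current_id.encode() + nonce + ct, hashlib.sha256).digest()
        return Envelope(self.current_id, nonce, ct, tag)

    def decrypt(self, env: Envelope) -> bytes:
        master = self._keys[env.key_id]          # KeyError once the key is destroyed
        expected = hmac.new(_subkey(master, b"mac"),
                            env.key_id.encode() + env.nonce + env.ciphertext,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, env.tag):
            raise ValueError("integrity check failed")
        ks = _keystream(_subkey(master, b"enc"), env.nonce, len(env.ciphertext))
        return bytes(c ^ k for c, k in zip(env.ciphertext, ks))


def reencrypt_all(store: KeyStore, records: Dict[str, Envelope]) -> Dict[str, Envelope]:
    """Rotation step: decrypt under each record's old key, re-encrypt under current."""
    return {rid: store.encrypt(store.decrypt(env)) for rid, env in records.items()}


def rotation_demo() -> Dict[str, object]:
    """Create -> rotate -> re-encrypt -> destroy old key, reporting checks."""
    store = KeyStore()
    records = {"donor-1": store.encrypt(b"Jane Donor <jane@example.org>")}
    old_id = store.current_id
    store.rotate()
    records = reencrypt_all(store, records)
    store.retire(old_id)
    env = records["donor-1"]
    flipped = bytes([env.ciphertext[0] ^ 0x01]) + env.ciphertext[1:]
    try:
        store.decrypt(Envelope(env.key_id, env.nonce, flipped, env.tag))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"current_key": store.current_id,
            "all_under_current": all(e.key_id == store.current_id for e in records.values()),
            "roundtrip_ok": store.decrypt(env) == b"Jane Donor <jane@example.org>",
            "old_key_destroyed": not store.has_key(old_id),
            "tamper_detected": tamper_detected}
```

The ordering in `rotation_demo` is the point: rotate, re-encrypt everything, and only then retire the old key. Retiring first would leave every existing record permanently unreadable, which is the availability failure the CIA triad warns about.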
Most enterprise nonprofits rely on external vendors (cloud platforms, CRM vendors, AI providers). Vendor security directly affects your security.
SOC 2 is an audit standard assessing vendor controls around security, availability, processing integrity, confidentiality, and privacy. Type I audits vendor systems at a point in time. Type II audits over a period (typically 6+ months), assessing whether controls operate consistently. Type II is more meaningful. Ask vendors for SOC 2 Type II reports. If a vendor providing financial or sensitive data management lacks SOC 2, this is a red flag.
ISO 27001 is an information security management standard. Certification indicates the vendor has implemented and maintains a comprehensive information security program. This is particularly important for vendors handling sensitive data.
Create a vendor security questionnaire asking about: security controls (encryption, access management, monitoring), compliance (SOC 2, ISO 27001, industry-specific requirements), incident response (how do they handle breaches?), data protection (how long do they retain data? where is it stored?), and business continuity (what's their backup and disaster recovery capability?). Require vendor completion and review responses seriously—they reveal vendor maturity.
Breaches happen. Organizations that plan respond better—minimizing damage, recovering faster, maintaining stakeholder trust.
Designate a team with clear roles: Incident Commander (overall authority), Technical Lead (investigating technical aspects), Communications Lead (managing internal and external communication), Legal/Compliance (ensuring regulatory compliance), and Finance (tracking costs). During incidents, clear authority and roles prevent chaos.
Documented procedures for incident response include: detection and reporting (how are incidents reported?), assessment (what's the scope and severity?), containment (stop the attack), investigation (understand what happened), remediation (fix the problem), recovery (restore normal operations), and post-incident review (what did we learn?). Run tabletop exercises simulating incidents before real breaches occur—these reveal gaps in planning.
Plan communication to different audiences: staff (what they need to know to help respond), donors (especially if their data was breached), funders (compliance requirements), regulators (if legally required), and media (if public attention occurs). Different audiences need different messages at different times. Develop templates in advance so you're not writing communications while a crisis unfolds.
Technical controls are insufficient—human behavior enables most breaches. Phishing (fake emails tricking staff into revealing credentials) is the most common attack vector. Comprehensive security training includes:
Onboarding training: All new staff receive security training: password management, recognizing phishing, handling sensitive data, and reporting suspicious activity. Training is mandatory, not optional.
Ongoing awareness: Monthly or quarterly security awareness messages (newsletters, lunch-and-learns, tips) keep security top-of-mind. Current-event security awareness (educating about recent breaches and their lessons) increases relevance.
Phishing simulations: Send fake phishing emails to staff, tracking who clicks malicious links. Staff who fall for simulations receive additional training. This approach identifies vulnerable staff and reinforces awareness.
Compliance with internal policies and external regulations requires ongoing monitoring and verification.
Regular audits (quarterly or annually) assess compliance with security policies, data governance policies, and regulatory requirements. Internal audits are baseline; external audits by third parties provide independent assurance.
Automated tools scan systems for vulnerabilities (known security weaknesses). Vulnerability scanning should be continuous—new vulnerabilities are discovered regularly. Prioritize fixing critical and high-severity vulnerabilities immediately.
Authorized attackers attempt to breach your systems. Penetration testing reveals vulnerabilities that automated scanning might miss and assesses whether controls actually prevent unauthorized access. Annual or biennial penetration testing by external firms provides valuable assessment.
No security program is perfect. Cyber liability insurance transfers some of the financial risk of breaches to insurers. Policies typically cover: notification costs, credit monitoring for affected individuals, forensic investigation, legal defense, and breach response costs. Insurance cannot eliminate the need for security but provides a financial backstop.
Conduct a comprehensive security risk assessment for your organization's enterprise AI implementation: Identify 15-20 potential threats (data breaches, system failures, unauthorized access, etc.). For each, estimate likelihood and impact. Develop a risk prioritization matrix. For the highest-priority risks, develop specific mitigation strategies (technical controls, process changes, policy changes). Document your assessment and present mitigation plan to leadership.
Enterprise AI security protects the Confidentiality, Integrity, and Availability of sensitive organizational and stakeholder data. Threat modeling identifies what could go wrong. Risk assessment prioritizes mitigation efforts. Security controls frameworks organize comprehensive protection across identification, protection, detection, response, and recovery. Access management and encryption provide foundational controls. Vendor security assessment extends security to external partners. Incident response planning and communication prepare for breaches. Security training engages staff. Compliance monitoring ensures adherence. Cyber liability insurance provides financial backup. Organizations implementing these elements comprehensively protect themselves and stakeholders from AI-related security harms.