Blog / March 09, 2023

Chatbot security: Conversational AI trustworthiness in the age of ChatGPT

Damián Hasse, CISO

Rahul Kukreja, Security Solutions Architect

lifestyle chatbot security

Conversational AI is rapidly transforming how business is done. But with great power comes great responsibility — and one of the biggest responsibilities is protecting users from security and privacy risks.

Thanks to advancements in conversational AI, like ChatGPT, creating sophisticated and natural-sounding chatbots has become easier than ever before. However, these advancements also come with essential questions around trust and responsibility.

Today, we'll discuss strategies for using this powerful technology in a way that prioritizes security and privacy, and responsible AI.

This post will answer the following questions: 

  • What is enterprise-grade conversational AI?
  • What are the fundamental elements of a trustworthy, enterprise-grade conversational AI?
  • Why are security and privacy crucial to trustworthiness?

Whether you're a seasoned AI expert or new to the field, this guide is designed to help you navigate the fast-moving world of conversational AI and make informed decisions when choosing a solution.

What is enterprise-grade conversational AI?

Conversational AI is the technology that allows machines to hold natural language conversations with users. For example, ChatGPT uses conversational AI to answer questions, hold discussions on a wide range of topics, and generate text based on prompts given to it by users.

Enterprise-grade conversational AI is explicitly designed for use in a business setting. Layering on top of large language models that power general conversational AI, like ChatGPT, enterprise-grade conversational AI often integrates with enterprise collaboration platforms, like Slack or Microsoft Teams, and popular enterprise portals, like Workday and ServiceNow, to surface the best information. Additionally, enterprise-grade conversational AI has been fine-tuned with additional domain- and enterprise-specific data to accurately respond to user queries with relevant results.

To offer a comparison: If you go to ChatGPT and ask it to add you to a sales distribution list, it won’t work. On the other hand, an enterprise-grade conversational AI like Moveworks would use the information at its disposal to know who you are, what your role is, and which distribution list you’re referring to. Then, it would interface with the relevant systems and add you to that list in moments.

As you can probably imagine, getting accurate and actionable responses like the example above requires gathering data from different systems in a company’s environment. As enterprise-grade conversational AI is often used in sensitive and business-critical situations that might involve employee data, financial transactions, or other critical operations, it’s unsurprising that security and privacy are paramount. And that begs the question: What makes conversational AI trustworthy?

What are the fundamentals of chatbot security?

When deploying conversational AI in an enterprise setting, there's more to consider than just the technology itself

Building trust into conversational AI means implementing proper data privacy protections throughout the platform to ensure that customers’ information remains secure. To make sure your conversational AI is trustworthy, you should consider eight fundamental elements as described below.

security diagram conversational ai platform flow Figure 1: Conversational AI platform overview detailing eight fundamentals of conversational AI trustworthiness.

1. Customer Trust

A conversational AI vendor should consider building customer trust by establishing and maintaining information security and privacy processes and mechanisms. This requires an explicit commitment from the executive leadership to continuously invest in such key initiatives in a timely manner. Ultimately, the vendor's goal should be to ensure that customers feel confident sharing their data.

Some questions to keep in mind:

  • Is there a dedicated security team? 
  • Who is the CISO? 
  • What is the subject matter expertise of the security team?
  • What formal security and privacy processes exist to safeguard data?
  • Is there an executive commitment to security and privacy efforts?
  • What in-built security and privacy features does the product have to offer?

2. Identity and Input Validation

You should ensure that the information exchanged between the bot and your environment is properly validated and that user identity is safeguarded. The conversational AI’s infrastructure should also be properly configured with secure defaults in place.

Some questions to keep in mind:

  • How are users’ identities validated?
  • How does the bot ensure that the information can only be accessed by the right users?
  • What validation exists for untrusted user input?

3. Access Control

In the context of conversational AI, proper access controls are key to ensuring that AI is making the information accessible to individuals who are authorized to access it. Moreover, the vendor should store customer data separately with permissions in place to ensure it is only authorized to users who absolutely need it. 

Some questions to keep in mind:

  • What type of data does the AI have access to?
  • How does the vendor limit access to your data?
  • What permissions are in place?
  • How is your data securely stored?
  • How are access controls reviewed?

4. Hardened Infrastructure

Hardened infrastructure is crucial for a secure conversational AI platform. It dramatically reduces the risk of cyber attacks by eliminating common vulnerabilities that malicious actors could exploit. Implementing robust security measures and then regularly assessing and updating them is imperative to ensure resilience against threats.

Some questions to keep in mind:

  • Where is the customer data hosted, and how is it safeguarded?
  • What processes and mechanisms are implemented to ensure your infrastructure is properly configured?
  • What monitoring, alerting, detecting, and auditing tools are in place to identify potential threats to your infrastructure?
  • What evaluations are performed against the infrastructure, and on what cadence?

5. Data Handling

Conversational AI in an enterprise needs to access and process data to service requests and generate user-specific responses. Therefore, to successfully deploy a conversational AI, it is crucial to consider how it accesses and processes data to provide accurate and personalized responses. A reliable conversational AI should utilize machine learning (ML) to improve over time, requiring proper privacy-enhancing technologies to safeguard customer data.

Some questions to keep in mind:

  • How is customer data securely handled in transit and at rest?
  • What capabilities does the vendor have to delete data?
  • What machine learning capabilities exist to properly safeguard data?
  • How is customer data used for training the ML models?

6. Data Masking

In an enterprise environment, conversational AI should be capable of handling sensitive data to serve various use cases. However, users may inadvertently enter sensitive data that is not necessary for the conversational AI to do its job. Therefore, it is important to mask such sensitive data from being exposed.

Data masking ensures that sensitive customer data is concealed from people who might need to review or access data as part of their job, such as data annotators. A trustworthy conversational AI has this functionality to ensure that sensitive data is not exposed. 

Some questions to keep in mind:

  • What data masking capabilities are in place?

7. Industry Certification

One way to ensure that a conversational AI vendor is taking the necessary precautions is to see if they’ve obtained industry certifications and adhered to recognized security standards. These certifications demonstrate a commitment to safeguarding customer data and ensure that baseline security controls are in place to protect against potential breaches. The vendor should demonstrate its commitment to going above and beyond industry certifications.

Some questions to keep in mind:

  • What security and privacy certification does the vendor have?
  • Does the vendor go above and beyond certifications? 
  • How does the vendor think and care about security and privacy?

8. Responsible AI

Ensuring minimal bias in the development of ML models is a crucial factor in establishing trust in a conversational AI. Responsible AI practice involves ML developers ensuring that patterns learned from data do not perpetuate implicit or explicit biases. Anonymizing data, tuning models for fairness, and conducting bias-detection evaluations can show a vendor’s commitment to building a responsible AI, securing the platform while promoting fairness.

Some questions to keep in mind:

  • How does the vendor evaluate and mitigate possible bias in their ML models?
  • Does the vendor perform any fairness-focused model tuning?

Ensuring chatbot security for the enterprise

When it comes to conversational AI, C-level decision-makers face big decisions with enormous consequences. It's crucial to approach any AI development and deployment with responsibility and caution as more and more industries adopt these solutions.

At Moveworks, we've seen this technology's benefits firsthand, and we also recognize the importance of implementing robust security and privacy measures and ensuring unbiased machine learning models. 

By taking a thoughtful and informed approach to conversational AI that includes the fundamentals above, businesses can harness its power while protecting their users and promoting secure and responsible AI practices.

Moveworks prioritizes trustworthy conversational AI

From day one, Moveworks has been committed to ensuring the proper safeguarding of sensitive data in conversational AI. As a leader in the enterprise conversational AI space, we have been solving actual business problems for our customers, including DocuSignLuminis Health, and Broadcom, for years.

Our authenticated platform offers support through popular enterprise portals and collaboration platforms such as Slack, Microsoft Teams, and ServiceNow. Unlike other AI platforms, Moveworks leverages integrations with these native platforms instead of creating a standalone environment accessed by employees.

At Moveworks, security and privacy are not just industry best practices but top priorities. We go above and beyond to safeguard customer data with innovative data segmentation features on top of AWS S3. Check out our conversational AI trustworthiness whitepaper to see how Moveworks excels in each security area outlined above.

Contact Moveworks to learn how AI can supercharge your workforce's productivity.

Table of contents

Subscribe to our Insights blog