Found this during a routine review. Analysts discovered that pasting alert context into an AI tool cut triage time significantly and started doing it because it worked, which is a reasonable thing to do when you are under pressure to move faster.
The problem is that alert context includes internal hostnames, IP ranges, user identities and sometimes partial log data, none of which was supposed to leave the environment. No policy covered it because the productivity gain was not something that had been thought through when the AI use policy was written.
Now trying to figure out how to give them a sanctioned version of the same capability without the data handling risk, which is harder than it sounds because the whole point is that the external tool is faster than what we have internally.
[link] [comments]