
The surge in AI adoption has renewed focus on a familiar IT security dilemma: how can businesses embrace new technologies without exposing themselves to unacceptable risks? That was the topic of a recent TEISS dinner briefing at the House of Lords in London, sponsored by BT and Netskope, where senior executives discussed how security teams can safeguard data and privacy while allowing innovation to flourish.
Lee Stephens, Principal, Security Advisory Services at BT, set the tone, warning that “the pace of change will continue to create new challenges for security.” Ross Manley, Manager of Solutions Engineering at Netskope, added that while security is vital as businesses depend more on technology, “if you put too much in the way of users, they will find alternatives.” He pointed to Secure Access Service Edge (SASE) as one option to deliver protection without unnecessary friction.
The wide-ranging discussion revealed both the complexity of the challenge and the pragmatic strategies emerging to address it.
AI innovation: new capabilities, new exposures
Few technologies have advanced as rapidly as generative AI (genAI), but its promise is accompanied by distinct risks. Executives pointed to several emerging threats companies must navigate, particularly in regulated sectors where reliability is essential.
One concern is hallucination: the tendency of large language models (LLMs) to produce inaccurate or inconsistent results. In regulated industries, the inability to guarantee repeatable outputs makes it hard to adopt the technology.
Copyright adds further complexity. A representative from the publishing sector highlighted risks around both the data fed into models and the outputs produced. Companies worry proprietary content may be used in training, while output may infringe on third-party intellectual property.
Meanwhile, AI also creates new threats: bad actors could exfiltrate data or produce convincing phishing campaigns using AI tools. One delegate also warned about ‘model collapse’, as AI systems increasingly train on data generated by other models, potentially degrading accuracy. And as companies experiment with autonomous “agentic AI” systems, decision-making processes become more opaque and harder to audit.
Balancing innovation with risk management
Despite these concerns, few businesses can forbid genAI outright. Commercial pressures and employee enthusiasm make adoption inevitable. As several attendees noted, if security teams block access, employees often turn to personal devices or unsanctioned tools.
The more effective approach is to channel AI use into secure, structured frameworks supported by education, governance and controls. One organisation described a tiered certification programme that trains employees on the safe use of AI according to their roles and data access levels.
Technical controls also play a role. By deploying internal AI systems with guardrails, for example limiting the data that models can access, organisations can reduce the appeal of shadow IT while still delivering useful tools. Governance frameworks, established early, provide clear rules for adoption, while ongoing monitoring ensures compliance.
Modern security: the role of SASE
The pace of innovation brings pressure to continue to modernise security, and Secure Access Service Edge (SASE) is one tool gaining traction. As Ross Manley explained, SASE combines security and network management, offering a more flexible approach that became especially valuable during the pandemic’s shift to remote work.
Throughout the discussion, executives stressed the need to reduce friction for users. When security controls are too cumbersome, employees, and sometimes customers, seek workarounds. “If you make it too hard for people to do the right thing, they’ll find another way, and that often won’t be secure,” one attendee said.
That said, not all friction is unwelcome. A banking executive noted that visible security measures can reassure customers their data is being protected. This balance between minimising inconvenience and still signalling strong protections is central to modern security design.
Convincing boards to fund security measures can be difficult precisely because successful security prevents incidents from occurring. As one delegate observed, a breach at a competitor often becomes the most persuasive argument for investment.
Security also intersects with culture. Well-supported employees, provided with the right tools and user experience, are less likely to become insider threats. A satisfied workforce, several noted, is itself a form of risk mitigation.
Measuring the value of innovation
Even when AI delivers clear productivity gains, quantifying its value can be challenging. Simple use cases, like automating customer service triage, offer obvious efficiency metrics. But more ambitious projects, such as using genAI to assist with software development, present subtler risks.
Some expressed concern that overreliance on AI-generated code could erode internal expertise, making it harder to spot flaws. “If you lose the ability to recognise bad code,” one warned, “you risk building vulnerabilities into your systems without knowing it.”
Tightly scoped deployments, with clearly defined business goals, emerged as the most practical approach. Netskope’s own internal policy focuses on targeted use cases, where progress can be measured, Mr Manley said. Mr Stephens shared a simple ‘three Is’ formula: Inform users of risks, Incentivise best practice, and Instruct where necessary.
In an environment where both opportunity and threat are accelerating, this mix of pragmatism, education and clear boundaries may prove the surest path to safe innovation.
To learn more, please visit: www.bt.com and www.netskope.com.