For many organizations, AI has become the major security issue of the moment. Powerful tools are readily accessible via the web, and employees are naturally inclined to start using them. But what is safe?
According to Natasja Pieterman, Head of Cybersecurity at Capgemini Netherlands and Learning Consultant at Capgemini Academy, a new perspective on security is essential. Blocking AI is virtually impossible—and undesirable. The real challenge is to encourage employees to experiment with technology in the right way and to provide them with proper guidance.
For Natasja, a career in IT security was the logical outcome of a carefully considered journey. After completing a law degree, she pursued business administration, followed by a master’s degree in business processes and IT. In this field, she found exactly what suits her: the intersection of systems, processes, and organizational challenges. She has now spent fifteen years working at the crossroads of IT, systems management, and security, and for the past two years has led the cybersecurity department at Capgemini Netherlands.
In recent years, Natasja has witnessed a drastic transformation of the IT landscape. IT management used to be straightforward. Employees worked from fixed locations on tightly controlled desktops with a limited number of applications. Today, employees work from multiple locations and with various devices—mobile and otherwise—both company-issued and personal.
Moreover, powerful tools are just a few clicks away online, and employees can easily find alternative routes when organizations do not provide certain software.
Against this backdrop, AI has become the central security challenge for many organizations. “Blocking AI is no longer an option.”
Natasja, you’ve been working in IT and security for many years. What is fundamentally different today compared to, say, five years ago?
“Previously, security was mainly about your own processes, your own applications, and your own data management. That’s no longer the case. Employees now operate far outside the systems provided by organizations, moving beyond the traditional, controlled environments. As a result, organizations have far less visibility into which tools employees are using, what data they are entering, and where that data ultimately goes.”
Where does this issue become most apparent?
“Clearly with AI. These applications are easily accessible online. People are familiar with tools like ChatGPT and similar apps and think, ‘I can use this for my work too.’ They use it, for example, to create presentations or draft policy documents. That’s logical—it helps boost productivity and simplifies everyday tasks.”
And why is that a problem?
“AI applications rely on input. Whatever you feed into them is used to generate answers, perform analyses, or create content. The more information you provide, the better the output. But in doing so, you are also exposing information. Many models store input and use it to improve themselves—and even reuse it in outputs. That’s where the risk arises.
For example, if you’re creating a presentation with revenue and profit figures and use AI to help, you want to be certain that sensitive data doesn’t leave your organization.”
So AI can’t be trusted. Should it just be banned?
“For a long time, that was the default reaction—but it doesn’t work. As I mentioned, AI significantly enhances productivity. Once employees experience these benefits, they don’t want to go back. You can impose a total ban as an IT administrator, but in practice, it’s ineffective. Employees will find ways to access AI tools, and IT will have limited visibility into their usage.”
If banning doesn’t work, how do you maintain control?
“The role of IT administrators is still highly relevant. First, you need to understand how these applications work. Not all apps—or the models behind them—are the same. You need to know what happens to the data you input. Where is it stored? Does it remain within your organization? Is it stored in Europe, China, or the United States? Under what conditions?
Contracts and control mechanisms vary significantly by vendor and even by model. ChatGPT, for instance, offers subscriptions where data may be used for model training, as well as options where it is not. It’s up to IT administrators to separate the wheat from the chaff and determine which tools are safe and under what conditions.”
But even then—how can you be sure vendors adhere to their claims?
“Once data is processed outside your organization via online systems, you can never be 100% certain. That’s why it’s essential not only to select vendors carefully but also to weigh productivity against risk. This balance differs by organization.
A scale-up may accept some data leakage in exchange for speed and innovation, while a government organization cannot afford any risk of sensitive data exposure. There is no one-size-fits-all model.”
Even with approved tools, employees may still experiment with other AI apps, right?
“Exactly. During a training session, someone once told me that Microsoft Copilot was allowed while ChatGPT was blocked. I asked, ‘So you don’t use ChatGPT at all?’ The room fell silent. The honest answer was: ‘Of course we do. If Wi-Fi blocks it, we switch to our phone hotspot.’”
So rules are difficult to enforce in practice?
“That’s a key point—and very different from the past. If you simply say what is allowed and what isn’t, employees will feel restricted and find alternatives. It’s not enough to set rules. You must explain why something is considered risky and how that informs application policies.”
Can you clarify that?
“Sure. If you tell someone, ‘You’re not allowed to enter that room,’ they might do it out of curiosity. But if you explain that the room contains radiation that could harm them and others, they’ll avoid it completely. The same applies to today’s IT landscape.
If people understand which environments are relatively safe and when something becomes risky, they’re much more likely to follow guidelines.”
So IT security is about awareness as much as rules?
“Absolutely. Organizations are used to assessing risks in terms of processes and applications. But with AI and similar technologies, culture and behavior play a much bigger role.
It’s not just about technology—it’s about how people use it, the decisions they make, and how much autonomy they feel. That requires a different approach from IT security professionals. They must not only enforce boundaries but also actively guide employees in using technology responsibly and safely.”
So in summary: prohibit where necessary and enable where possible?
“I’d phrase it slightly differently. Security should not hinder daily work. Organizations need to move forward, and security should enable that safely.
Everything that can be secured technically should be secured. What cannot be secured may need to be prohibited. But beyond that, it’s crucial that employees understand the reasoning behind decisions and know the safe space within which they can operate.”
“Ultimately, you make a real difference when people understand what is safe, why boundaries exist, and where they have freedom to act. Only then does security become not a barrier to innovation, but a condition for it.”
Is perfect security ever achievable?
“No. IT security is like securing your home: you do the best you can, but if a burglar is determined, they might still get in. The goal is to make your home secure enough that it’s not worth the effort—and the burglar moves on.
To achieve that, culture and technology must go hand in hand.”