There are instances when we encounter a clear before-and-after moment that prompts us to reassess our most fundamental assumptions. Custom GPTs, a tool that allows users to create their own MPT designs using personal data and practice plugins, were recently introduced by OpenAI. This month, OpenAI unveiled these innovative tools. With the assistance of some wiki links, my grandfather can now accomplish a task that previously required an entire R&D team or a robotics startup in just five minutes.
Moreover, these GPTs possess the capability to act on behalf of the user. Through OpenAI’s close collaboration with Zapier, thousands of plugins are at your disposal, enabling AI to swiftly access your CRM, enhance your ERP, or monitor your servers. You might question how the AI gains authentication to interact with all these companies. That’s a valid query, but we’ll delve into that later.
You might be pondering, “This is impressive, but it may not be suitable for our highly regulated, security-focused enterprise.” While it may be concerning, there are ways to manage it. You may have previously prohibited chatgpt at the community level and are now actively seeking to add more bots to the blacklist.
Enter Microsoft. At its Ignite event last week, Microsoft introduced Copilot Studio, its distinctive no-code GPT solution. This platform encompasses all the functionalities provided by the OpenAI tool, such as the option to upload files as a knowledge base, chat functionality for configurations, and seamless plugin integrations. Users can link their Copilots with Microsoft 365, Azure SaaS, and various other business methods through Copilot Studio. User emulation is employed for this connectivity, enabling the Copilot to act on behalf of users.
The challenge with these user impersonation bots generated by Microsoft is that they are unstoppable. Due to their indistinguishable appearance in logs, discerning between AI-generated activities and user-triggered processes is impossible. Copilots are hosted as applications in your M365 environment, eliminating concerns about network-level blocks. Individuals utilize their business credentials to authenticate into these Copilots. Ultimately, Copilots operate within the realm of business, unlike GPTs.
How Did This Rapid Transformation Occur?
It didn’t happen overnight. For years, major players like Microsoft, Amazon, UiPath, and ServiceNow have been developing low-code/no-code platforms that simplify the creation of business applications. These companies have crafted numerous integrations, visual designers, automated production deployments, and service-based credential sharing.
Chatbots reign supreme in the realm of low-to-no-code platforms. Why bother with scripting when you can effortlessly construct, share, monitor, switch, and embed your application within the business, directly on top of business data, using a pre-installed platform?
A crucial aspect to consider is the ease with which no-code software can be created today. Platforms like the Energy Platform have been leveraged by both expert developers and enterprise users in recent years to develop millions of new business applications, some of which handle sensitive data and facilitate critical business processes. While some companies have started centralizing the development of GenAI apps within engineering teams, this alone may not suffice. It is imperative to focus on what users are creating as well, given the sheer volume of customers and the simplicity with which applications can be generated.
Where Should We Begin?
Fortunately, an increasing number of companies have already integrated citizen development (business users creating apps) into their application security frameworks, with some of their insights shared publicly. Industry standards have emerged to outline, define, and propose solutions for security vulnerabilities associated with low-code/no-code applications.
The absence of code does not imply the absence of vulnerabilities, especially inherent ones. However, it often signifies a lack of oversight, presence, and software development life cycle (SDLC) practices. Whether our personnel are developing a GPT or Copilot, they are doing so frequently and in large numbers. Security leaders are faced with two options: either embrace this trend immediately and incorporate these new developers into the security framework, or adopt a wait-and-see approach and hope for the best.
