Legal and organizational questions of using generative artificial intelligence
In the first part of the event, Eva Gostisa and Nejc Setnikar from the law firm Jadek & Pensa presented the legal framework of the AI Act, copyright, and personal data protection, and emphasized that the AI Act does not replace existing legislation but complements it.
Using an AI tool therefore does not in itself mean compliant use of data. Companies often do not know exactly which data are being fed into the models, where they are stored, who is responsible for them, and whether they may later appear as part of generated content.
With generative artificial intelligence, questions of liability, content ownership, and the possibility of reproducing data or copyrighted works arise quickly. The case of GEMA vs. OpenAI in Germany was mentioned, where a legal dispute is underway regarding the use of copyrighted texts in training models.
And this is precisely where the biggest gap between companies’ expectations and the reality of the technology becomes apparent. Companies want clear answers regarding data use, accountability, and content ownership, while AI often answers only: “it depends”.
The discussion on artificial intelligence therefore very quickly moves from the domain of regulation to a much more practical question: how much control companies actually have over their digital environment and whether they have basic processes, access rights, and security practices in order.
The biggest risk is not AI, but an opaque digital environment
In the second part of the event, I focused primarily on what artificial intelligence already means today for companies’ digital and information security.
A telling paradox emerges quickly. Companies are working on AI strategies, policies, and productivity, yet many still do not have even the basic security processes in place.
The greatest problems are still not caused by advanced technical attacks, but by poor practices, improvisation, and a lack of visibility into their own digital environment.
In practice this means opaque access rights, password sharing among employees, infrastructure built on the principle of “as long as it works”, and insufficient oversight of domains, servers, and key systems. Such an environment is problematic not only from a security perspective, but also from the perspective of business accountability. When a company loses visibility over access, data, and responsibilities, it typically also loses the ability to respond effectively when an incident occurs.
AI enables attackers to execute faster and more targeted attacks
Artificial intelligence mostly does not create new types of attacks; it makes existing attacks cheaper, automates them, and accelerates them. Phishing messages are no longer full of grammatical errors and poor translations. Generative models enable the preparation of highly convincing communication in correct Slovenian, often even in the tone of a specific company or colleague.
The same applies to gathering information about companies. From company websites, LinkedIn, job postings, publicly available disclosures, and media news, it is now possible to quickly compile a profile of employees, organizational structures, suppliers, and the technologies the company uses. What once required several days of research, AI accomplishes today in a matter of minutes.
It is important to understand the broader context of digital security as well:
by far the largest share of attacks still starts with email,
small and medium-sized businesses are a significantly more frequent target of attacks,
and the average time to detect a breach often exceeds several months.
(Source: Verizon Data Breach Investigations Report 2025 and IBM Cost of a Data Breach Report 2024.)
Therefore, the question is no longer whether companies use AI. Most already do. The key question is increasingly whether their processes are well enough organized to govern its use safely.
Digital security most often fails at the basics
When we talk about digital security, many people still primarily imagine technically demanding attacks and complex hacker intrusions. In practice, however, most incidents still arise from basic security shortcomings and poor organizational practices.
A large share of attacks still begins with email. Not because of advanced technology, but because of a single wrong click, an unverified attachment, or a convincing message that appears legitimate. This is precisely why email protection, multi-factor authentication, and basic security awareness among employees are becoming the minimum standard.
Access rights also remain an important problem. Companies often know well how to grant someone access to a system, but think far less about how and when to properly revoke that access. When employees, agencies, or external providers change, active accounts often remain in systems that no one even knows exist anymore.
The same applies to managing domains, servers, and infrastructure. Many companies still do not have a clear overview of who:
is the domain registrant,
manages the DNS records and
has administrative rights over key systems.
As long as everything works, this is usually not a problem. The problem only arises in the event of an incident, a change of provider, or a loss of access.
In security, therefore, the issue is most often not technology but organization.
Security is not a technical function, but an organizational culture
One of the biggest misconceptions about digital security is that it is primarily a technical domain handled by the IT department. In practice, however, the greatest differences between companies show up above all in organization, processes, and a culture of accountability.
Technology by itself does not guarantee security. Even the best systems do not help much if the company lacks visibility into access rights, if employees use the same passwords for multiple services, or if key processes are carried out without clear rules and accountability.
As with mountain safety, good equipment alone is not enough in digital security. What matters most is how the company thinks, how it makes decisions, and how prepared it is for unexpected situations.
Backups also remain a major problem. Many companies believe they have backups set up, but far fewer actually verify whether data can be successfully restored. A backup that a company has never checked or test-restored often fails precisely when the company needs it most.
The same applies to updates and vulnerability management. Attackers today often do not look for new holes in systems, but exploit old and long-known vulnerabilities that companies have not addressed in time. Regularly updating systems is therefore no longer a technical detail, but basic digital hygiene.
In the end, the same pattern almost always emerges. The biggest problems are not caused by a lack of technology, but by a lack of transparency, accountability, and clearly defined processes.
And this is precisely why digital security today is no longer just an IT topic. It is becoming a question of business accountability for the entire organization.
Conclusion
Today, AI is no longer just a topic of innovation, productivity, or the development of new services. It is increasingly becoming a topic of accountability.
Legal. Organizational. Security.
Most companies already use artificial intelligence—often much more than they think. This is therefore no longer a question of the future, but a question of the responsible management of data, access, and business processes.
The biggest risk today is not that companies will not use AI. The biggest risk is that they will use it faster than they understand it, while attackers will know very well how to exploit its capabilities.
The technology will not slow down. Companies will have to establish clear rules, responsibilities, and basic digital hygiene much faster if they want to use artificial intelligence safely, responsibly, and in a way that is sustainable over the long term.
And this is precisely why digital security today is no longer just an IT topic. It is becoming part of corporate governance, organizational culture, and the responsibility of the entire organization.