Visibility and guardrails to help ensure NIS2 compliance across GenAI apps

Client overview

The Commission for Regulation of Utilities (CRU), located in Ireland, was established in 1999 and operates within a policy and statutory framework set by the government with responsibility for economic regulation and customer protection in the energy and water sectors, as well as regulation of energy safety. Its responsibilities include maintaining the security of supply, ensuring efficient network delivery and promoting generation competition, innovation and the supply of electricity and natural gas. CRU also operates the wholesale market of electricity, jointly with the Utility Regulator, located in Northern Ireland, on the island and is responsible for the economic regulator for public water and wastewater services.

The organisation was taking its first steps in using AI and wanted to ensure they had full visibility of how AI would be used.  

The challenge

The CRU management and IT organisations wanted to position the organisation as a frontrunner within the Irish public sector by becoming an early adopter of AI services. With a workforce comprised entirely of knowledge workers, the objective was to harness innovative capabilities and enhance productivity. This vision required the establishment of a secure, dynamic environment that could foster innovation and support the seamless integration of a diverse range of GenAI applications, and support and enhance the existing security capabilities of the organisation. 

The management and security teams recognised early on that this necessitated compliance with required frameworks (such as NIS2).Given the organisation's critical regulatory function, it was essential to implement robust guardrails to prevent data leakage across a multitude of GenAI applications. Consequently, leadership prioritised gaining comprehensive visibility into GenAI usage to ensure that as adoption grew, it did so within a framework of consistent and secure governance.

Client testimonial

"With NROC, we gain real‑time visibility into how GenAI is being used across the organisation, reducing risk while enabling teams to work productively. Its strengthens our security posture by proactively identifying sensitive‑data risks and enforcing consistent governance across all GenAI interactions.” — John Lynn, ICT Manager and CISO, CRU

The solution

The primary objective was to find a solution that could seamlessly enhance and integrate into their existing security tools and give them clearer, more comprehensive insights into how different GenAI apps were being used. 

Setting guardrails was the other big objective so they were able to reduce risk by asking/blocking prompts that contained sensitive or confidential data that should not be put into GenAI apps. Understanding that different teams have different needs, they did not want to put a universal block in place but have ability to control which groups get access and which don’t. 

To address these objectives and parameters, the company implemented NROC Security, a comprehensive governance and guardrail solution designed specifically to bridge the gap between employee productivity and enterprise-grade data protection in the context of GenAI usage.

Record fast deployment

NROC Security’s deployment and admin documentation were tested when doing the Proof of Concept and again when rolling it out to production. The team was able to implement the POC installation without any help from outside of the IT department, and then seamlessly rolled it out to full organization. The only support requested was to review the GenAI policies.

In Windows environment, NROC Security’s network-based solution was faster to deploy than any endpoint-based alternative:

• Proxy auto-configuration setting and certificate was deployed using MS Intune
• User authentication was realised with a EntraID SSO with no endpoint dependency
• No interoperability testing was needed against any pre-existing endpoint software, agents or browser plugins

Insight into GenAI usage

NROC Security provided first understanding to the level of AI adoption in the organisation. Initially, the organisation had been officially guiding employees to use only one sandboxed GenAI app due to security concerns for data leakage. NROC Security allowed them to see what was used in the organisation and have a meaningful dialogue with the employees for their needs and ideas with using more than one GenAI app. With the ability to see every GenAI app used, with employees authenticated on a company ID, the company got a better understanding of usage and were able to identify the best use cases and most proficient prompters.

Protection against data leakage with real-time user guidance

A unique feature of NROC Security’s platform was its ability to protect against data exposure in the GenAI app’s native user experience and guide users when classified content was detected. The solution provides guidance to the end users in real-time should there be e.g. proprietary or PII information i n the prompts. At the same time, NROC Security platform ensures CRU has fullNIS2 compliance for GenAI usage.

Conclusion

GenAI for employee productivity is a learning-by-doing endeavor for both the employees and security leaders. Successful adoption required freedom for employees to explore how GenAI can help them get more done, faster. At the same time, the security and management teams needed to see what is happening and mitigate any known security risks. NROC Security helped this organisation strike the right balance.

By combining deep visibility with real-time data protection, NROC Security transformed personal productivity GenAI from a security risk and governance challenge into a channel for responsible innovation.