From Ghibli to forged bills: Unseen risks of AI

20 Apr 2025 | By Nethmi Rajawasam



When cybersecurity expert Asela Waidyalankara opened the newest version of ChatGPT – ChatGPT 4.0 – in late March with its enhanced image-processing capabilities, he did not expect it to generate an almost exact replica of a physical bill he had photographed with just one prompt.

Waidyalankara’s grocery bill totalling Rs. 3,000 was altered with minimal effort using Artificial Intelligence (AI) to show a total of Rs. 10,000. The AI not only changed the total, but also adjusted individual line items to reflect the new amount, with only very minor noticeable faults in the spelling of the town in which he had made his purchase.

What seemed like a harmless test raised serious questions about the ease with which such tools could be exploited, Waidyalankara explained. 

“It wasn’t just the manipulation itself that was concerning, but the potential consequences of such alterations can easily go unnoticed, from fraudulent claims to the broader impact on business and governance,” he said.

His LinkedIn post about the test sparked numerous conversations, with professionals across industries, CEOs, board members, and others calling for a deeper discussion on how AI could be used maliciously.


Democratisation of AI


The Sunday Morning Business spoke with Waidyalankara to examine how prepared Sri Lankan businesses and governance structures are for the era of AI-generated content. 

He began by emphasising the global nature of the AI revolution. “It’s not just Sri Lanka; the entire world is grappling with these changes in AI,” he noted. He pointed to California and Colorado as key examples of regions that are already taking legislative action to address the growing impact of AI technologies. These regions are attempting to regulate AI tools that are, in many cases, freely accessible to the public. 

“What we’re witnessing is the democratisation of AI,” Waidyalankara explained. “What used to be limited to a small community of researchers and computer scientists has now exploded into the hands of anyone, from undergraduates to professionals, somewhat rightfully so.”

This ‘consumerisation’ of AI, as Waidyalankara calls it, is a double-edged sword. On one hand, it has opened up exciting possibilities for creativity and innovation. On the other hand, it has created a host of new challenges, particularly in the realm of security and ethical concerns. 


The case of Studio Ghibli


As AI tools become more widely available, so too does the potential for misuse. Waidyalankara also highlighted the growing debate surrounding copyright in the age of AI, referencing the sudden surge of Studio Ghibli-fied images people across the world have been generating with their own images and data.

With the trend, people who would otherwise not have posted their images on social media, or who have minimal digital footprints, have now exposed themselves, or rather their unique identity and data, to a company that states that it does not guarantee the safety or confidentiality of the information uploaded, according to Waidyalankara.

Extending the conversation to the risk involved with altering important documents, with bills being a lower-risk item, Waidyalankara pointed out that users may even unwittingly expose their own confidential information or that of their companies to the Large Language Model (LLM), leading to broader security implications.

“Who owns content created by AI? What happens when AI is used to create something that was once exclusively human? These are legal and ethical dilemmas that we are still figuring out,” he said.


Global strategies to regulate AI


To help address these concerns, various countries and companies are working on strategies to regulate AI-generated content. Waidyalankara pointed to China’s approach as one worth noting. 

“In 2021, China introduced strict regulations that required all AI-generated content to be clearly marked with a watermark,” he shared. “This is one way to address the problem of ‘synthetic content,’ which is content created by AI rather than humans. While there is always the possibility of removing the watermark, at least it provides a starting point for transparency.”

He also pointed to the European Union’s (EU) leading role in AI regulation through the AI Act, marking the first of its kind in terms of global legislation. This act, introduced in 2024, is centred around a risk-based approach to AI usage, particularly in high-risk settings such as social scoring and lower-risk settings such as content generation. 

However, Waidyalankara pointed out that the definition of ‘high-risk’ and ‘low-risk’ was still murky, and such distinctions could potentially lead to abuses in certain contexts, especially in less regulated environments.

He elaborated on the fluidity of the situation, noting that while different countries had made strides in regulating AI, the global landscape remained disjointed. For instance, countries like India, Vietnam, and the Philippines are contemplating AI acts similar to the EU’s, but with considerations tailored to local needs and challenges. 

Waidyalankara’s insight is that while there is some movement, the speed of technological innovation is far outpacing the ability of lawmakers to keep up.


Govt. countermeasures inadequate? 


To gauge the Government’s progress on countering AI manipulations in documents and other media, The Sunday Morning Business spoke to Computer Society of Sri Lanka Vice President Indika De Zoysa. 

Speaking from the perspective of his governmental and industry-level involvement in understanding the impact of AI, De Zoysa said that Sri Lanka did not have adequate countermeasures in place to grapple with the evolving effects of synthetic content developed by AI. 

“Although the National AI Strategy draft has been published, threats on the end of security are rife. There is the Cybersecurity Bill, which is likely to be effective once enacted, but these legislations would need to evolve to adjust to the new developments in AI,” De Zoysa added.

“AI tech evolves day by day, and we need to make sure that the general public is also keyed into the risks involved in using freely available tools in the public domain. This is also an aspect the Government could be proactive on when it comes to countering the harm,” he noted. 

De Zoysa further expressed hope that the setting up of the Digital Transformation Unit (DTU) and Data Protection Authority under the National Digital Economy Strategy 2030 would enable continuous and speedy adjustments to regulation and legislation. 


Potential risks 


From a local business standpoint, Waidyalankara highlighted potential risks for Sri Lankan companies as they adopted more digital practices. 

He explained that many businesses in Sri Lanka still operated with a hybrid physical-digital model, such as cash on delivery transactions or WhatsApp-based bill reconciliations. He warned that the increased use of digital tools could lead to manipulation, fraud, and misrepresentation, especially in the absence of robust AI detection systems.

In particular, he pointed to the public sector, which still heavily relies on paper-based evidence. “Imagine a scenario where a procurement officer is presented with a document that looks perfectly legitimate but is actually AI-manipulated,” he said. “The problem is that there is no system in place to detect such manipulations.” 

This concern also extends to the judiciary, where document authenticity plays a vital role in legal proceedings. Waidyalankara stressed that AI manipulation could undermine trust in crucial systems such as these, making detection a significant challenge.

He further addressed the complexities of AI-driven disinformation and misinformation, citing how easily AI could manipulate images and documents, making it difficult for the public to discern what was real. “The reality is that this technology is becoming so advanced that detecting AI-generated content is becoming increasingly difficult,” he remarked.

On a broader scale, Waidyalankara acknowledged the importance of AI literacy. “We need to understand that not everyone is equipped to identify AI-generated content,” he explained. “AI literacy is a crucial part of digital literacy, as it gives people the tools to understand the implications of AI on their personal and professional lives.” 

While noting that countries like France were already prioritising AI literacy, he suggested that this focus should be adopted by others, including Sri Lanka, to prepare the population for the challenges ahead.

Looking ahead, Waidyalankara expressed cautious optimism about Sri Lanka’s AI strategy, particularly the AI framework that had been put in place. However, he voiced concerns about the pace of implementation, referencing the delay in the enforcement of the Personal Data Protection Act, originally set to be active by March. 

“There has been a significant delay in implementation because the public sector has cited a lack of readiness,” he said. “But what can change in six months that couldn’t be addressed in the past two years?” In Waidyalankara’s view, the slow pace of regulation is a critical issue, especially when considering the rapid developments in AI.


Potential solutions 


Waidyalankara also discussed the technical solutions being explored by companies and organisations. 

“There’s a group called the Coalition for Content Provenance and Authenticity (C2PA), which includes major players like Adobe, Microsoft, and OpenAI,” he said. “They are working on technical standards to help identify and track AI-generated content, including using watermarking and creating digital libraries to archive content. This could potentially make it easier to flag synthetic content and ensure that it is being used ethically.”

Reflecting on the global movements towards realising better AI regulation, Waidyalankara expressed optimism about the progress being made, but stressed that there was still much work to be done in the local sense. 

“The technical solutions are one part of the puzzle, but the regulatory frameworks are just as important. We need to ensure that businesses, governments, and individuals are equipped with the tools to handle the potential risks that AI brings,” he said.

Waidyalankara emphasised that Sri Lanka and many other nations must strike a balance between embracing the benefits of AI and managing its risks. “This is the time to digitise effectively, and not just for the sake of digitisation. We need systems that are secure, resilient, and capable of maintaining trust, especially in critical sectors like the judiciary and public administration.”

Waidyalankara further noted that the rapid evolution of AI required not only technological adaptation, but also a profound shift in regulatory and societal readiness. Without this, the risks of manipulation, fraud, and misinformation could become overwhelming. Sri Lanka, he argued, must act swiftly to ensure that the country was both digitally advanced and digitally secure.

Despite multiple attempts by The Sunday Morning Business, Sri Lanka Computer Emergency Readiness Team (SLCERT) officials declined to comment on the matter. 


