Navigating Risk Management in the Age of AI

It’s widely recognized that artificial intelligence, specifically generative AI (GenAI), holds immense potential to revolutionize employee and customer experiences, offering speed, simplicity, and improved operational intelligence. However, implementing AI poses significant risks that could disrupt many companies’ business models and open them up to possible reputation, safety, bias, and compliance challenges -- and regulators have taken note.  

Around the globe, corporations and governments are grappling with addressing data security privacy, bias, and hallucination concerns while AI innovation and adoption accelerate. For instance, the United States Office of Management and Budget recently required all federal agencies to add a chief AI officer to their ranks, create an AI Governance Board, and submit annual reports. However, we are just in the beginning stages of seeing global regulations and frameworks take effect. AI is continuing to put pressure on risk boundaries, and regulations like last year’s SEC mandate, and the European Union’s AI Act have been created in direct response. Companies worldwide can count on more scrutiny and accountability. 

In this dynamic regulatory landscape, how can technology leaders effectively ensure compliance with evolving technology?  

Related:Humanity's Transcendence over AI

Navigating the Realities of Compliance  

Regulators know that guardrails must be put in place to ensure that companies are compliant and not exposing sensitive information. However, a lack of technological understanding from governments and constantly shifting legal definitions create a murky AI governance landscape, leaving much to chance in the meantime.  

AI’s rapid innovation often outpaces the policies in an organization’s AI governance framework, leading to compliance gaps and uncertainties. This complicates governance efforts and introduces inconsistencies in risk management practices across departments. If there’s a lack transparency into how AI models are trained, companies can run into visibility issues when identifying which department or application is putting sensitive data at risk and bears responsibility to fix.  

Another challenge lies in the interdisciplinary nature of AI risk, which encompasses technical, ethical, legal, and societal dimensions. Businesses have long understood that risk management should not be thought of in organizational silos, but making such changes can prove challenging, especially when AI is involved. This adds complexity to AI governance initiatives, requiring close collaboration between various stakeholders with diverse expertise. Take for example, GDPR. If an EU citizen requests that their personal data be deleted, the request affects all usage. If an LLM is using that data, there are legal, privacy, and technical implications if companies do not completely remove that data. GenAI works well on unstructured data (think images and biometric data), so controls designed for structured data (think social security numbers or addresses) aren’t effective.  

Related:AI, the Metaverse, and DEI in the Workplace

These examples demonstrate the need for a comprehensive AI governance framework, elevating the role of risk management into a dynamic strategic advisor that guides companies through new, unfamiliar, and changing terrain. 

Accounting for AI in Risk Management  

Effective risk management demands heightened visibility into the entire risk landscape, and the risk function plays a crucial role in ensuring responsible GenAI use and its alignment with ethical guidelines and legal requirements.  For example, third-party risk management practices need to capture AI usage, ensure appropriate monitoring of systems, and provide transparency and accountability across its practices. By defining your internal standards, you can then educate your partners on expectations for GenAI -- just as you do compliance requirements for cybersecurity and ESG.  

Related:Is an AI Bubble Inevitable?

IT, risk, and security teams also need to act in concert with one another, leveraging solutions that allow them to monitor every aspect of an organization’s deployment and use of AI, or GenAI, in real time to continuously defend against vulnerabilities. Teams must develop adaptable processes to swiftly respond to a wide range of challenges like GenAI usage by third parties, evolving AI regulation, API vulnerabilities, and LLM inaccuracies or hallucinations.  

As environments evolve to incorporate GenAI, companies must maintain vigilance. The best way to do this is to extend their risk management practices to AI. This means organizations must proactively assess risks, continuously monitor AI applications, identify new AI threats and exposures, evaluate AI’s impact on the business, train employees on AI best practices, and understand how to quickly adapt against an AI backdrop.  

Ensuring Thoughtful Consideration in AI Implementation 

As the AI risk landscape becomes progressively unclear, it’s important to remember that GenAI is far from a “set and forget” solution. Its adoption needs to be carefully and thoughtfully managed to avoid undue risk.  

To ensure ethical application and data safeguarding, a company’s first priority should be in controlling GenAI usage with clear guidance on internal best practices. Employees should know what is within the bounds of appropriate AI usage and why they shouldn’t work around the system, which ultimately puts the company at risk. 

At the same time, an AI Governance committee should be defining realistic policies and guidelines for usage both internally and by business partners. Operational best practices and AI governance are two sides of the same coin that ultimately determine success.  

If applied responsibly and with due diligence, the benefits of GenAI are unmistakable. By embedding risk management practices into the fabric of your development, deployment, and use of GenAI, organizations can foster trust, mitigate risks, and maximize the benefits of AI.