AI Risk Management: Lessons From the Cybersecurity Experience
May 20, 2025
A recent Debevoise blog argues that, because cybersecurity risks and the risks posed by AI overlap in so many ways, AI risk managers can draw on the last decade's experience in managing cyber risk. The excerpt below makes one such point: organizations learned from cybersecurity that operational risks need to be addressed before regulatory risks:
Cyber and AI share overlapping operational and regulatory risks. In the early days of enterprise cybersecurity, businesses faced vague regulatory requirements and an uncertain enforcement landscape. They found that the most effective approach was to prioritize operational cybersecurity risks (i.e., to protect the network and confidential data from unauthorized access), and once that goal was largely achieved, they would then gap assess their program to any applicable regulatory compliance standards.
This approach provides a good lesson for AI governance. Given the still-evolving AI regulatory landscape, businesses should prioritize managing operational risks by ensuring that AI tools and use cases deliver value, perform as intended, and do not cause unexpected harm. Once a business effectively mitigates operational risks, the business can then turn its attention to conducting a gap assessment against applicable regulatory requirements.
The blog also says that there are important distinctions between cybersecurity risks and AI risks, including the difficulty of pinpointing accountability for AI risk management in an organization:
Most businesses have a group that was hired and trained specifically to focus on managing cyber risk, with a single designated person in charge, usually the CISO, who is accountable to senior management. By contrast, very few businesses have a single individual who is responsible for managing AI risk. The cyber part of the AI risk management function naturally rests with the CISO, but other aspects of AI risk management may reside with the general counsel, head of risk, CCO, COO, CFO, and/or Head of HR, which is why many businesses have to establish a cross-functional AI Governance Committee that is collectively accountable for managing AI risk.