Loading...

AI: How to manage cybersecurity and data governance risks | Baker Tilly

artificial intelligence risk management

Webinar

AI: How to manage cybersecurity and data governance risks

April 16, 2024 · Authored by Mike Cullen, Samantha Boterman

Since OpenAI publicly released their ChatGPT tool in the fall of 2022, artificial intelligence (AI)—and, specifically, generative AI — has proliferated. With ever-increasing speed and complexity, new AI systems, vendors, platforms and capabilities have burst onto the scene.

With its promise to reduce inefficiencies, perfect operations and improve customer-facing products and services, organizations are employing AI in bolder and more creative ways each day.

By 2026, more than 80% of organizations will have used generative AI enabled systems—a dramatic increase from less than 5% in 2023. "Real Power of Generative AI: Bringing Knowledge to All.” Gartner, 17 Oct. 2023.

The benefits of AI

AI can accelerate decision-making processes, increase employee productivity, interact with customers, collect and organize vast amounts of data, make accurate predictions/forecasts and more.

Generative AI has already come a long way. In its comparatively short existence, it can already produce text, images, videos, presentations and even music in mere seconds. With all this creative ability, the question is not SHOULD your organization use AI, but WHEN and HOW.

Through these capabilities, generative AI can hopefully help organizations achieve their top objectives — reducing costs and increasing revenue in their core business, creating new business and/or sources of revenue, increasing the value of offerings by integrating AI-based features or insights and, in essence, creating more value without extraordinary effort.

And as with most technological innovations, this new creative power comes with new challenges and risks. Even if your organization is not implementing bleeding edge tools and techniques with AI, such capabilities are likely already in use by the software and service vendors that your organization relies on to accomplish its goals.

The challenges and risks of AI

AI has brought about new — and elevated existing — risks and compliance challenges that are increasingly specific to AI platforms. Organizations need to be proactive in their considerations of leveraging AI in a timely, efficient and responsible manner. Organizations should treat AI risk considerations as more than just afterthoughts and should appropriately adapt practices and approaches from existing control frameworks.

At the forefront of these risk considerations are two main themes: cybersecurity and data governance. As you consider the relevant risks facing your organization, ask these questions:

Mike Cullen

Mike Cullen

Principal

Related sections

Article Tags

artificial intelligence hitrust

Industry collaboration

HITRUST is actively engaging with AI industry leaders and external assessors (professional services firms like Baker Tilly) to identify new AI risks and threats, refine the safeguards needed to manage identified risks and continually improve AI assurance offerings.

Harmonization of AI resources

HITRUST is incorporating over four dozen AI-centric authoritative sources — i.e., externally developed, information-protection-focused frameworks, standards, guidelines, regulations or laws — into one harmonized framework (the HITRUST CSF®). These sources include ISO standards, NIST special publications, the Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Regulation (GDPR) and even state-level items like the California Consumer Privacy Act (CCPA). Incorporating all these sources into one harmonized omni-framework allows organizations to focus on implementation instead of monitoring updates and combing through the fine print themselves.

Shared AI responsibilities

Coming in Q4 of 2024, HITRUST will leverage their proven shared responsibility model and inheritance program to:

Provide a relevant and actionable framework for assessing and managing AI shared responsibilities
Align control performance expectations between AI service providers and their user organizations
Enable inheritance of results of AI-centric control testing from AI service providers to their customers

AI security certification

Also coming in Q4 of 2024, HITRUST will offer an AI security certification to enable organizations to demonstrate the strength of their AI security program. The entire HITRUST assessment and certification portfolio is expanding to support the addition of AI controls and the issuance of an accompanying AI security certification to proactively address questions and concerns over AI security.

AI risk management reporting

Coming in Q3 of 2024, HITRUST’s AI risk management insights report will provide key inputs to specific conversations related to an organization’s AI risk management program. Adding a new “AI risk management” authoritative source into a HITRUST CSF assessment will add roughly 50 new AI risk management-focused requirements and includes scorecards, assessment results and narratives about the organization’s AI risk program against both of the following:

NIST AI Risk Management Framework (RMF) v1.0
ISO/IEC 23894:2023 - Information Technology - Artificial Intelligence - Guidance on Risk Management