How the C-suite can foster a risk-aware approach to GenAI implementation

Understanding current and pending compliance obligations and developing policies and guidelines to support risk managed GenAI implementation

If you haven’t already done so, establish clear policies and guidelines for your organization around the use of GenAI. Existing jurisdiction and industry-specific AI and GenAI frameworks, guidelines and draft and final regulations (e.g. the Edge Principles, Canada’s Artificial Intelligence and Data Act, the OECD’s AI Principles, the US’s Blueprint for an AI Bill of Rights, the EU’s AI Act) can be a great place to start when it comes to defining your organization’s GenAI policies and guidelines.

Like with almost any technology, it’s also important to establish a strong foundation of trust for the GenAI solutions and tools your organization decides to implement. As you embark on your GenAI journey, start by focusing on governance—particularly data governance and security. Take time to develop and define relevant governance processes and controls to implement across your organization so you can better identify, monitor and mitigate your GenAI risks. This can help you enhance trust and build resilience without creating gaps in your safeguards and guardrails.

Explore PwC Canada’s Responsible AI framework to guide your organization’s trusted, ethical use of AI.

Use a phased approach to implementation

Using a phased approach to GenAI implementation will give you the agility to test your approach and adjust your course as needed prior to full implementation. This can help you minimize unexpected process, control and technology gaps once you implement GenAI more broadly. A phased approach might include activities like:

• Establish guidelines for the selection of GenAI use cases: Develop guidelines and policies to help govern the identification and prioritization of GenAI use cases. This process should incorporate a security and risk review so your company can assess new business capabilities using both a value lens and a privacy and security lens. For example, this might include reviewing a potential use case from the perspective of an attacker to pinpoint potential risks and identify ways to make activities more secure.

• Secure your foundation first: Validate that your foundational cloud infrastructure is securely managed and maintained and that there are effective controls in place. Enabling additional GenAI services on top of a weak foundation can present additional hurdles to securing your end-to-end AI workload. By strengthening your foundation, you can mitigate these risks. 

• Leverage appropriate support technologies: Identify relevant technologies that can help you enhance the security and risk management associated with your GenAI implementation. For example, if you plan to use GenAI for development purposes, assess what technologies you might need to invest in to conduct robust vulnerability assessments (e.g. vulnerability management solutions and tools) and whether you should incorporate third-party vulnerability reviews.

• Conduct pilot testing: Incorporate pilot testing into your implementation roadmap so you can test whether policies, procedures and use case guidelines work effectively. This will let you assess your GenAI use in terms of value (e.g. outcomes, time saved), trust (e.g. accuracy, reliability) and operational resilience (e.g. data protection, vulnerabilities). It will also allow you to identify any stumbling blocks or gaps that need to be addressed prior to full implementation.

• Finalize policies and guidelines: Following the pilot testing phase, update and finalize your GenAI policies, guidelines and controls processes. These can then be used to support your broader implementation of GenAI.

• Incorporate ongoing improvements: Assess your GenAI activities and risks on a regular basis to enable new challenges or vulnerabilities to be quickly identified and addressed.

Validate the agility of your security operations

In tandem with your other activities, assess the resilience and agility of your security operations centre and whether you have the capacity, capabilities, skills, tools and technologies need to be able to quickly identify and respond to possible GenAI-driven cyberattacks (e.g. high volumes of spear-phishing emails). Proactively work to address any identified gaps so you can enhance your organization’s cybersecurity posture and resilience. 

As part of this process, you should also consider how you could use GenAI to improve your organization’s cyber defences, including augmenting threat detection and analysis, enhancing cyber risk and incident reporting, and empowering adaptive controls. More specifically, GenAI tools can be used to: 

• Undertake investigations and data collection: You could use GenAI to improve the speed of your intelligence gathering, which could improve your cybersecurity capacity, the scale of your investigations and the speed of your responsiveness. Generated outputs could be used to support the work of your human team members, and this could, in turn, enhance value to your organization while improving employee job satisfaction. 
• Test cyber defences: You could use GenAI as a purple team to conduct more frequent testing of your security posture to make sure your environment is well protected against critical and emerging threats.

Provide appropriate GenAI training

Employees’ level of training can be a key risk factor when it comes to a company’s use of GenAI. As you plan your GenAI implementation, consider how you’ll educate and train employees across your business so they understand your GenAI guidelines and processes and are equipped to use any solutions and tools effectively. Employees should also be made aware of the risks associated with using GenAI inappropriately. As part of any training, include education on the use of GenAI by threat actors and how employees can protect themselves from being exploited as threat vectors.

Understand how your supply chain partners are using GenAI

While your organization may have a robust process for managing GenAI responsibly, you can’t assume the same will be true of all the companies in your supply chain. Consider how you can incorporate GenAI considerations into your contracting processes and security assessments so you can better understand how your supply chain partners are using GenAI, any policies and controls they have in place and whether and how their use of GenAI could affect your operations and data. This can help you better manage your third-party risk exposure and, potentially, enhance trust in your third-party relationships.

Work with your alliance partners to leverage ecosystem learning

Work with your alliance partners to understand their experience with AI and GenAI, and investigate whether they have any capabilities, tools, experiences and leading practices that could accelerate your GenAI implementation. This could help you identify GenAI opportunities you may not have previously considered, while also helping you identify any blind spots you may have missed when considering your GenAI implementation strategy, operations and tactics.