7. Existing Risk
Guardians of AI, by Richard Diver

In the world of business and technology, risk management is a well-defined and practiced profession that has evolved over time to ensure prosperity. Risk managers develop expertise to help identify and assess risk, then formulate mitigation strategies. If you are new to risk management, you can begin by considering your own approach to risk taking based on personal experience: do you have a high risk tolerance, willing to try something that has some chance of failure in order to achieve something great, or are you risk averse, unwilling to step out of a comfort zone because of the worst-case scenario?

Risks are often associated with uncertainty of the future, referring to the potential for loss or harm, and the negative consequences when a threat occurs. You can find many example definitions of risk and the circle of risk is a particularly interesting one to study.

Threat landscape

The threat landscape in 2024 includes espionage, influence operations, supply chain compromise, social engineering, insider risk, temporary or permanent destruction, malware, and exploitation of digital media channels - to name just a few. This is before we introduce AI, which brings a new angle unique to AI technologies but also changes the potential methods and impacts of all existing threats.


AI generated image of a person planning their route on a map full of way-points
AI generated image representing navigation of the threat landscape


Technical debt

The teams that support existing technologies may spend more effort keeping the lights on than driving productivity and security improvements for their business. Here are just a few indicators of an organization that is suffering from technical debt:

  • Multi-factor authentication (MFA) not applied everywhere, to everything – too many exceptions accounting for special use-cases.
  • Patch management is done on demand instead of fully automated, due to the risk of failure.
  • Network and workload isolation projects fail because of legacy protocols, lack of layered topology, and complex integrations.
  • Lack of, or immature, data labeling structure to identify the most valuable and sensitive business and customer information, and no enforcement of data loss prevention technologies.
  • Insider risk is not seen as a top priority, and detections for it are lacking.
  • No enterprise architecture oversight to ensure technology continues to meet business needs.
  • Lack of DevSecOps to consistently update and replace aging software standards and increase automation.

There are other examples, but it's a good starting list to consider. You can't tackle them all at the same time, but you can ensure AI systems follow your new standards and implement regular reviews and updates to continually improve the baseline and start to retire systems that cannot keep up with new standards.

Data protection

One of the most beneficial projects any organization can undertake is the identification and labeling of its most valuable data. What is valuable data? That depends on the organization and how information is used to drive business outcomes. There is also toxic data: information that has little value but could cause harm to the organization if mishandled.

Introducing AI to an existing organization may not increase the risk of data handling, but it certainly highlights any issues and concerns that existed before but hadn't been addressed.

You can see my latest insights on data protection by viewing the recording of the Microsoft Build conference talk BRK226.

Here is my favorite quote from this chapter:


Quote by Richard Diver: "AI inherits and amplifies existing risk, but it may also be used to solve it"


The book is available now on Amazon - Guardians of AI: Building innovation with safety and security.

In the next newsletter we will explore some of the key insights from Chapter 8: AI Harms & Risks.
