Understanding the Risks of AI-Only Strategies

☢️Manage Third-Party AI Risks Before They Become Your Problem☢️ AI systems are rarely built in isolation as they rely on pre-trained models, third-party datasets, APIs, and open-source libraries. Each of these dependencies introduces risks: security vulnerabilities, regulatory liabilities, and bias issues that can cascade into business and compliance failures. You must move beyond blind trust in AI vendors and implement practical, enforceable supply chain security controls based on #ISO42001 (#AIMS). ➡️Key Risks in the AI Supply Chain AI supply chains introduce hidden vulnerabilities: 🔸Pre-trained models – Were they trained on biased, copyrighted, or harmful data? 🔸Third-party datasets – Are they legally obtained and free from bias? 🔸API-based AI services – Are they secure, explainable, and auditable? 🔸Open-source dependencies – Are there backdoors or adversarial risks? 💡A flawed vendor AI system could expose organizations to GDPR fines, AI Act nonconformity, security exploits, or biased decision-making lawsuits. ➡️How to Secure Your AI Supply Chain 1. Vendor Due Diligence – Set Clear Requirements 🔹Require a model card – Vendors must document data sources, known biases, and model limitations. 🔹Use an AI risk assessment questionnaire – Evaluate vendors against ISO42001 & #ISO23894 risk criteria. 🔹Ensure regulatory compliance clauses in contracts – Include legal indemnities for compliance failures. 💡Why This Works: Many vendors haven’t certified against ISO42001 yet, but structured risk assessments provide visibility into potential AI liabilities. 2️. Continuous AI Supply Chain Monitoring – Track & Audit 🔹Use version-controlled model registries – Track model updates, dataset changes, and version history. 🔹Conduct quarterly vendor model audits – Monitor for bias drift, adversarial vulnerabilities, and performance degradation. 🔹Partner with AI security firms for adversarial testing – Identify risks before attackers do. (Gemma Galdon Clavell, PhD , Eticas.ai) 💡Why This Works: AI models evolve over time, meaning risks must be continuously reassessed, not just evaluated at procurement. 3️. Contractual Safeguards – Define Accountability 🔹Set AI performance SLAs – Establish measurable benchmarks for accuracy, fairness, and uptime. 🔹Mandate vendor incident response obligations – Ensure vendors are responsible for failures affecting your business. 🔹Require pre-deployment model risk assessments – Vendors must document model risks before integration. 💡Why This Works: AI failures are inevitable. Clear contracts prevent blame-shifting and liability confusion. ➡️ Move from Idealism to Realism AI supply chain risks won’t disappear, but they can be managed. The best approach? 🔸Risk awareness over blind trust 🔸Ongoing monitoring, not just one-time assessments 🔸Strong contracts to distribute liability, not absorb it If you don’t control your AI supply chain risks, you’re inheriting someone else’s. Please don’t forget that.

"Our analysis of eleven case studies from AI-adjacent industries reveals three distinct categories of failure: institutional, procedural, and performance... By studying failures across sectors, we uncover critical lessons about risk assessment, safety protocols, and oversight mechanisms that can guide AI innovators in this era of rapid development. One of the most prominent risks is the tendency to prioritize rapid innovation and market dominance over safety. The case studies demonstrated a crucial need for transparency, robust third-party verification and evaluation, and comprehensive data governance practices, among other safety measures. Additionally, by investigating ongoing litigation against companies that deploy AI systems, we highlight the importance of proactively implementing measures that ensure safe, secure, and responsible AI development... Though today’s AI regulatory landscape remains fragmented, we identified five main sources of AI governance—laws and regulations, guidance, norms, standards, and organizational policies—to provide AI builders and users with a clear direction for the safe, secure, and responsible development of AI. In the absence of comprehensive, AI-focused federal legislation in the United States, we define compliance failure in the AI ecosystem as the failure to align with existing laws, government-issued guidance, globally accepted norms, standards, voluntary commitments, and organizational policies–whether publicly announced or confidential–that focus on responsible AI governance. The report concludes by addressing AI’s unique compliance issues stemming from its ongoing evolution and complexity. Ambiguous AI safety definitions and the rapid pace of development challenge efforts to govern it and potentially even its adoption across regulated industries, while problems with interpretability hinder the development of compliance mechanisms, and AI agents blur the lines of liability in the automated world. As organizations face risks ranging from minor infractions to catastrophic failures that could ripple across sectors, the stakes for effective oversight grow higher. Without proper safeguards, we risk eroding public trust in AI and creating industry practices that favor speed over safety—ultimately affecting innovation and society far beyond the AI sector itself. As history teaches us, highly complex systems are prone to a wide array of failures. We must look to the past to learn from these failures and to avoid similar mistakes as we build the ever more powerful AI systems of the future." Great work from Mariami Tkeshelashvili and Tiffany Saade at the Institute for Security and Technology (IST). Glad I could support alongside Chloe Autio, Alyssa Lefaivre Škopac, Matthew da Mota, Ph.D., Hadassah Drukarch, Avijit Ghosh, PhD, Alexander Reese, Akash Wasil and others!

Your AI project will succeed or fail before a single model is deployed. The critical decisions happen during vendor selection — especially in fintech where the consequences of poor implementation extend beyond wasted budgets to regulatory exposure and customer trust. Financial institutions have always excelled at vendor risk management. The difference with AI? The risks are less visible and the consequences more profound. After working on dozens of fintech AI implementations, I've identified four essential filters that determine success when internal AI capabilities are limited: 1️⃣ Integration Readiness For fintech specifically, look beyond the demo. Request documentation on how the vendor handles system integrations. The most advanced AI is worthless if it can't connect to your legacy infrastructure. 2️⃣ Interpretability and Governance Fit In financial services, "black box" AI is potentially non-compliant. Effective vendors should provide tiered explanations for different stakeholders, from technical teams to compliance officers to regulators. Ask for examples of model documentation specifically designed for financial service audits. 3️⃣ Capability Transfer Mechanics With 71% of companies reporting an AI skills gap, knowledge transfer becomes essential. Structure contracts with explicit "shadow-the-vendor" periods where your team works alongside implementation experts. The goal: independence without expertise gaps that create regulatory risks. 4️⃣ Road-Map Transparency and Exit Options Financial services move slower than technology. Ensure your vendor's development roadmap aligns with regulatory timelines and includes established processes for model updates that won't trigger new compliance reviews. Document clear exit rights that include data migration support. In regulated industries like fintech, vendor selection is your primary risk management strategy. The most successful implementations I've witnessed weren't led by AI experts, but by operational leaders who applied these filters systematically, documenting each requirement against specific regulatory and business needs. Successful AI implementation in regulated industries is fundamentally about process rigor before technical rigor. #fintech #ai #governance

AI use in 𝗔𝗡𝗬 government is 𝗡𝗢𝗧 a partisan issue - it affects 💥everyone.💥 I am just as excited about the opportunities that AI can bring as those that are leading the way. However, prioritizing AI without strong risk management opens the door WIDE to unintended consequences. There are AI Risk Management Frameworks developed (take your pick of one) that lay out clear guidelines to prevent those unintended consequences Here are a few concerns that stand out: ⚫ Speed Over Scrutiny Rushing AI into deployment can mean skipping critical evaluations. For example, NIST emphasizes iterative testing and thorough risk assessments throughout an AI system’s lifecycle. Without these, we risk rolling out systems that aren't fully understood. ⚫ Reduced Human Oversight When AI takes center stage, human judgment can get pushed to the sidelines. Most frameworks stress the importance of oversight and accountability, ensuring that AI-driven decisions remain ethical and transparent. Without clear human responsibility, who do we hold accountable when things go wrong? ⚫ Amplified Bias and Injustice AI is only as fair as the data and design behind it. We’ve already seen hiring algorithms and law enforcement tools reinforce discrimination. If bias isn’t identified and mitigated, AI could worsen existing inequities. It's not a technical issue—it’s a societal risk. ⚫ Security and Privacy Trade-offs A hasty AI rollout without strong security measures could expose critical systems to cyber threats and privacy breaches. An AI-first approach promises efficiency and innovation, but without caution, it is overflowing with risk. Yes...our government should be innovative and leverage technological breakthroughs 𝗕𝗨𝗧...and this is a 𝗕𝗜𝗚 one...it 𝗛𝗔𝗦 𝗧𝗢 𝗕𝗘 secure, transparent, and accountable. Are we prioritizing speed over safety? -------------------------------------------------------------- Opinions are my own and not the views of my employer. -------------------------------------------------------------- 👋 Chris Hockey | Manager at Alvarez & Marsal 📌 Expert in Information and AI Governance, Risk, and Compliance 🔍 Reducing compliance and data breach risks by managing data volume and relevance 🔍 Aligning AI initiatives with the evolving AI regulatory landscape ✨ Insights on: • AI Governance • Information Governance • Data Risk • Information Management • Privacy Regulations & Compliance 🔔 Follow for strategic insights on advancing information and AI governance 🤝 Connect to explore tailored solutions that drive resilience and impact

𝐀𝐈 𝐫𝐢𝐬𝐤 𝐢𝐬𝐧’𝐭 𝐨𝐧𝐞 𝐭𝐡𝐢𝐧𝐠. 𝐈𝐭’𝐬 𝟏,𝟔𝟎𝟎 𝐭𝐡𝐢𝐧𝐠𝐬. That’s not hyperbole. A new meta-review compiled over 1,600 distinct AI risks from 65 frameworks and surfaced a tough truth: most organizations are underestimating both the scope and structure of AI risk. It’s not just about bias, fairness, or hallucination. Risks emerge at different stages, from different actors, with different incentives: • Pre-deployment design decisions • Post-deployment human misuse • Model failure, misalignment, drift • Unclear accountability across teams The taxonomy distinguishes between human and AI causes, intentional and unintentional behaviors, and domain-specific vs. systemic risks. But here’s the real insight: Most AI risks don’t stem from malicious design. They emerge from fragmented ownership and unmanaged complexity. No single team sees the whole picture. Governance lives in compliance. Development lives in product. Monitoring lives in infra. And no one owns the handoffs. → Strategic takeaway: You don’t need another checklist. You need a cross-functional risk architecture. One that maps responsibility, observability, and escalation paths, before the headlines do it for you. AI systems won’t fail in one place. They’ll fail at the intersections. 𝐓𝐫𝐞𝐚𝐭 𝐀𝐈 𝐫𝐢𝐬𝐤 𝐚𝐬 𝐚 𝐜𝐡𝐞𝐜𝐤𝐛𝐨𝐱, 𝐚𝐧𝐝 𝐢𝐭 𝐰𝐢𝐥𝐥 𝐬𝐡𝐨𝐰 𝐮𝐩 𝐥𝐚𝐭𝐞𝐫 𝐚𝐬 𝐚 𝐡𝐞𝐚𝐝𝐥𝐢𝐧𝐞.

𝟱 𝗥𝗶𝘀𝗸𝘀 𝗧𝗵𝗮𝘁 𝗖𝗼𝘂𝗹𝗱 𝗪𝗶𝗽𝗲 𝗢𝘂𝘁 𝗠𝗼𝘀𝘁 𝗔𝗜 𝗔𝗽𝗽𝘀 Most AI apps that VCs have shoveled dollars into are merely a thin veneer of UX on top of an AI model Here are five risks those AI apps face: 𝟭. 𝗗𝗮𝘁𝗮 𝗖𝗲𝗻𝘁𝗲𝗿 𝗜𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 (e.g., AWS, Google Cloud, Microsoft Azure) Role: Provides the computing power needed to train and run AI models. Risk: High costs and limited access to large-scale GPU clusters. Startups face dependency on big cloud providers with little pricing power or leverage. 𝟮. 𝗛𝗮𝗿𝗱𝘄𝗮𝗿𝗲 𝗟𝗮𝘆𝗲𝗿 (e.g., NVIDIA chips) Role: Powers AI training and inference with GPUs. Risk: Hardware supply is constrained. Heavy reliance on NVIDIA creates a chokepoint and barrier to entry. Rising costs and potential shortages limit experimentation for smaller players. 𝟯. 𝗙𝗼𝘂𝗻𝗱𝗮𝘁𝗶𝗼𝗻 𝗠𝗼𝗱𝗲𝗹𝘀 (e.g., OpenAI, Anthropic, Google DeepMind) Role: Provide the base models (e.g., GPT, Claude) that others build upon. Risk: Most startups are just API wrappers with no control over foundational model behavior, performance, pricing, or app-killer features. Changes to API terms or model availability can kill dependent businesses overnight. Foundational models can — and have — completely killed entire categories of apps by simply rolling out a new feature. 𝟰. 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺-𝗮𝘀-𝗮-𝗦𝗲𝗿𝘃𝗶𝗰𝗲 (e.g., Microsoft Azure OpenAI integration) Role: Acts as a bridge layer for companies to access foundation models easily. Risk: Being locked in to Microsoft or other providers reduces flexibility and makes startups vulnerable to shifts in pricing, access limits, or strategic redirection by platform owners. 𝟱. 𝗔𝗽𝗽𝗹𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗟𝗮𝘆𝗲𝗿 (AI Startups / Products) Role: End-user tools and applications that deliver AI-driven features. Risk: Rapid commoditization. Without proprietary data or deep workflow integration, most apps lack staying power. Low retention, high churn, and feature copycatting by incumbents make survival difficult. 𝗖𝗼𝗻𝗰𝗹𝘂𝘀𝗶𝗼𝗻: Each layer of the AI stack presents a risk multiplier. Most AI startups operate at the most fragile layer (applications), without owning the infrastructure, models, or data. ✅ Successful AI apps will either own data or models or build deeply embedded solutions that solve real problems and can't be easily cloned. #AI #Startups #VentureCapital #AIApps #TechRisk #DeepTech #ProductStrategy

I've been digging into the latest NIST guidance on generative AI risks—and what I’m finding is both urgent and under-discussed. Most organizations are moving fast with AI adoption, but few are stopping to assess what’s actually at stake. Here’s what NIST is warning about: 🔷 Confabulation: AI systems can generate confident but false information. This isn’t just a glitch—it’s a fundamental design risk that can mislead users in critical settings like healthcare, finance, and law. 🔷 Privacy exposure: Models trained on vast datasets can leak or infer sensitive data—even data they weren’t explicitly given. 🔷 Bias at scale: GAI can replicate and amplify harmful societal biases, affecting everything from hiring systems to public-facing applications. 🔷 Offensive cyber capabilities: These tools can be manipulated to assist with attacks—lowering the barrier for threat actors. 🔷 Disinformation and deepfakes: GAI is making it easier than ever to create and spread misinformation at scale, eroding public trust and information integrity. The big takeaway? These risks aren't theoretical. They're already showing up in real-world use cases. With NIST now laying out a detailed framework for managing generative AI risks, the message is clear: Start researching. Start aligning. Start leading. The people and organizations that understand this guidance early will become the voices of authority in this space. #GenerativeAI #Cybersecurity #AICompliance

Insightful Sunday read regarding AI governance and risk. This framework brings some much-needed structure to AI governance in national security, especially in sensitive areas like privacy, rights, and high-stakes decision-making. The sections on restricted uses of AI make it clear that AI should not replace human judgment, particularly in scenarios impacting civil liberties or public trust. This is particularly relevant for national security contexts where public trust is essential, yet easily eroded by perceived overreach or misuse. The emphasis on impact assessments and human oversight is both pragmatic and proactive. AI is powerful, but without proper guardrails, it’s easy for its application to stray into gray areas, particularly in national security. The framework’s call for thorough risk assessments, documented benefits, and mitigated risks is forward-thinking, aiming to balance AI’s utility with caution. Another strong point is the training requirement. AI can be a black box for many users, so the framework rightly mandates that users understand both the tools’ potential and limitations. This also aligns well with the rising concerns around “automation bias,” where users might overtrust AI simply because it’s “smart.” The creation of an oversight structure through CAIOs and Governance Boards shows a commitment to transparency and accountability. It might even serve as a model for non-security government agencies as they adopt AI, reinforcing responsible and ethical AI usage across the board. Key Points: AI Use Restrictions: Strict limits on certain AI applications, particularly those that could infringe on civil rights, civil liberties, or privacy. Specific prohibitions include tracking individuals based on protected rights, inferring sensitive personal attributes (e.g., religion, gender identity) from biometrics, and making high-stakes decisions like immigration status solely based on AI. High-Impact AI and Risk Management: AI that influences major decisions, particularly in national security and defense, must undergo rigorous testing, oversight, and impact assessment. Cataloguing and Monitoring: A yearly inventory of high-impact AI applications, including data on their purpose, benefits, and risks, is required. This step is about creating a transparent and accountable record of AI use, aimed at keeping all deployed systems in check and manageable. Training and Accountability: Agencies are tasked with ensuring personnel are trained to understand the AI tools they use, especially those in roles with significant decision-making power. Training focuses on preventing overreliance on AI, addressing biases, and understanding AI’s limitations. Oversight Structure: A Chief AI Officer (CAIO) is essential within each agency to oversee AI governance and promote responsible AI use. An AI Governance Board is also mandated to oversee all high-impact AI activities within each agency, keeping them aligned with the framework’s principles.

AI & Practical Steps CISOs Can Take Now! Too much buzz around LLMs can paralyze security leaders. Reality is that, AI isn’t magic! So apply the same foundational security fundamentals. Here’s how to build a real AI security policy: 🔍 Discover AI Usage: Map who’s using AI, where it lives in your org, and intended use cases. 🔐 Govern Your Data: Classify & encrypt sensitive data. Know what data is used in AI tools, and where it goes. 🧠 Educate Users: Train teams on safe AI use. Teach spotting hallucinations and avoiding risky data sharing. 🛡️ Scan Models for Threats: Inspect model files for malware, backdoors, or typosquatting. Treat model files like untrusted code. 📈 Profile Risks (just like Cloud or BYOD): Create an executive-ready risk matrix. Document use cases, threats, business impact, and risk appetite. These steps aren’t flashy but they guard against real risks: data leaks, poisoning, serialization attacks, supply chain threats.