Let us make it simple: all GenAI risks can be grouped into three high-level risk categories (as explained in this document). These three buckets help you better understand GenAI risks and apply the strategy recommendations below.
Traditional Tech Risks
These risks are associated with the network infrastructure on which GenAI models and applications run. They have always existed and are not specific to AI. They include, but are not limited to:
- Network architecture
- Operating system vulnerabilities
- Application design
- Identity and access management
- Denial of service
- Web applications (OWASP Top 10 for web apps)
- Ransomware
Recommendation: Continue using traditional controls to manage these risks.
GenAI Amplified Risks
These risks have always existed, but the use of GenAI has either amplified them or added a new dimension to them. They include, but are not limited to:
- Data leakage and information disclosure
- Amplified privacy concerns
- Global compliance to regulations
- Incident detection & response
- Supply chain attacks
- Resource exhaustion and denial of service
Recommendation: To deal with these risks, security teams need to update and enhance their traditional controls.
Newly Introduced Risks
These risks are completely new and very specific to the use of GenAI. New methods are needed to identify and manage them. They include:
- Prompt injection
- Jailbreaking
- Hallucinations
- Legal liability of pre-trained models
- Training data and model poisoning
- Excessive agency over taking actions
Recommendation: New controls, governance, and tools are needed to manage these newly introduced risks.