GenAI Risk Categories

Let us make it simple: all GenAI risks can be grouped into three high-level risk categories (as explained in this document). These three buckets will help you better understand GenAI risks and apply the strategy recommendations below.

Traditional Tech Risks

These risks are associated with the network infrastructure on which GenAI models and applications run. They have always existed and are not specific to AI. They include, but are not limited to:

  • Network architecture
  • Operating system vulnerabilities
  • Application design
  • Identity and access management
  • Denial of service
  • Web applications (OWASP top 10 for web apps)
  • Ransomware

Recommendation: Continue using traditional controls to manage these risks.

GenAI Amplified Risks

These risks have always existed, but the use of GenAI has either amplified them or added a new dimension to them. They include, but are not limited to:

  • Data leakage and information disclosure
  • Amplified privacy concerns
  • Global compliance to regulations
  • Incident detection & response
  • Supply chain attacks
  • Resource exhaustion and denial of service

Recommendation: To deal with these risks, security teams need to update and enhance their traditional controls.

Newly Introduced Risks

These risks are completely new and specific to the use of GenAI. New methods are needed to identify and manage them. They include:

  • Prompt injection
  • Jailbreaking
  • Hallucinations
  • Legal liability of pre-trained models
  • Training data and model poisoning
  • Excessive agency over taking actions

Recommendation: New controls, governance, and tools are needed to manage these newly introduced risks.

About Rafeeq Rehman

Consultant, Author, Researcher.