How the C-suite can foster a risk-aware approach to GenAI implementation

Many business leaders are excited about the opportunities GenAI offers to their organizations, from making the day-to-day activities of their employees more efficient to enabling more responsive and dynamic engagement with their customers. But they’re also concerned about how to protect their companies against the emerging threats associated with GenAI, especially threat actors using it to amplify their campaigns. They recognize refreshed risk management practices, especially in the area of cybersecurity, are going to become more vital as GenAI rapidly drives increases in the scale and complexity of cyberattacks. 

Successfully navigating the opportunities and challenges related to GenAI can be a complex and challenging endeavour requiring holistic engagement across the organization and its ecosystem participants. CIOs and CISOs are especially keen to ensure that a company’s GenAI approach considers a full continuum of factors—from the need to build stakeholder trust in how GenAI is being used to the need to enhance resilience within cybersecurity operations to reduce potential threats. 

In this article, we explain how a risk-aware approach can enable your company to make the most of GenAI, highlight activities you can use to get started and share questions CIOs and CISOs should consider as their organizations move forward.

52% of business and tech leaders expect GenAI to lead to catastrophic cyberattacks in the next 12 months.

2024 Global Digital Trust Insights Survey, PwC

Taking a risk-aware approach to GenAI

At its simplest level, GenAI generates content. This means that to use it effectively you need to be able to trust and validate the content that’s generated. At the same time, organizations need to be able to show your customers and other stakeholders (e.g. regulators, supply chain partners) they can trust how you’re using GenAI, the guardrails you’re using to protect sensitive information and your resilience to GenAI-driven cyber events. 

At PwC Canada, we leverage a risk-aware approach for implementing all types of innovative technologies, including AI, machine learning and GenAI. A risk-aware approach provides as a foundation for asking appropriate questions and making the investments needed to implement GenAI safely, securely and effectively. Below, we identify six activities aligned with a risk-aware approach that you can use as a starting point so your organization is well positioned to create value from GenAI while better managing your risks.

Number one

Understanding current and pending compliance obligations and developing policies and guidelines to support risk managed GenAI implementation

If you haven’t already done so, establish clear policies and guidelines for your organization around the use of GenAI. Existing jurisdiction and industry-specific AI and GenAI frameworks, guidelines and draft and final regulations (e.g. the Edge Principles, Canada’s Artificial Intelligence and Data Act, the OECD’s AI Principles, the US’s Blueprint for an AI Bill of Rights, the EU’s AI Act) can be a great place to start when it comes to defining your organization’s GenAI policies and guidelines.

Like with almost any technology, it’s also important to establish a strong foundation of trust for the GenAI solutions and tools your organization decides to implement. As you embark on your GenAI journey, start by focusing on governance—particularly data governance and security. Take time to develop and define relevant governance processes and controls to implement across your organization so you can better identify, monitor and mitigate your GenAI risks. This can help you enhance trust and build resilience without creating gaps in your safeguards and guardrails.

Explore PwC Canada’s Responsible AI framework to guide your organization’s trusted, ethical use of AI.

Number one

Use a phased approach to implementation

Using a phased approach to GenAI implementation will give you the agility to test your approach and adjust your course as needed prior to full implementation. This can help you minimize unexpected process, control and technology gaps once you implement GenAI more broadly. A phased approach might include activities like:

  • Establish guidelines for the selection of GenAI use cases: Develop guidelines and policies to help govern the identification and prioritization of GenAI use cases. This process should incorporate a security and risk review so your company can assess new business capabilities using both a value lens and a privacy and security lens. For example, this might include reviewing a potential use case from the perspective of an attacker to pinpoint potential risks and identify ways to make activities more secure.

  • Secure your foundation first: Validate that your foundational cloud infrastructure is securely managed and maintained and that there are effective controls in place. Enabling additional GenAI services on top of a weak foundation can present additional hurdles to securing your end-to-end AI workload. By strengthening your foundation, you can mitigate these risks. 

  • Leverage appropriate support technologies: Identify relevant technologies that can help you enhance the security and risk management associated with your GenAI implementation. For example, if you plan to use GenAI for development purposes, assess what technologies you might need to invest in to conduct robust vulnerability assessments (e.g. vulnerability management solutions and tools) and whether you should incorporate third-party vulnerability reviews.

  • Conduct pilot testing: Incorporate pilot testing into your implementation roadmap so you can test whether policies, procedures and use case guidelines work effectively. This will let you assess your GenAI use in terms of value (e.g. outcomes, time saved), trust (e.g. accuracy, reliability) and operational resilience (e.g. data protection, vulnerabilities). It will also allow you to identify any stumbling blocks or gaps that need to be addressed prior to full implementation.

  • Finalize policies and guidelines: Following the pilot testing phase, update and finalize your GenAI policies, guidelines and controls processes. These can then be used to support your broader implementation of GenAI.

  • Incorporate ongoing improvements: Assess your GenAI activities and risks on a regular basis to enable new challenges or vulnerabilities to be quickly identified and addressed.

Number three

Validate the agility of your security operations

In tandem with your other activities, assess the resilience and agility of your security operations centre and whether you have the capacity, capabilities, skills, tools and technologies need to be able to quickly identify and respond to possible GenAI-driven cyberattacks (e.g. high volumes of spear-phishing emails). Proactively work to address any identified gaps so you can enhance your organization’s cybersecurity posture and resilience. 

As part of this process, you should also consider how you could use GenAI to improve your organization’s cyber defences, including augmenting threat detection and analysis, enhancing cyber risk and incident reporting, and empowering adaptive controls. More specifically, GenAI tools can be used to: 

  • Undertake investigations and data collection: You could use GenAI to improve the speed of your intelligence gathering, which could improve your cybersecurity capacity, the scale of your investigations and the speed of your responsiveness. Generated outputs could be used to support the work of your human team members, and this could, in turn, enhance value to your organization while improving employee job satisfaction. 
  • Test cyber defences: You could use GenAI as a purple team to conduct more frequent testing of your security posture to make sure your environment is well protected against critical and emerging threats.
Number four

Provide appropriate GenAI training

Employees’ level of training can be a key risk factor when it comes to a company’s use of GenAI. As you plan your GenAI implementation, consider how you’ll educate and train employees across your business so they understand your GenAI guidelines and processes and are equipped to use any solutions and tools effectively. Employees should also be made aware of the risks associated with using GenAI inappropriately. As part of any training, include education on the use of GenAI by threat actors and how employees can protect themselves from being exploited as threat vectors.

75% of business and tech leaders believe GenAI-driven processes within an organization will increase employees’ productivity within the next 12 months.

2024 Digital Trust Insights Survey, PwC
Number one

Understand how your supply chain partners are using GenAI

While your organization may have a robust process for managing GenAI responsibly, you can’t assume the same will be true of all the companies in your supply chain. Consider how you can incorporate GenAI considerations into your contracting processes and security assessments so you can better understand how your supply chain partners are using GenAI, any policies and controls they have in place and whether and how their use of GenAI could affect your operations and data. This can help you better manage your third-party risk exposure and, potentially, enhance trust in your third-party relationships.

Number six

Work with your alliance partners to leverage ecosystem learning

Work with your alliance partners to understand their experience with AI and GenAI, and investigate whether they have any capabilities, tools, experiences and leading practices that could accelerate your GenAI implementation. This could help you identify GenAI opportunities you may not have previously considered, while also helping you identify any blind spots you may have missed when considering your GenAI implementation strategy, operations and tactics.

Asking the right questions

CIOs, CISOs and board members have different roles when it comes to driving GenAI approaches and managing risks. Asking the right questions will help you make the most of opportunities while managing your risks.

Man looking at computer

If you’re a CIO

  • How will GenAI impact your organization's digital transformation? Using GenAI to enable your employees can lead to higher employee satisfaction and improve value to customers.
  • How are you making sure every GenAI use case is reviewed for security and risk? Remember, success isn’t just about tech. It's about building new business capabilities with security at the forefront.
  • GenAI is evolving quickly—how will you manage ongoing advancements and the risks they’ll bring? Recognizing that GenAI will keep evolving is key to staying on top of your opportunities and risks.
Woman looking at phone

If you’re a CISO

  • How can you use GenAI tools for investigations, data collection and as a purple team to stay updated against the newest threats? Using GenAI defensively can be a gamechanger.

  • How are you making sure individuals in your organization are educated, trained and certified on how to use GenAI in a compliant way? Education and training can help keep your employees from becoming one of your biggest GenAI risks.

  • How are you adjusting your security posture to respond to the rapidly evolving threats associated with GenAI itself and those generated by it? A modern and agile security operations capability is more critical than ever.
Woman looking at phone

If you’re a member of a board

  • How are you keeping GenAI on the board's agenda? It's essential to understand GenAI’s strategic implications, both in terms of opportunities and risks.

  • What are the risks of not integrating GenAI securely, and how are you mitigating them? Without a secure GenAI strategy, employees might resort to potentially unsafe alternatives.

Ignoring GenAI isn’t an option, so make it a gamechanger

Employees around the world are already using GenAI. While a simple network block might work in the short term to protect your employees from using corporate devices to access GenAI solutions, you risk losing visibility and control as your employees use their own mobile and personal devices to access GenAI tools. 

The best place to start when it comes to GenAI is to lay the foundation needed to build trust in how your company has designed your GenAI solutions and in how you’ll be using them and any generated outputs. By taking time to develop a risk-aware strategy for GenAI, including governance and cybersecurity, and a secure pathway for your employees to use GenAI capabilities, you can establish the trust you need to get the most out of GenAI and strengthen your cyber resilience. If you get it right, GenAI can be a gamechanger.

We bring together a community of solvers to tackle our clients’ biggest challenges.

Let’s keep the conversation going.

Follow PwC Canada

Contact us

Charles Eckert

Charles Eckert

Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada

Tel: +1 416 815 5274

Peter Hargitai, CPA, CA, CITP

Peter Hargitai, CPA, CA, CITP

Partner, National Digital Risk Solutions Leader, PwC Canada

Tel: +1 416 941 8464

Asif Qayyum

Asif Qayyum

Digital Risk and Assurance Leader, PwC Canada