Artificial Intelligence and Cybersecurity Balancing Risks and Rewards 2025
3 Actions for senior leadership
Leaders’ decision-making on AI adoption should be guided by security considerations
Leaders are responsible for ensuring that adoption
of AI technologies aligns with their organization’s
goals and objectives, and that the risks that arise fall
within the scope of their organization’s risk tolerance.
Cutting through the hype to understand risk and reward
Before making any decision to deploy AI into core
operations, businesses need to ensure that the
benefit is commensurate with costs and risks.
To be sure of this, businesses need to take the
potential risks of AI system failures (either accidental
or due to malicious attacks) into account. Because
of the speed of AI evolution, the risk-reward
balancing decision may need to be reviewed on a
frequent basis.
Promoting AI security-by-design and by-default
Because AI is rapidly evolving and security
standards are relatively immature, business leaders
should be aware that some products are likely to
be less secure than others, and should therefore
be approached with more caution. Leaders should
demand robust third-party risk management and
use the organization’s purchasing power to promote
AI security-by-design and by-default.
Embedding AI cyber risks into cross-organizational risk management
Managing AI-related cyber risks effectively requires
a multidisciplinary approach. Technology and
security teams alone cannot prevent incidents from
occurring. Front-line business teams need to assess
the potential business impacts, and specialists –
e.g. in HR and/or legal teams – need to assess
the potential liabilities that might arise. They have
a significant role to play in establishing contingent
mitigation. Such multidisciplinary arrangements
may already be embedded within the organization’s
enterprise risk management. If not, they will need to
be created bespoke to AI challenges.

Managing the decision-making process in a large
organization can be complex. Some organizations
may have a central AI policy, with divisional or
local leadership responsible for decision-making
within that policy. Smaller organizations may be
able to operate a flatter governance structure, with
decisions being made by the boardroom. In both
cases, it is important to be very clear about where
accountability for cyber risks sits.
Ensuring adequate investment in essential cybersecurity operations
Leaders need to ensure adequate investment in the
cybersecurity controls and tools that are needed to
protect AI systems, and ensure that the business
is prepared to respond to and recover from
disruptions. Chief information security officers need
to be empowered to challenge both technology
teams and business teams seeking to embed the
technology within their operations. Security teams
should be equipped with the necessary resources
to adapt their capabilities and address new
threats arising from AI use within the organization.
Innovation investments for AI should be coupled
with security investments to ensure that security is
embedded throughout the AI system life cycle. This
approach will help organizations define a reusable
approach for mitigating complex technology risks,
leaving them better prepared for future disruptions.
Engaging with national and sector-specific strategies and standards
Business leaders should be aware of the rapidly
changing regulatory environment (particularly that
relating to the markets they operate in). It will be
necessary to consider how the specific local and
regional AI contexts – including strategies and
standards – impact business operations and risks.
Additionally, relevant controls will need to be put
in place to ensure businesses are meeting their
obligations. For many, this will mean not only a
watching brief on legal and regulatory compliance
matters, but also on emerging threats and
technological risks.