Artificial Intelligence and Cybersecurity Balancing Risks and Rewards 2025
Questions for business leaders to consider
It is crucial for business leaders to define and
communicate key parameters within which
decision-making on AI adoption and its associated
cybersecurity can be conducted. This set of
questions is designed to guide them in assessing
their current strategies, identifying potential
vulnerabilities and cultivating a culture of security
within their organizations.
1. Has the right risk tolerance for AI
technologies been established and is it
understood by all risk owners?
The organization might choose to be an early
mover, recognizing the potential risks, or might
take a more conservative approach. In both cases,
there is a need to oversee the management of
cybersecurity risks before, during and after the
deployment of AI systems. The oversight and
leadership scrutiny should generate evidence that
AI risks are well understood, that stretch scenarios
have been considered and that choices are in line
with the wider risk tolerance of the business.
2. Is there a proper balancing of the risks
against the rewards when new AI projects
are considered?
It’s crucial to assess how the potential upsides of
AI projects align with the strategic direction of the
business, when balanced against the novel risks
these technologies might introduce. The potential
rewards should be well qualified, and consideration
should be given to the potential risks in any decision
to use AI in operations.
3. Is there an effective process in place to
govern and keep track of the deployment
of AI projects within the organization?
This is particularly challenging in complex
organizations in which experimentation and
deployment may be occurring in multiple
departments and subsidiaries. A clear process
should be defined for making decisions on AI projects
(including when to move them from experimentation
to operational use). It is also important to monitor live
AI systems to make sure users are not inadvertently
exposing the organization to additional risk.
4. Is there a clear understanding of the
organization-specific vulnerabilities and
cyber risks related to the use or adoption
of AI technologies?
There are novel vulnerabilities associated with AI
technologies such as data-poisoning, inference
engine sabotage and prompt jailbreaking. These
could lead to operational disruption and data
loss, or could exacerbate issues such as a lack
of explainability and reliability, or potential for bias.
A comprehensive risk assessment is required to
identify the vulnerabilities of the AI systems and
potential impact of compromise on the business.
Timely access to relevant threat intelligence and
advice will support greater situational awareness
of the organization’s risk exposure.
5. Is there clarity on which stakeholders within
the organization need to be involved in
assessing and mitigating the cyber risks
from AI adoption?
There must be involvement from relevant front-
line business teams, from legal, risk, audit and
compliance, and from communications and
technology. The various ways in which the AI is
embedded into the operational and decision-
making processes of the business need to account
for the possibility of security failure, and mitigating
controls put in place around deployment and
operation need to limit the potential impact of
adverse cyber events. The relevant accountable
stakeholders should be identified. Clear
responsibilities need to be set for AI-related cyber
risks, and associated duties need to be clarified
should a cyber incident occur.
6. Are there assurance processes in place to
ensure that AI deployments are consistent
with the organization’s broader organizational
policies and legal and regulatory obligations
(for example relating to data protection or
health and safety)?
Proposals for new AI deployments need to
be tested to ensure compliance with wider
organizational policies. Formal sign-off by relevant
accountable stakeholders within the organization
may be required. This review process will need to
be revisited as the technology and its business
use evolve.