Artificial Intelligence and Cybersecurity Balancing Risks and Rewards 2025

Page 14 of 28 · WEF_Artificial_Intelligence_and_Cybersecurity_Balancing_Risks_and_Rewards_2025.pdf

4 Steps towards effective management of AI cyber risk

Evaluating the cyber risks resulting from AI adoption is essential for all organisations intending to innovate.

This chapter presents a set of steps for implementing oversight and control of cyber risks related to AI adoption and use. It is designed to be used by senior risk owners within an organization. The steps aim to guide the assessment of cybersecurity risks resulting from the adoption of AI technologies, and the implementation of the necessary mitigations.

The decision-making process will, in many cases, be iterative. Senior risk owners should revisit risk-reward evaluations after analysing the potential impact scenarios. The process starts with an assessment of the AI risk context of the organization, and ends with the deployment of leading practices throughout the AI life cycle.

Step 1: Understanding how the organization’s context influences the AI cyber risk

There are several contextual factors that may influence the risk exposure of organizations adopting AI:

FIGURE 2: Characteristics influencing the cyber risks faced by organizations adopting AI

Position in the AI supply chain and appetite for innovation
Range: Creator of its own AI models / Consumer of AI services
– Provider to others
– Early adopters versus more conservative users
– Level of local innovation/service provision

Level of AI autonomy
Range: AI outputs drive critical business processes autonomously / AI outputs inform decision-making by humans
– Level of oversight by humans
– Level of influence on critical processes (and explainability of influences)
– Risk tolerance

Nature of business
Range: Critical infrastructure organization / Non-critical infrastructure organization
– Size/resource (including for cybersecurity)
– Sector
– Safety-critical functionalities
– Downstream dependencies on business processes
– Adversarial context (see threat actors context)

Geographical context
Range: High national/regional cybersecurity capacity / Limited national/regional cybersecurity capacity
– (Stable) cybersecurity and related regulations/legislation
– Operational collaboration bodies/networks, e.g. threat-intelligence sharing
– Local market for cybersecurity products and services
– Compliance with (various competing) standards
– Infrastructure sovereignty (versus outsourced capability)

Threat context
Range: Politically motivated sabotage / Cybercriminals and activists
– Capability/resource
– Intent
– Frequency
– Credibility