Artificial Intelligence and Cybersecurity Balancing Risks and Rewards 2025
Page 15 of 28 · WEF_Artificial_Intelligence_and_Cybersecurity_Balancing_Risks_and_Rewards_2025.pdf
Position in the supply chain and appetite for
innovation: Organizations leading in AI innovation
(either as sellers or consumers with market-leading
capabilities) are likely to face risks from using
newer technologies that may contain undiscovered
vulnerabilities. More conservative users that procure
more mature AI technologies may face fewer risks,
as more will be known about vulnerabilities and
effective control practices.
Nature of business: Which sectors the business
operates in can affect its risk exposure. For
example, critical national infrastructure organizations
may be more likely to face high threat levels from
attackers motivated by high harm potential or value,
and to be subject to cybersecurity regulation. The
size of the business could influence its resources
for implementing AI risk mitigation, while the level
of dependence of other businesses downstream
affects the extent to which impacts of compromise
might propagate.
Geographical context: Where the organization is
conducting business will have a strong influence on
its cybersecurity posture and residual cyber risk.
The level of cybersecurity capacity of the country
may influence the level of cybersecurity regulation
that the organization is subject to. This might
also affect the organization’s access to a skilled
professional workforce – though this might be less
of an issue for large multinational organizations
– and the availability of trusted sovereign
cybersecurity infrastructures or threat/intelligence
sharing channels.
Level of AI autonomy: Where autonomous
AI drives business processes without human
oversight, this may create greater risk. Lower risk is
faced when there is little autonomy or strong human
oversight to limit risk propagation.
Threat context: The type of threat actor faced by
an organization determines the level of risk. More
capable, resourced and motivated threat actors will
create greater risk for potential victims.
It is necessary for organizations to consider how
these risk contexts apply to them. This then informs
later steps, during which the potential risks and
impacts will be identified.
There may be a lack of clarity around the true
benefits of AI technologies, as use cases are still in
development, making accurate risk-reward analysis
challenging. However, understanding the business
drivers for the implementation of AI technologies
will help to promote understanding of the expected
rewards that are being sought. Research by the AI
Governance Alliance has informed categorization of
the opportunities that generative AI is perceived to
be creating for businesses:17
–Enhancing enterprise productivity
–Creating new products or services
–Redefining industries and societies (e.g.
making sectors such as healthcare more
efficient and responsive to market changes –
e.g. accelerating drug discovery).
It is essential to build understanding of the
proposed integration of AI in the business. This
should incorporate which systems, processes,
information and data are involved, as well as which
stakeholders and why.
Key questions can help organizations to develop an
understanding of the new risk exposure that the use
of AI might bring:
1. What parts of the business might be dependent
on AI and could be impacted should the AI
systems be compromised?
2. What key business value, e.g. revenue, reputation,
process efficiency, needs to be protected?
3. Might the deployment of AI put crown jewels –
assets of greatest value to the organization – and
broader critical assets and processes at risk?
4. What new assets and processes related to
the AI system itself need to be protected?
New technology brings the potential for new
vulnerabilities. These typically fall into the
following categories:
–Inherent software vulnerabilities
–Vulnerabilities introduced by humans’
configuration and use of the technologies,
particularly since this may require new and
untrained practice
–Vulnerabilities in interfaces with other digital
systems, e.g. weak links between software,
hardware, operating system
Step 2: Understanding the rewards
Step 3: Identifying the potential risks and vulnerabilities