Artificial Intelligence and Cybersecurity Balancing Risks and Rewards 2025

Page 19 of 28 · WEF_Artificial_Intelligence_and_Cybersecurity_Balancing_Risks_and_Rewards_2025.pdf

Step 5: Identifying options for risk mitigation

Many existing cybersecurity control frameworks that are not AI-specific remain relevant for addressing cyber risks associated with AI adoption. What may differ is the way in which these controls need to be applied to protect the AI system, as well as any potential gaps they leave for specific risks.

Basic cyber hygiene is the foundation

It is critical to have a secure foundation of existing cybersecurity controls in place – i.e. basic cyber hygiene – to manage the cyber risks related to AI adoption. Some key practices include:

Avoiding vulnerabilities in the AI systems
Robust threat and vulnerability management practices help remediate critical exposures detected across systems, including AI technologies. They must also be complemented by secure configurations of the underlying hardware and software.

Limiting blast radius
Implementing controls for protecting the perimeters of systems – such as segmentation of networks and databases, and data-loss prevention – helps limit the impact of an initial compromise of AI systems.

Accessing control
Ensuring that the AI systems and the infrastructure hosting AI algorithms and data are protected by access controls such as multi-factor authentication and strong privileged access management (PAM). These should be embedded as foundational security measures.

Third-party risk management
Strong procurement processes for assessing the security of AI models and training data are also critical to avoiding integrity issues and reducing cyber risk exposures.

Information sharing
Organizations should collaborate with peers – across businesses and governments – to ensure that threat- and incident-sharing mechanisms take AI-related cyber risks into account.

Education and awareness
Leaders need to develop an understanding of both the opportunities and risks associated with AI, and invest in training programmes to enhance AI awareness, create an organization-wide culture of responsible AI adoption and help employees recognize potential risks. Training should be tailored to the role of employees.

Mind the gaps: basic cyber hygiene is not enough

Some existing critical control capabilities will need to be tailored and updated in order to mitigate the cyber risks related to AI adoption, while other critical control capabilities will need to be developed from scratch to adequately mitigate the cyber risks of AI adoption. Examples of the former are set out in Table 1 and examples of the latter in Table 2.

TABLE 1: Example of existing control capabilities that need to be tailored

| Control | Description |
| --- | --- |
| Inventory of enterprise devices and software | Ensuring that all new assets (devices and software) relating to AI infrastructure (as well as the models) are inventoried |
| Business critical asset mapping | Mapping the infrastructure supporting the new AI system – including databases and application programming interfaces (APIs) – to ensure that its criticality is understood and that it is protected accordingly |
| Information governance | Ensuring that the application of AI to personal and other sensitive data does not undermine organizational information governance policies and data protection regulations |
| Pre-deployment integrity processes | Tailoring security-by-design processes (such as hardening, secure coding, etc.) specifically for AI data, inference models and technologies. |
| Business incident response strategy | Refreshing incident response procedures and business continuity plans to account for the impacts of AI-related cyber risks |
| Incident recovery tools and management | Updating tools and playbooks for recovering AI systems that have been compromised (e.g. “roll-back” procedures for AI models). Defining the criteria under which AI should be switched off, if possible. |
| Exercising | Adapting the exercises with AI-related cybersecurity incidents to cover all major scenarios |