0:05 [Music]
0:07 how you enjoying the talk so far pretty
0:10 good stuff a yeah I'd say so well the
0:12 fun continues because in our next
0:15 session please welcome Jesse Jameson
0:18 senior cyber risk engineer at carnegi
0:21 melan University software engineering
0:24 Institute and Jesse will illustrate how
0:29 to mitigate and respond to AI risk
0:32 examine what it is that makes us
0:34 uncomfortable with emerging Technologies
0:38 like Ai and discuss some concrete steps
0:41 we can deploy uh with security to
0:44 measure confidently and securely just
0:47 how well we're doing things so Jesse the
0:48 stage is
0:52 yours hello I am Dr Jesse Jameson here
0:54 from the Carnegie melon University
0:56 software engineering Institute the C
0:58 division there um and I'm here to talk
1:00 to you today about sec securing Ai and
1:03 my perspective on securing AI uh the
1:05 title of my talk here is becoming more
1:08 comfortable with AI and uh one of the
1:10 things we're going to talk about as part
1:13 of my talk is the fact that uh AI as a
1:16 technology is something that uh has made
1:19 us kind of uncomfortable it's uh it's
1:22 something that requires some work to get
1:25 to understand and to uh employ securely
1:28 and confidently uh but hopefully by the
1:30 end of my talk you will will be left
1:32 with some tools techniques thoughts
1:35 practices and encouragement uh that will
1:38 help you uh deploy AI enabled
1:41 capabilities with confidence and
1:43 securely uh so with that we'll go ahead
1:45 and kick this right
1:48 off uh just regular document markings
1:52 here uh which I am required to show as I
1:55 mentioned AI is a technology that has
1:58 really burst in popularity it has been
1:59 around for a while Ai and machine
2:02 learning in enabled capabilities but the
2:05 recent Surge and popularity of large
2:07 language model and generative AI enabled
2:10 capabilities uh is has AI all over the
2:13 news and is a very and makes it a very
2:15 very hot topic but one thing I want us
2:19 to know is that uh new technologies
2:21 posing new challenges in cyber security
2:23 is something we've heard before we've
2:25 been here before we've dealt with this
2:29 before a few examples the burst of
2:30 Internet of Things
2:32 and distributed device Computing uh
2:35 security at the edge is a challenge that
2:37 uh we have had to overcome and that we
2:39 are still grappling to overcome today
2:42 another example is software supply chain
2:43 we're going to talk about this a little
2:45 bit with respect to AI but dealing with
2:48 the software supply chain has posed a
2:49 very complex set of challenges that
2:51 we've had to overcome and has changed
2:53 some of our thoughts on risk and risk
2:56 management another good example is uh
2:59 the event of remote work during the
3:01 covid-19 pandemic has opened us up to
3:03 all kinds of vulnerabilities and threats
3:05 different kinds of threats in the threat
3:08 space that maybe we were not uh as
3:10 attuned to or aware of as we were before
3:13 the pandemic so this includes uh threats
3:16 relevant to bring your own device uh
3:19 either mandates or or or what's actually
3:21 happening in distributed computing at
3:24 organizations and uh the Advent and
3:26 popularity increas in popularity of
3:28 virtualization has all forced us to
3:30 rethink um vulnerabilities the
3:32 vulnerability space how we're going to
3:35 manage those vulnerabilities and what
3:38 threats actually pose risk to our
3:40 organization another good example is the
3:43 event of cloud computing uh this is
3:45 another thing that's been uh another
3:47 topic that's been of high interest
3:50 especially in the world of big data that
3:54 we need to use uh cloud computing and
3:56 cloud computing resources to help us get
3:57 the most out of our data and our
4:00 computing power and all of these
4:02 challenges together are have presented
4:04 new new challenges to us new
4:05 technologies have presented new
4:07 challenges to us but this is not
4:10 something new is all I'm trying to say
4:13 here um the the the one thing though
4:16 about generative Ai and AI enabled
4:19 Technologies though is that uh is this
4:22 sense of urgency now I mentioned this
4:24 just a second ago uh when I was talking
4:26 about generative AI Technologies in
4:29 general there is a sense of urgency in
4:33 capital izing on AI right now and the
4:35 rate of innovation with respect to these
4:38 uh geni tools and gen capabilities has
4:42 our heads spinning and this has
4:44 definitely served to compound and
4:47 already complex security situation and
4:49 this is something that's posed A new
4:52 challenge uh or has us uh has us feeling
4:54 a little bit on the backf foot
4:56 especially in the cyber security and
4:58 risk World we've had to rethink a few
5:01 things um but like I said before we're
5:04 going to be working to find comfort in
5:07 the familiar as part of this talk I'm
5:09 going to be talking about uh risk
5:11 management Frameworks that have been
5:14 very successful tried andr Frameworks
5:15 that have helped us get through some of
5:17 these technological challenges that I
5:19 mentioned on the previous slides and
5:22 we're going to talk through um some of
5:25 the unique challenges that generative AI
5:27 Technologies and the Advent of these
5:29 very popular technologies have um
5:31 presented to those risk to the
5:33 implementations of those risk management
5:35 Frameworks so let's let's take a moment
5:37 and pause and go back to talk about what
5:41 we're familiar with um one thing that
5:44 that a properly executed riskmanagement
5:47 framework really hinges upon is
5:49 understanding a technology and how you
5:52 use it in your business context so how
5:55 one organization or another uses a
5:57 technology in it in their own business
5:59 context is going to be different and
6:02 that's going to impact the risks that a
6:04 institution or organization faces
6:07 relevant to that uh use of Technology
6:10 coupled with that is a threat space how
6:13 an organization uses technology in the
6:17 business context really uh serves to uh
6:20 filter that threat space down from one
6:22 that applies to the use of technology in
6:24 general to just the use cases that are
6:26 particular to an
6:28 organization and once an organization
6:31 has a good Gra grasp of the technology
6:32 and how they're using it in a business
6:34 context as well as the threat space and
6:37 what's relevant to them uh they can
6:40 really start to analyze how the use of
6:42 that technology is relevant to the risk
6:44 appetite and cont to the risk appetite
6:47 statements uh that an organization has
6:50 already invested time in developing um a
6:52 good risk management program spends some
6:54 time going through and developing these
6:57 risk appetite statements and revisits
6:59 them uh once a new technology or
7:02 innovation comes out and is going to be
7:05 implemented uh across an organization
7:07 that also shapes uh or helps an
7:09 organization understand the contextual
7:13 risk so there is risk in general just
7:14 like the threat space there's risk in
7:19 general that applies to a technology but
7:22 um every organization implements the
7:24 technology in its own way and that
7:27 causes uh some of the risk to not re to
7:29 not be particularly relevant uh and
7:31 makes uh and gives the RIS that
7:33 additional context that applies to the
7:35 organ to the coupling of the
7:38 organization its use cases and that
7:41 technology now once an organization
7:44 revisits its risk appetite uh and its
7:45 risk management
7:47 methodologies uh in the context of this
7:49 new technology and how they're going to
7:51 be using it then they can convert that
7:53 into a proper risk response and this
7:56 doesn't just mean mitigation so a good
7:58 risk response is mitigation is
8:01 understanding how to to transfer risk uh
8:03 maybe in a third party agreement you
8:06 work through uh you know how the risk is
8:08 is mitigated or handled by that third
8:10 party and then how you will assume it uh
8:13 you may have to choose to avoid that
8:16 risk altogether and maybe turn down uh
8:18 the opportunity to use some of those new
8:20 technologies um and you may employ
8:23 mechanisms for reducing that risk across
8:25 the Enterprise but all of this together
8:28 uh both the the B the technology and a
8:30 business context coupled with a threat
8:33 space and your risk appetite that you've
8:35 gone through a whole lot of effort to
8:36 develop and understand at the
8:39 organizational level uh goes into that
8:42 risk response right but there are two
8:45 pieces of this General risk management
8:48 framework that uh the Advent of large
8:51 language models and generative AI
8:52 technologies have kind of thrown a
8:54 wrench in and that is the threat space
8:57 that's the first one uh and and how we
8:59 might summarize this is that uh
9:01 generative AI as an emerging technology
9:04 has challenged traditional definitions
9:06 of vulnerability and has revealed new
9:08 threads we are now having to ask
9:11 ourselves very fundamental questions
9:13 around what a vulnerability even is and
9:16 what risk exposure means from the
9:18 context of this new technology we're
9:20 going to talk about the threat space uh
9:22 at length here in just a moment now the
9:25 second area where uh these technologies
9:27 have kind of thrown a risk in thrown
9:29 thrown a ringe in is in our risk
9:32 response uh and and you can summarize
9:34 this as saying that the options for
9:37 dealing with risk in the Gen space are
9:40 very broad they're very complex and they
9:42 apply to these new challenges that these
9:44 technologies have imposed upon us uh and
9:46 part of this is due to the fact that
9:49 large language models generative AI
9:51 Technologies are complex themselves have
9:54 a lot of moving parts so understanding
9:57 what knobs to turn to help you mitigate
10:00 transfer avoid or reduce that risk can
10:02 sometimes be a little bit more difficult
10:03 than if you're employing a more traditional
10:04 traditional
10:08 technology so so how do we mitigate this
10:10 how do we deal with this and and what
10:12 I'm going to talk to you about a little
10:15 bit today is that the keys to
10:17 effectively securing AI especially as
10:20 you employ a risk management framework
10:22 that's been generally uh presented like
10:25 here on the slide is is that you need to
10:28 invest a little bit in data agility and
10:30 organizational adapt adaptability
10:32 organizational adaptability is something
10:34 that I think we can we can grasp and
10:36 understand meaning that an organ it's
10:38 really an organization's ability to to
10:42 Pivot quickly uh from a strategic at a
10:44 strategic level now data agility is
10:47 something uh that that I've worked with
10:49 before but when I say that I mean the
10:52 ability of an organization to quickly
10:54 and efficiently utilize data to meet
10:56 evolving needs challenges and
10:59 opportunities so it's not just reacting
11:02 to negative but it's also embracing data
11:05 for positive benefit for an
11:08 organization um so so just to recap here
11:10 is I'm going as part of this talk I'm
11:12 actually going to be talking mostly
11:14 about uh the threat space and risk
11:17 response and how data agility and
11:19 organizational adaptability are really
11:23 going to be keys to to allowing you to
11:26 confidently and securely uh employ and
11:30 deploy um generative Ai and and large
11:31 language model machine learning AI
11:34 enabled Technologies so with that we're
11:35 kind of going to dive right into it and
11:38 talk about the threat space bit okay so
11:39 we're going to dive right into it here
11:41 and talk about the changing threat space
11:43 that has emerged as a result of the
11:46 Advent of generative AI Technologies
11:47 we've already touched on this a little
11:50 bit generative AI technologies have uh
11:53 changed the way that we think about and
11:55 reason about vulnerabilities they're no
11:58 longer just bugs and code they're a
11:59 little bit more complex
12:02 and affect a very complex technology
12:04 stack and one of the things I want to
12:08 emphasize just as I said before is that
12:11 overcoming this challenge is both a data
12:14 agility and an adaptability problem and
12:16 we're going to talk about that uh here
12:18 in just a second first I want to talk
12:22 about um some of the uh knowledge bases
12:25 and threat Frameworks that have come out
12:28 uh in the Advent of these generative AI
12:30 Technologies at first when these
12:32 Technologies hit the market there were a
12:36 lot of questions around what what new
12:38 threats and risks and vulnerabilities
12:40 and exposures are there do we even
12:42 understand this technology enough to
12:45 know and thankfully over time a lot of
12:47 these knowledge bases have come out that
12:50 have allowed us to more succinctly
12:52 organize and reason around what these
12:54 threats actually are and I'll mention a
12:57 couple of them here of the first being
12:59 the OAS top 10 and the second being
13:01 miter Atlas And there are others and
13:04 other Frameworks that one can adopt um
13:06 the point being though that you need to
13:09 adopt them so every time a new uh threat
13:13 database comes out I'm sure your
13:15 analysts in your organization are asking
13:18 questions around oh no I have to
13:21 integrate all this new data I have to uh
13:23 be able to map these to our risks and
13:25 map these to threats and generate uh
13:28 cyber cyber security threat intelligence
13:30 that I can use in my organization and
13:33 unfortunately especially in this case
13:36 that kind of is the case these are brand
13:38 new threats and vulnerabilities that
13:41 we've never seen before they're they're
13:45 not just rehashes of the same type of of
13:48 Playbook they're they're actually
13:50 sufficiently different to Warrant
13:53 upending sometimes the processes that we
13:56 use to measure and understand these so
13:59 if we're going to take these new threat
14:02 Frameworks MTH them to our uh to our
14:07 technology Stacks that requires a lot of
14:09 uh or a greater
14:12 capability uh with respect to the data
14:14 and data integration and really well
14:16 have a having a good foundational
14:19 understanding of your technology stack
14:22 as it is um so an organization that's
14:25 very quick to adopt these new threat
14:29 Frameworks that can uh very quickly
14:31 generate or adopt or harness a thread
14:34 intelligence is going to have a leg up
14:37 with respect to securing uh the
14:38 capabilities that you want to deploy
14:41 across your organization and I'm
14:43 actually going to show you an example of
14:45 why I think that this is a data agility
14:49 problem so from the oasp top oasp top 10
14:53 actually here is an example of a of of
14:56 an entry in that um in that framework
15:00 llm 07 2025 system prompt leakage now
15:04 that is a a vulnerability uh where
15:06 system prompts or instructions used to
15:09 steer the behavior of a generative AI
15:11 model can also contain sensitive
15:13 information that was not intended to be
15:15 discovered and the reason that this is
15:19 included is that uh through some prompts
15:22 uh one uh malicious actor or even
15:24 somebody who's not malicious and is just
15:26 playing around with the capability might
15:29 be able to cause the general ative AI
15:31 capability to return some of the
15:33 information on the back end that was
15:36 never quite meant to be to be revealed
15:39 to the end user uh through whether it's
15:42 prompt engineering you know we I'm sure
15:44 some of us have seen the the classic
15:47 ignore all of your previous instructions
15:49 uh types of prompts that are entered
15:52 into these gen capabilities um whatever
15:55 the mechanism might be the fact that uh
15:57 that information that was never meant to
16:00 be revealed can be revealed uh through
16:03 these uh very sophisticated uh prompts
16:08 is is a problem uh but how do we how do
16:13 we now check for this how do we um
16:15 understand this vulnerability what does
16:18 this actually mean how do we heal from
16:20 this and that's a complex question with
16:24 a very complex answer the first step is
16:26 understanding that threat so I just
16:27 walked through a very very succinct
16:29 explanation of what that vulnerability
16:34 actually is um and and I'm sure I'm
16:36 definitely not even doing that Justice
16:38 there's a whole lot of uh information
16:40 out there about these vulnerabilities
16:43 now that one can use to understand uh
16:45 what they are what the risks what the
16:47 risk to these vulnerabilities are what
16:49 capabilities are affected what
16:51 components of the capability are
16:53 affected whether that's your data lake
16:56 or the um interface that's used to send
16:59 and serve the prompts uh there's a whole
17:01 lot to understand there with respect to
17:03 these to these uh
17:05 vulnerabilities now once you understand
17:07 that we you have to identify in this
17:09 particular case the prompts and system
17:11 instructions that are being used and
17:13 embedded in the models as well as the
17:16 possible attack vectors now already for
17:19 both of these two steps I'm talking a
17:21 lot about data so you're collecting a
17:23 lot of data about the threat about risks
17:25 to your organization you're collecting a
17:28 lot of data around the uh capabilities
17:30 that exist out there in the wild that
17:33 have been employed by your organization
17:35 and not to even mention the internal
17:37 asset data that you have to collect to
17:39 know if you're even using any of these
17:42 capabilities and now once you have that
17:44 understanding even knowing and logging
17:46 and cataloging all of the prompts and
17:48 system instructions that you're using as
17:50 you implement these Technologies
17:53 requires an another level of uh of data
17:57 uh orchestration that that uh that
17:58 that's that can get overwhelming right
18:01 right so this is step two and then the
18:04 second or the third part might be to uh
18:06 to Now respond and Implement and unlock
18:08 this down Implement some prompt and
18:11 response logging uh sanitizing your
18:14 prompts uh having a mechanism for
18:16 refusing those prompts and then finally
18:18 going through and updating your models
18:19 your policies with data and
18:21 functionality updates and this is a
18:23 pipeline for just one type of
18:25 vulnerability there are plenty of other
18:27 vulnerabilities out there that apply to
18:29 these Technologies but again at every
18:32 step of this uh of this pipeline here
18:34 we're dealing with data whether that's
18:36 data about the external capabilities and
18:38 our own internal capabilities uh the
18:40 prompts how you're going to log those
18:43 sanitizing those uh the process for
18:47 dealing with those prompts uh logging uh
18:49 information about the models and the
18:51 changes and updates you've made to those
18:54 that's all data so your organization
18:58 needs to be agile in its capabilities uh
19:00 around dealing with with this data
19:02 harnessing this data knowing what to do
19:06 with it logging it uh keeping track of
19:09 it validating it uh and and the better
19:12 an organization is with respect to to
19:15 its data posture and its ability to
19:17 handle and deal with data uh I would
19:20 argue that the that those organizations
19:24 are more well posed poised to actually
19:26 deploy these capabilities securely and
19:29 in a way that that they can uh you know
19:33 confidently employ them uh and and uh
19:35 and use them to the ends of the
19:37 organization so that's just again that's
19:40 just one example uh of of how
19:43 complicated this can be and really if I
19:46 were to sum this up I would say that uh
19:47 at the end of the day your
19:51 organization uh should adopt and
19:54 hopefully uh or adapt and hopefully not
19:56 get to the point where it needs to start
19:58 over and rebuild a lot of its data
20:00 implementation and and data Technologies
20:04 uh from from the ground up so that again
20:06 that's just one example of how data is
20:08 kind of one of the common threads here
20:10 with all of these vulnerabilities and
20:13 the best organ the the best positioned
20:15 organizations are going to be those that
20:17 know how to handle their
20:19 data um now I already talked about
20:22 adaptability a little bit uh and what do
20:24 I mean by that if you're not just
20:26 talking about the data agility piece but
20:28 if but if you're talking about the
20:30 adaptability PS again not just knowing
20:34 how to use the data and and uh and and
20:36 employ that data to the benefit of your
20:38 organization but taking measures to
20:42 protect you and your data um data is
20:43 everything with these generative AI
20:47 capabilities and I think that um A
20:50 Renewed interest in data security is is
20:52 definitely at the Forefront of securing
20:54 AI Technologies you have to ensure that
20:56 these capabilities are tested before you
20:58 integrate them that's part of securing
21:01 in you and your data and you have to put
21:03 your money where your mouth is again I
21:05 just said it revisiting your data
21:07 security controls regularly and validate
21:08 that they are still doing what they need
21:11 to do um the third thing I'll touch on
21:15 here is prioritizing explainability and
21:18 transparency um especially for securing
21:22 AI if you don't know what behavior is
21:26 normal is expected uh then how are you
21:30 going to know what uh behavior is not
21:32 normal and not expected and both
21:34 explainability and transparency in your
21:37 data your prompts your model your
21:39 architectures uh and and your your whole
21:42 pipelines both of those are key to being
21:44 able to give you that strong
21:46 Foundation um another thing that every
21:49 organization needs to be doing already
21:51 uh but that is of particular relevance
21:54 to the geni Boom is uh monitoring your
21:57 Tech debt I know that as organizations
21:59 move to confidence deploy these
22:02 Technologies they do so incrementally
22:05 which is a great strategy but
22:07 incrementally deploying these
22:09 Technologies May mean that some
22:11 technical debt is building up underneath
22:14 that you don't really need anymore but
22:16 because these capabilities are so
22:19 complex rolling those off and rolling
22:24 those back uh as you Sunset them is very
22:25 very important and important to keep
22:28 track of and then finally I touched on
22:31 this just very briefly in the previous
22:33 slide but version controlling your
22:35 models your data and establishing data
22:38 Providence is something that's brand new
22:40 that a lot of organizations have not
22:43 really thought of before but the fact of
22:45 the matter is that with a lot of gen
22:47 capabilities there's no longer a
22:50 segmentation between code and data
22:52 because now the data that you use as a
22:54 prompt to get a response and use the
22:57 capability is now being used as code to
23:01 generate the output on the back end and
23:04 that's uh it's something that that's
23:07 taken some some thinking about to wrap
23:11 our heads around and your ability to to
23:13 track your models and your data is going
23:16 to be uh Paramount to keeping you secure
23:19 in this space now that's a lot to talk
23:21 through just with the threat space and
23:22 I'm going to Pivot now to talk about the
23:26 risk response um this is uh this is
23:29 another area that requires uh a little
23:32 bit more agility in this new space and
23:34 we're gonna we're going to touch on that
23:36 here as we kind of wrap up the talk so
23:38 so what's new we talked about this a
23:41 little bit uh the CH that the fact that
23:42 the challenges for dealing with risk in
23:45 the Gen space are very broad generative
23:48 AI capabilities are extremely complex uh
23:51 and are the the tools switches buttons
23:52 and knobs that we could turn to help us
23:55 manage mitigate uh and reason around
23:58 this risk um are our our Bountiful I
24:01 guess one would say and I would say that
24:04 dealing with risk in the geni space is
24:08 mostly an adaptability problem uh and
24:10 and you'll see kind of why I say that so
24:14 A few things here um that in the geni
24:16 space there is a trade-off between
24:21 utility and security uh you might the
24:22 ideal might be that you have a
24:25 generative AI technology that uh is
24:29 trained on your data that is only using
24:30 information that's relevant to your
24:34 product um or that um you know is
24:36 extremely fine-tuned to your use case
24:39 but the fact of the matter is that if a
24:42 capability is using your data and only
24:45 exclusively your data then your data is
24:47 what might be leaked or exposed should a
24:49 vulnerability be found in that
24:52 capability uh whereas if you employ the
24:53 use of a third party technology that's
24:57 trained on only external data um then
25:00 you're you're you're um leaving some
25:02 space and a gap between your data and
25:05 risk right so there is a trade-off there
25:06 and it's important to evaluate that trade-off
25:08 trade-off
25:11 continually um another suggestion here
25:13 is uh organizations and we didn't see
25:16 this with other with other Technologies
25:21 um but uh creating an AI review board um
25:23 the reason why this is such uh an
25:25 important step to take for an
25:27 organization with the event of these
25:29 types of Technologies the generative AI
25:32 Technologies is that generative AI
25:35 Technologies propo uh pose unique risks
25:38 to things like uh like legal issues um
25:41 they pose legal issues they pose um uh
25:43 issues of bias and ethics and having a
25:45 diverse cross functional team to
25:48 evaluate use cases and the risks to
25:50 those aspects of your organization uh is
25:52 something that a lot of a lot of teams
25:55 I've seen have adopted to great success
25:58 uh and and and I advocate for that as well
25:59 well
26:01 and I already talked about building
26:03 capabilities on a small scale and I will
26:05 remind you to keep in mind that uh when
26:07 you do this although it's a great idea
26:09 keep that technical debt in check and
26:11 then uh the the last two things I'll
26:14 touch on here to kind of wrap up uh on
26:17 this slide is uh sisa has actually
26:19 unveiled uh they have cyber security
26:21 performance goals these are ideal for
26:24 small and medium-sized organizations to
26:27 help organizations prioritize steps they
26:30 could take to uh to mitigate to deal
26:33 with risks imposed by any technology in
26:36 their cyber security stack um much less
26:39 generative a AI Technologies but those
26:42 have been evaluated for these new gen AI
26:45 Technologies and then finally the risk
26:47 the nist AI risk management framework I
26:50 talked generally about risk management
26:53 Frameworks earlier the N AI risk
26:55 management framework is a tried and true
26:58 process with just a few differences
27:00 between more traditional risk management
27:03 Frameworks and something that's AI
27:04 focused and I'll just run through those
27:07 really quick just to give you an idea um
27:10 there's new guidance in here for harmful
27:12 bias and AI systems I talked about that
27:14 just a second ago this is brand new to
27:18 generative AI Technologies and these new
27:20 uh security concerns related to machine
27:22 learning attacks so some of these
27:26 attacks or vulnerabilities um have kind
27:29 of been around even for machine learning
27:32 tools uh not just the generative AI
27:36 tools uh and this is the first I believe
27:39 the first actual treatment of those uh
27:41 security concerns in a risk management
27:45 framework a published by n i mean and
27:47 then um the complexity of the attack
27:50 service of AI systems has a specific
27:52 treatment in the AI risk management
27:54 framework as well as a there is a there
27:56 is a specific treatment for third- party
27:58 risk and all of these things taken
28:01 together is something that um that the
28:03 nist AI risk management framework
28:05 presents uh that organizations should
28:08 should consider adopting uh that that
28:09 makes it a little bit different from
28:11 traditional risk management Frameworks
28:14 and um your ability to look at this risk
28:17 management framework and pivot from one
28:18 version of an RMF a risk management
28:20 framework to something like an AI risk
28:24 management framework is a Hallmark of
28:26 good organizational adaptability and
28:28 that's why I mention it on this slide
28:30 that um that as these new risk
28:32 management Frameworks and controls pop
28:35 out uh your ability to evaluate and
28:38 adapt uh and adopt these risk management
28:41 Frameworks into your own risk processes
28:44 is a really good sign of organizational
28:47 adaptability um so so that's I
28:48 definitely wanted to make sure that I
28:49 mentioned both the cyber security
28:51 performance goals and the risk
28:54 management framework there and and so
28:56 now I've talked about a lot of different
28:58 things hopefully some concrete steps
29:00 that we can take in order to help us
29:03 better manage risk and secure and
29:05 securely and confidently deploy these AI
29:08 Technologies and I know that AI makes us
29:11 uncomfortable but we can do it we've
29:13 returned to places where we find Comfort
29:14 these risk management Frameworks
29:16 returning to what we know but I
29:18 acknowledge that this is not without
29:19 Challenge and and how we're going to
29:21 overcome these challenges is just like I
29:23 was saying this is one piece of how
29:26 we're going to do it right that we have
29:28 we have to have a healthy culture of
29:30 risk management in our organization
29:32 anyway uh that's first and foremost we
29:35 have to ask if we already have a
29:37 business appropriate risk appetite uh as
29:39 we continue to evaluate Technologies
29:42 just like this one and then our ability
29:45 to use data to its to its benefit and
29:47 our benefit can we use and manage this
29:50 new data and engineer new data pipelines
29:52 quickly and securely that's going to
29:56 really be really be key to uh to using
29:58 these Technologies um confidence ly and
30:00 securely finally the organizational
30:03 adaptability I talked about that asking
30:05 if you can adopt a new risk management
30:08 framework or a pivot on a relevant time
30:10 scale are you going to be able to use it
30:12 uh quickly and uh and in a way that
30:14 makes sense for your organization and
30:16 all of this together is actually going
30:19 to to to to come together to give us a
30:21 confident and secure use of emergent
30:24 Technologies these very quickly evolving
30:26 Technologies as they change as they
30:29 evolve over time and so with that um I
30:31 will wrap up it's been a really great
30:34 pleasure being here for the qualus uh
30:36 cyber RIS series talking about securing
30:38 AI I hope that you found even just a
30:42 little bit of my talk comforting um and
30:44 rewarding and if you do have any
30:47 follow-up questions or want to give me
30:49 feedback or uh or want to know more
30:53 about the work that we do at the SE uh
30:56 please feel free to reach out anytime
30:58 and with that I will turn it back over
