Adapting to AI Risks: Essential Cybersecurity Program Updates

To download this tip sheet as a PDF, click here: Adapting to AI Risks: Essential Cybersecurity Program Updates

Artificial intelligence (AI) is reshaping cybersecurity, bringing both new threats and opportunities. This checklist equips IT and cybersecurity leaders with actionable steps to address AI risks while leveraging its defensive potential.

1. AI Risk Assessment

• Inventory AI Technology
  Identify and document all AI systems, models, and tools used in your organization, including third-party services and personal devices.
• Evaluate AI-Specific Threats
  Assess vulnerabilities unique to AI, such as adversarial attacks, model poisoning, or data leakage from training sets.
• Regulatory Compliance Check
  Ensure AI implementations meet applicable regulatory and industry standards (e.g., GDPR, CCPA, NIST AI RMF).
• AI Research and Collaboration
• Stay informed about emerging AI risks and solutions by engaging with industry groups and research initiatives.

2. Deploy AI Security Controls

• Budget for AI Security
  Allocate funding for securing AI systems and developing related capabilities.
• Research and Implement Security Controls
  Identify security controls specific to the AI technology in use at your organization. Review, implement and audit controls consistently. Update existing security controls to address new risks introduced by AI, if needed.
• Access Controls
  Restrict access to datasets and AI systems based on least privilege principles.

3. Communication and Crisis Management

• Deepfake Response Plan
  Develop strategies for identifying and mitigating the impact of deepfake content targeting your organization.
• Stakeholder Engagement
  Keep executives and board members informed about AI-related risks and your mitigation strategies.
• Public Relations Preparedness
  Prepare for AI-enabled misinformation or disinformation campaigns with proactive communication plans.

4. Incident Response Updates

• Plan for AI-Specific Scenarios
  Update incident response plans to address AI-specific threats, such as deepfakes or AI generated phishing attacks.
• Train Your Team
  Conduct tabletop exercises focused on AI-related attack scenarios.

5. Workforce Training and Awareness

• AI Awareness Training
  Educate employees on AI risks, such as synthetic media and automated social engineering.
• Educate Security Staff
  Provide advanced training for cybersecurity staff on defending against AI-driven threats.
• Encourage Ethical AI Use
  Promote responsible AI usage and establish clear internal policies.

6. Policy and Governance Updates

• AI Governance Framework
  Establish a governance framework to oversee AI-related security risks and ethical considerations.
• Regular Audits
  Audit AI systems and processes for compliance, effectiveness, and security.
• Incident Reporting Channels
  Create clear channels for reporting AI-related incidents or vulnerabilities.

7. Enhanced Threat Detection and Response

• Leverage AI for Detection
  Use AI-driven tools to identify patterns of anomalous behavior and emerging threats.
• Threat Intelligence Integration
  Incorporate AI-focused threat intelligence feeds into your security operations, when appropriate.

8. Vendor and Supply Chain Risk Management

• Vendor AI Assessment
  Assess the security posture and practices of vendors. Add questions to vendor vetting programs designed to identify and track usage of AI and related risks.
• Evaluate AI Products
  Regularly review the security of AI products and services in order to identify and control risks, and take advantage of security features when available.
• Contractual Safeguards
  Include clauses addressing AI security, data protection, and intellectual property in vendor agreements.