Cyber Security

Should AI-related risks be a separate domain or part of the IT Risk Assessment?

SU Asked by Susan Davis · 15-08-2025
0 upvotes 11,586 views 0 comments
The question

With the rapid adoption of Generative AI in our marketing department, I’m seeing new vulnerabilities like prompt injection and data leakage. As a CRISC professional, should I be creating a separate "AI Risk Framework," or is it better to integrate these into our existing IT Risk Assessment processes? I’m worried that treating it as "special" will lead to silos in our GRC reporting.

3 answers

0
PA
Answered on 22-08-2025

Integration is always the better path for long-term governance. In late 2024, my firm updated our "Technology and Security" domain controls to include AI-specific sub-categories. We didn't build a new silo; we just expanded our existing "Data Privacy" and "Third-Party Risk" assessments to ask questions about model training data and output validation. If you treat AI as a separate entity, you'll likely miss the "interconnected" risks—like how an AI vulnerability could lead to a traditional SQL injection. Stick to the CRISC principle of a unified enterprise risk view.

0
RO
Answered on 25-08-2025

Do your current "Acceptable Use Policies" cover AI tool usage, or are you waiting for the Risk Assessment to be finished first? Often, the policy change is the easiest "Quick Win" risk response while you're still figuring out the technical controls.

SU 28-08-2025

Robert, that’s a fair point. We actually pushed a "shadow AI" policy update last week to ban the input of PII into public LLMs. Patricia, your advice on expanding the "Third-Party Risk" section is gold. Most of our AI risk comes from the vendors we're already using who just added "AI features" overnight. I'll focus on updating our vendor due diligence questionnaires to include model transparency and data retention clauses, keeping it all under the existing GRC umbrella.

0
MI
Answered on 30-08-2025

AI is just another "Technology" asset in the CRISC Domain 4. Apply the same lifecycle controls you would for any other critical software or cloud service.

PA 02-09-2025

Exactly, Michael. The "Asset Identification" step of the risk assessment is where most people fail with AI. You can't manage what you haven't inventoried.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session