The simple but critical rule that applies to all organizations is that their constituents must trust them, or the organization fails. The words are simple, but the execution is fraught – and that was before generative artificial intelligence became popular.

How might generative AI (or any form of AI) impact the trust that customers and partners have invested in your brand? What does that have to do with your business value? Maybe your business makes widgets, runs a bakery, or is a logistics organization. Your organization doesn’t create AI or anything remotely similar, such as machine language models. Your employees might occasionally use generative AI from one of the popular models, or build it into your commercially licensed applications, but it isn’t (yet) core to your business.

As generative AI becomes more prevalent, it opens entirely new avenues of risk for your organization. Those risks make it easier than ever to lose the trust your organization has built. Some common use cases help explain why:

• Privacy: You’re planning a gala to celebrate a critical milestone in your business. You want the invitations to be perfect. You use generative AI to help design the invitations, and they come out looking fantastic. As part of the design process, you uploaded client information to help the AI create more accurate information. That private information has now been made part of the public AI model, so anyone using the AI engine you did essentially has that private information as part of its model, and you will never control how they might use it. You have likely made the information discoverable by others. Thus, you have likely disclosed information without permission and permanently made it part of a generative AI model, exposing the organization to privacy claims.
• Situational use: Your business has a need to conduct research. There is a lot of conflicting information, and it will take days to read it all, and more time to validate it. A perfect use case for generative AI. It processes the information and provides useful results in mere minutes (or faster). Your business is ready to move forward! But: How does your business know the AI didn’t “hallucinate” – i.e., make something up – or that it only reviewed factual sources and not opinions, or a list of myths that the AI mistakenly understood to be facts? How does the business make critical decisions based on data it can’t validate?
• Deep fakes: Your founder’s words are foundational to your organization. Today it is easy to create an audio or video clip of anyone using just a few minutes of their video and voice recordings. What would the damage be if a video were to surface of the founder saying profits are more important than safety? Could your organization prove it was fake? Can you prove your current videos are real if challenged to do so?

These examples aren’t intended to argue that generative AI is bad. On the contrary, AI has a place in many organizations and can make your operations more cost-effective. But how does an organization manage the risk and improve its business value?

In principle, good cyber hygiene is part of the answer:

• Understand your risk
• Know your source (AI model)
• Permit authorized use only
• Validate the information

“As more companies embrace the use of AI, it is essential that they have a governance and managed risk management process in place,” urges CohnReznick’s Deborah Nitka, a senior manager focused on AI consulting. In other words:

• Has your organization performed a risk assessment of the use of AI relative to your potential use cases? Does the risk assessment incorporate generative AI?
• How does the risk change if the AI is on-premises or in a public instance?
• What type of data are your employees allowed to share with the AI? Does that information need to be validated, or are they empowered to share it?
• How do you make sure only authorized users access generative AI?
• Read more considerations in an earlier article on generative AI implementation and risk co-authored by Deborah and CohnReznick’s Adonye Chamberlain.

In addition to how your organization uses data and AI, you need to consider what third parties might be doing with it. Just as you have standard cybersecurity policy and contract language in place (you do have this, right?), you need to address AI through language in all your contracts. Your business should cover all forms of AI in its Acceptable Use Policy, or a stand-alone AI policy. Because we are at the early stage of AI adoption, many firms have taken the stance that AI is only allowed by exception, as they work to better understand the implications of its use and seek out professional expertise to help evaluate the risk and make sure the outcome delivers business value.

The risk and rewards of AI are real and can be consequential. AI is a technology, but to be successful, its adoption needs to be part of a cultural change.

Integrating AI into your business process is something CohnReznick can help you with, by helping your business understand the risks, rewards, and process changes. We can help you with an implementation that is designed to fit your business model and your risk appetite. We see AI not as just another “tool in the toolbox,” but one that – when properly understood and harnessed – enables you to change how your tools operate and deliver value, if you properly mitigate the risks.