We still need to engage "Brain"
The Illusion of Full Automation

Editor's note
I have been sick the last week with a throat infection.
As such I have had a brain fog and I have struggled to even write good AI prompts.
It did get me thinking though!
Over the course of the week I thought about the many people who have commented that you can just use AI to do Risk Management, whether that be ChatGPT, Gemini, Claude or whatever.
We are entering a real state of laziness where we are glued to the screen and we will agree with everything that the AI tells us. And to be honest in most cases their responses are convincing for sure.
Unless your entire business is completely automated, there is a point where you and others need to engage brain - and really think about what has been produced.
AI is great for generating risks, controls, and in some cases even some form of context.
But it never truly understands your business and the quirks and nuances that are critical to how your business operates.
This is something ‘You’ still need to do.
As such, trying to retrofit AI-generated output directly into your business in these cases most likely won't make you more efficient or better; rather, it will make you a lot worse.
Even our controls engine and controls scorer, which has been designed for businesses to create and compare their controls against industry standards, needs professional oversight.
No two AI answers are ever the same. They might be similar but they are never the same.
In one case our controls scorer scored a control weaker after remediation was put in place.
The core reason for this was that the full context for this particular business persona did not exist.
Our team however knew as we had a greater and more human relationship with the business and we were able to assess and determine whether the AI response was accurate or not.
In this case we had more relevant data about this business than the AI tool did.
What makes us human will differentiate us from AI - at least for now.
AI-Generated Risk Registers: Helpful Draft or Dangerous Shortcut?
We are doing this now as part of daily life.
We refer to an AI bot on our computer, tablet or phone to tell us the answer.
We even rely on an AI bot to make us feel better and be our friend.
Same with risk and controls - we are outsourcing this to the AI bot. The Big 4 are doing it, so it must be right?
We did a lazy comparison between two agents, one running on OpenAI and the other running on Gemini.
Both were given identical prompts and asked to score a control out of 10.
Each was given dimensions to follow and score, with the average being the control score:
Control Articulation - how well it is written
Context - who the control is for: is this a business or an individual, a regulated entity or a mum and dad business...
Standards - Mapping and alignment with international standards as a baseline
The control we compared related to governance, policies and procedures. I won't bore you with the details here.
As much as I would like to be smug and say the models produced different results, annoyingly they produced similar analyses.
The initial set of governance controls was scored at approx. 5-10 (for both models), and after a control remediation they both scored 7.3.
But the reasoning and the journey to get there was different.
The context really sways the scoring system. In this particular case minimal context was given to each model. Neither model knows:
How big or small your business is
What your product or widgets are
What your critical processes are
Operational and risk teams sit in the same room only accessible via swipe card
Roger is actually the CISO and the CRO - because they are a smaller business, and because of his experience in both roles previously
The context window can be as big or as small as you want it to be.
At this current stage - you probably know more about your business than your AI tool or any AI tool knows, just because you possess more data.
This is where the true risk lies, and AI can't solve for this right now.
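To make the scoring method described above concrete, here is an added example (not the Zero Bull$ec controls scorer, and not code from either AI vendor) that averages the three dimensions into a control score and then gates the result for human review. The dimension names, the assumed context fields (business size, products, critical processes, regulated status) and every sample score are constructed for illustration; the "7.3 after remediation" figure from the comparison is reproduced as a sample value only.

```python
# Added example, not the Zero Bull$ec controls scorer: aggregates per-dimension
# scores from two models and flags the cases the post says need a human
# (missing business context, a control scored weaker after remediation,
# and models disagreeing). All names and sample values are constructed.
from dataclasses import dataclass

# The three dimensions the post describes; the control score is their average.
DIMENSIONS = ("articulation", "context", "standards")

# Business facts the post says neither model had (assumed field names).
REQUIRED_CONTEXT = ("business_size", "products", "critical_processes", "regulated")


@dataclass
class ModelScore:
    model: str
    dims: dict  # dimension name -> score out of 10

    def control_score(self) -> float:
        """Average of the dimension scores, rounded to one decimal."""
        return round(sum(self.dims[d] for d in DIMENSIONS) / len(DIMENSIONS), 1)


def aggregate(scores) -> float:
    """Average the control score across models."""
    return round(sum(s.control_score() for s in scores) / len(scores), 1)


def review_flags(before, after, context, max_spread=1.0):
    """Return the reasons a person must look at this result before it is used.

    before/after: lists of ModelScore for the control pre- and post-remediation.
    context: dict of business facts supplied to the models; absent keys are a flag.
    max_spread: largest acceptable gap between models on the same control.
    """
    flags = []
    missing = [k for k in REQUIRED_CONTEXT if k not in context]
    if missing:
        flags.append("missing context: " + ", ".join(missing))

    # A remediated control should not score lower than it did before remediation.
    before_by_model = {s.model: s.control_score() for s in before}
    for s in after:
        prev = before_by_model.get(s.model)
        if prev is not None and s.control_score() < prev:
            flags.append(
                f"{s.model} scored control weaker after remediation "
                f"({prev} -> {s.control_score()})"
            )

    # Two models given the same prompt should land close to each other.
    after_scores = [s.control_score() for s in after]
    spread = round(max(after_scores) - min(after_scores), 1)
    if spread > max_spread:
        flags.append(f"models disagree by {spread} on remediated control")
    return flags


# Constructed sample: two models, identical prompt, pre- and post-remediation.
BEFORE = [
    ModelScore("model_a", {"articulation": 6, "context": 4, "standards": 5}),
    ModelScore("model_b", {"articulation": 5, "context": 4, "standards": 6}),
]
AFTER = [
    ModelScore("model_a", {"articulation": 8, "context": 6, "standards": 8}),
    ModelScore("model_b", {"articulation": 7, "context": 7, "standards": 8}),
]
# Constructed case where one model marked the remediated control weaker.
AFTER_REGRESSED = [
    ModelScore("model_a", {"articulation": 4, "context": 3, "standards": 5}),
    ModelScore("model_b", {"articulation": 7, "context": 7, "standards": 8}),
]
NO_CONTEXT = {}
FULL_CONTEXT = {
    "business_size": "small",
    "products": "widgets",
    "critical_processes": ["billing"],
    "regulated": False,  # present but False must not count as missing
}

if __name__ == "__main__":
    print("after remediation:", aggregate(AFTER), review_flags(BEFORE, AFTER, FULL_CONTEXT))
    print("regressed run:", review_flags(BEFORE, AFTER_REGRESSED, NO_CONTEXT))
```

The point of the gate is the third branch in `review_flags`: when the models agree and the context is complete, the score passes through untouched, but a score that drops after remediation, or a wide gap between models, is handed to a person who knows the business rather than being written into the register as-is.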
Yes you can train your models
Yes you can give them more data out of your head
Yes you can give more context
But...
this also has to be done over time and has to be carefully structured, as we then have to look at how AI models interpret the data provided and whether that interpretation is consistent with how you or your business is operating.
There we go.
Can of worms opened.
Discussion for another day - if you are still awake.
A full video of the above tests will be available.
This week's myth
“AI will replace risk analysts.”
It cannot replace the judgment, prioritization, and negotiation skills that human risk professionals bring.
Note - Yes I think so eventually, at least the bad and lazy ones. I don't think AI will replace those that think outside of the box, are curious and are willing to go down rabbit holes. Technology is creating a lot of rabbit holes which are creating unknown vulnerabilities, and threats we have never seen before.
Interesting Reading
Stuff to think about over coffee
Relying too heavily on gen AI outputs can create a false sense of security at a time when teams need increasing vigilance.
57% of chief risk officers (CROs) and chief financial officers (CFOs) say their organization’s use of gen AI will increase overall risk exposure
More than half of executives are concerned about the cost of computing resources and new cybersecurity threats.
Look to AI leaders to monitor gen AI deployments, conduct risk assessments, and report to executive leadership
84% of CROs and CFOs say reputational risk needs greater visibility at the board level.
Only 40% have a strategy in place to deal with compliance shortcomings.
Organizations face myriad risks that could become firestorms in a flash.
Thank you for joining our community as we look to share practical and thought-provoking topics when it comes to technology and security.
If you haven't already, click the signup button to subscribe and get the latest newsletter directly to your inbox.
We will do our best to provide well researched and tested theories. Please comment, agree, disagree, or share your own experiences.
We want this to be a safe space to share any opinions with the object of true learning and experiences.
Many thanks
Rohan