As companies integrate these tools into their operations, it is essential to understand the potential risks.
By embracing these risks and implementing effective risk management strategies, organizations can leverage the full potential of these technologies while maintaining a safe and secure operating environment.
Embracing the Risk and Opportunity of AI & Cloud.pptx
1. EMBRACING THE RISK AND OPPORTUNITY OF AI & CLOUD
LIVE WEBINAR
A CONVERSATION SERIES
2. SYMPTAI CONSULTING LTD.
About Symptai
60+ Team Members
22 Countries Served
400 Clients Served
Years in Business
Cyber Security: We help organizations develop and implement information security programs aligned with their corporate strategy.
Transformation, Compliance & Assurance: Assess and confirm the appropriateness of controls to safeguard business value and meet compliance standards.
Risk & Data Management: By designing and implementing solutions to combat financial crimes, we help customers manage their risks of fines and sanctions.
Data Privacy & Protection: As customers utilize the data they hold for strategic gains, we guide them in managing the risks associated with privacy and data legislations.
Candour
Integrity
Curiosity
Extraordinary People
Exceptional Results
Core Values
3. Embracing the Risk and Opportunity of AI & Cloud – What You’ll Learn
1. Introduction to Cloud & AI
2. AI & Cloud: The Sweet Spot – Use Cases Across Industries
3. Enabler of Cloud and AI: Data
4. The Impact of AI and Cloud on the Corporate Risk Profile
5. Preparing for AI and Cloud Adoption
6. Questions & Answers
5. What is Cloud Computing?
Cloud computing, as defined by the National Institute of Standards and Technology, is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
7. What is Artificial Intelligence?
Artificial intelligence (AI), as defined by the National Institute of Standards and Technology, is the capability of a device to perform functions that are normally associated with human intelligence such as reasoning, learning and self-improvement, e.g., language models such as ChatGPT.
AI is a collection of cognitive services including natural language processing (NLP), machine learning (ML), and computer vision and indexing, among others, that may help to achieve specific business goals.
10. PayPal’s AI-Powered SaaS Fraud Detection
PayPal, a global leader in digital payments, processes millions of transactions daily. Ensuring the security of these transactions is paramount to maintaining customer trust and preventing financial losses due to fraud.
Challenges:
• Transaction Volume
• Complex Fraud Patterns
• User Experience
Solution:
PayPal implemented an AI-powered SaaS fraud detection solution that utilized machine learning algorithms to analyze transaction data in real-time.
Benefits:
• Real-Time Analysis
• Behavioral Analytics
• Risk-Based Authentication
11. Canva’s Adoption of Cloud
Canva is a small organization that has developed a user-friendly design platform used by individuals, small businesses, and organizations worldwide.
Challenges:
• Scalability
• Collaboration
• Resource Efficiency
Solution:
Canva leveraged cloud computing services to address its scalability, collaboration, and resource efficiency needs.
Benefits:
• Global Reach
• Real-Time Collaboration
• Cost Efficiency
12. Predictive Healthcare in Barbados
Barbados, a Caribbean island nation, faced healthcare challenges related to non-communicable diseases (NCDs) such as diabetes and hypertension.
Challenges Faced:
• NCD Prevalence
• Limited Resources
• Preventative Care
Solution:
The Barbados Ministry of Health implemented an AI-powered predictive healthcare system that leveraged data to identify and support individuals at high risk of developing NCDs.
Benefits Gained:
• NCD Prevention
• Reduced Healthcare Cost
• Improved Quality of Life
15. The Impact of AI & Cloud on the Corporate Risk Profile
16. The Changing Profile of Technology Risk
Source: Agile, Resilient & Transformative – Global IT Internal Audit Outlook, KPMG International, 2021
17. The Impact on the Corporate Risk Profile - Cloud
Source: Thales 2023 Cloud Security Study
18. Impact on the Corporate Risk Profile - Cloud
Risks that may arise from the utilization of Cloud Computing include:
• Data
• Platform-related
• Speed of Security Automation
• Vendor/Third Party
19. Impact on the Corporate Risk Profile - Cloud
Some potential risks of the use of Cloud technologies (as addressed in the NIST SP 800-144 Framework industry standard) include:
• Governance
• Legal, Regulatory and Compliance
• Trust
• Architecture
• Identity and Access Management
• Software isolation
• Data Protection
• Availability
• Incident Response
20. Impact on the Corporate Risk Profile - AI
Risks that may arise from the utilization of AI Technology include:
• Security Threats
• Impaired Fairness
• Performance and explainability risk
• Vendor/Third Party
• Privacy Concerns
21. Impact on the Corporate Risk Profile - AI
The NIST AI 100-1 Framework proposes that for AI systems to be trustworthy and reduce risk exposure with use, they need to be responsive in some key areas:
• Valid and Reliable
• Safety
• Secure and Resilient
• Explainable and Interpretable
• Privacy-Enhanced
• Accountable and Transparent
• Fair – With Harmful Bias Managed
22. AI Risk Management Framework - Core
23. Summary of Risks Related to AI & Cloud Adoption
Data
Platform-Related
Speed of Security Automation
Data Protection & Privacy
Security Threats
Impaired Fairness
Performance and Explainability
Vendor/Third Party
Privacy
Industry Guidance: For Cloud: NIST 800-144; For AI: NIST AI RMF 1.0
Good morning, everyone. I am so excited to welcome you to today's webinar, proudly hosted by Symptai Consulting Limited. Together, we will explore the captivating realm of AI and Cloud, where we will focus on embracing the risk and opportunities associated with both.
In our digital age, the pace of change is relentless, and businesses around the world are striving to keep up. Today, we're going to delve into a dynamic intersection: the synergy between Artificial Intelligence and Cloud Computing, aptly termed "AI & Cloud: The Sweet Spot – SaaS." Our journey doesn't stop there; it continues to the backbone of this transformation, focusing on "Data & Infrastructure."
But transformation, as we all know, is not without its challenges and risks. We'll also explore the critical subject of "Impact on the organization Risk Profile" and discover how it can be managed effectively. Furthermore, we will discuss how we can help you to "Prepare for AI and Cloud adoption" in this fast-paced landscape.
So, we hope you are eager to embark on this exciting journey through the realm of agile risk management, where speed, innovation, and the seamless integration of AI and Cloud technologies become the keys to success in our ever-evolving digital landscape.
Artificial Intelligence (AI) and Cloud Computing, when combined, create a powerhouse of innovation. AI leverages the vast computational resources of Cloud platforms to process data, learn, and make intelligent decisions, paving the way for transformative solutions that were once unimaginable.
Cloud computing is a revolutionary technology that has transformed the way businesses operate by simplifying operations while improving efficiency and productivity. Adopting it is worth considering for businesses that want to stay competitive in today’s fast-paced digital economy.
Types of Cloud Technologies
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Types of Artificial Intelligence Technologies
Machine Learning
Artificial General Intelligence
Natural Language Processing (ChatGPT)
Cloud computing is a technology that allows individuals and organizations to access and use computing resources over the internet. Instead of owning and maintaining physical servers and data centers, users can rent or subscribe to cloud services provided by cloud service providers (CSPs).
Scalability: SaaS solutions are built on cloud infrastructure, which allows organizations to scale their software applications easily. This means that as a business grows or needs change, the software can adapt to accommodate increased usage or new features.
Cost-Efficiency: With SaaS, organizations can avoid the significant upfront costs associated with purchasing and maintaining on-premises software and hardware. Instead, they typically pay a subscription fee, which can be more cost-effective in the long run.
Accessibility: SaaS applications are accessible over the internet, enabling users to access their software and data from virtually anywhere with an internet connection. This accessibility fosters collaboration and remote work.
SaaS examples: Google Workspace, Zoom, Dropbox
The impact that AI can have on businesses can be classified as nothing less than profound, as it is transforming the way companies operate and creating new opportunities for growth.
With its ability to process vast amounts of data, AI is able to boost key performance metrics such as revenue, productivity, business growth, digital transformation, and efficiency.
"In today's digital landscape, the convergence of Artificial Intelligence (AI) and Cloud Computing is reshaping industries. AI harnesses the scalable power of Cloud platforms to fuel its learning and problem-solving capabilities, ushering in a new era of data-driven innovation and efficiency." We will now take a look at use cases for AI and Cloud.
Canva’s use of cloud computing illustrates how smaller organizations can harness cloud infrastructure to achieve global reach, support collaboration, optimize resource usage, and foster innovation without the need for a large IT infrastructure team or substantial upfront investments.
1. Data is the fundamental building block of AI and cloud initiatives.
It serves as the foundation upon which these technologies operate.
2. Data fuels the generation of valuable insights and intelligence.
AI algorithms rely on data to extract patterns, trends, and predictions.
3. Informed decision-making hinges on the quality and availability of data.
Data-driven decisions are more precise and result in better outcomes.
4. Data serves as a catalyst for innovation in AI and cloud technologies.
It sparks the development of new solutions, applications, and business models.
1. Organizations harness data to inform and guide decision-making processes.
Data provides the evidence and insights needed to make informed choices.
2. Data analysis helps organizations uncover trends and patterns within their operations and markets.
Trends can be historical, real-time, or predictive, allowing proactive responses.
3. Data-driven models and algorithms enable organizations to predict future outcomes and scenarios.
Predictive analytics empowers proactive strategies and risk mitigation.
4. Data-driven insights lead to operational optimizations.
Organizations identify areas for improvement, efficiency gains, and cost reductions.
As with any technology there are associated risks and challenges, and we will now discuss how some of these may be addressed from a risk and assurance perspective.
Sometimes organizations in the space are apprehensive about engaging these emerging technologies due to perceived risks and a lack of readiness around these technologies. Let’s talk a little then about how these technologies may be leveraged, while still having reasonable assurance/comfort around how attendant risks are being handled/addressed.
Key Points
The continued importance of resilient Cyber Security Controls, IT General Controls and Data Governance
The relatively high prominence of Cloud Governance
The formal inclusion of emerging technology such as AI/ML and blockchain on audit plans
The impact of the external environment on an organization’s control posture
According to the Thales 2023 Cloud Security Report, Global Edition:
Data-related risks include the possibility of data breaches (unauthorized access/disclosure/acquisition), data leakage (siphoning out of sensitive information / inadequate data loss prevention) and data loss (failure to have adequate backup of data).
Platform-related risks such as misconfiguration of the cloud environment, insecure application interfaces (APIs), and lack of control over data repositories.
Speed of security automation – relates to the confidentiality, integrity and availability of cloud-based resources. Adequate access controls and monitoring need to be in place, along with multifactor authentication, to prevent issues such as account hijacking (an exploitation of a valid network session for unauthorized purposes) through phishing and malware attacks, and to prevent insider threats.
Vendor/Third-Party Risks – Have a robust vendor management framework in which industry standards are followed for contracts, proper attestation is in place, and adequate due diligence is carried out (just because a vendor is a name brand or established in the market does not mean we can allow ourselves to reduce our vigilance and due diligence). Also consider the risk of the vendor going out of business and the controls required to mitigate that.
Governance – Adequate policies, procedures, standards and guidelines for application development and provisioning.
Compliance - Laws and regulations that impose security and privacy obligations on the organization as it relates to cloud initiatives e.g. data location, privacy and security controls, records management, and electronic discovery requirements.
Trust – Ensure that service arrangements have sufficient visibility into the security and privacy controls and processes employed by the cloud provider. Establish ownership rights over data. Guard against account hijacking through phishing, malware, etc.
Architecture - Understand the underlying technologies that the cloud provider uses to provision services.
Identity and Access Management - Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization.
Software Isolation - Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization.
Data Protection – Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data. Take into consideration the risk of collating organizational data with that of other organizations whose threat profiles are high or whose data collectively represent significant concentrated value. Fully understand and weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider.
Availability - Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, ensuring they meet organization’s continuity planning requirements.
Incident Response - Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization.
The more we change, the more things remain the same. AI innovation has similar risk exposures to those we have previously encountered, along with some new ones.
Risks related to security threats – Including vulnerabilities in AI systems that may be breached, exploited or used maliciously. Controls employed include model hardening and performing adversarial testing to filter questionable responses.
Impaired fairness – Algorithmic bias; misrepresentation of generated content as human-created, which leads to confusion and deception of users. Controls – Perform fairness and bias testing. Disclose use of AI to users. Use bias detection and identification tools.
Performance and explainability risk – Inability to explain model outputs appropriately, and model inaccuracies. This obscurity makes auditing the algorithms and their output difficult. Cf. the fake news trend.
Third-party risk – Risks associated with the use of third-party AI tools. There is a need to evaluate third-party risk and ethics, prevent sharing of proprietary data, and prevent vendor lock-in (in case the vendor goes out of business, etc.).
Privacy concerns – Unauthorized use/disclosure of personal or sensitive information. Implement measures to protect sensitive data. Control – Appropriate access controls to restrict model and data access.
Generative AI (GenAI), which is more than just ChatGPT, enables the creation of new unstructured content, such as text, images, etc., and can be instrumental in automating various Risk & Compliance activities.
Based on its research, McKinsey expects a 30% increase in productivity across risk and compliance functions from deploying Generative AI.
Some use cases being explored within the risk management and compliance space include Virtual Expert, Ops Automation, Code Acceleration, and Content Generation.
E.g., for Ops Automation: manual processes such as customer onboarding, loan application, KYC.
Implementing Generative AI doesn’t replace the existing goals and targets for organizations (e.g., digitization, big data analytics). This should be considered as a means to accelerate the goals, explore newer efficiency levers and drive innovation.
Unauthorized/Inaccurate access which may impact confidentiality and integrity of sensitive customer information. Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.
Execution, delivery and process management – Configuration issues, data entry errors, failed/erroneous transactions, incomplete operating procedures, negligent loss or damage to client assets, task misperformance
Business Disruption and System Failure – Hardware/software failures, system outage, data recovery failure, utility disruption, natural disasters, continuity issues
Information Security – Malicious cyber attacks, security breaches, data loss
Fraud Detection & Prevention – Internal/external fraud, account takeover, theft, impersonation, misappropriation of assets
Regulatory and Compliance – Legal issues, vendor disputes, regulatory and compliance breaches
For AI systems to be trustworthy, and thereby reduce negative AI risks, they need to be responsive in some key areas, with consideration given to the associated risks.
Valid and Reliable - Are outputs true? Is there objective evidence that requirements have been fulfilled? Correctness of AI systems over the lifetime of the system. Validity and reliability of AI systems are assessed by ongoing testing or monitoring of performance.
Safety - Loss of human influence over AI technology. Improved through responsible design, development & deployment, and responsible decision making by deployers and end users.
Secure and Resilient – Can models withstand unexpected adverse events and changes? Is there adequate data governance and data security? Can AI systems maintain confidentiality, integrity and availability? Resilience is the ability to return to normal after an adverse event; security includes protocols to avoid, protect against and respond to/recover from attack.
Explainable and Interpretable – Explain complexity of AI models and data used. Reduce potential for fraud and data breaches. Adequate documentation describing how AI systems function – enable more thorough audit, monitoring & governance. What? How? Why?
Privacy Enhanced – Risks due to enhanced data aggregation capability for AI systems, unauthorized disclosure of sensitive data, endpoint security, ensuring AI communicates with trusted sources, ensuring compliance and adherence to applicable laws and regulations e.g., EU GDPR and Jamaica Data Protection Act.
Accountable and Transparent – Extent to which info about an AI system and its output is accessible to users thereby increasing confidence in the AI system. Accountability presupposes transparency.
Fair with Harmful Bias Managed – Risk related to managing human bias introduced inadvertently during AI data processing. Address issues to do with fairness, equity and equality, and prevent discrimination, e.g., in the use of demographic data.
The AI Risk Management Framework Core provides outcomes and actions that enable dialogue, understanding, and activities to manage AI risks and responsibly develop trustworthy AI systems. As illustrated in Figure , the Core is composed of four functions: GOVERN, MAP, MEASURE and MANAGE.
Govern – Address the full product lifecycle, adequate policies and procedures, roles and responsibilities.
Map – Establishes the context to frame risks related to an AI system. What is the direction of the innovation, and what are the potential risks and the controls to mitigate them?
Measure – Quantitative, qualitative and mixed-method tools & metrics. How we assess the identified risks.
Manage – Allocating risk resources to mapped and measured risks.
Risk management should be continuous, timely, and performed throughout the AI system lifecycle dimensions.
Governance – Adequate policies, procedures, standards and guidelines for application development and provisioning.
Compliance - Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements.
Trust - Establishing clear, exclusive ownership rights over data. Institute a risk management program to meet emerging needs e.g., to prevent account hijacking through phishing, malware etc.
Architecture - Understand the underlying technologies that the cloud provider uses to provision services.
Identity and Access Management - Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization.
Software Isolation - Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization.
Data Protection – Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data.
Availability - Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, ensuring they meet the organization’s continuity planning requirements.
Incident Response - Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization.