Embracing the Risk and Opportunity of AI & Cloud.pptx

Editor's Notes

• #2: Good morning, everyone, I am so excited to welcome you to today's webinar, proudly hosted by Symptai Consulting Limited. Together, we will explore the captivating realm of AI and Cloud where we will focus on embracing the risk of opportunities associated with both.
• #4: " In our digital age, the pace of change is relentless, and businesses around the world are striving to keep up. Today, we're going to delve into a dynamic intersection: the synergy between Artificial Intelligence and Cloud Computing, aptly termed "AI & Cloud: The Sweet Spot – SaaS." Our journey doesn't stop there; it continues to the backbone of this transformation, focusing on "Data & Infrastructure." But transformation, as we all know, is not without its challenges and risks. We'll also explore the critical subject of “ Impact on the organization Risk Profile" and discover how it can be managed effectively. Furthermore, we will discuss how we can help you to “Prepare for AI and Cloud adoption" in this fast-paced landscape. So, we hope you eager to embark on this exciting journey through the realm of agile risk management, where speed, innovation, and the seamless integration of AI and Cloud technologies become the keys to success in our ever-evolving digital landscape.
• #5: Artificial Intelligence (AI) and Cloud Computing, when combined, create a powerhouse of innovation. AI leverages the vast computational resources of Cloud platforms to process data, learn, and make intelligent decisions, paving the way for transformative solutions that were once unimaginable.​
• #6: Cloud computing is a revolutionary technology that has transformed the way businesses operate by simplifying operations while improving efficiency and productivity. It is a good consideration for businesses to adopt to stay competitive in today’s fast-paced digital economy Types of Cloud Technologies Software as a Service (SaaS) Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Types of Artificial Intelligence Technologies Machine Learning Artificial General Intelligence Natural Language Processing (ChatGPT)
• #7: Cloud computing is a technology that allows individuals and organizations to access and use computing resources over the internet. Instead of owning and maintaining physical servers and data centers, users can rent or subscribe to cloud services provided by cloud service providers (CSP). Types of Cloud Technologies Software as a Service (SaaS) Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Scalability: SaaS solutions are built on cloud infrastructure, which allows organizations to scale their software applications easily. This means that as a business grows or needs change, the software can adapt to accommodate increased usage or new features. Cost-Efficiency: With SaaS, organizations can avoid the significant upfront costs associated with purchasing and maintaining on-premises software and hardware. Instead, they typically pay a subscription fee, which can be more cost-effective in the long run. Accessibility: SaaS applications are accessible over the internet, enabling users to access their software and data from virtually anywhere with an internet connection. This accessibility fosters collaboration and remote work. SaaS examples: Google Workspace, Zoom, Dropbox
• #8: Types of Artificial Intelligence Technologies Machine Learning Artificial General Intelligence Natural Language Processing (ChatGPT)
• #9: The impact that AI can have on businesses can be classified as nothing less than profound as it is transforming the way companies operate and create new opportunities for growth. With its ability to process vast amounts of data, AI is able to boost key performance metrics such as revenue, productivity, business growth, digital transformation, and efficiency.
• #10: "In today's digital landscape, the convergence of Artificial Intelligence (AI) and Cloud Computing is reshaping industries. AI harnesses the scalable power of Cloud platforms to fuel its learning and problem-solving capabilities, ushering in a new era of data-driven innovation and efficiency.“ We will now take a look into use cases for AI and Cloud.
• #11: PayPal's implementation of AI-powered SaaS fraud detection yielded significant results: Fraud Reduction Fewer False Positives Enhanced User Experience Proactive Fraud Prevention
• #12: Canva’s use of cloud computing illustrates how smaller organizations can harness cloud infrastructure to achieve global reach, support collaboration, optimize resource usage, and foster innovation without the need for a large IT infrastructure team or substantial upfront investments.
• #14: 1.Data is the fundamental building block of AI and cloud initiatives. It serves as the foundation upon which these technologies operate. 2.Data fuels the generation of valuable insights and intelligence. AI algorithms rely on data to extract patterns, trends, and predictions. 3.Informed decision-making hinges on the quality and availability of data. Data-driven decisions are more precise and result in better outcomes. 4.Data serves as a catalyst for innovation in AI and cloud technologies. It sparks the development of new solutions, applications, and business models.
• #15: .Organizations harness data to inform and guide decision-making processes. Data provides the evidence and insights needed to make informed choices. 2.Data analysis helps organizations uncover trends and patterns within their operations and markets. Trends can be historical, real-time, or predictive, allowing proactive responses. 3.Data-driven models and algorithms enable organizations to predict future outcomes and scenarios. Predictive analytics empowers proactive strategies and risk mitigation. 4.Data-driven insights lead to operational optimizations. Organizations identify areas for improvement, efficiency gains, and cost reductions.
• #16: As with any technology there are associated risks and challenges, and we will now discuss how some of these may be addressed from a risk and assurance perspective. ​ ​ Sometimes organizations in the space are apprehensive about engaging these emerging technologies due to perceived risks and a lack of readiness around these technologies. Let’s talk a little then about how these technologies may be leveraged, while still having reasonable assurance/comfort around how attendant risks are being handled/addressed.  ​
• #17: Key Points The continued importance of resilient Cyber Security Controls, IT General Controls and Data Governance The relativity high prominence of Cloud Governance  The formal inclusion of emerging technology such as AI/ML and blockchain on audit plans The impact of the external environment on an organization’s control posture
• #18: According to 2023 Cloud Security Report Global Edition
• #19: According to the Thales 2023 Cloud Security Report, Global Edition:
• #20: Data related risks include the possibility of data breaches (Unauthorized access/disclosure/acquisition), data leakage (siphoning out of sensitive info /inadequate Data loss Prevention) and data loss (failure to have adequate backup of data) Platform related risks such as mis –configuration of the cloud environment, insecure application interfaces (APIs), lack of control over data repositories. Speed of Security automation related to confidentiality, integrity and availability of cloud-based resources. Here there is the need to ensure adequate access controls and monitoring are in place, use of multifactor authentication to prevent issues such as account hijacking (An exploitation of a valid network session for unauthorized purposes) through phishing, malware attacks; Also prevent Insider threats. Vendor/Third Risks – Have a robust Vendor Management framework where Industry standard are followed re Contracts, proper attestation in place, carry out adequate due diligence (Not because Vendor is name brand or established in the market, we can we allow ourselves to reduce our vigilance and due diligence). Also need to consider risk of vendor going out of business and required controls to mitigate that.
• #21: Governance – Adequate policies, procedures, standards and guidelines for application development and provisioning. Compliance - Laws and regulations that impose security and privacy obligations on the organization as it relates to cloud initiatives e.g. data location, privacy and security controls, records management, and electronic discovery requirements. Trust – Ensure that service arrangements have sufficient visibility into the security and privacy controls and processes employed by the cloud provider. ownership rights over data. account hijacking through phishing, malware etc. Architecture - Understand the underlying technologies that the cloud provider uses to provision services. Identity and Access Management - Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization. Software Isolation - Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization. Data Protection – Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data. Take into consideration the risk of collating organizational data with that of other organizations whose threat profiles are high or whose data collectively represent significant concentrated value. Fully understand and weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider. Availability - Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, ensuring they meet organization’s continuity planning requirements. Incident Response - Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization
• #22: The more we change, the more things remain the same. AI innovation have similar risk exposures hich we have previously encountered along with some new ones. Risks related to Security threats – Including vulnerabilities in AI systems that may be breached, exploited or used maliciously. Controls employed include Model hardening, performing adversarial testing to filter questionable responses. Impaired fairness – Algorithmic bias; misrepresentation of generated content as human-created. Leads to confusion and deception of users. Control - Perform fairness and bias testing. Disclose use of AI to users. Use bias detection tools & identification tools. Performance and Explainability risk - Inability to explain model outputs appropriately and model inaccuracies. Makes auditing the algorithms and output difficult due to obscurity. Cf fake news trend Third party risk – Risks associated with the use of third-party AI tools. The need to evaluate third party risk and ethics/ prevent sharing of proprietary data/ prevent vendor lock-in (in case vendor goes out of business etc. ) Privacy concerns - Unauthorized use/disclosure of personal or sensitive information. Implement measures to protect sensitive data. Control – Appropriate access controls to restrict model and data access.
• #23: Generative AI (GenAI) which is more than just ChatGpt, enables the creation of new unstructured content, such as text, images, etc. can be instrumental in automating various Risk & Compliance activities. Based on research by McKinsey, they expect a 30% increase in productivity across risk and compliance functions in deploying Generative AI Some use cases being explored within the risk management and complinace space include Virtual Expert, Ops Automation, Code Acceleration, Content Generation E.g. For Ops Automation Manual processes such as customer onboarding, loan application, KYC Implementing Generative AI doesn’t replace the existing goals and targets for organizations (e.g., digitization, big data analytics). This should be considered as a means to accelerate the goals, explore newer efficiency levers and drive innovation.
• #24: Unauthorized/Inaccurate access which may impact confidentiality and integrity of sensitive customer information. Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data. Execution, delivery and process management – Configuration issues, data entry errors, failed/erroneous transactions, Incomplete operating procedures, Negligent loss or damage to client assets, task mis performance Business Disruption and System Failure – Hardware/software failures, system outage, data recovery failure, utility disruption, natural disasters, continuity issues Information Security – malicious cyber attacks, security breaches, data loss, Fraud Detection & Prevention – Internal/External fraud, Account takeover, theft, impersonation, misappropriation of assets Regulatory and Compliance – legal issues, vendor disputes, regulatory and compliance breaches
• #25: For AI systems to be trustworthy and thereby reduce negative AI risks they need to be responsive in some key areas and considerations given to the associated risks. Valid and Reliable - Are outputs true? Is there objective evidence that requirements have been fulfilled? Correctness of AI systems over the lifetime of the system. Validity and reliability of AI systems are assessed by ongoing testing or monitoring of performance. Safety - Loss of Human Influence over AI technology. Improved through responsible design, development & deployment. Responsible decision making by deployers and end users . Secure and Resilient – Can models withstand unexpected adverse events and changes? Is there adequate data governance and data security? Can AI systems maintain confidentiality, integrity and availability? Resilience is ability to return to normal after adverse event, security includes protocols to avoid, protect against and respond/recover from attack. Explainable and Interpretable – Explain complexity of AI models and data used. Reduce potential for fraud and data breaches. Adequate documentation describing how AI systems function – enable more thorough audit, monitoring & governance. What? How? Why? Privacy Enhanced – Risks due to enhanced data aggregation capability for AI systems, unauthorized disclosure of sensitive data, endpoint security, ensuring AI communicates with trusted sources, ensuring compliance and adherence to applicable laws and regulations e.g., EU GDPR and Jamaica Data Protection Act. Accountable and Transparent – Extent to which info about an AI system and its output is accessible to users thereby increasing confidence in the AI system. Accountability presupposes transparency. Fair with Harmful Bias Managed – Risk related to managing human bias introduced inadvertently during AI data processing. Address issues to do with fairness, equity and equality and prevent discrimination e.g in use of demographic data
• #26: For AI systems to be trustworthy and thereby reduce negative AI risks they need to be responsive in some key areas and considerations given to the associated risks. Valid and Reliable - Are outputs true? Is there objective evidence that requirements have been fulfilled? Correctness of AI systems over the lifetime of the system. Validity and reliability of AI systems are assessed by ongoing testing or monitoring of performance. Safety - Loss of Human Influence over AI technology. Improved through responsible design, development & deployment. Responsible decision making by deployers and end users . Secure and Resilient – Can models withstand unexpected adverse events and changes? Is there adequate data governance and data security? Can AI systems maintain confidentiality, integrity and availability? Resilience is ability to return to normal after adverse event, security includes protocols to avoid, protect against and respond/recover from attack. Explainable and Interpretable – Explain complexity of AI models and data used. Reduce potential for fraud and data breaches. Adequate documentation describing how AI systems function – enable more thorough audit, monitoring & governance. What? How? Why? Privacy Enhanced – Risks due to enhanced data aggregation capability for AI systems, unauthorized disclosure of sensitive data, endpoint security, ensuring AI communicates with trusted sources, ensuring compliance and adherence to applicable laws and regulations e.g., EU GDPR and Jamaica Data Protection Act. Accountable and Transparent – Extent to which info about an AI system and its output is accessible to users thereby increasing confidence in the AI system. Accountability presupposes transparency. Fair with Harmful Bias Managed – Risk related to managing human bias introduced inadvertently during AI data processing. Address issues to do with fairness, equity and equality and prevent discrimination e.g in use of demographic data
• #28: The AI Risk Management Framework Core provides outcomes and actions that enable dialogue, understanding, and activities to manage AI risks and responsibly develop trustworthy AI systems. As illustrated in Figure , the Core is composed of four functions: GOVERN, MAP, MEASURE and MANAGE. Govern- Address full product lifecycle, adequate policies and procedures, roles and responsibilities Map- Establishes the context to frame risks related to an AI system. What is the direction of the innovation and potential risks and controls to mitigate Measure- Quantitative, qualitative and mixed method tools & metrics. How we assess the identified risks Manage- Allocating risk resources to mapped and measured risks Risk management should be continuous, timely, and performed throughout the AI system lifecycle dimensions.
• #29: Governance – Adequate policies, procedures, standards and guidelines for application development and provisioning. Compliance - Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements. Trust - Establishing clear, exclusive ownership rights over data. Institute a risk management program to meet emerging needs e.g., to prevent account hijacking through phishing, malware etc. Architecture - Understand the underlying technologies that the cloud provider uses to provision services. Identity and Access Management - Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization. Software Isolation - Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization. Data Protection – Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data Availability - Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, ensuring they meet organization’s continuity planning requirements. Incident Response - Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization
• #30: Governance – Adequate policies, procedures, standards and guidelines for application development and provisioning. Compliance - Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements. Trust - Establishing clear, exclusive ownership rights over data. Institute a risk management program to meet emerging needs e.g., to prevent account hijacking through phishing, malware etc. Architecture - Understand the underlying technologies that the cloud provider uses to provision services. Identity and Access Management - Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization. Software Isolation - Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization. Data Protection – Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data Availability - Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, ensuring they meet organization’s continuity planning requirements. Incident Response - Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization