AI agents are not yet safe for unsupervised use in enterprise environments

The German Federal Office for Information Security (BSI) and France’s ANSSI have just released updated guidance on the secure integration of Large Language Models (LLMs). Their key message? Fully autonomous AI systems without human oversight are a security risk and should be avoided. As LLMs evolve into agentic systems capable of autonomous decision-making, the risks grow exponentially. From Prompt Injection attacks to unauthorized data access, the threats are real and increasingly sophisticated. The updated framework introduces Zero Trust principles tailored for LLMs:
1) No implicit trust: every interaction must be verified.
2) Strict authentication & least privilege access – even internal components must earn their permissions.
3) Continuous monitoring – not just outputs, but inputs must be validated and sanitized.
4) Sandboxing & session isolation – to prevent cross-session data leaks and persistent attacks.
5) Human-in-the-loop, i.e., critical decisions must remain under human control.
Whether you're deploying chatbots, AI agents, or multimodal LLMs, this guidance is a must-read. It’s not just about compliance but about building trustworthy AI that respects privacy, integrity, and security. Bottom line: AI agents are not yet safe for unsupervised use in enterprise environments. If you're working with LLMs, it's time to rethink your architecture.
Navigating AI Risks
Explore top LinkedIn content from expert professionals.
I came across research last week that I genuinely cannot stop thinking about. In the logic of AI, "man" is to "programmer" as "woman" is to "homemaker." No one explicitly coded that bias into the system; the machines simply learned it from us. They mirrored our job postings, our articles, and our casual conversations, and billions of our own blind spots fed into a black box until the algorithm started reflecting our worst habits back at us. Bias in AI isn't always malicious. But sometimes it feels like AI is being weaponized against women's safety at scale. On platforms like X, a woman posts a photo and the replies are filled with prompts for AI tools to undress her (see the links in comments). These tools then publicly generate explicit, non-consensual images of real women who are students, mothers, leaders. We want to use AI. We must use AI but thoughtfully. And the information it is sharing is just a mere unfortunate reflection of our society. A society where women have fought their way up as they have historically been reduced, objectified, and pushed to the margins, but now those patterns are being encoded into new systems. When a tool can be used to violate a woman's dignity in seconds, that's a design and policy failure. My question is: Can we build AI that doesn't inherit the worst of us? I think we can. But only if the people building it are asking that question out loud before the product ships. #AI #GenderBias #WomenSafety
Two identical CVs. Both written by AI. Both sent to 1,000 people. The only difference: one was named James, one was named Emily. James’s CV got a 97% approval rating. Emily’s got 76% - and reviewers were TWICE as likely to question her competence. Twenty-two percent more likely to question whether she could even be trusted. The feedback on Emily’s CV: “She can’t even write a CV herself - not sure she has the skills to carry out the job.” The feedback on James’s CV: “He just needed a bit of help putting it together.” Same words. Same AI. Different gender. Different verdict. 🚨🚨🚨🚨 How are we STILL HERE?!?!? The study, by former Meta strategist Zehra Chatoo, was reported in Fortune on 10 May. And the most uncomfortable finding wasn’t from older reviewers. It was from Gen Z men. They were 3.5 times more likely to call Emily’s CV “weak.” The generation that is growing up with AI. The generation telling us AI is the great equaliser. The data says otherwise. Chatoo summarised it in a sentence I have not been able to stop thinking about: “When men use AI, we question their effort. When women use AI, we question their integrity.” This is not one study. Harvard Business School has the AI adoption gender gap at 25%. Brookings has found that 86% of the roles with high AI exposure and low capacity to adapt to displacement are held by women. The pattern is consistent and it is widening. The conclusion most people are drawing from this data is “women should be more confident with AI.” I think that misses the point. The bias isn’t in the technology. It is in the people reading the output. Women are not being irrational when they hesitate to use AI openly - they are reading the room accurately. The reputational cost of being seen to use AI is genuinely higher for them. The data confirms what they already sense. The answer is not to ask women to ignore that. The answer is to fix the people doing the judging. 
To name what is actually happening when an “Emily” CV gets called weak and a “James” CV gets the benefit of the doubt for the same words. To call out the Gen Z men perpetuating a bias they like to claim their generation has moved past. And for women in leadership reading this - use AI anyway. Lead anyway. Document your AI workflows openly. Train your teams in them. Make your usage visible in the rooms where decisions get made. The cost of stepping back from AI in this moment is far higher than the cost of stepping in. We have the data to prove it now. If this resonated, I write about the AI gender gap, ethics, and practical strategy for women in leadership every week in my newsletter. The link is here: https://lnkd.in/emWjxC9t
When AI Meets Security: The Blind Spot We Can't Afford

Working in this field has revealed a troubling reality: our security practices aren't evolving as fast as our AI capabilities. Many organizations still treat AI security as an extension of traditional cybersecurity—it's not. AI security must protect dynamic, evolving systems that continuously learn and make decisions. This fundamental difference changes everything about our approach. What's particularly concerning is how vulnerable the model development pipeline remains. A single compromised credential can lead to subtle manipulations in training data that produce models which appear functional but contain hidden weaknesses or backdoors. The most effective security strategies I've seen share these characteristics:
• They treat model architecture and training pipelines as critical infrastructure deserving specialized protection
• They implement adversarial testing regimes that actively try to manipulate model outputs
• They maintain comprehensive monitoring of both inputs and inference patterns to detect anomalies
The uncomfortable reality is that securing AI systems requires expertise that bridges two traditionally separate domains. Few professionals truly understand both the intricacies of modern machine learning architectures and advanced cybersecurity principles. This security gap represents perhaps the greatest unaddressed risk in enterprise AI deployment today. Has anyone found effective ways to bridge this knowledge gap in their organizations? What training or collaborative approaches have worked?
"This white paper offers a comprehensive overview of how to responsibly govern AI systems, with particular emphasis on compliance with the EU Artificial Intelligence Act (AI Act), the world’s first comprehensive legal framework for AI. It also outlines the evolving risk landscape that organizations must navigate as they scale their use of AI. These risks include:
▪ Ethical, social, and environmental risks – such as algorithmic bias, lack of transparency, insufficient human oversight, and the growing environmental footprint of generative AI systems.
▪ Operational risks – including unpredictable model behavior, hallucinations, data quality issues, and ineffective integration into business processes.
▪ Reputational risks – resulting from stakeholder distrust due to errors, discrimination, or mismanaged AI deployment.
▪ Security and privacy risks – encompassing cyber threats, data breaches, and unintended information disclosure.
To mitigate these risks and ensure AI is used responsibly, in this white paper we propose a set of governance recommendations, including:
▪ Ensuring transparency through clear communication about AI systems’ purpose, capabilities, and limitations.
▪ Promoting AI literacy via targeted training and well-defined responsibilities across functions.
▪ Strengthening security and resilience by implementing monitoring processes, incident response protocols, and robust technical safeguards.
▪ Maintaining meaningful human oversight, particularly for high-impact decisions.
▪ Appointing an AI Champion to lead responsible deployment, oversee risk assessments, and foster a safe environment for experimentation.
Lastly, this white paper acknowledges the key implementation challenges facing organizations: overcoming internal resistance, balancing innovation with regulatory compliance, managing technical complexity (such as explainability and auditability), and navigating a rapidly evolving and often fragmented regulatory landscape"
Agata Szeliga, Anna Tujakowska, and Sylwia Macura-Targosz, Sołtysiński Kawecki & Szlęzak
15 weeks left before the first rules of the AI Act come into effect. Struggling with where to start on AI implementation and compliance? Start with a multidisciplinary team; conduct an AI inventory; carry out AI Impact Assessments; draft AI policies; amend contracts, policies, and data protection documents to reflect AI’s role in your organisation. Ensure your team is trained in AI literacy, as required under the AI Act. To navigate AI implementation and compliance under the EU AI Act, companies must begin by understanding its scope and risk-based approach. The Act categorises AI systems into prohibited, high-risk, or general-purpose. Prohibited AI systems (the first rules coming in) include those exploiting vulnerabilities or engaging in certain AI emotional recognition. High-risk systems, such as those used in management of critical infrastructure, require strict oversight, including documentation, risk assessments, and ongoing monitoring. General-purpose AI systems, widely used across industries, may also face regulatory scrutiny due to their broad impact. The first step for companies is conducting a comprehensive AI inventory. This involves cataloguing all AI systems in use or under development to determine their classification under the AI Act. Through this inventory, companies can assess their compliance obligations and identify any systems that may need modification or discontinuation to meet the Act’s standards. Data protection is a cornerstone of AI compliance. The AI Act mandates that data used in AI systems be high quality, representative, and free from bias. This is especially crucial for high-risk systems, which must undergo continuous risk assessments to protect fundamental rights. GDPR compliance is also essential for any AI system that processes personal data, and companies must ensure their data governance strategies focus on transparency, accountability, and safeguarding individual rights. Contracts are a critical component of AI implementation. 
Organisations must revisit and amend contracts to address how AI impacts their legal and operational frameworks. These amendments should explicitly cover liability for AI-generated decisions, intellectual property ownership of AI-generated outputs, and data protection compliance. Contracts must minimise legal exposure. Additionally, intellectual property issues around AI, such as ownership of outputs or the use of third-party data, should be clearly defined in these agreements. Following the AI inventory, companies must conduct an AI impact assessment. This assessment includes both a Data Protection Impact Assessment (DPIA) and a Fundamental Rights Impact Assessment (FRIA). The extraterritorial scope of the AI Act means that even non-EU companies must comply if their AI systems impact the EU market. Non-compliance can result in significant fines, making early compliance essential. 15 weeks left to comply.
Every AI failure you've read about traces back to one of these risks. Not a bug. Not bad luck. A known, named, predictable category of risk that every AI team should already be tracking. Here's the AI Risk Periodic Table, mapped across 10 categories every founder, product leader, and enterprise team needs to understand.
1. Model Risks: Hallucination, bias, drift, overfitting, underfitting, error propagation. The model itself fails before anyone touches it.
2. Data Risks: Mislabeling, source risk, synthetic data risk, duplicate data, data leakage, consent risk, quality loss. Bad data breaks good models.
3. Security Risks: Jailbreaks, prompt injection, adversarial attacks, API abuse, token theft, supply chain risk. Every AI system is a new attack surface.
4. Governance and Compliance: Governance failure, compliance risk, regulatory risk, policy failure, ownership gap, explainability gap. The stuff that gets companies fined or sued.
5. Operational Risks: Scaling, cost overrun, latency, deployment, documentation, integration, rollback gaps. Where production AI quietly bleeds money.
6. Business and Reputation Risks: Reliability, reputation, customer trust loss, revenue impact, ROI failure, strategy misalignment. The risks the CFO cares about most.
7. Human and Ethical Risks: Fairness, trust gap, ethical risk, automation bias, job displacement fear. The risks that decide whether anyone actually uses your AI.
8. Monitoring and Control: Monitoring gaps, audit gaps, alert failure, logging gap, metric blindness, validation gaps. If you can't see it, you can't fix it.
9. Agentic AI Risks: Agent autonomy risk, tool misuse, memory risk, goal misalignment, delegation risk, multi-agent failure, loop failure. The newest, most underestimated category in 2026.
10. Fail-Safe Risks: Kill switch gap, feedback gap, evaluation failure, red teaming gap. The layer that decides whether AI fails gracefully or catastrophically.
The big idea: Most AI teams worry about hallucinations. The best teams worry about all 70+ of these, with a system to monitor each one. AI isn't risky because it's new. It's risky because most teams have never mapped its risks. This table is that map. Which risk is your team underestimating right now? Repost to help another AI leader plan smarter.
On August 1, 2024, the European Union's AI Act came into force, bringing in new regulations that will impact how AI technologies are developed and used within the E.U., with far-reaching implications for U.S. businesses. The AI Act represents a significant shift in how artificial intelligence is regulated within the European Union, setting standards to ensure that AI systems are ethical, transparent, and aligned with fundamental rights. This new regulatory landscape demands careful attention for U.S. companies that operate in the E.U. or work with E.U. partners. Compliance is not just about avoiding penalties; it's an opportunity to strengthen your business by building trust and demonstrating a commitment to ethical AI practices. This guide provides a detailed look at the key steps to navigate the AI Act and how your business can turn compliance into a competitive advantage.
🔍 Comprehensive AI Audit: Begin with thoroughly auditing your AI systems to identify those under the AI Act’s jurisdiction. This involves documenting how each AI application functions and its data flow and ensuring you understand the regulatory requirements that apply.
🛡️ Understanding Risk Levels: The AI Act categorizes AI systems into four risk levels: minimal, limited, high, and unacceptable. Your business needs to accurately classify each AI application to determine the necessary compliance measures, particularly those deemed high-risk, requiring more stringent controls.
📋 Implementing Robust Compliance Measures: For high-risk AI applications, detailed compliance protocols are crucial. These include regular testing for fairness and accuracy, ensuring transparency in AI-driven decisions, and providing clear information to users about how their data is used.
👥 Establishing a Dedicated Compliance Team: Create a specialized team to manage AI compliance efforts. This team should regularly review AI systems, update protocols in line with evolving regulations, and ensure that all staff are trained on the AI Act's requirements.
🌍 Leveraging Compliance as a Competitive Advantage: Compliance with the AI Act can enhance your business's reputation by building trust with customers and partners. By prioritizing transparency, security, and ethical AI practices, your company can stand out as a leader in responsible AI use, fostering stronger relationships and driving long-term success.
#AI #AIACT #Compliance #EthicalAI #EURegulations #AIRegulation #TechCompliance #ArtificialIntelligence #BusinessStrategy #Innovation
Everyone is talking about Agentic AI. Very few are talking about what it means for security. As a CISO, this “Layers of AI” diagram is more than a tech roadmap, it’s a risk map. Each layer introduces new attack surfaces, new failure modes, and new governance gaps:
🔹 Classical AI & ML: We learned to secure data, models, and pipelines.
🔹 Deep Learning & Generative AI: We adapted to model theft, prompt injection, data leakage, and hallucinations.
🔹 Agentic AI (Memory, Planning, Tool Use, Autonomous Execution): This is different. Now AI doesn’t just suggest. It decides, acts, and executes.
From a security lens, that raises hard questions: Who approves an agent’s actions? What happens when an agent uses the wrong tool? How do we audit decisions made across memory + autonomy? How do we stop “speed” from becoming a breach?
🔐 Security can’t be bolted on at the Agent layer. It must be embedded across every layer:
Identity for agents, not just humans
Least-privilege tool access
Guardrails on memory and planning
Continuous monitoring of autonomous actions
🚨 The biggest risk isn’t AI replacing people. It’s AI acting faster than our controls. As leaders, our job is clear: Enable innovation without surrendering control. How are you thinking about securing autonomous AI in your organization? 👇 Let’s discuss. Image Credit: Brij Kishore Pandey