Answer yes if Machine Learning or Generative AI models are used anywhere within the services provided to your clients or anywhere that might touch client data. This includes the use of AI features or capabilities embedded in your supplier’s services or any SaaS tools your people may use (e.g. Google Gemini or Microsoft’s Copilot), if they are used with client data to provide client services. If AI is used within some, but not all, of the services you provide, you should answer yes. In the notes section, please state which of your services use AI and briefly describe where and how AI is used in each service.
A regular review of how AI models and services are used within your organisation to provide services to clients — what workflows are supported, the client data used with those services, and how the results of AI processing are used — can help inform security and risk management controls.
Typically, an organisation’s Information Security function can assist, but there are also numerous consultancies and individual consultants that can help craft a policy that meets your business and technical requirements.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.