Cyber

Artificial intelligence (AI) adoption is fast becoming a strategic necessity for modern businesses. With adoption continuing at pace, a carefully considered strategy is essential for gaining or maintaining a competitive advantage, managing downside risk and addressing the continued regulatory, legal, ethical and operational complexities presented by AI.

This article sets out the opportunities and risks associated with adopting AI, key aspects to consider in an effective framework for developing an AI strategy and what to look for in an AI services provider.

 

AI: Opportunity vs Risk

Organizational use of AI has increased markedly in the past year. This pace shows no sign of slowing, with Gartner stating that by 2026, more than 80% of enterprises will have used GenAI APIs, models and/or deployed generative AI (GenAI)-enabled applications in production environments.

AI is at the cutting edge of innovation, providing an array of opportunities for organizations to drive the speed and efficiency of operations, and helping to reduce costs. Alongside this, AI has the potential to reduce human error and improve the effectiveness of organization-wide oversight processes.

With data being key to organizational productivity, AI can dramatically increase the scale, speed and depth of data that can be analyzed. AI also offers many possibilities for automating and enhancing how companies communicate and connect with their existing and potential customers, providing additional opportunities to increase revenue and boost reputation. However, the opportunities offered by AI are closely matched by the risks. These include:

• Evolving Security Threats - While organizations are increasingly leveraging AI to their advantage, so are cybercriminals. Nearly 50% of organizations report adverse business outcomes related to AI usage, including data breaches. Cybersecurity threats related to AI continue to proliferate, with 87% of security professionals reporting that their organization encountered an AI-driven cyberattack in the past year.
• Lack of Relevant Skills - Thirty-three percent of enterprises highlight the lack of AI skills and expertise as a key barrier to effectively managing AI projects [Morning Consult 2023]. With relatively few experts knowledgeable or familiar enough with tools and techniques for managing mega datasets and related risk, accessing the relevant level of expertise required to effectively govern and manage AI can be challenging.
• Complex Regulatory Environment - New regulations relating to AI are creating a complex and still uncertain regulatory environment. Legal requirements such as the EU AI Act and various state laws in the United States require detailed compliance programs and frameworks, while the NIST AI Risk Management Framework demands a detailed understanding of how risk is measured and mitigated.
• Demanding Data Requirements - Obtaining the vast amount of data required to train some types of AI models has significant implications in terms of confidentiality, terms of use, patents, trade secrets and undisclosed or unknown conflicts regarding the datasets that are used.
• Vendor Management Issues - Vendor management can be a challenge for firms utilizing data from third parties, particularly if that dataset is used to inform trading decisions or recommendations for clients. 
• Biased Data - Allegations of bias and harm to individuals resulting from biased data can generate global media coverage and have a negative impact on a company’s reputation. 
• Lack of Transparency - Obfuscation of factors has the potential to lead to predictive outputs, or factually incorrect information from AI models (i.e., hallucinations) that could impact negatively on decision-making.
• Over-reliance on AI - The use of AI could lead to company employees becoming over-dependent on it, impacting their standard of work or decision-making.

 

Developing Your AI Strategy Framework

Deploying AI strategy at your organization involves the careful consideration of many different elements, including cost, security, personnel, compatibility, competitive position and ethical and regulatory dilemmas. An AI business strategy helps you to understand and handle these difficult questions. Some of the key considerations are outlined below.

 

Identify Your AI Goals

A critical first step to an effective AI strategy is to analyze what you want AI to do for your organization. What is the problem you are looking to solve? What is the value of having those problems solved by AI instead of your existing employees? For example, it may well be that several smaller models and deployments, separately trained for specific uses, will be better than a single AI tool.

 

Assess Your Organization’s Current Status

Once you understand specifically what you want to achieve from AI, the next step is to look at how your organization’s existing infrastructure and assets align with your goals. Start by building a comprehensive inventory of all AI systems deployed or in use by your company, including a brief description of what each one does. Key questions to ask at this stage include: Are all AI models in the organization identified and accounted for? How do AI models impact business risk and are they compliant with industry standards?

 

Pinpoint Your Next Steps

Next, your organization needs to identify how your organization will progress from where it is now toward AI readiness. Getting there involves understanding what’s required to enable your systems, teams and third-party relationships to adapt to leveraging AI. Questions to ask at this stage include: How can the team and company processes be prepared to manage AI risks effectively and do your processes provide efficient business value aligned with AI strategy? For companies interested in deploying generative AI, one of the first decisions to explore is the choice between commercial large language models (LLMs) and open-source (often referred to as “open weight”) LLMs that are fine-tuned internally.

 

Understand Your Data

With AI being 95% data, 5% algorithm, understanding your data is critical. Equally critical is ensuring that strong data governance principles underpin all stages of data preparation and management. Robust controls over how data is accessed, shared and used are essential for ensuring compliance, accountability and ethical AI outcomes.

Key questions to ask around data include: Is some of your data subject to privacy regulations? Is it in a place where you can use it without having to move it (which is expensive)? Preparing and managing data for machine learning is a critical step that will dramatically improve your chance of building your competitive advantage with an AI program.

The first step in preparing data for machine learning is ensuring that it is collected and stored appropriately. Companies should confirm that they have the necessary infrastructure and tools in place to collect the data they need, whether that’s through manual entry, data imports or API integrations. Where personal, confidential or otherwise sensitive data is used, organizations should implement appropriate safeguards aligned with privacy-by-design principles. This includes data minimization, anonymization or pseudonymization where possible, and maintaining clear records of data provenance and consent.

The data should be stored in a secure, centralized and, ideally, permanent location that can be easily accessed by a machine learning team, with role-based access controls and regular audits to prevent unauthorized use or exposure. Clear policies should also define how data is retained, archived and disposed of once no longer required, ensuring responsible lifecycle management. Embedding these governance measures within the organization’s broader risk and compliance framework helps ensure that AI development and deployment remain both defensible and sustainable.

 

Identify Obstacles to Execution

• Operational - Once you have established your goals and your organization’s readiness to leverage AI, it is important to proactively identify specific roadblocks. For example, one issue could be ending prohibited AI systems development, deployment and use. If your systems inventory reveals prohibited systems, you need to act immediately. Actions could include stopping all further deployment or use of the systems, assessing the system to understand what parts or outcomes are prohibited, and finding other potential mitigation steps.
• Cultural - Another issue could be a lack of adequate risk-based AI literacy and training. The training that your organization ultimately decides to deploy will be much more focused and defensible if it is built and communicated on the basis of the actual AI systems in your inventory. This will allow you to provide valuable and relevant business and regulatory context for your training. Adapt it in meaningful ways for your users and employees, and update it as circumstances and business needs require.
• Regulatory - Further consideration involves navigating the increasingly complex regulatory environment surrounding AI. Organizations should ensure that their systems and processes align with evolving requirements such as the EU AI Act, UK guidance on AI assurance and sector-specific expectations from data protection and financial regulators. Conducting regulatory impact assessments, maintaining documentation that evidences compliance and assigning clear ownership for oversight within governance structures will help demonstrate accountability and reduce the risk of non-compliance.

By identifying key gaps and blocks early on, you can maximize the effectiveness of your AI framework. Key questions to ask at this stage include: Can we scale effectively as business accelerates and is the organization regularly assessing and monitoring the risks associated with AI models?

 

Leverage Compliance Requirements

The rise of AI has led to an accompanying rise in related regulations. While complying with varying regulations can present additional demands, it also offers opportunities for guiding and informing the development of an effective AI strategy.

One important regulation of this type is the European Union’s (EU) AI Act (the Act), which represents landmark artificial intelligence (AI) regulation from the EU designed to promote trustworthy AI by focusing on the impacts on people through required mitigation of potential risks to health, safety and fundamental rights. The Act introduces a comprehensive and often complex framework for the development, deployment and use of AI systems, impacting a wide range of businesses across the globe.

Another important regulation related to AI is the U.S. Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (ECCP) which outlines the foundation that legal and governance professionals should use when deciding on a programmatic approach to AI risk and compliance.

Updated in September 2024, the ECCP includes a focus on AI and due diligence in M&A, with both being relevant to AI governance professionals. The updated ECCP introduces several key changes, including: the role of AI in corporate compliance programs, the importance of robust data privacy and security measures, mitigating the risk of biases and discrimination and the need for ensuring transparency and accountability in the use of AI. It also details a defensible, executable way to design an AI governance program.

To move beyond regulatory awareness toward implementation, organizations should design their AI governance for defensibility and accountability. This involves mapping regulatory obligations to practical controls and validation mechanisms, documenting model development and testing decisions, maintaining explainability and audit trails, and reviewing outputs regularly for bias or performance drift. Using recognized frameworks such as the NIST AI Risk Management Framework or ISO/IEC 42001 can help structure ongoing validation, assurance testing and incident response. Embedding these controls within enterprise risk, compliance and internal audit processes ensures that AI systems remain transparent, compliant and adaptable as regulations evolve.

 

Develop a Robust AI Policy

As part of a broader AI business strategy, deploying AI for employee or customer use will require the guardrails of an AI policy. Core aspects of company policy documentation should include product documentation, user guidance and rule setting around safe use of the tool(s), frequently asked questions and training materials. Companies can benefit by carefully managing the downside risk, preparing and labeling their proprietary data, gaining input from the widest possible group of users, using modularity to tailor machine learning applications to specific problems, and creating robust policy documentation.

An effective AI policy should also clearly define ownership and accountability, setting out who is responsible for AI oversight across governance, compliance, technology and operational functions. Establishing risk classification tiers for AI systems helps prioritize oversight and allocate controls proportionate to risk exposure. Alongside this, the policy should detail audit and review obligations, including requirements for maintaining documentation of model design, testing and validation, together with regular independent review cycles.

Policies should further specify incident response triggers, such as the detection of bias, unexpected outcomes, data breaches or regulatory non-compliance, alongside the escalation and remediation steps to be taken. To ensure defensibility, organizations should align their AI policy with recognized governance and assurance frameworks, such as the NIST AI Risk Management Framework or ISO/IEC 42001. Finally, embedding policy adherence into employee training and internal audit processes ensures that AI use remains transparent, accountable and aligned with evolving legal and ethical standards.

 

What to Look for in an AI Services Provider

With AI a fast-evolving arena that presents complex risks, organizations can safeguard their investment by working with specialist partners with proven real-world experience of enabling organizations to manage and mitigate the potential risks of AI. Key aspects to look for in this type of provider include:

• Holistic Services - Because AI is broad-ranging, spanning many business disciplines, look for a provider with the breadth of expertise to advise and support on areas including security and privacy, strategy, regulatory compliance and risk management. 
• Proven Expertise - As a new and fast-moving arena, it is essential to carefully gauge the depth of your prospective provider’s experience and knowledge in AI. Their services should be led by a team that can demonstrate proven AI strategy, security and risk expertise.
• Practical Testing Experience - Alongside up-to-date insight, a provider should have hands-on experience in AI vulnerability testing, helping to contribute to the growing body of knowledge around AI-related security risks. 
• Commercial Focus - Assess how your potential provider balances technical expertise and business insight. In a new area, it is vital that support is both practical and research-informed to ensure that your AI strategy is commercially-aligned. 
• Continuous Innovation - Ask your potential AI strategy specialist about their approach to research. For example, are they actively working on AI-related innovation that can help to advance the field of AI?

 

Harness the AI Opportunity with Kroll

At Kroll, we enable organizations to navigate the complex and changing landscape with AI risk advisory, assessment, implementation and managed services that enable legal, compliance, security and risk leaders to manage all aspects of their AI risk posture.

We empower companies to make AI a strategic initiative that fully considers its role in future market growth, the current threat landscape, changes in software development and customer demand for responsible, trustworthy products. From model security and privacy, regulatory compliance, smart governance and LLM/ML model testing to continuous monitoring and risk assessments, benefit from expert guidance to build trust in your program and your models, establish appropriate and defensible governance and compliance, protect privacy and mitigate cybersecurity concerns. Learn how Kroll can transform your AI strategy.

Get in Touch