Introduction: Myself and how my experience building vulnerability management programs altered my views on risks.

Seeing the Forest: I discuss the common focuses of security programs, and how headlines can influence reactions and prioritizations. Then introduce some of the largest breaches of the past few years and highlight how AI actually played into those breaches.

Building Blocks: Before I can get to risk modeling I introduce the tools needed to understand your own risks: inventories, topologies, data flow diagrams, and relationships with the teams that own the above. However this is a ‘trick’ and I reveal that building those blocks causes you to threat model without even realizing it which is why I harp on documenting everything you find throughout building those blocks.

Prioritization: To properly prioritize what risks you accept, first you need to understand the feasibility and likelihood of AI being exploited. As well as what impact its use would have on the business: can revenue still be generated, what services go offline, can an attacker pivot and make things worse, how long would it take to recover, ect. Understanding how your business operates, and what's interconnected is key to building your priorities.

Mitigation: It’s not always possible to eliminate all of your risks which is why we mitigate them as best as we can. I explain how mitigation can come from two forms: making a AI harder to exploit, or decreasing the likelihood of a threat taking place.

Acceptance: Security staff cannot accept risks, oftentimes executives insist that we do or insist on mitigations that are unsatisfactory to security teams. When executives are presented with a risk acceptance document outlining the potential impacts and potential better mitigations that can be implemented. That way we can CYA.

AI Inventoring: Just inventorying what AI tools you have isn’t enough, they can be used in so many different ways in different configurations, how do you document how they are used while preventing too much disruption and upset from the executive suite?

Wrap up: recap that there are always new threats, vulnerabilities, and AIs that someone might want to onboard, so don’t get derailed from your priorities.