The adoption and use of artificial intelligence is challenging risk management experts as they try to remain in step with the pace of change while protecting their businesses and organizations from any emerging threats related to the technology.
From setting up systems to segregate proprietary data (see related story below) to developing company-wide use guidelines, organizations are taking a range of measures to manage exposures emerging from the adoption of AI.
Regulation is also seen as a major potential exposure as governments worldwide move to support and manage AI adoption (see related story below).
Brokers need to stay ahead of emerging risks, said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber practice.
“This is happening so fast. The threats are emerging as we speak. The regulation is doing the same. The insurance industry is evolving … so risk management overall has to pay attention to that dynamic,” he said.
This may require marshaling an array of specialized knowledge, Mr. Farley said.
“Think about the attorneys that you’re going to need for compliance. Think about the potential need to engage data scientists to help you truly understand the nature of these AI platforms. There’s going to be the need for some specific, targeted expertise around AI risk management,” he said.
The AI framework developed by the National Institute of Standards and Technology is a sound place to start, he said. “The NIST framework is highly regarded as one of the frameworks to model your security around,” he said.
“NIST has put out an artificial intelligence framework that’s relatively comprehensive and really helps anyone to orient on the need to provision and govern,” said Maria Long, New York-based chief underwriting officer at cyber insurer Resilience.
The NIST AI Risk Management Framework was released on Jan. 26, 2023, to help manage risks associated with artificial intelligence. The Institute has also published the NIST AI RMF Playbook and an AI RMF Roadmap and, on March 30, 2023, launched its Trustworthy and Responsible AI Resource Center.
Ms. Long also emphasized the need for diverse expertise. “You have to have the right stakeholders in place. It’s your data privacy officer, it’s your chief information security officer. It could even be stakeholders from various business units.”
Some very large organizations have implemented governance frameworks and AI governance committees to drive how AI will be used and which tools will be used, said Rob Malone, New York-based U.S. head of cyber for Axa XL.
Governance frameworks are typically drafted by legal teams, with input from information security, risk management and compliance functions, and in some cases data science teams, Mr. Malone said.
Organizations are establishing cross-functional teams spanning privacy, legal, compliance and risk, implementing technology focused on governance, and enabling responsible adoption at scale, said Will Lehman, Bloomington, Indiana-based global director of risk management at Cook Group and a board director of the Risk & Insurance Management Society.
They are “formalizing AI governance through clear policies, defined use cases, approved tools, and data boundaries,” he said.
Rachel Thuerk, Waltham, Massachusetts-based vice president, risk management, for Benchmark Senior Living, emphasized privacy as a chief concern for the company because it holds customer data governed by the U.S. Health Insurance Portability and Accountability Act. Such data is kept separate from AI tools, she said.
“Our health care data is our main privacy and cyber security risk. As long as we keep it isolated from AI tools, I don’t think that AI leads to a dramatic increase to our internal risk,” she said.
“We have adopted the first rudimentary tools, but in a controlled way,” said Moulay Elalamy, senior vice president, information technology for Benchmark.
The number of people testing or using AI tools at Benchmark is known and there are no free versions of software deployed — everything is licensed and license holders are known to Mr. Elalamy, he said.
Zurich U.S. has centralized AI tools available for employee use in its “AI Lounge,” said Barry Perkins, Chicago-based chief operating officer for Zurich U.S. Tools become available after a “multi-pronged” assessment, which evaluates for factors including data security, he said.
At catastrophe modeler Karen Clark & Co., staff are able to experiment with AI tools but “nobody is going to use it for anything without going through a process,” to vet and evaluate the technology, said Boston-based company founder and president Karen Clark.
AI tools are used for isolated unit operations, such as database queries, but not within KCC’s code base, Ms. Clark said. “It can do relatively simple tasks and isolated tasks,” Ms. Clark said.
Industry sources also recommended having a clear, accessible AI policy for staff.
“It’s entirely appropriate and beneficial for an organization to have an acceptable use policy around generative AI,” said Greg Eskins, Miami-based global cyber product leader at Marsh Risk. Such a document can serve as a training guide for the uninitiated, “to make very clear the dos and don’ts around the use of the tools specifically for work purposes,” he said.
Having written AI governance is “really important,” said Henry Gardener, chief risk officer at Markel. “You’d want to make sure that the policy was clear enough and that the principles are simple enough that everyone can follow it,” he said.
“We have this specific document called AI use and governance. It’s a policy document that’s kept accessible for all staff and outlines the process for new tools,” said George Beattie, London-based head of innovation for CFC.
Training is also important, Mr. Gardener added. “What we try and do is make sure that we’re giving access to a lot of training.”
Staff should be trained on appropriate prompts when using AI, Ms. Long said.
Humans should review or verify any product of an AI system before it becomes available to the public.
“There must be an appropriately trained human that carries the appropriate skill set in the loop at all times,” said Resilience’s Ms. Long.
Mr. Lehman offered the phrase “Co-pilot, not auto pilot.”
“One of the cornerstones around AI risk management would be to have a human in the loop. If you don’t, you’re blindly trusting the output, which, in my view, is a big mistake,” said Gallagher’s Mr. Farley.
As the world races to adopt artificial intelligence, regulators are working to keep up with the pace of change.
Officials in Europe and the United States have begun moving to help guide the adoption of the powerful new technology by issuing guidelines surrounding the adoption and deployment of AI.
The EU AI Act was first proposed in April 2021 “to ensure better conditions for the development and use of this innovative technology,” according to the website of the European Parliament. The act entered into force on Aug. 1, 2024.
In the U.S., states have started crafting and issuing regulations, with five states — California, Colorado, New York, Utah and Texas — enacting legislation. Many more states are in various stages of implementation (see map), in some ways mirroring the rollout of cyber breach regulations.
“It’s very similar to what happened with cybersecurity regulations. We had GDPR passed in Europe and then all the state laws passed. A similar sort of thing is starting to play out around AI,” said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber practice.
California was the first state to pass a mandatory database notification law in 2003, he said.
“We saw 50 states follow over about a 15-year period and now you can almost see a similar situation playing out around AI regs by state. California has already got their law in place. I’m a student of history, and I believe if it doesn’t repeat, it certainly rhymes,” Mr. Farley said.
Regulations are being developed at a faster pace than expected, said Jeff Kulikowski, New York-based executive vice president, cyber and professional liability leader at Westfield Specialty, a subsidiary of Westfield Insurance.
“We’ve seen AI regulation start in Europe, and now we’re starting to see more state and federal legislatures and agencies focus on AI in the U.S.,” he said.
AI regulation is important and inevitable, said Henry Gardener, chief risk officer at Markel.
“The pace of adoption has been faster by regulators because they’ve seen that need and they’re moving as fast as they can towards putting sensible things in place. The difficulty for them is that the target keeps moving,” he said.
Widespread and accelerating adoption of AI tools is spurring regulators to act, Mr. Kulikowski said.
“People want clarity,” he said.
Westfield Specialty encourages its policyholders to remain abreast of regulatory developments and compliance. “We tell our insureds that you have to stay on top of the regulatory aspect to help mitigate risk,” Mr. Kulikowski said.
Policyholders want coverage for compliance, said Rob Malone, New York-based head of cyber for Axa XL. “We’re being asked most often about regulatory coverage, very broad regulatory coverage,” Mr. Malone said.
The EU AI Act is being cited by policyholders but “they want broad, blanket coverage for any other similar regulation governing the use of AI. We’re seeing that much more now than we did even last year,” Mr. Malone said.
Effective data governance plays an integral role in managing exposures related to artificial intelligence, insurance industry sources said.
Companies must prioritize protecting proprietary information when adopting AI, they say.
“I’d say data governance is at the center of all this. That is really something that should be instituted upon adoption” of any AI tools, said Maria Long, New York-based chief underwriting officer at cyber insurer Resilience.
Ms. Long recommends that privacy exposures be evaluated before using AI tools for work process and efficiency.
“Part of data governance is knowing if that AI agent is using the entered data to train its algorithm,” she said.
To both preserve the confidentiality of customer data and comply with privacy regulations, such as the European Union’s General Data Protection Regulation and numerous other statutes, users must establish systems that confine data to within their own organizations.
One way to help accomplish this is to segregate artificial intelligence systems, said Barry Perkins, Chicago-based chief operating officer for Zurich U.S.
Zurich segments, or ring-fences, its data and it is not shared outside the company. This includes customer data, which is highly regulated, he added.
“We want to be making sure that what we put in a (large language model) and what we get out stays within the dedicated version of that for Zurich, and it doesn’t go out to either our competitors or into the world,” Mr. Perkins said.
At CFC, employees “do not put any confidential information into any AI system or program until we have brought something in-house that is essentially ringfenced,” said George Beattie, London-based head of innovation for CFC.
AI model vendors have commercial agreements that allow segregation of data, he said.
“We can create a confined data space in which our data is not going to leak out into the wider world. That was an obvious thing for the AI vendors to do, because without it, corporates wouldn’t step in,” Mr. Beattie said.
Discussions about confidentiality may precede discussions about the capabilities of the technology, he said.
Some AI platforms also permit companies to opt out of the collection of data used to train the models, Ms. Long said. Such service levels are typically enterprise-level subscriptions, she said.