Availability is the name of the game when it comes to why artificial intelligence (AI) has stolen the show as one of the cornerstones of innovation for enterprises today: applying these models to real business problems no longer carries the barrier of studying to become a data scientist. Between January and September 2023, LinkedIn reported a 60% increase in mentions of generative AI and GAI products, and a tripling of the “head of AI” role over the past five years [1]. But with this increased footprint comes a call to action to consider the risks that are also brought on stage. In response, we have seen organizations take steps to reduce these risks, including developing an AI Threat Matrix for their organization.
What is an AI Threat Matrix?
While the name alone may have you visualizing a blockbuster movie, this tool is a lot more tactical than a room full of touchscreens and looping videos of zeros and ones. Instead of acting out our favorite Hollywood cyber personas, security teams are working in collaboration with the enterprise to develop an AI threat matrix that connects the dots between the AI use cases (enterprise-driven, third-party deployed, and shadow AI cases) and the potential vulnerabilities and threats to their security and robustness.
The NIST AI Risk Management Framework 1.0, section 5.2, asserts that “Outcomes in the MAP function are the basis for the MEASURE and MANAGE functions.” Following this order, security teams identify the AI techniques and applications the enterprise is pursuing, and map them against relevant attacks and threats as noted in MITRE ATLAS, OWASP Top 10, and AI risk and incident databases [2,3,4,5,6]. In alignment with this practice, we have also seen the emergence of an AI Threat Matrix published by OWASP, which identifies threats and risks by stage of the AI lifecycle, as of February 2nd, 2024 [7].
By taking the first step to scope and map scenarios, organizations can begin to communicate the very real risks that are introduced even if other responsible AI principles, such as the fairness or reliability tenets, are being met.