I am hoping this group could shed some light on thoughts and potential processes around what you are doing with ChatGPT/AI and the integrations and APIs that could be a part of the relationship. How and what would a due diligence review look like?
Your insights are greatly appreciated!
Hi Alicia - We use the NIST CSF's Supply Chain Risk Mgmt framework (ID.SC-1 - ID.SC-5) for our TPRM program, where the NIST AI Risk Mgmt Framework corresponds well for determining strategies and control improvement methods to help address the potential risks of AI types of services (and similar): https://www.nist.gov/itl/ai-risk-management-framework
I'd recommend reviewing that framework and determining how you can evolve or mature your existing program to account for those methodologies.
Ultimately I'd suggest convening with an internal work group (such as a Risk & Security Committee) to discuss the development of a formal Artificial Intelligence Policy, for which you can then lead efforts to develop supporting standards and procedures, including the risk evaluation processes you build or tie into existing ones. Not having such internal requirements and guidance in place for your org's collective operations will only further expose you to potential risks in a space that many are already reactively trying to understand and manage. Being as proactive as possible at this point is a sound approach :)