Use Outcome-Driven Metrics to Mediate GenAI Risks

Partner with business leaders to establish GenAI ODMs in six categories:

• GenAI use-case risk assessments show how much security processes help reduce the impacts of deploying high-risk use cases without proper risk assessment and treatment.

• Data readiness demonstrates how prepared the organization is to use existing data assets in its GenAI applications and how secure they are.

• GenAI application security showcases the protections in place over the organization’s in-house-developed GenAI applications.

• GenAI quality assurance ensures GenAI applications are assessed to validate data quality through large-language-model (LLM) prompts to minimize bias and hallucinations.

• Third-party cybersecurity risk management shows how well-protected the organization is from risks related to GenAI from vendors and other partners supporting its business value streams.

• GenAI skills and training demonstrates the value of preparing employees for safely, securely and ethically developing and using commercial, off-the-shelf GenAI-enabled applications.

Gartner for Technical Professionals (GTP) is a specialized service that provides in-depth technical research and insights tailored to the needs of IT professionals and architects who are tasked with implementing technical domain strategies. Talk to Gartner to learn more.

Gartner’s AI trust, risk and security management (TRiSM) is a set of solutions to proactively identify and mitigate AI-related risks. It helps organizations govern and manage AI models and applications throughout their life cycles — and achieve business goals. The TRiSM framework ensures organizations’ AI applications and models are reliable, trustworthy, secure and protect the data leveraged and produced. 

AI TRiSM espouses six technical capabilities needed across all AI initiatives:

• Data protection 

• Content anomaly detection 

• Application security 

• Model management and model operations 

• Explainability and transparency 

• Adversarial resistance

The framework aligns with the six ODM categories and provides insight into potential data sources for GenAI-associated ODMs.

To be useful, ODMs must align to agreed-upon performance or protection levels. Without this alignment, an ODM is simply a data point without context that provides little insight into whether the outcome is good or bad.

A PLA is a construct that facilitates cybersecurity decisions between executives and IT and security decision makers. It frames a business decision to invest in measurable levels of protection at a defined cost. 

PLAs enable more effective business-led cybersecurity investment decision making by: 

• Putting cybersecurity investment into a business context.

• Balancing cost with protection levels.

• Engaging business decision makers.

• Establishing a concrete, measurable and enforceable expression of risk appetite and tolerance.

• Replacing estimates of impact and likelihood with measurable, observable results.

• Supporting the expression of security investments in a business or mission context.

Augmenting data points with business-centric narratives makes the insights ODMs provide relevant and actionable for board- and executive-level audience members. It also equips them to make effective, timely and defensible GenAI-related cybersecurity risk management and investment choices.

Use cybersecurity value stories — compelling narratives with supporting metrics that clearly demonstrate how cybersecurity outcomes generate business value — to clarify how ODM data relates to your audience’s strategic objectives. Effective value stories:

• Align with the business objectives outlined in the organization’s approved GenAI use cases.

• Reflect the GenAI business and cybersecurity risk outcomes desired.

• Are concise and easy to understand.

• Are tailored to the audience’s priorities