Access to AI is not the same as being ready for it

Beazley's experts say the businesses adopting AI fastest are the least protected

Access to AI is not the same as being ready for it

Transformation

By Branislav Urosevic

The federal government is putting $700 million behind small and medium-sized businesses to help them access AI – but access and readiness are not the same thing, according to Denis Panariti (pictured left), head of financial lines at Beazley Canada.

"The funding solves the access problem, but not the readiness problem," Panariti said. "Because having access to something doesn't mean you're ready to use it."

He said the pace of adoption is likely to outrun the governance frameworks that should be guiding it.

"They're going to use it before they fully understand the power and some of the limitations that come with it," he said.

Panariti outlined four things every business should have in place before deploying AI, regardless of size.

The first is a clear policy on what data can and cannot be entered into AI models. He said most SMEs have little understanding of where their data ends up once it enters a public model, and without that boundary, the exposure starts before the tool has produced anything useful.

"At the very minimum, we need to define what data can and can't be entered into the models," he said.

The second is an approved list of vendors. When employees pick their own AI tools without oversight, the company has no way to assess what it is exposed to – and ungoverned tool use is already one of the fastest-growing sources of cyber exposure for SMEs.

"We need to approve a set of vendors so that people aren't off using their own," he said.

The third is a process for reviewing and questioning AI outputs rather than accepting them at face value. Panariti said over-reliance on automated decisions without human scrutiny is one of the fastest ways to create liability.

The fourth is training, and he said it may be the most important.

"We need to upskill employees on the real risks of using AI," he said. "Whether that's data leakage or hallucinations, there's a real need for people to become AI literate."

Ahmed Javaid (pictured right), regional manager for cyber risks at Beazley Canada, said governance has to go further than writing policies and filing them. The test is whether those policies are actively enforced, regularly updated, and put under pressure.

"You can implement all the core controls," Javaid said. "But if you don't have a strong culture around risk management and governance around how you're managing your systems, you are always going to struggle."

He said that includes testing employees through simulated phishing campaigns and keeping up with a threat landscape that has shifted significantly. Deepfakes have made social engineering attacks harder to detect and more damaging when they succeed.

"Deepfakes are becoming so much more prevalent and so much more real that the way that we used to think about social engineering has completely evolved," Javaid said.

Panariti said the governance process should not be fast – and at Beazley, it wasn't.

"It took me longer to go through the governance process, rightfully so, than putting some of these tools together," he said. "Because we want to make sure that the people involved, and the people it affects day in, day out, see the benefits and don't get negatively affected by the tool."

Some carriers are building readiness support directly into their offerings. Beazley's cybersecurity arm has introduced AI readiness assessments designed to help policyholders define their AI objectives and align them with their regulatory and risk frameworks before deploying the technology. The insurer has also launched an exposure management service that continuously monitors a company's external attack surface to flag vulnerabilities as they emerge.

Javaid said the tools are not just for the benefit of policyholders – they help Beazley manage the exposures it is taking on across its own book. But for SMEs that lack the budget or internal expertise to build a strong risk management framework from scratch, having a carrier that offers that support can prove invaluable when transferring your risk.

"As the AI for All mandate continues to evolve, there's an opportunity to incorporate minimum security guidance for SMEs," Javaid said. "A careful approach could help ensure the rollout is successful and sustainable."

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!