In the first half of 2023, generative AI adoption in organisations went from a curiosity to a mainstream reality. Employees are using ChatGPT, Copilot, and similar tools for drafting, summarising, coding, and analysis — often without formal policy, without governance processes, and without the organisation understanding what data is being shared with these services or what the risk implications are.
This is the emerging technology risk challenge in its current form. And it is not unique to generative AI — cloud adoption went through the same cycle a decade earlier, shadow IT has been an ongoing challenge for longer than that, and the next technology wave will produce the same pattern. New technology is adopted faster than governance follows. Risk that was not on anyone’s radar becomes material before the risk management framework has caught up.
Why Emerging Technology Risks Are Different
Established technology risks are manageable in part because they are well-understood. The risk of a ransomware attack on an unpatched Windows server is characterised in thousands of incident reports and security advisories. The risk profile of standard cloud infrastructure is documented extensively by providers, researchers, and regulators.
Emerging technology risks are different because their risk profiles are not fully established. The long-term data privacy implications of training large language models on corporate data are not fully characterised. The supply chain risks of widely adopted open-source AI frameworks are not well-enumerated. The regulatory treatment of AI-generated outputs in regulated industries is still being established. Risk management frameworks built on historical data and established threat catalogues do not capture these risks well.
A Practical Approach to Emerging Technology Risk
Establish visibility before governance. The first step is knowing what emerging technologies are being used — not what is approved, but what is actually in use. Organisations that prohibit shadow IT without monitoring for it do not have visibility; they have a policy and an assumption. Network monitoring, SaaS discovery tools, and periodic employee surveys all provide visibility that policies alone do not.
Apply precautionary risk assessment to high-sensitivity applications. For emerging technologies being used in proximity to sensitive data — personal data, financial data, intellectual property — apply a precautionary risk assessment before use rather than after adoption. This does not require a comprehensive risk profile; it requires asking whether the specific use case, with the specific data involved, creates exposures that are material and that can be addressed through controls or require prohibition pending further assessment.
Define clear governance for adoption decisions. Emerging technology adoption should have a defined governance pathway — someone responsible for assessing new technologies, criteria for what requires formal review versus what can be adopted immediately, and a process for escalating technologies with uncertain or potentially material risk profiles. This governance does not need to be burdensome, but it needs to exist.
Monitor the evolving risk landscape. For technologies in active adoption, the risk profile continues to evolve as research accumulates, incidents occur, and regulatory guidance develops. Emerging technology risk management is not a one-time assessment — it requires ongoing monitoring of the threat and regulatory landscape and periodic reassessment of adopted technologies.
At Bitsecura, we help organisations develop risk management approaches that are responsive to emerging technology — building governance processes that provide appropriate oversight without blocking beneficial adoption. If you are managing AI, cloud, or other emerging technology adoption and need to get the risk governance right, reach out here.
Bitsecura provides IT risk management and enterprise risk advisory services. Learn more about our IT risk management services.