Risk-based approach at Unique


GenAI solutions introduce additional risks, and we must proactively deal with them and protect our clients' (sensitive) data. This article outlines which risks are associated with GenAI solutions and which mitigation actions Unique takes (additional mitigation actions may be agreed upon individually with clients).

Unique is committed to effectively managing risks within the ISO 9001, ISO 27001 and ISO 42001 standards, ensuring the highest standards of quality and effectiveness. Unique has established a comprehensive risk management framework that is mandatory for all employees. This framework has been presented and agreed upon by our management team and acknowledged by the board of directors. It is regularly updated and reviewed by the DPO, CISO, management team, and board of directors.

Risk types and mitigation actions

Privacy Risk

Risk:

  • Leakage of confidential or other sensitive data

Mitigation:

  • Implement key risk qualification and risk acceptance processes

  • Enhance risk management strategies, including:

    • Privileged Identity Management (PIM)

    • Identity and Access Management (IAM)

  • Enforce strict contractual obligations with third-party vendors

  • Restrict data storage to a single tenant or customer-managed tenant

  • Opt-out of prompt checking features in Microsoft Azure OpenAI services

  • Opt-out of contributing to training data for Microsoft Azure OpenAI services

Security Risk

Risk:

  • Misuse of GenAI technology

Mitigation:

  • Implement a comprehensive AI Governance Framework

  • Conduct regular external audits to assess GenAI systems

  • Establish and conduct bug bounty programs

  • Implement Technical and Organizational Measures (TOMs), including access controls and monitoring and logging systems

  • Protect and encrypt data at rest and in transit

  • Regularly back up all GenAI-related data and systems and implement a disaster recovery plan

Accuracy Risk

Risk:

  • Inaccurate or inconsistent output from Generative AI systems

Mitigation:

  • Develop and implement comprehensive GenAI guidelines and policies

  • Establish clear standards for output quality and consistency

  • Implement robust Terms and Conditions (T&Cs)

  • Establish a feedback loop mechanism

  • Implement a Hallucination Check

Fairness Risk

Risk:

  • Biased outputs and factually incorrect output

Mitigation:

  • AI Governance Framework

  • Incorporate Human-in-the-Loop (HITL) processes

  • Attach references to AI-generated output to enable users to verify information independently

  • Benchmarking

Risk:

  • Intellectual Property (IP) infringements and copyright violations

Mitigation:

  • Address AI-related legal concerns in Contracts

  • Include clear clauses on IP ownership and usage rights for AI-generated content

  • Outline the legal responsibilities and limitations in the Terms and Conditions

  • Clarify the extent of Microsoft's responsibility in cases of copyright infringement

Unique’s approach to risk management

Every Unique employee can detect and report risks in Unique’s risk registers (the ISMS for IT risks, the QMS for strategic, operational and financial risks, and the AI risk register for AI risks), in line with the ISO 27001, ISO 9001 and ISO 42001 certifications.

Unique follows a risk-based approach that involves regular reviews of key risks:

  • Monthly risk review by CDO and CISO

  • Quarterly risk review by the Executive Team

  • Bi-annual risk review by the Board of Directors

  • Annual re-certification by auditing company
