When Your AI Tool Becomes the Risk

In partnership with

Looking for unbiased, fact-based news? Join 1440 today.

Join over 4 million Americans who start their day with 1440 – your daily digest for unbiased, fact-centric news. From politics to sports, we cover it all by analyzing over 100 sources. Our concise, 5-minute read lands in your inbox each morning at no cost. Experience news without the noise; let 1440 help you make up your own mind. Sign up now and invite your friends and family to be part of the informed.

Subscribe to 1440 today.

The Problem with Trusting the Vendor

We're taught to trust reputable vendors. Google, Microsoft, AWS. They've got massive security teams, right?

They do. But AI systems are fundamentally different from traditional software. They can be manipulated in ways that bypass intended controls. A cleverly placed special character or prompt can turn a helpful tool into a malware generator.

The Gemini vulnerabilities proved something crucial: vendor security measures aren't sufficient anymore. You can't assume the AI tool is safe just because a major company built it.

Your job as PM? Add layers of verification that treat AI tools as higher risk until proven otherwise.

What the Best PMs Do Differently

Smart Cyber PMs approaching AI implementation do three things before anyone else even thinks about risk:

Build in additional security review phases. Extend your testing period specifically for AI tools. Run adversarial testing where your team actively tries to trick the system into doing something harmful.

Develop clear incident response procedures for AI-related security issues. What happens if your AI tool starts producing problematic outputs? Who gets notified? How quickly can you roll back? Document this before deployment, not during crisis.

Create an AI-specific section in your risk register. Traditional vulnerability categories don't capture AI risks well. Track things like prompt manipulation, training data poisoning, and model behaviour drift separately.

A Framework That Works

Before deploying any AI tool in your project, run it through this checkpoint:

Security Testing: Have we attempted to manipulate it beyond normal use? Who's responsible for adversarial testing?

Rollback Plan: Can we disable this instantly if problems emerge? What's the manual backup process?

Monitoring: How will we detect unusual outputs or behaviour changes? Who reviews AI-generated content before it's used?

Stakeholder Communication: If this tool becomes compromised, who needs to know immediately and what's our our message?

Document the answers. Review them quarterly, not just at launch.

Learning Through Real Scenarios

Common situation: Your team wants to use an AI coding assistant to speed up security script development. Vendor says it's enterprise-ready and secure.

Ineffective approach: Trust the vendor, deploy it widely, assume their security team has covered everything.

Effective approach: "Before we deploy, let's run two weeks of contained testing. Security team, please try to make it generate something it shouldn't. IT, document exactly how we'd shut this down if needed. Then we'll decide on deployment scope."

Often you'll discover the tool needs guardrails, monitoring, or limited access before it's truly ready for your environment.

The Gold standard for AI news

AI will eliminate 300 million jobs in the next 5 years.

Yours doesn't have to be one of them.

Here's how to future-proof your career:

• Join the Superhuman AI newsletter - read by 1M+ professionals

• Learn AI skills in 3 mins a day

• Become the AI expert on your team

Start learning AI now