
Beyond Compliance: Tackling AI Risk Management with NIST’s New Overlays 

September 23, 2025

Many of the risks companies face these days feel like ideas that were science fiction just a few years ago. None feel like stepping into the unknown more than AI. Your IT department has likely already come up with safeguards against some of the risks associated with GenAI, but is your enterprise ready for AI risks that go beyond cybersecurity?  

AI is certainly the way of the future, but when you’re integrating AI into core operations, risks like data poisoning and reputational fallout are becoming enterprise-wide issues.  

Recognizing this shift, the National Institute of Standards and Technology (NIST) recently released updated AI-specific control overlays that expand the conversation beyond cybersecurity. These overlays integrate AI risk into NIST’s SP 800-53 framework to address areas like generative and predictive AI, multi-/single-agent environments, and AI development pipelines. 

The goal is to: 

  • Protect AI systems from manipulation or corruption. 
  • Mitigate adversarial AI use in cyberattacks. 
  • Leverage AI to strengthen cybersecurity operations. 

AI Risk Through the Lens of ERM 

NIST’s updated overlays introduce controls for threats like integrity attacks, model poisoning, and input manipulation. But they also go further, acknowledging risks that are harder to quantify, like bias, fairness, and governance gaps.  

These risks map directly to familiar enterprise categories:  

  • Operational risk: Generative AI tools may produce inaccurate or misleading outputs, creating workflow disruptions or decision-making errors.  
  • Reputational risk: Misuse of AI, especially in customer-facing applications, can erode trust and damage brand equity.  
  • Compliance risk: AI systems that mishandle personal data or fail to meet fairness standards may violate emerging regulations.  

For risk managers, these updates should serve as a signal that AI risks must be managed with the same attention as financial, operational, and compliance risks.  

The great news is that enterprise risk management (ERM) solutions like Origami Risk’s are set up to help catalog, assess, and monitor these risks using the same frameworks already in place for other strategic concerns.  

In this way, you can have a full view of core business risks that includes AI, rather than separating AI and categorizing it as solely an IT issue.  

The Human Element: Governance, Bias, and Reputation 

The risks of AI go beyond the technical problems it might cause. When AI interacts directly with people, as a chatbot does, or makes decisions about them, there are extra risks. One of the most important shifts in NIST's guidance is its emphasis on these human-centric risks.

In this day and age, a company that seems to operate with bias or that has no accountability can quickly cause real financial and reputational problems. With that much at stake, AI risks need to be assessed at the board level, not just left to your IT department.  

Instead, managing these risks requires cross-functional collaboration with Legal, HR, Compliance, and Risk teams. Together they must define acceptable use, monitor outcomes, and ensure transparency. Otherwise, they open the organization to costly mistakes.  

For example, a tutoring company had to pay out a settlement of $356,000 following an age discrimination dispute with the U.S. Equal Employment Opportunity Commission. The company was using AI to screen applicants, and the lawsuit contended that it automatically rejected female candidates over 55 and male applicants over 60, even though they were qualified.

Thankfully, ERM platforms can facilitate this collaboration by providing shared visibility and structured workflows for AI oversight. 

Practical AI Risk Management Steps for Risk Leaders  

To translate NIST’s overlays into action, risk leaders can start with a few key steps:  

  • Map AI risks into your existing taxonomy: Align new AI-specific threats with enterprise risk categories to ensure visibility and accountability.  
  • Add AI risks to your enterprise risk register: Treat them like any other strategic risk with owners, controls, and monitoring plans.  
  • Engage diverse stakeholders: Include legal, HR, and compliance in AI risk management discussions to capture a full spectrum of concerns.  
  • Monitor bias and fairness like operational risks: Use metrics, audits, and feedback loops to track performance and intervene when needed. 
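The last step, monitoring bias and fairness with metrics, is the one most readily turned into a repeatable check. The script below is an added example, not code from the article or from Origami Risk's platform: it computes selection rates by gender and age band over a constructed set of screening decisions and flags any group whose rate falls below four-fifths of the best-performing group, the adverse-impact threshold used in U.S. employment selection guidelines. The age bands, the threshold default and the sample data are assumptions.

```python
from collections import defaultdict

# Constructed sample of screener outcomes as (gender, age, accepted). Not real data;
# the skew mirrors the pattern described in the article's age-discrimination case.
SAMPLE_DECISIONS = [
    ("F", 30, True), ("F", 42, True), ("F", 50, True), ("F", 54, True),
    ("F", 56, False), ("F", 58, False), ("F", 61, False), ("F", 63, False),
    ("M", 28, True), ("M", 45, True), ("M", 57, True), ("M", 59, True),
    ("M", 61, False), ("M", 64, False), ("M", 66, False), ("M", 70, True),
]


def group_key(gender, age):
    """Bucket an applicant by gender and an age band (the bands are assumed)."""
    band = "under55" if age < 55 else ("55to59" if age < 60 else "60plus")
    return f"{gender}/{band}"


def selection_rates(decisions):
    """Share of applicants accepted in each gender/age-band group."""
    totals, accepted = defaultdict(int), defaultdict(int)
    for gender, age, ok in decisions:
        key = group_key(gender, age)
        totals[key] += 1
        accepted[key] += int(ok)
    return {key: accepted[key] / totals[key] for key in totals}


def disparate_impact(rates, threshold=0.8):
    """Ratio of each group's selection rate to the highest group's rate.

    Groups below the threshold are flagged; 0.8 is the four-fifths rule commonly
    applied in selection audits, kept as a parameter so a risk team can tighten it.
    """
    best = max(rates.values(), default=0.0)
    if best == 0.0:
        # Nobody was selected at all: no group is disadvantaged relative to another.
        return {key: 1.0 for key in rates}, []
    ratios = {key: rate / best for key, rate in rates.items()}
    flagged = sorted(key for key, ratio in ratios.items() if ratio < threshold)
    return ratios, flagged


if __name__ == "__main__":
    rates = selection_rates(SAMPLE_DECISIONS)
    ratios, flagged = disparate_impact(rates)
    for key in sorted(rates):
        print(f"{key:12s} rate={rates[key]:.2f} ratio={ratios[key]:.2f}")
    print("flagged for review:", flagged)
```

Feeding the screener's real decision log into `selection_rates` on a schedule, and raising a risk-register item whenever `flagged` is non-empty, turns the audit into the kind of feedback loop the step describes.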

Preparing Your Org for the Risks of the Future 

So much is still up in the air about the potential benefits and risks of AI. And the technology is moving faster than many companies and governing bodies can keep up with. But disconnecting AI risk management from your overall risk management strategy can be a costly mistake. 

You don’t want to end up with a problem like the one facing Humana and UnitedHealth, both of which are accused of using problematic AI. The AI tool, nH Predict, is supposed to predict future medical needs. The lawsuits allege that the insurance companies are using the model to wrongfully deny care, despite a 90% error rate. Even though the companies say they keep a human in the loop to oversee the AI, these lawsuits will still be costly and damage the companies’ reputations.

Instead, being proactive and creating AI overlays now will give you an early opportunity to get ahead of regulation and scrutiny. While that may seem overwhelming, an ERM solution makes it easy to connect technical controls with enterprise-wide governance. That way you can ensure AI supports business goals without introducing unmanaged risk. 

Ready to protect your organization from the risks of the future? Check out how Origami Risk can help you build out an ERM program that meets your needs.  
