How to Think About Risk in Generative AI: It’s Not As New As You Think

Written By Andrew Alaniz

Everyone’s talking about Generative AI—what it can do, what it might break, and what it means for security and compliance. There’s a lot of noise. But let’s simplify things.

From a risk perspective, most of what people are calling “GenAI risk” really falls into two categories we’ve been managing for years:

 

1. Third-Party Risk

If you’re already sending your data to a vendor—and you’ve done your due diligence, locked in solid contracts, and have appropriate controls in place—then using that vendor’s new GenAI features probably doesn’t introduce much additional risk.

It’s not a new vendor. It’s just a new capability. As long as your agreements cover things like data use, confidentiality, and model training exclusions, your residual risk likely hasn’t changed much.

Bottom line: If you already trust the vendor with your data, and the paperwork backs it up, GenAI shouldn’t feel like a leap of faith.

 

2. Data Risk

This is where things can get more nuanced.

If you’ve already been sharing sensitive or regulated data with a vendor, and your contracts cover usage and protections, then enabling GenAI features may not shift your risk significantly.

But if you haven’t been sending that kind of data—and GenAI creates new ways to input it—you need to pause and think:

  • Do you have internal controls or user guidance to prevent sensitive data from being shared?

  • Are there technical safeguards (like DLP or prompt filtering) in place?

  • If not, do you need to rework your contracts to address this?

This really comes down to two things: data discipline and clear boundaries. Without them, GenAI doesn’t just increase risk—it increases uncertainty.

 

What Can You Do Right Now?

  • Start with visibility. Know where GenAI is showing up in tools you already use.

  • Classify before you prompt. Be clear on what kinds of data are okay to input—and what isn’t.

  • Ask vendors the right questions. Is prompt data stored? Used for training? Who has access?

  • Tighten contracts if needed. Make sure GenAI use is covered under your existing data terms.

 

Final Thought

There’s also a business lens to this conversation that often gets skipped: Will using GenAI save money or generate revenue?

If the answer is no—or you can’t measure it yet—then now may not be the time to overhaul your controls or rush into implementation. Not every new tool deserves your attention right away.

At the end of the day, GenAI doesn’t introduce some brand-new category of risk. It just puts a new spotlight on third-party risk and data risk—things you’re already managing.

If your foundation is solid, GenAI doesn’t need to be disruptive. It just needs to be deliberate.

Andrew Alaniz
Previous

The Reality of Phishing Simulations
Next

Defending Against Scattered Spider