Aulafy
Courses/AI security and evaluation/Generative AI Risk Map

Generative AI Risk Map

An AI system is not secure because it "seems to answer well." It is secure when you know what can fail, how you measure it, who is accountable, and what controls reduce the harm.

  • Separate technical, legal, operational, and user risks.
  • Use a simple map inspired by NIST: govern, map, measure, and manage.
  • Decide when an AI app can be published and when it must remain in pilot.

Four questions before publishing

  • Govern: who decides, who reviews, and what is prohibited.
  • Map: which users, data, tools, and decisions the system touches.
  • Measure: which tests check for errors, bias, privacy, and abuse.
  • Manage: which limits, logs, permissions, and processes reduce risk.

Minimum risk card

TerminalCode
riesgo:
  nombre: "responder con información médica inventada"
  sistema: "chatbot de atención"
  usuarios_afectados: ["clientes", "equipo soporte"]
  datos: ["preguntas", "historial de tickets"]
  probabilidad: media
  impacto: alto
  controles:
    - limitar dominio
    - responder con fuentes
    - abstención si no hay evidencia
    - revisión humana en casos sensibles
  tests:
    - preguntas sin evidencia
    - instrucciones maliciosas
    - datos personales en prompt
  responsable: "equipo producto"
  fecha_revision: "2026-07-03"