GenAI risk assessment workflow at a glance
Plan and prepare
Assess and consult
Procure and productize
- Identify the problem statement of the use case (for example, see Identifying use cases)
- Do some market research on relevant tech solutions, including GenAI. Identify why your department feels GenAI is helpful over other solutions (such as conventional AI or traditional data analytics).
- Use the Generative Artificial Intelligence Risk Assessment to document risk considerations for the GenAI use case. Your entity’s Chief Information Officer and Chief Information Security Officer will need to sign it.
- Not sure of a GenAI tool’s risk level? State entities can use the decision flow chart to help with self-assessment of the risk level. This decision flow chart asks a series of questions regarding the data type, the intended use of the GenAI, and the magnitude of risks to evaluate an initial risk level. State entities are responsible for conducting a thorough risk assessment to explain the risk classification level they assign.
- If needed, CDT can assist in a brief and informal pre-consultation to provide individualized guidance and recommendations to prepare customers to successfully complete the Risk Assessment requirements.
- If your department classifies the GenAI use case as “Low” risk:
  - The CIO/AIO/Designee submits a Case via the New Technology Consultation and Assessment request, in the CDT IT Service Portal, before procurement is awarded.
  - When the request has been processed, a CDT Customer Engagement Services (CES) Account Lead will be in contact with instructions to provide:
    - Required Generative Artificial Intelligence Risk Assessment
    - Required Generative Artificial Intelligence (GenAI) Reporting and Factsheet (STD 1000), once received from the Bidder / Offeror / Contractor Information
    - If completed, Privacy Threshold Assessment and Privacy Impact Assessments (SIMM 5310-C).
  - CDT reserves the right to audit and consult on "Low" GenAI Risk Levels with potential higher risk concerns.
- If your department classifies the GenAI use case as “Moderate” or “High” risk:
  - Your department must consult with CDT so that you can understand your risk assessment in order for you to design your risk management plan for the GenAI tool under consideration.
  - Using California’s GenAI Risk Management Principles as a guide, your department must develop a risk mitigation strategy to show how the moderate or high risk of the GenAI tool will be adequately mitigated, monitored, and managed prior to procurement and on an ongoing basis.
  - Your department’s CIO, AIO, or your designee will submit a Case via the New Technology Consultation and Assessment request, in the CDT IT Service Portal.
  - When the request has been processed, a CDT Customer Engagement Services (CES) Account Lead will be in contact with instructions to provide:
    - Required Generative Artificial Intelligence Risk Assessment, Parts 1 and 2
      - Part 2 includes privacy, security, transparency, and DEIA considerations for this GenAI use case.
    - Required Generative Artificial Intelligence (GenAI) Reporting and Factsheet (STD 1000), once received from the Bidder / Offeror / Contractor Information
    - Required mitigation plan
    - If completed, Privacy Threshold Assessment and Privacy Impact Assessments (SIMM 5310-C)
  - The consultation process will consist of a conversation to address the business needs and risks of using GenAI. Solicitations that contain a “Moderate” or “High” risk GenAI solution may not be released, or a contract executed, without a CDT consultation.
  - Assign a GenAI subject matter expert from your department to help facilitate the CDT consultation and contract management. A GenAI subject matter expert is someone who has completed the required technical and business training offered through CalHR to appropriately identify and evaluate the benefits and risks of GenAI technology.