1. Do risk assessment and consider equity impacts

This section helps you understand and interpret the risk level criteria defined in the GenAI Risk Assessment in a consistent way. It clarifies best practices and offers plain language suggestions on how to identify GenAI risks.

A guided workflow demonstrates how to self-assess GenAI risk and engage with the California Department of Technology in consultations on moderate/high risk use cases. It explains the principles that will guide GenAI risk assessment in California.

Your department has identified a GenAI use case and determined that a GenAI tool could potentially benefit your program. Next, you must account for and mitigate risks by conducting a risk assessment that documents potential risks to consider before procuring your GenAI use case.

The California Department of Technology (CDT) has developed the Generative Artificial Intelligence Risk Assessment to guide state entities through a thorough risk assessment of a proposed GenAI tool before it moves toward procurement. This assessment was developed based on the National Institute of Standards and Technology’s AI Risk Management Framework, the State Administrative Manual (SAM), and the State Information Management Manual (SIMM).

The GenAI Risk Assessment classifies a GenAI tool as “Low,” “Moderate,” or “High” risk based on the GenAI solution, the data underlying it, and how the department wants to use the tool. A moderate- and high-level risk assessment workflow is shown below. As you can see, GenAI tools assessed as low-risk can be largely managed using existing policies and governance frameworks. GenAI tools assessed as moderate- or high-risk require additional CDT support and guidance so that your department can safely and responsibly deploy the tool.

If needed, CDT can assist in a brief and informal pre-consultation to provide individualized guidance and recommendations to prepare customers to successfully complete the Risk Assessment requirements.

Department CIOs must conduct a risk assessment for all GenAI purchases, whether intentional or incidental.

State entities are required to complete the Generative Artificial Intelligence Risk Assessment when pursuing GenAI projects.

  1. Start with an overview of the Generative Artificial Intelligence Risk Assessment (SIMM 5305-F) workflow.
  2. Review California’s GenAI risk management principles.
  3. Review how to do a risk assessment.
  4. If you need assistance, contact your CDT Customer Engagement Services Account Lead, or email CDTGenAIIntakeRequest@state.ca.gov to discuss your questions and needs.

Consider equity impacts

If your organization has an equity or external affairs lead with experience in equity, it’s a good idea to include them on your GenAI team and in the problem statement development process.

Choose the outcome of your risk assessment to move to the next step

CDT consultation is available on request. It is not required. CDT reserves the right to audit and consult on GenAI use cases assessed at a low risk level that have potential higher-risk concerns.