GenAI risk assessment workflow at a glance

  1. Identify the problem statement of the use case (for example, see Identifying use cases).
  2. Do some market research on relevant tech solutions, including GenAI. Identify why your department feels GenAI is helpful over other solutions (such as conventional AI or traditional data analytics).
  3. Use the Generative Artificial Intelligence Risk Assessment to document risk considerations for the GenAI use case. Your entity’s Chief Information Officer and Chief Information Security Officer will need to sign it.
    • Not sure of a GenAI tool’s risk level? State entities can use the decision flow chart to help with self-assessment of the risk level. This decision flow chart asks a series of questions regarding the data type, the intended use of the GenAI, and the magnitude of risks to evaluate an initial risk level. State entities are responsible for conducting a thorough risk assessment to explain the risk classification level they assign.
    • If needed, CDT can assist in a brief and informal pre-consultation to provide individualized guidance and recommendations to prepare customers to successfully complete the Risk Assessment requirements.
  4. If your department classifies the GenAI use case as “Low” risk:
  5. If your department classifies the GenAI use case as “Moderate” or “High” risk:
    • Your department must consult with CDT to understand your risk assessment so that you can design your risk management plan for the GenAI tool under consideration.
      • Using California’s GenAI Risk Management Principles as a guide, your department must develop a risk mitigation strategy to show how the moderate or high risk of the GenAI tool will be adequately mitigated, monitored, and managed prior to procurement and on an ongoing basis.
    • Your department’s CIO, AIO, or your designee will submit a Case via the New Technology Consultation and Assessment request in the CDT IT Service Portal.
    • The consultation process will consist of a conversation to address the business needs and risks of using GenAI. Solicitations that contain a “Moderate” or “High” risk GenAI solution may not be released, or a contract executed, without a CDT consultation.
    • Assign a GenAI subject matter expert from your department to help facilitate the CDT consultation and contract management. A GenAI subject matter expert is someone who has completed the required technical and business training offered through CalHR to appropriately identify and evaluate the benefits and risks of GenAI technology.

Risk assessment workflow

Diagram contains the 5305-F Risk assessment workflow and presents questions for high, moderate, and low risk.