Generative AI is rapidly becoming part of companies’ daily operations. While some organizations are naturally more cautious than others, almost all end up using it for reasons of productivity and task simplification. The problem is that, in many cases, this adoption happens without a real assessment of the risks involved.

But is it dangerous to use? It can be. To address this challenge, Balwurk has developed an innovative framework that allows organizations to evaluate, in a systematic and objective way, the risks associated with the use of generative AI. 

A framework to measure risk based on real business value 

The methodology created by Balwurk is based on a risk matrix that crosses two key dimensions: probability of failure and potential business impact.

The process unfolds in two phases: 

  1. Characterization of the AI solution under analysis.
  2. Assessment of the risk of its use within the context of each organization.

The result classifies the risk as low, medium, or critical, with each level accompanied by corresponding mitigation recommendations.

“At this moment, there is no independent entity that labels the risks of using these technologies. The same solution can be used in a thousand different ways, with very different risk levels. Our framework was designed to fill that gap,” explains João Teixeira, Cybersecurity Engineer at Balwurk.

Open and collaborative model 

One of the most distinctive aspects of this framework is its transparent and collaborative approach.

Balwurk decided to make the methodology publicly available, reinforcing its position of awareness and oversight regarding the adoption of AI. 

“We want to contribute to a safer cyberspace. By making this framework publicly available, we not only provide organizations with practical tools but also gain real-world cases and feedback that allow us to evolve the solution,” adds João Teixeira.

This open approach ensures transparency and broad access for all organizations interested in responsibly evaluating the use of generative AI. 

Generative AI: real risks and maturity challenges 

Despite the growing use of these technologies in Portugal, Balwurk warns that the national market still lags behind in risk awareness when compared to the European reality. 

Among the main risks identified are: 

  • Leakage or permanent loss of sensitive information. 
  • Impact on business continuity. 
  • Reputational damage.

The risk cuts across all sectors, from banking to public administration, and depends mainly on the technological maturity and cybersecurity culture of each organization.

From concept to integrated tool 

Balwurk plans to evolve this framework into a comprehensive tool capable of integrating: 

  • Risk assessment 
  • Compliance verification with regulations such as the AI Act, NIS2, and DORA 
  • Dynamic security testing applied to generative AI models 

“Making informed decisions is fundamental. This framework ensures that decision-makers do not adopt generative AI blindly: it helps them understand the risks and make conscious, confident choices,” concludes João Teixeira.