AI Risks You Should Know About. Does Your Company Need an AI Strategy?

This week I got the call that always makes me uncomfortable: “Carlos, we’ve been asked for documentation about our AI systems and we don’t even know what we have or how to classify them. Can we get fined?”

The short answer: yes. And it could end your business.

At Delbion we’ve been auditing systems for more than 20 years, and in the last year the pattern repeats: companies that have adopted AI at full speed (ChatGPT for customer service, machine learning automations, predictive analytics…) but have no idea of the cybersecurity risks they’re assuming.

And worse: they also don’t know that the European AI Act is already here, with fines of up to 35 million euros.

Dangers of using AI without an audit

Does it sound familiar? Keep reading. 👇

3 AI risks we see in most audits:

1️⃣ Your HR employee just uploaded 50 resumes to ChatGPT

Two months ago I audited a company that was using generative AI to “streamline processes”. Sounds good, right?

Until we discovered that the HR team was copying complete resumes into ChatGPT to generate summaries. Confidential contracts in AI tools to write emails. Sales data on free platforms to make reports.

The problem: none of these tools had a DPA (Data Processing Agreement) in place, and the data was being used to train third-party models.

Result: Potential GDPR breach. If any of that data leaks or is misused, the company is responsible.


2️⃣ Shadow AI: The marketing department installed 3 AI plugins without notifying IT

Do you remember when we talked about “Shadow IT”? Those systems that departments implement without IT knowing.

Well now we add: Shadow AI.

Browser extensions with integrated AI. Chrome plugins for automatic writing. Third-party APIs connected to CRM or ERP without security review.

In my last audit we found 7 AI tools that no one in IT knew about. Seven. And some had known prompt injection vulnerabilities (basically, manipulating AI instructions to make it do things it shouldn’t).

The risk? Wide open backdoors.

3️⃣ “I didn’t know this was high risk” – Fine: 35 million euros

The European Union AI Act is not the future. It’s the present.

Since 2024 there are obligations already in force, and by 2027 the complete framework will be implemented.

What many companies don’t know: their AI systems probably fall into the “high risk” category without them realizing it.

Do you use AI to select candidates? High risk.

Do you have an automated credit scoring system? High risk.

Do you use AI to evaluate employee performance? High risk.

And if you get the classification wrong… you could face up to 35 million euros in fines or 7% of your global annual turnover (whichever is greater). It’s no joke. We see it in companies we thought were “fine”.

How to protect your company (without dying in the attempt)

After 20 years auditing and certifying companies under ISO 27001, ENS and now the AI Act, I can tell you that the solution is not complicated. It’s methodical.

Here’s your AI survival checklist:

AI systems inventory – Make a list of EVERYTHING that uses AI in your organization (yes, include those plugins marketing installed without notice)

Classify the risk – Does your AI make decisions about people? Evaluate if it’s high risk according to the AI Act

Clear usage policies – Document what your employees can and CANNOT do with AI tools

ISO 27001 access controls – Implement A.9.1 controls to limit who uses which tools

FRIA (Fundamental Rights Impact Assessment) – Mandatory for high-risk systems

Auditable documentation – Record all decisions made by AI (the AI Act will ask you for 10-year logs)

AI incident plan – If your chatbot goes crazy or there’s a data leak, what do you do? NIS2 requires you to report within 24 hours

If you answered “I don’t have this” to more than two points, I recommend an audit. Now.

Secure AI is not optional: it’s your competitive advantage

There’s a pattern that repeats:

Companies that get ahead of regulations win.

Those that wait to get fined… lose time, or worse: money and reputation.

At Delbion we work with the principle of audit + implement + certify. We don’t just tell you what’s wrong. We help you fix it and prove it with recognized certifications (ISO 27001, ENS, AI Act compliance).

Because in the end, what matters is not just complying. It’s building AI systems that your customers can trust.

The question is not if your company needs an AI audit.

The question is: when are you going to do it?

Because in cybersecurity, waiting can be expensive. 🚨

Free webinar: how to integrate AI securely in your organization

We’re preparing a free webinar for February 5 at 5:00 PM (Spanish time). Comment “Webinar” and we’ll send you the information to attend and have clarity about AI risks.

Tell me in the comments what AI tools you’re using and if you’ve thought about the impact of the AI Act on your organization. 👇

#Ciberseguridad #InteligenciaArtificial #AIAct #ISO27001 #NIS2 #CumplimientoNormativo #SeguridadDigital #Delbion #AuditoríaIA #GDPR

Peace of mind from using AI after an audit
