A (4:21)

Thank you, really appreciate that. And I think it's important. Both of us served in the military and I think it served us well. We learned a lot and I took away that. Your learning perspective from your military experience really made a big impact and you took that with you when you went into the civilian world. I like the goal here. You were trying to make everything measurable and all the work you were doing with that continuous data collection while always looking at ways to lower that risk and the cyber risk, the AI risk. And I think that's important. So thank you for sharing and Yakir Covert recently launched AI Risk assessment. I'm sorry, AI Risk Assessment and AI Risk Quantification module which gives organizations a way to model potential loss and build visibility around AI risk. Why do you believe moving from qualitative risk claims or concerned about AI risk to quantified metrics is a game changer? And what are the biggest barriers organizations face in making that transition?

B (5:22)

So when you quantify risk, it stops feeling abstract. Suddenly it turns into numbers. People can talk about, engineers can talk about it, GRC people, leaders can talk about it. The board can discuss and talk about. We all see the same picture and we can make decision without guesswork or subjectivity. Numbers give everyone a shared language and then AI risk from theory to something you can measure, compare and act upon. You can rank exposure, you can see which controls are actually moving the needle and direct budget to the places with the highest return. That shared language addresses the real problem because for years risk conversations lived in subjective scoring. Red, yellow, green, high, medium, low, Each team had a different definition which made the alignment tough and basically slow decisions. Which is the toughest outcome? Quantification Slipstack. It connects cyber and AI exports the financial operational outcomes the same way you evaluate any other business risk. It creates one language across security, grc, finance and the leadership of the organization. So why isn't everyone doing it today? Well first, it feels new. ARIS today reminds me of cyber a couple of decades ago. People sense it matters, but it still sounds niche or academic. Meanwhile, the reality is that AI is already added through day to day operations which means the stakes are real. And second, adoption is outpacing governance. Teams are ruling out gen AI features and pirates quickly. Policies, controls and oversight are still catching up. And in that environment, the starting point can feel fuzzy, even overwhelming. Well, the good news I have to say is you do not need to start from zero. You can use the same governance playbook that works in cyber. Begin with a structured control assessment to establish visibility. And with AI that typically means using the NIST AI, RMF or the ISO 42001 frameworks. And from there you build progressively track maturity over time, identify gaps and owners, add quantification as your data and intelligence advance and treat this as iterative practice rather than one time project. When organizations take that path, two things happen fast. One, alignment improves because everyone is looking at the same measures. And two, investment decision get better because you can show which action reduce expected loss. And this is how AI risk moves from a theoretical worry to a managed business issue.

A (8:05)

Thank you, I appreciate that and just highlight a couple of things that I thought were important. Obviously quantifying risk takes the abstract out of the conversation. Everybody can understand and ultimately you're lowering risk. It also creates that correlation with quantification, correlation between cyber AI risk to the financial aspect of the business. And I think that's really important. Yakir covers quantitative models account for rare high impact events and incident types across AI vectors. What are some of the tail risks in AI that you believe are underappreciated today? And what should enterprises begin modeling now to avoid surprises in the future?

B (8:47)

When we talk about tail risks and I we're really talking about those rare high impact events that can cause outsized damage. Things like large scale model manipulation, data poisoning in training sets, or even a systematic outage tied to a major AI service provider. But honestly what matters most isn't identifying every possible scenario, it's how you start modeling them. A lot of organizations assume they need massive data sets or advanced analytics to quantify iris, but that's not true. You can start small. You begin with one or two clear high priority scenarios that everyone can understand. Testing hub and not technical stakeholders alike. Maybe it's an AI model that fails in a critical business process. Maybe it's a third party AI tool that accidentally exposes customer data. The goal isn't to capture everything at once, it's to build the first directional view, sometimes tangible enough to begin shaping mitigation plans, funding, conversation and risk strategy. Once that foundation is there, you can start layering more granular metrics like average annual loss per scenario, high severity probabilities, downtime duration and even the financial impact of that bias or misinformation driven outputs. And over time, that evolving picture helps organization understand not just what could go wrong, but how much risk they are willing to tolerate. That's also the point where risk appetite becomes measurable. Boards can start setting thresholds, for example, deciding that the no AI related event with more than 5% chance of exceeding a $5 million loss should be accepted. That kind of clarity isn't possible without quantification. It shifts AI governance from being purely policy based to being performance based where you can actually measure how resilient you are. And just like with cyber, it's not a one time exercise, it's iterative. Each modeling cycle builds confidence, improves accuracy and helps leaders stay ahead of those high impact AI events instead of being surprised by them.

A (10:58)

Thank you, I appreciate that. And your quantitative model obviously helps senior leadership and boards understand and prepare for these risks. You mentioned a few of them. Obviously there's data poisoning, there's outages, downtimes, but what this does is it helps prepare for that mitigation planning, maybe budget downtime planning, that sort of thing. And I think that's important that people are ahead of the game because this stuff is inevitable. And Yakir, the last question of the day, if you're looking ahead five or 10 years, how do you envision the role of AI risk quantification evolving with regulation? Like in Europe, the EU, AI act, new business models and more automation across operations. What will good risk management look like in the future? And how will Cover's vision support it?

B (11:46)

We've actually seen this evolving before with cyber. So in the early days, risk quantification was what finally bridged the communication gap between technical teams, executives and regulators. It gave everyone a common language. Now the same transformation is starting to happen with AI boards. Investors and regulators are no longer satisfied with qualitative statements like we're monitoring AI risk. They want measurable evidence and clear demonstration of Exposure controls and the potential financial impact regulatory pressure is accelerating this shift. The EU AI act makes senior management explicitly responsible for AI oversight. That level of accountability means leaders have to understand risk in measurable, defensible terms. And that's exactly what quantification provides. In the U.S. for example, the SEC cyber disclosure rules already set the precedent for defining and reporting material risk. The same principle is coming to AI. Companies will soon have to quantify what constitutes a material AI event and show how they're mitigating it. In Europe, the European Central bank is taking this even further. Banks are now being asked to model how major destructions, unlike geopolitical shocks, cyber incident systemic failures would affect their capital reserves. That's financial risk modeling becoming regulatory expectation, not an optional exercise. It's only a matter of time before AI related scenarios are part of that list. So what does that mean for the future of AI risk management? In my perspective, the direction is clear. Quantification will move from a best practice to a regulatory investor expectation. Five and ten years from now, good AI risk management will mean being able to answer three questions clearly. What are our AI related exposures? How much could they cost under realistic scenarios? And what action most effectively reduce the exposure within our defined risk appetite? And that's where a cover's vision fits in. Our focus has always been on bringing financial discipline to technology risk. Just as we did with cyber, we're building the models that let organizations express AI exposure in business and capital terms. The goal is simple, to give leadership a quantified view that supports regulatory readiness, investors transparency and operational resilience. So AI becomes soaring, a managed source of value that is source of uncertainty and unpredictable loss.

A (14:23)

Thank you. I appreciate you unpacking that for us. Absolutely. Leaders, boards, investors are wanting this quantitative level of data so that it is measurable. And how do they or how do we mitigate future AI risks? Financial risk monitoring is now a requirement, as you mentioned, and it's so important. And when you again quantify things and speak a shared language and tie that correlation between the risk to the financials in the organization, people certainly pay attention. So I appreciate that. And Yakir, it was such a pleasure having you on today and I look forward to speaking with you real soon.

B (15:03)

All right, Brian, thank you so much. It's been a pleasure participating and I'm looking forward to keep listening to the next series.

A (15:10)

Bye for now.