Podcast Summary: Quantifying AI Risk – Yakir Golan on Turning Cyber Threats Into Business Intelligence
The Digital Executive | Coruzant Technologies
Date: November 14, 2025 | Episode: 1145
Guest: Yakir Golan, CEO & Co-founder of Kovrr
Host: Brian (Coruzant Technologies)
Episode Overview
This episode explores the rapidly growing need for quantifying AI and cyber risk at the enterprise level. Yakir Golan, CEO and co-founder of Kovrr, shares how his background in Israeli intelligence inspired a data-driven, systematic approach to risk. Golan details why moving from qualitative, subjective risk discussions to measurable, financial quantification is a game-changer, the barriers organizations face in that journey, and what the future of AI risk management will look like amid new regulations and increasing automation.
Key Discussion Points & Insights
1. Shaping a New Approach to Risk (01:40–04:21)
- Background Influence:
- Golan’s intelligence experience taught him to “look at how small signals connect to larger patterns” (02:04) and to approach risk as “dynamic, interconnected and constantly evolving.”
- Noted gap: Valuable threat data remained hidden from target organizations, inspiring him to “bridge that divide” by structuring raw data into actionable insight.
- From Military to Enterprise:
- Emphasized the move from static, assumption-based risk models to a discipline of “continuous data collection, modeling and validation” (03:35).
- Aim: Democratize access to real-time risk intelligence, equipping businesses with “the same level of situational awareness and quantifiable insights that intelligence agencies rely on” (03:55).
2. The Power and Challenges of Quantifying Risk (05:22–08:05)
- Why Quantify?
- Golan: “When you quantify risk, it stops feeling abstract. Suddenly it turns into numbers people can talk about… The board can discuss and talk about. We all see the same picture” (05:28).
- Quantification brings a “shared language” enabling precise prioritization, improved alignment, and better budget decisions.
- Barriers to Adoption:
- Feels unfamiliar to many—parallels early days of cyber risk maturity.
- AI adoption is moving faster than governance frameworks, making the starting point feel “fuzzy, even overwhelming” (06:35).
- How to Get Started:
- “You do not need to start from zero. You can use the same governance playbook that works in cyber… begin with a structured control assessment… identify gaps and owners, add quantification as your data and intelligence advance and treat this as iterative practice” (06:54).
- Immediate Benefits:
- Fast improvements in alignment and investment decisions, moving AI risk “from theoretical worry to a managed business issue” (07:57).
3. Underappreciated AI “Tail Risks” and Modeling Strategies (08:47–10:58)
- Examples of Tail Risks:
- Rare but damaging events such as “large scale model manipulation, data poisoning in training sets, or even a systematic outage tied to a major AI service provider” (08:55).
- How Enterprises Should Start Modeling:
- Start with “one or two clear high priority scenarios that everyone can understand” (09:15), e.g., model failure in business processes or data exposure by a third-party tool.
- “The goal isn’t to capture everything at once, it’s to build the first directional view… tangible enough to begin shaping mitigation plans, funding, and risk strategy” (09:29).
- Quantification Matures Over Time:
- Gradually add metrics like average annual loss, downtime duration, and the financial impact of AI-driven misinformation.
- This approach enables boards to set clear risk thresholds: “No AI related event with more than 5% chance of exceeding a $5 million loss should be accepted” (10:27).
- Iterative Process:
- Each modeling cycle “builds confidence, improves accuracy and helps leaders stay ahead of those high impact AI events instead of being surprised by them” (10:53).
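The threshold statement quoted above ("no more than a 5% chance of exceeding a $5 million loss") and the metrics listed with it (average annual loss, exceedance probability) are evaluated against a simulated annual loss distribution. The following is an added illustration of how that evaluation works, not Kovrr's model or anything shown in the episode: a frequency/severity Monte Carlo for a single AI risk scenario, with a Poisson event count per year and lognormal loss per event. The scenario names and every distribution parameter are constructed for the example.

```python
"""Monte Carlo loss-exceedance model for one AI risk scenario.

Added example (not Kovrr's model or code): frequency/severity simulation
used to test a board risk-appetite statement of the form
"no more than X% chance of exceeding $Y in a year".
All scenario parameters below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # Poisson rate of the loss event
    median_loss: float       # lognormal severity median, USD per event
    severity_sigma: float    # lognormal shape: dispersion of loss size


def _poisson(rng, lam):
    """Knuth's method; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, years, seed=0):
    """Return one simulated total loss per year (compound Poisson-lognormal)."""
    rng = random.Random(seed)
    mu = math.log(scenario.median_loss)   # lognormal median == exp(mu)
    losses = []
    for _ in range(years):
        n = _poisson(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, scenario.severity_sigma)
                          for _ in range(n)))
    return losses


def summarize(losses, threshold):
    """Average annual loss, exceedance probability and 1-in-20-year loss."""
    losses = sorted(losses)
    n = len(losses)
    aal = sum(losses) / n
    p_exceed = sum(1 for x in losses if x > threshold) / n
    var_95 = losses[min(n - 1, int(0.95 * n))]   # 95th percentile annual loss
    return {"aal": aal, "p_exceed": p_exceed, "var_95": var_95}


def within_appetite(summary, max_probability):
    """Risk-appetite test in the shape of the episode's example statement."""
    return summary["p_exceed"] <= max_probability


def evaluate(scenario, threshold=5_000_000, max_probability=0.05,
             years=20_000, seed=1):
    losses = simulate_annual_losses(scenario, years, seed)
    result = summarize(losses, threshold)
    result["accepted"] = within_appetite(result, max_probability)
    return result


# Constructed scenarios (hypothetical parameters, not from the episode).
MODEL_FAILURE = Scenario("Model failure in a business process", 0.5, 400_000, 1.0)
THIRD_PARTY_EXPOSURE = Scenario("Data exposure via third-party AI tool", 0.1, 3_000_000, 1.2)

if __name__ == "__main__":
    for sc in (MODEL_FAILURE, THIRD_PARTY_EXPOSURE):
        r = evaluate(sc)
        print(f"{sc.name}: AAL ${r['aal']:,.0f}, "
              f"P(loss > $5M) = {r['p_exceed']:.1%}, "
              f"1-in-20-year loss ${r['var_95']:,.0f}, "
              f"accepted = {r['accepted']}")
```

The point of the structure is that the appetite statement is checked against a distribution rather than a single point estimate: the same scenario can pass on average annual loss while failing on the tail, which is exactly the "tail risk" distinction the section draws. Re-running with updated frequency or severity parameters is the iterative cycle described above.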
4. Future of AI Risk Quantification and Regulatory Landscape (11:46–14:23)
- Global Trends:
- Golan: “Boards, investors, and regulators are no longer satisfied with qualitative statements like ‘we’re monitoring AI risk.’ They want measurable evidence and clear demonstration of exposure, controls, and the potential financial impact” (12:11).
- The EU AI Act and SEC cybersecurity disclosure rules are accelerating this transformation.
- Example: the European Central Bank now requires banks to model the effects of major disruptions, which Golan describes as “financial risk modeling becoming regulatory expectation” (13:22).
- What “Good” Will Look Like in 5–10 Years:
- Being able to answer:
- What are our AI-related exposures?
- How much could they cost under realistic scenarios?
- What actions most effectively reduce exposure within our defined risk appetite?
- Kovrr’s Vision:
- “Bringing financial discipline to technology risk,” allowing organizations to communicate exposure “in business and capital terms… to give leadership a quantified view that supports regulatory readiness, investor transparency and operational resilience” (13:54).
Notable Quotes & Memorable Moments
- On Risk Modeling Roots:
  “You’re trying to look at how small signals connect to larger patterns and how one detail on its own might not mean much, but together they all can tell a story.”
  — Yakir Golan (02:04)
- Quantification’s Core Value:
  “Numbers give everyone a shared language… you can rank exposure, see which controls are actually moving the needle and direct budget to the places with the highest return.”
  — Yakir Golan (05:36)
- On Starting the Journey:
  “You do not need to start from zero… begin with a structured control assessment… treat this as iterative practice rather than [a] one time project.”
  — Yakir Golan (06:54)
- Tail Risks:
  “What matters most isn’t identifying every possible scenario, it’s how you start modeling them.”
  — Yakir Golan (08:54)
- Regulatory Shift:
  “Investors and regulators are no longer satisfied with qualitative statements like ‘we’re monitoring AI risk.’ They want measurable evidence and clear demonstration of exposure, controls and the potential financial impact.”
  — Yakir Golan (12:11)
- A Vision for the Future:
  “Quantification will move from a best practice to a regulatory [and] investor expectation... good AI risk management will mean being able to answer three questions clearly: What are our AI-related exposures, how much could they cost under realistic scenarios, and what actions most effectively reduce the exposure within our defined risk appetite?”
  — Yakir Golan (13:33)
Timestamps for Important Segments
- 00:00–01:06: Intro, guest bio
- 01:40–04:21: Yakir’s background; how intelligence shaped his approach to risk
- 05:22–08:05: Why quantification is transformative; barriers to change
- 08:47–10:58: Modeling for rare/high-impact (“tail”) AI events; practical steps to start
- 11:46–14:23: The evolving regulatory/board landscape for AI risk; Kovrr’s forward-looking vision
Tone & Style
The conversation is direct, analytical, and accessible—balancing technical insight with very practical advice for enterprise leaders. Golan’s responses are measured and detailed, reflecting a strong belief in leveraging intelligence methodologies for actionable, business-ready risk management.
Summary for Listeners
This episode compellingly argues that quantifying AI and cyber risk is no longer optional—it's becoming a regulatory, board, and investor mandate. Yakir Golan, drawing on his intelligence background, outlines how organizations can move from abstract, subjective assessments to a measurable, shared understanding that informs budget, strategy, and mitigation. He offers practical frameworks for getting started and illustrates how the best-prepared organizations will iteratively adapt to rising threats, new technologies, and regulatory expectations. For enterprises looking to future-proof their AI and cyber risk management, this conversation is both a warning and a roadmap.
