[Presentation Materials]
I gave a presentation titled "Let's Think About How Risk Management Should Be in the AI Era" at the CCoE Practitioners Community Kansai.

[Presentation Materials] I gave a presentation titled "Let's Think About How Risk Management Should Be in the AI Era" at the CCoE Practitioners Community Kansai.

As AI adoption in organizations advances, I gave a lightning talk about the importance of not aiming for zero risk but instead finding the line that an organization can accept, as well as how to utilize the NIST AI RMF.
2026.07.17

This page has been translated by machine translation. View original

Hello, I'm Arahira (@eiraces) from the Cloud Business Division.

At CCoE Practitioners Community Kansai #9 held on July 16, 2026, I gave a presentation on the theme "Thinking About How Risk Management Should Be in the AI Era."

https://ccoekansai.connpass.com/event/396837/

Session Slides

Supplement

Among the various things required of CCoE / AI CoE, I have the impression that the mission of "wanting an environment where AI can be used safely" is frequently assigned.

ScreenShot 2026-07-16 at 20.02.47

While AI has been deployed, stories about risks from AI usage becoming apparent have become more prominent.

image-20260716200511016

I feel that there are quite a few environments where usage status is not being captured (no mechanism to observe it), and I believe information should be obtained as much as possible.

image-20260716200620106

I also briefly touched on the core functions of NIST AI RMF (AI Risk Management Framework).
Details are described in the following blog, so please refer to it as well.

https://dev.classmethod.jp/articles/understanding-nist-ai-rmf/

This is entirely my personal opinion, but I think it is better to give up on trying to reduce risk to zero, and it will come down to finding a line that the organization can accept.
If the benefits outweigh the drawbacks, I feel that accepting the risks after properly communicating them is also an option.

ScreenShot 2026-07-16 at 20.13.41

Security concerns are endless, but the "requests" distributed within the organization can sometimes be addressed by distributing additional md files.
These rules are better left not strictly managed, and when strict control is desired, for Claude, they are moved to guardrails such as writing them in settings.json.

Examples of recommendations and requests (SHOULD):
・Refer to internal guidelines and confirm rules according to the type of application being created
・Leave a README including owner information, data destinations, and processing details for any created applications
・Record architecture decisions in an ADR (Architecture Decision Record)

ScreenShot 2026-07-16 at 20.18.03

I hope this entry is helpful to someone.
This has been Arahira from the Consulting Department of the Cloud Business Division!

References

https://www.nist.gov/itl/ai-risk-management-framework

https://dev.classmethod.jp/articles/security-on-software-development-with-generative-ai/


そのCCoE、つくって終わりになっていませんか

ガバナンスのルールも組織ポリシーも、整えた直後はちゃんと機能する。でも運用が属人化すれば、CCoEはいつのまにか形だけに。ベンダー依存から内製へ踏み出すために、中の人として実行まで伴走する。立ち上げと定着の進め方を、無料資料にまとめました。

CCoE総合支援

CCoE立ち上げ資料をダウンロード

Share this article