![[Presentation Materials]
I gave a presentation titled "Let's Think About How Risk Management Should Be in the AI Era" at the CCoE Practitioners Community Kansai.](https://images.ctfassets.net/ct0aopd36mqt/1dD7b8HkT2sbiJzUIewMTD/e5cdc6f33c4fdd9d798f11a4564612ff/eyecatch_developersio_darktone_1200x630.jpg?w=3840&fm=webp)
[Presentation Materials] I gave a presentation titled "Let's Think About How Risk Management Should Be in the AI Era" at the CCoE Practitioners Community Kansai.
This page has been translated by machine translation. View original
Hello, I'm Arahira (@eiraces) from the Cloud Business Division.
At CCoE Practitioners Community Kansai #9 held on July 16, 2026, I gave a presentation on the theme "Thinking About How Risk Management Should Be in the AI Era."
Session Slides
Supplement
Among the various things required of CCoE / AI CoE, I have the impression that the mission of "wanting an environment where AI can be used safely" is frequently assigned.

While AI has been deployed, stories about risks from AI usage becoming apparent have become more prominent.

I feel that there are quite a few environments where usage status is not being captured (no mechanism to observe it), and I believe information should be obtained as much as possible.

I also briefly touched on the core functions of NIST AI RMF (AI Risk Management Framework).
Details are described in the following blog, so please refer to it as well.
This is entirely my personal opinion, but I think it is better to give up on trying to reduce risk to zero, and it will come down to finding a line that the organization can accept.
If the benefits outweigh the drawbacks, I feel that accepting the risks after properly communicating them is also an option.

Security concerns are endless, but the "requests" distributed within the organization can sometimes be addressed by distributing additional md files.
These rules are better left not strictly managed, and when strict control is desired, for Claude, they are moved to guardrails such as writing them in settings.json.
Examples of recommendations and requests (SHOULD):
・Refer to internal guidelines and confirm rules according to the type of application being created
・Leave a README including owner information, data destinations, and processing details for any created applications
・Record architecture decisions in an ADR (Architecture Decision Record)

I hope this entry is helpful to someone.
This has been Arahira from the Consulting Department of the Cloud Business Division!
References
