But the security benefits of GenAI can only be realized when organizations build a solid foundation for
            how  the  technology  should  work  throughout  the enterprise.  Before  deploying  AI,  organizations  must
            establish robust policies for AI deployment and standards for AI use. Employees should have full clarity
            on acceptable use of AI tools and technologies, including knowing which behaviors are restricted and
            what  disciplinary  actions  would  be  for  violating  those  restrictions.  These  policies  not  only  define
            operational boundaries but also facilitate corrective measures in case of violations.



            Defining models and cost management

            Deciding which AI models to deploy is pivotal to establishing a firm foundation for security. Organizations
            aligned with tech giants may have different preferences, influenced by cost and compatibility. Security
            often functions as a cost center, requiring strategic decisions on model usage to avoid financial pitfalls.
            Clarity on model selection facilitates effective cost management and consistent outcomes.

            As you roll out these language models, you must train them on what information they can consume from
            your enterprise and what they cannot. Depending on the role of the agent, what information do you want
            it to give to the requester?

            AI systems must be continuously validated to verify secure operations just as security would validate that
            controls and stop-gap measures work correctly in non-AI systems. Organizations must establish checks
            and  balances,  confirming  that  AI  systems  create  secure  code  and  produce  secure  outcomes.  This
            diligence prevents unintended data exposure and reinforces cybersecurity frameworks. Organizations
            must ensure that third parties can’t access customer information that store associates or online stores
            use to personalize shopping experiences, as that information is a competitive advantage that could help
            other businesses.



            Conclusion

            Through informed decision-making and strategic planning, retail CISOs can turn potential threats into
            opportunities, transforming GenAI from a perceived risk into a valuable asset. Comprehensive policies
            and  rigorous  validation  processes  are  essential  to  enhance  cybersecurity.  Consulting  with  EY
            professionals can provide valuable guidance in securing AI deployments and protecting against evolving
            threats. By leveraging AI responsibly, retail CISOs can transform perceived threats into opportunities,
            strengthening their defenses and safeguarding their businesses.

            The views reflected in this article are the views of the author and do not necessarily reflect the
            views of Ernst & Young LLP or other members of the global EY organization.












            Cyber Defense eMagazine – September 2025 Edition                                                                                                                                                                                                          96
            Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.