Agefi Luxembourg - June 2026
AGEFI Luxembourg, page 44, June 2026, AI & Tech

While organizations already have established controls for third-party, cyber and data protection risks, AI introduces a new layer of challenges centering around design, algorithmic behaviour, data privacy & protection and performance. Addressing these risks does not require entirely new frameworks, but the disciplined extension of existing risk-management practices to embed AI-specific controls across the full system lifecycle, in line with the spirit of the EU AI Act.

Artificial intelligence has moved decisively into the operating core of modern organizations. It supports actual business decisions across credit rating & management, fraud detection, customer interaction, recruitment and strategic analysis. In many firms it is embedded in everyday decision-making.

Across the EU we've been clear that AI-driven innovation in everyday decision-making must be balanced by governance, oversight and control. It is important that firms understand the risks it creates and whether they can demonstrate effective controls across the entire lifecycle. For boards and executive committees, governance should extend beyond AI-driven productivity, where AI is used as a means to address resource shortages and awareness, to the risk management of AI systems themselves.

Governance of AI is a relevant topic across businesses in Luxembourg. The country's economy is anchored in highly regulated sectors, especially financial services, where governance, outsourcing and operational resilience are already critical disciplines. AI adoption is accelerating, while governance practices lag innovation.

Organizations that succeed under the AI Act will not be those that focus purely on compliance, but those that treat it as a catalyst to build structured AI risk-management capabilities and find the right balance between control of AI systems and AI-driven innovation.
A risk-based approach that forces discipline

The Act introduces a risk-based framework that classifies AI systems according to their potential impact. Some uses are prohibited, others are classified as high-risk and subject to strict requirements, while many remain lightly regulated. This model places classification at the center of AI governance. Before controls can be designed, organizations must understand the nature of their AI systems, how they are used and the risks they generate. This is often underestimated. Many firms still treat risk assessment as a downstream activity. Under the Act, classification is a front-end discipline. Misclassifying a use case, or failing to classify it at all, is a governance failure.

Why AI risk is different

AI risk overlaps with traditional technology risks. However, it also introduces new dimensions. AI systems are not just technical tools, but also socio-technical systems. They embed assumptions, learn from data and influence decisions that affect individuals, markets and institutions. As a result, risks may remain invisible.

A system may continue to operate while its performance degrades, its outputs become biased, or its use diverges from its intended purpose. Human oversight may exist formally but erode in practice, as users increasingly rely on automated outputs.

AI risk must therefore be assessed across three layers:
- Traditional IT and operational risks
- Model-specific risks such as bias and performance drift
- Broader risks to trust, fairness and rights.

This layered nature of risk is what makes AI governance fundamentally different. Key traditional risk categories that emerge under the AI Act include third-party risk, cyber risk and data protection risk.

Third-party risk

Most organizations rely on external AI providers. This introduces dependency on systems that are often opaque and difficult to challenge. Organizations frequently do not understand how these third-party systems work.
Third-party risk is already a central concern across the financial services sector, given the requirements of DORA. In Luxembourg's financial sector, where outsourcing and group-level solutions are common, this risk is particularly acute.

Cyber risk

AI expands the cyber threat landscape. Systems can be manipulated through adversarial inputs, data poisoning, or prompt injection. At the same time, AI is used by attackers to increase the scale and sophistication of cyberattacks.

This creates a shift from securing applications to securing the full AI lifecycle, from training data to deployment and monitoring, building on existing cybersecurity frameworks and regulatory expectations under regimes such as NIS2.

Data protection risk

The AI Act does not replace GDPR. Both frameworks apply simultaneously. Many AI use cases, such as recruitment, credit scoring, or fraud detection, raise complex data protection issues, including profiling, transparency and lawful processing. AI governance must therefore integrate legal, privacy and technical perspectives. Managing these separately is no longer viable.

Beyond the typical risks that come with technology systems, the socio-technical nature of AI and the adaptive nature of the algorithms underlying AI systems give rise to new risks: design risk, algorithmic risk and performance risk.

Design risk

Some of the most significant issues arise during design, for instance when key requirements have not been captured at the design stage, or when there is a clear need to explain AI output and an opaque model that does not allow for this is selected during development. Choices made at the outset, i.e., model type, explainability, human oversight and performance thresholds, determine whether a system can meet regulatory expectations. Retrofitting controls later is often difficult or ineffective. Design is therefore a critical control point.

Algorithmic risk

Bias remains one of the most visible AI risks, but also one of the least precisely managed.
Bias can arise from data, model design or deployment context. In financial services, it can directly impact fairness, customer outcomes and regulatory compliance. The challenge is to move from general awareness to measurable controls such as testing, monitoring and documenting potential impacts.

Performance risk

Unlike traditional IT systems, AI failures may not be immediately visible. Systems can continue to produce outputs while their quality deteriorates. This creates the risk of "silent failure". Organizations must therefore monitor not just system availability, but output quality, drift and decision integrity. Automation can also weaken human oversight over time, creating a feedback loop between model drift and declining human challenge.

Adapting our existing enterprise risk management systems to address AI-specific risk

Over the last few years, in Luxembourg and across the EU, via frameworks such as DORA and NIS2, we've gone to great lengths to build holistic, regulation- and best-practice-driven control frameworks to manage traditional risks such as third-party, cybersecurity and data protection risks. The newer AI-specific risks that AI gives rise to, i.e., design, algorithmic and performance risks, require attention. Thus, the real challenge lies in operationalising controls for the AI-specific layer. The most efficient way to drive compliance and mitigate these new AI-specific risks would be to adapt our existing enterprise risk management frameworks to cater to AI-specific risks. Below are ways to do it.

Shift controls upstream to address design risk by embedding a "design by principle" approach, moving governance from post-implementation validation to pre-implementation design assurance, i.e., addressing design risk before development or procurement begins. In practice:
- Define the purpose, stakeholders and acceptable outcomes before solution selection.
- Build in controls to define explainability, human oversight and auditability requirements at the design stage.
- Factor in regulatory and business requirements when setting the level of model complexity and selecting AI models. This brings a flavour of risk-based thinking into AI model selection.
- Define conditions under which an AI use case should not proceed, i.e., "no-go" criteria.

Move from awareness controls to measurement-based controls to manage algorithmic risk. Algorithmic risk and its biases cannot be managed through policy alone. It must be measured, tested and evidenced. In practice:
- Construct datasets that are representative, relevant and free from unintended proxies to aid data governance.
- Define criteria to check the fairness of AI models and test these models across different population segments to detect biases.
- Maintain transparency on model constraints and data quality by documenting assumptions and limitations.
- Work with Risk Management and Compliance functions to review model outcomes and drive independent challenge.

This helps extend existing model risk management practices to include criteria such as fairness and explainability.

Continuously monitor performance risk, since it cannot be addressed via a one-off validation only. Unlike traditional applications, AI systems require ongoing performance oversight. In practice:
- Build a performance monitoring framework and metrics to track accuracy, drift and output quality over time.
- Trigger thresholds and alerts by defining when intervention or retraining is required.
- Assess when human review is overridden or ignored via human-oversight effectiveness metrics.
- Capture failures that do not necessarily result in immediate impact by constantly logging incidents and near-misses.

This moves organizations from a one-time validation to ongoing supervision of AI systems in production.

To smooth the integration of AI-specific risk into enterprise risk management, first steps include:
- Extending model risk management frameworks to AI use cases.
- Embedding AI controls into change management and product approval processes.
- Aligning responsibilities across business, risk, compliance and technology.
- Ensuring traceability through documentation, audit trails and reporting.

The objective is not to create new layers of complexity, but to ensure that AI-specific risks are systematically captured within existing control environments, with clearly defined human-in-the-loop oversight ensuring that critical decisions remain reviewable, challengeable and ultimately accountable.

Ultimately, managing AI-specific risks is less about introducing entirely new frameworks and more about adapting existing governance disciplines to a new class of risk. Organizations that succeed will be those that treat design as a control point, measure rather than assume fairness, monitor rather than validate only once and, finally, embed AI governance measures rather than isolate them. These measures will transform AI risk management from a theoretical requirement into an operational capability, one that factors in AI-specific risk.

Abdelhay TOUDMA, Partner, Governance, Risk & Compliance Leader
Johann LOBO, Senior Manager, Governance, Risk & Compliance
EY Luxembourg

Managing AI-Specific Risks in the Spirit of the EU AI Act

On 4 June 2026, the Luxembourg startup MON5, which specialises in industrial cybersecurity, won the national final of the Startup World Cup Luxembourg 2026, organised by EY. This victory will allow it to represent Luxembourg at the competition's world final, organised by Pegasus Tech Ventures, where the winner can secure an investment of 1 million dollars.

This edition brought together seven startups with varied profiles: CRAB Traceability Systems, Deelan, MON5, Scrioo, So.cool, STARGATE and TechNovator. After the candidates' presentations, the jury chose MON5 for the relevance of its positioning, the quality of its technology and its development potential in a fast-growing market.

Founded by 5 initiators, MON5 targets a segment that is often neglected: industrial SMEs.
While large companies already have advanced cybersecurity solutions, many small and medium-sized organisations face growing regulatory requirements without having suitable tools. The company intends to meet this need with a platform specialised in the monitoring and protection of industrial systems.

Its technology is based on expertise developed in-house around OT (Operational Technology) protocols, which are used to control machines, automated equipment and production lines. Thanks to asset mapping, real-time monitoring and behavioural detection functions, MON5 claims to be able to identify threats that are often invisible to traditional solutions.

For Maurizio Ghisolfi (see photo), founder of the company, the timing is particularly favourable. Between the rise in cyber risks and the tightening of European regulations, demand for this type of solution keeps growing. The objective now is to accelerate the company's development, strengthen its teams and continue its international expansion.

The organisers praised the particularly high standard of this edition. Romain Swertvaeger, representing EY Luxembourg, stressed that the jury had had to decide between very different projects, all of high quality. He believes that MON5 stood out for its clear vision, its technological mastery and the existence of a real market for its offering.

Created by Pegasus Tech Ventures, the Startup World Cup is one of the largest international competitions dedicated to startups. Organised in more than 60 countries, it offers innovative young companies global visibility and the opportunity to measure themselves against the best entrepreneurial projects at its international final.

MON5 wins the Startup World Cup Luxembourg 2026
© EY