
This is a hands-on field course for security people who just became responsible for AI risk and need a working playbook by Monday morning. Over two days, you find shadow AI in your org’s expense reports, score AI agent vendors, draft an Acceptable Use Policy, write a one-page CISO brief, and walk out with a personal 90-day plan.
Course Length: 16 Hours
Includes a Certificate of Completion
Description
Your boss just dropped AI risk in your lap. Now what?
Every student gets a free copy of Gears Don’t Guess: The Executive’s Practical Guide to Thriving in the Face of AI Hype and Risk (published September 2026). Students will receive a PDF version with enrollment, with a Kindle, audio, or softcover edition available from the instructor upon request.
System Requirements
- Bring a spreadsheet program you can work in (Excel, Google Sheets, or Numbers), and be comfortable using column filters and pivot tables.
- Text-tool fans. If you prefer grep, sed, awk, Python, or your own scripts on the supplied datasets, go for it.
- Observers. If you'd rather just watch, that works too. You follow along on the instructor's screen during the hands-on blocks and join the pair discussions and scenario challenges.
- AI-tool users. If you want to use Claude Code CLI, Claude Desktop, OpenAI Codex CLI, Cursor, Aider, Continue, or another agentic environment with The Greenhorn (your over-eager GenAI intern) loaded on your own laptop, you can. The Greenhorn is released before class as a take-home; install instructions ship with your enrollment confirmation.
- All students reach the same outputs.
Syllabus
Two days, eight modules, 14 instructional hours. Breaks built into the agenda; lecture chunks capped at 20 minutes; format rotates every ~20 minutes (lecture, pair discussion, try-it-now practice, scenario challenge, Q&A).
Day 1: Foundation plus Frameworks (Modules 1-4).
- Module 1: Why AI Risk Is Your Problem Now. Name where AI risk lives in your stack in plain English your boss’s boss understands. Walk out with a one-page AI risk map for your own org. Know which of the three forces (people, vendors, agents) poses the greatest risk at home.
- Module 2: Hunting Shadow AI Through Finance Records. Spot shadow AI purchases in your org’s expense reports faster than your CFO does. Run a spreadsheet-based pattern-matching analysis on a 3,000-line expense dataset and walk out with a method you can run on your own org’s expenses next week.
- Module 3: Sorting Your Data. Build a one-page data classification draft for an AI use case in your org by lunch on Day 1. Know which data types AI is touching that your IT team has not noticed.
- Module 4: The AIR-MAP Framework: Culture plus Core. Score your own org on a Lite Culture AIR-MAP. Score a specific use case on a Lite Core AIR-MAP. Know when to use each and how to talk about both with your boss.
Day 2: Advanced plus Action (Modules 5-8).
- Module 5: Agent Security Deep Dive. Spot the 7 harness components in any AI agent system in under 5 minutes. Make a go-or-no-go call on a real agent vendor that you can defend. Know what to ask any agent vendor to separate plumbing from pitch.
- Module 6: Acceptable Use plus Governance Plumbing. Draft an AI Acceptable Use Policy for your own org by module end. Identify the four plumbing components (specifications, scoped agents, human gates, data fences) in any AI deployment. Walk out with the diagnostic question that exposes AI vendor BS in one ask.
- Module 7: Communicating Up to Your CISO. Write a one-page CISO brief that earns immediate sign-off, not a follow-up question. Set your CISO up for success in their next conversation with the CFO or board. Know the three practitioner-to-CISO communication failures to never repeat.
- Module 8: The First 90 Days. Walk out with a personal 90-day plan for your AI risk lieutenant role. Know the three highest-impact actions to take in Week 1, in priority order. Leave with weekly and monthly cadences that keep the work alive past Day 90.
FAQ
AI risk is showing up in every department. If you’re the security person who just got handed it, you need tools, not theory. This is the Monday-morning playbook:
- A one-page AI risk map for your own org.
- A method for hunting shadow AI ready to run.
- An AI AUP draft for your own org.
- A one-page CISO brief on a real finding.
- A personal 90-day plan.
- The Greenhorn: a CRO-provided AI assistant configuration pack you can install on your own laptop after class.
- A free copy of Gears Don’t Guess.
Intermediate.
You should already work in cybersecurity, infosec, risk, audit, or IT, with a few years of experience. No AI background needed. No coding background needed.
If you can run Excel pivot tables and column filters, you’ll move faster on the supplied datasets. You don’t need anything beyond a spreadsheet to get full value from the course.
At a minimum, you can discuss your own org’s security or risk program, read a vendor pitch and find red flags, and trade ideas with a partner.
Recommended (not required) pre-reading: Gears Don’t Guess Chapters 3 and 4 (about 50 pages, sent with your enrollment confirmation).
Recommended (not required) to bring: an org chart of your own org, a sanitized recent company-wide expense report, an AI use case you care about, an AI vendor pitch you’re evaluating. If you can’t bring any of those, we provide sample data.
The in-house go-to person on AI risk. Or the person who just got volunteered for it.
Job titles: cybersecurity manager, senior cybersecurity analyst, GRC analyst, risk analyst, internal auditor, privacy officer, vCISO, MSSP team lead, security architect, IT director. Reports to a CISO or equivalent.
NOT a red-team or AI-exploit class. No prompt-injection labs. No jailbreaks. No malware. This is a defensive and governance set of playbooks.
By the end of two days, you’ll be able to:
- Map where AI risk lives in your own org and rank the three forces (people, vendors, agents) by exposure.
- Hunt shadow AI purchases inside an expense report at scale using a spreadsheet, not eyeballs.
- Classify the data your AI use cases are touching, including the categories your IT team has not noticed.
- Score your org’s AI culture and a specific use case on the AIR-MAP framework and defend the score to your CISO and your auditor.
- Inspect any AI agent system and find the 7 harness components in under 5 minutes.
- Score an agent vendor against the 7 Agent Security Problems and make a defensible go-or-no-go call.
- Apply the four-part “show me the plumbing” diagnostic to expose AI vendor BS in one ask.
- Draft an AI Acceptable Use Policy for your own org in 25 minutes.
- Write a one-page CISO brief that earns immediate sign-off.
- Build a personal 90-day plan for your AI risk lieutenant role, in priority order.
You also leave with The Greenhorn: a CRO-provided AI assistant configuration pack you can install on your own laptop with your own tool of choice and keep using past Day 90.
About the Instructor
Kip Boyle
Bio
Kip Boyle is a husband, dad, small business owner, and experienced cybersecurity hiring manager. Over the years, Kip has built many InfoSec teams in a variety of settings including as a captain on active duty in the US Air Force, as the CISO of PEMCO Insurance in Seattle, and vCISO in his own company, Cyber Risk Opportunities LLC. Kip is a primary author and leader of the open source “Cybersecurity Hiring Manager Handbook”. He’s also the co-host of The Cyber Risk Management Podcast and the co-host of the Your Cyber Path Podcast.

