GenAI: CIOs Take a Cautious Approach to Risks

The excitement around generative AI (GenAI) resembles a digital gold rush. While executive management and business units push for rapid adoption, CIOs are working to slow down the momentum in order to manage the associated risks.

Immediate Risks: Shadow AI

Shadow AI, or the unauthorized use of GenAI through personal accounts, is one of the main challenges for CIOs. According to a study, nearly one in two users continues to access GenAI tools via personal accounts for professional purposes.

“Today, it is impossible to avoid the topic of generative AI,” notes Lionel Chaine, CIO of Bpifrance.
“From the very beginning, this topic was raised at the executive management level,” adds Nicolas Siegler, Deputy CEO and CIO of Maif.

Despite strong enthusiasm, the return on investment remains unclear. An MIT study (The GenAI Divide: State of AI in Business 2025) found that 95% of companies see no measurable ROI. Benefits tend to emerge mainly after scaling relevant use cases.

CIOs Facing the Frenzy

Even without immediate ROI, nearly all organizations are testing these technologies on a large scale. The widespread use of ChatGPT and other LLMs by the general public encourages employees to bypass restrictions, often via smartphones or personal subscriptions.

CIOs must therefore balance adoption with control, managing:

  • Regulatory and legal compliance
  • AI-generated hallucinations
  • Exposure of sensitive data
  • HR and environmental impacts
  • Budgetary risks

The Cigref has published several guides, including one dedicated to the practical implementation of the European AI Act, to help CIOs govern these uses effectively.

Governance and Prioritization of Use Cases

For Lionel Chaine, “out of 200 use cases proposed by the business units, around 20 have been put into production.” Governance is essential to reap the benefits of generative AI while minimizing risks.

Nicolas Siegler explains that Maif has established an “Ethical Digital” oversight committee to evaluate the HR, environmental, and ethical impacts of generative AI use.

Assessing Return on Investment

The ROI of GenAI varies depending on the type of use case:

  • AI integrated into business processes: ROI is relatively straightforward to measure, although the final decision also depends on other factors.
  • Horizontal AI (generating meeting minutes, summaries, or technical responses): studies estimate an average daily time saving of 50 minutes per user.

Some organizations prioritize reducing workload rather than direct efficiency gains, such as in Lorient, where a chatbot assists front-desk staff.

Awareness and Training Rather Than Prohibition

Because paid solutions cannot always be made accessible to all employees, some organizations focus on awareness and training:

  • Crosscall: all unauthorized use is prohibited, but workflows are not blocked; the aim is to make users responsible.
  • Maif: secure access to Copilot Web, with monitoring of usage and prompt assistance.
  • Agglomération de Lorient: an internal memo is circulated to staff to inform them of opportunities and risks.

Awareness initiatives also aim to prevent sensitive information from being shared through public AI tools.

Monitoring Hallucinations and Critical Risks

Generative AI is not perfect and sometimes produces hallucinations. The Cigref recommends clearly defining roles and responsibilities for critical use cases:

  • Bpifrance: three levels of AI agents depending on data access (web, hybrid, internal).
  • Maif: a “Maintaining Intelligent Conditions” system to monitor experimental chatbots and prevent deviations.

This monitoring helps mitigate cybersecurity risks and protect sensitive data.

Regulatory Framework and Cybersecurity

The AI Act requires transparency and data tracking. CIOs must also manage:

  • Confidentiality and information security
  • Environmental and energy impacts of AI workflows
  • Prevention of malicious prompt injections

“To date, there is no equivalent of a firewall for generative AI,” notes Lionel Chaine.
Nicolas Siegler adds that Maif monitors the dark web to ensure no data leaks occur.

Risk management must therefore be holistic, covering confidentiality, security, hallucinations, and intellectual property.

Conclusion

CIOs perform a balancing act: keeping up with innovation while limiting risks. Success relies on clear governance, active awareness programs, and continuous monitoring, allowing organizations to harness the potential of GenAI without compromising security, ethics, or compliance.

News source: Le Monde Informatique