Module 44: Emerging Technologies

CRISC Domain 4 — Technology and Security Section A 12–15 min read
Innovation increases capability.
Innovation also increases uncertainty.

Emerging technologies introduce:

  • New attack surfaces
  • New regulatory exposure
  • New dependency risks
  • New operational models
  • New control challenges

CRISC evaluates whether risk governance adapts to technological change.

This section tests forward-thinking discipline.

What the exam is really testing

When emerging technologies appear, CRISC is asking:

  • Was risk assessed before adoption?
  • Were governance controls updated?
  • Was concentration risk evaluated?
  • Was vendor dependency analyzed?
  • Were regulatory implications considered?
  • Was residual risk formally accepted?

Emerging tech increases inherent risk due to uncertainty.

Common emerging technology themes

CRISC may reference:

  • Artificial Intelligence (AI / ML)
  • Cloud-native architectures
  • Serverless computing
  • Internet of Things (IoT)
  • Blockchain
  • Robotic Process Automation (RPA)
  • API ecosystems
  • Edge computing
  • SaaS proliferation

You are not tested on configuration.
You are tested on risk implications.

Artificial Intelligence (AI) risk

AI introduces:

  • Model bias risk
  • Data quality risk
  • Explainability risk
  • Regulatory scrutiny
  • Intellectual property exposure
  • Automation over-reliance
  • Shadow AI usage

Governance must evaluate:

  • Data sources
  • Training integrity
  • Human oversight
  • Accountability
  • Model drift monitoring

CRISC may test lack of AI governance discipline.

Cloud-native & serverless risk

Modern architectures introduce:

  • Shared responsibility model complexity
  • Vendor lock-in
  • Region concentration risk
  • Identity federation risk
  • API misconfiguration exposure

Cloud does not eliminate risk — it redistributes it.

IoT risk

IoT introduces:

  • Device sprawl
  • Weak patching
  • Limited logging
  • Supply chain risk
  • Physical-to-digital exposure
  • Segmentation challenges

IoT often increases attack surface dramatically.

Blockchain & distributed ledger risk

Blockchain introduces:

  • Immutability challenges
  • Key management risk
  • Regulatory uncertainty
  • Integration complexity
  • Smart contract vulnerabilities

Immutability does not eliminate governance risk.

Automation & RPA risk

Automation can:

  • Scale errors rapidly
  • Amplify control weaknesses
  • Introduce dependency risk
  • Reduce human oversight

Automation increases operational speed — including failure speed.

Example scenario

An organization deploys generative AI internally without defining acceptable use policies or data governance controls.

Primary governance weakness?

A. Strong innovation
B. Failure to assess emerging risk before deployment
C. Reduced inherent risk
D. Strong KPI

Correct answer:

B. Failure to assess emerging risk before deployment

Emerging tech requires structured risk assessment.

Slightly harder scenario

A company centralizes all AI services under a single cloud provider without failover planning.

What is the PRIMARY architectural risk?

A. Strong mitigation
B. Vendor concentration and dependency risk
C. Lower inherent risk
D. Strong KCI

Correct answer:

B. Vendor concentration and dependency risk

Centralization without redundancy increases concentration risk.

Risk themes across emerging technologies

Common risk drivers include:

  • Increased complexity
  • Reduced transparency
  • Vendor dependency
  • Regulatory lag
  • Governance immaturity
  • Skill gaps
  • Overconfidence bias
  • Lack of monitoring

CRISC often tests overconfidence in new technology.

Governance response to emerging tech

Mature governance includes:

  • Pre-adoption risk assessment
  • Control gap analysis
  • Updated policies
  • Training & awareness
  • Monitoring frameworks
  • Vendor due diligence
  • Escalation discipline
  • Residual risk documentation

Innovation must pass through risk discipline.

Emerging risk vs known risk

Known risk:

  • Historical patterns
  • Established controls
  • Regulatory clarity

Emerging risk:

  • Limited precedent
  • Limited controls
  • Regulatory uncertainty
  • Unknown failure modes

Emerging risk often increases inherent risk until maturity improves.

Slightly uncomfortable scenario

Executives approve rapid AI adoption to remain competitive and instruct teams to “handle security later.”

What governance principle is MOST compromised?

A. Innovation agility
B. Risk governance consistency
C. KPI alignment
D. Threat modeling

Correct answer:

B. Risk governance consistency

Innovation does not override governance discipline.

Quick knowledge check

1) Emerging technologies primarily increase:

A. KPI performance
B. Uncertainty and inherent risk
C. Risk avoidance
D. Residual risk elimination

Answer & reasoning

Correct: B

New technology introduces uncertainty.

2) The FIRST step before adopting new technology should be:

A. Deployment
B. Risk assessment and governance review
C. Vendor contract signing
D. Marketing announcement

Answer & reasoning

Correct: B

Risk must be evaluated before implementation.

3) Over-reliance on automation most directly increases:

A. Human error
B. Systemic scaling of control failures
C. Risk avoidance
D. Inherent risk reduction

Answer & reasoning

Correct: B

Automation amplifies both success and failure.

Final takeaway

Emerging Technologies require:

  • Structured risk assessment
  • Updated governance frameworks
  • Vendor due diligence
  • Monitoring discipline
  • Concentration risk analysis
  • Residual risk acceptance
  • Regulatory awareness
  • Escalation readiness

Innovation shifts risk — it does not eliminate it.

CRISC rewards candidates who recognize that:

Uncertainty increases inherent risk until governance matures.

Up Next Section A Review: Information Technology Principles