A year late to the thread, but I hope it is of some help to those who may need it.

Here are some add-on risks besides what would apply from the general controls already pointed out:

IP leaks through procurement and contracting: RPAs that may be trained for a specific industry may be IP, so contractual clauses should cover protection of such IP.
ROI not in place: Bots in some cases may be replacing workers. Overall, there is a cost to keep them running, not to mention the human(s) overseeing them. So, benefits realization should be in place to accurately measure the costs.
Insecure code: At least once there should be a code review to ensure there are no inherent backdoors.
No audit trail: A clear audit trail is needed to detect manipulated bot activity and to aid forensic investigation.
Insecure configuration: The configuration repository should be controlled through versioning and monitoring.
Credential theft: A secure credential vault should be used to prevent credential theft.
Lack of data classification: Bots should be set up to apply the classification of data.
Licensing penalties: Bots may be scaled; however, licenses may not keep up. If you have a rapidly scaling environment, there should be efficient tracking to avoid penalties.