11 Steps for Performing a Workplace Generative AI Audit
As organizations transition from casual experimentation to the daily use of generative artificial intelligence (AI) tools, particularly in human resources, the need for a thorough AI audit becomes increasingly evident. Just as companies regularly evaluate pay equity, wage and hour compliance, and data security, compliance teams may want to devote similar attention to promoting responsible and compliant AI usage across the enterprise. A well-planned AI audit can help identify potential legal, operational, and reputational risks before they escalate and can inform the preparation of relevant AI policies as well as the development of appropriate internal AI training.
Quick Hits
- As organizations increasingly integrate generative AI tools into daily operations, particularly in HR, AI audits are increasingly important for mitigating legal, operational, and reputational risks.
- Forming a cross-functional audit team and mapping out AI tools in use are key initial steps in conducting comprehensive AI audits to ensure responsible and compliant AI usage.
- Regular AI audits, including bias assessments and vendor contract reviews, help organizations stay compliant with evolving regulations and maintain transparency and data security in their AI initiatives.
Organizations may want to consider comprehensive AI audits at least annually if not quarterly, with targeted reviews triggered by new AI tool implementations, regulatory changes, or identified compliance issues. In general, organizations will want to observe a few common steps with respect to AI audits.
1. Identifying a Cross-Functional Audit Team
Beginning by forming a cross-functional audit team composed of representatives from compliance, human resources, information technology, legal, and any other department with a significant stake in AI usage allows diverse voices to participate in the audit and reduces the possibility of blind spots or conflicting directives among different departments. Typically, in-house counsel, the head of compliance, or an HR executive spearheads the audit, although the most suitable leader may vary according to the company’s size, industry, and existing AI initiatives. Depending on the circumstances, privilege considerations may warrant the engagement of outside counsel to lead the audit.
2. Conducting AI Use Mapping
Once the audit team is formed, employers may want to map out the AI tools and providers in use throughout the organization. The preparation of this type of inventory should closely mirror the data mapping process completed in connection with the organization’s data privacy program. This inventory should capture chatbot-style tools, automated decision-making software, data analytics platforms, and software that relies on machine learning in HR contexts. Examples of potentially in-scope AI tools include automated job screening platforms and candidate matching systems.
3. Identifying the Laws and Regulations Relevant to the Audit
In the absence of a single comprehensive national AI law in the United States, organizations may want to stay abreast of a rapidly evolving patchwork of federal, state, local, and international regulations. For example, New York City’s Local Law 144 requires bias audits for automated employment decision tools. Understanding these varied legal developments is an important compliance step.
Businesses may choose to categorize AI tools by risk level based on their potential impact on employment decisions, data sensitivity, and regulatory exposure. High-risk tools, such as those used for hiring, typically warrant immediate and thorough review.
4. Assessing Potential Bias
Even when AI tools are used with the best of intentions, bias can emerge from historical data imbalances, flawed training methods, or other underlying design issues. After completing an AI use inventory, organizations may want to conduct a detailed bias assessment of each AI tool. Methods to detect and mitigate bias involve both technical reviews and interviews with key stakeholders.
5. Maintaining Transparency and Proper Documentation
Organizations that utilize internally developed generative AI tools may want to remain mindful of the need for transparency about how AI tools are developed, trained, and implemented. This includes documenting the data sources used to train the tools and capturing the parameters of AI models.
6. Reviewing Vendor Contracts
Organizations that employ third-party AI solutions may want to carefully examine vendor contracts. Key factors to look for include provisions that address liability for bias claims and adherence to privacy and data security standards.
7. Updating Internal AI Use and Governance Policies
Organizations may wish to implement or refine an internal AI use policy that applies organizationwide. Such policies typically identify company-approved AI tools, outline acceptable uses, and include compliance obligations and oversight procedures.
8. Assessing and Implementing AI Use Training
Organizations may wish to confirm that employees who handle or rely upon AI tools are granted role-appropriate training before they engage with these technologies. Training modules might emphasize data ethics, privacy risks, and responsible use.
9. Ensuring Data Privacy and Security
Given the often-sensitive data processed by AI-driven systems, organizations may want to institute strong data protections at every stage of the AI lifecycle. This includes restricting access to sensitive personal information and preventing inadvertent disclosure.
10. Providing Disclosures and Notifications
Finally, organizations may wish to ensure that relevant stakeholders receive appropriate disclosures regarding AI usage. When AI plays a material role in screening candidates or influencing employment outcomes, disclosing that fact can help build trust.
11. Establishing Ongoing Monitoring and Metrics
Beyond the initial audit, continuous monitoring of processes and outcomes is crucial to track AI performance and compliance. Key performance indicators typically include bias metrics, accuracy rates, and compliance incident reports. Feedback mechanisms for employees to report AI-related concerns can be an important quality control tool.
By following this comprehensive framework for auditing AI tools, organizations can significantly reduce the risk of legal pitfalls, preserve data security and integrity, and enhance confidence in their AI-driven initiatives. With thoughtful preparation and cross-functional collaboration, HR teams and in-house counsel can shape a compliant, fair, and forward-thinking AI environment.
