AI and Regulations: Integrating AI Governance into Company Policies
The integration of AI governance within organizational policies is becoming increasingly crucial as companies grapple with the complexities of artificial intelligence. Recent discussions at conferences have highlighted the gaps in understanding how to structure effective AI governance frameworks.
Three-Tier Governance Structure
A robust governance framework can be structured in three tiers:
- AI Safety Review Board: This board is responsible for establishing classification standards for AI systems, ranging from A1: safety-critical to D: minimal impact. It defines essential safety properties such as interpretability, robustness, and verifiability. Additionally, the board sets compliance classifications, creates policies about different risk types, defines metrics, and ensures security compliance.
- MLOps: Operations & AI Safety Teams
- Safety Team: This team applies classifications, defines procedures for accuracy testing, conducts cybersecurity checks, and manages incident response.
- Operations Team: Responsible for building test scripts, running solutions, monitoring performance, fixing bugs, and recording incidents.
- Audit AI Team: This team reviews AI behavior, investigates critical cases, performs gap analysis, and develops implementation strategies.
Practical Strategies for Implementing Governance
To effectively implement AI governance, organizations should consider the following strategies:
- Leverage Existing Frameworks: Integrate AI governance into established cybersecurity or quality governance frameworks, rather than creating new systems from scratch.
- Adapt Data Compliance Roles: Transform existing data roles into their AI equivalents, such as DPO (Data Protection Officer) to AIPO (AI Privacy Officer), and data custodian to AI custodian.
- Use Free Templates: For organizations lacking governance frameworks, utilize available templates like NIST AI RMF, ISO/IEC TR 5469:2024, or the UK’s 10 AI governance principles.
- Optimize Policy Length: Smaller organizations (50-200 employees) can achieve 92% compliance with 25-page policies, while larger companies may require 70-100 pages. Each additional page could increase annual costs by $1,000.
- Automate Safety Procedures: Implementing automated testing and monitoring can significantly reduce manual efforts and enhance efficiency.
- Integrate with Existing Testing: Incorporate AI-specific tests into existing unit testing frameworks instead of developing separate processes.
Rules of Thumb for AI Governance
- Favor simpler AI models in production due to their lower risk profiles.
- Provide teams with increased training in governance and cybersecurity.
- Recognize that AI governance certifications (e.g., ISO) will become increasingly vital.
- Include “champions” in engineering teams to promote governance practices.
- Allocate 5-10% of operational costs for cybersecurity and 4-8% for governance processes in budget planning.
As organizations navigate the complexities of implementing AI governance, these structured approaches and strategies will help ensure compliance and safety in AI operations.
