In Part-I we discussed advantages, security and compliance consideration, challenges and governance aspects of AI. The Part-II is about developing AI policies. The many organization considering AI solutions need to focus on AI Governance and have AI Policy in place.
It’s not a surprise that every new cyber product we come across has something to do with machine learning (ML) and artificial intelligence (AI). The subject AI is of interest to everyone and many organizations are likely to buy or have already bought AI products without understanding the larger implications of adopting AI. AI within the organization’s need to be governed by policies, procedures as well as other consideration such as ethics, accountability, and transparency.
Gartner defines AI as “advanced analysis and logic-based techniques, including machine learning, to interpret events, support and automate decisions, and take actions.” The definition of ML from Stanford is “it is the science of getting computers to act without being explicitly programmed.” Simply put, ML is a sub-field of AI that includes techniques that enable machines to improve at tasks with experience.
AI Policy Considerations
The very important principle of developing AI policies is a consideration for the following:
- User Needs: Policy must address the basic requirement i.e. user needs and where the AI solutions could be used. The policy should provide clear guidance on the areas where the use of AI is allowed.
- Flexibility and Adaptability: The policies should be flexible and adaptable to align decision making with corporate principles
- Legal and Ethical Standards: Policies need to consider legal and ethical standards that will guide the decision-making process while developing or selecting AI solutions
- Fairness, Accountability, and Transparency: The policies should consider that AI Systems selected reflect human values such as fairness, accountability, and transparency.
- Privacy, Legal and Regulatory Requirements: The AI policy should include consideration for privacy as well as legal and regulatory requirements.
- Implications: The policies should address the implications and guide on resolving such implications while selecting or designing AI solutions. The implication areas could be HR, employment, infrastructure, stakeholder, data collection and processing, etc.
- Impact Assessment: The policies should include impact assessment requirements while deciding the adoption of AI technologies. The policy should provide and guide in deciding what is an acceptable impact of sharing or analyzing data and use of data.
- Data Security: The data is central to the ability of AI to work. The management needs to provide guidance on what data will be allowed for AI use and how it will be used. There is a need for control over the process as the processing of privacy data is controlled by the regulatory requirement as well as social and ethical issues.
- Regulations: Many governments are in the process of developing regulatory requirements. E. g. Autonomous Cars, Drone Technologies, etc. The policies need to be flexible and provide guidance to the user community on how to incorporate changing regulatory requirements.
- Inclusion: AI can improve or worsen inclusion. The policies need to address the use of AI and it should not cause discrimination or harm certain sections of society.
- Foreign Policy: The policies should also consider global governance. The use of AI needs to consider geopolitical risks, impact on trade, etc.
- External Facing Codes of Conduct: The customers, regulators, and the public at large may like to know more about the company’s policy while using AI solutions and the companies may consider developing an external-facing code of conduct.
- Use of Data: The use of data for AI needs to involve someone who has a deep knowledge of data. The guidance related to the use of data is driven by accuracy, completeness, uniqueness, timeliness, validity, relevancy, and representativeness. The policies need to provide data considerations. Here are a few examples:
- Availability of sufficient data for the model to learn
- Accuracy and completeness of the data
- Data security and permissions to use data
- Data is reliable and obtained from the right source
- Data is updated regularly
- Data sensitivity
In Part III we will deep dive into the AI initiatives internationally. We have sourced information from the articles and interviews published by Corporate Compliance and UK Government’s guide on using AI.
Reach out to contact@securetain.com if you have any questions.
Visit https://www.securetain.com/ or email contact@securetain.com to know more about our GRC, Audit and Information Security practice.
RELATED POST: Artificial Intelligence Governance Part I