360inControl® - Internal Control System for the Digital Age
360inControl® - Blog | Heike Klaus/23. November 2023/Artificial Intelligence, Governance Risk & Compliance

ARTIFICIAL INTELLIGENCE - Governance, Risk and Compliance Implications

AI has more in common with us living beings than we think!

Nowadays, you get flooded with news and articles about Artificial Intelligence (AI). If you are a quality, risk, compliance, and data protection manager or have a role that needs to deal with this matter, you may be overwhelmed and wondering how to address it.


To make a long story short: the genie is out of the bottle. AI compliance and security have never been fully controllable and never will be. The more truly intelligent systems become, the less controllable they are.

AI has more in common with us living beings than we think!

Intelligence, by definition, develops its own ideas, makes its own decisions and interprets its own values and ethics. It cannot be fully controlled, and we are far away from that point.

While the Machine Learning we have today is still somewhat controllable, future real AI will not be. Given the increasing complexity of systems and the growing volume of data, full control is an illusion we have to say goodbye to.

Suppose you believe that AI will only make good decisions. Since everything is connected, this can’t be true because ethics kicks in.

For example, AI should be able to identify the biases in the data it learns from in order to improve. But it doesn't. Humans must intervene to correct this.

Now, this is still possible. Will it be in the future?

We also never have full control over living beings (citizens, your kids, employees, customers, dogs, etc.), but rules and boundaries are set that they are expected to abide by so that interaction between them works.

And the same approach needs to be taken for AI.

We asked ChatGPT to write a text under the following conditions:

“Create a text 100 words why AI Risks and compliance cannot be controlled”


START: AI risks and compliance cannot be controlled because AI technology is constantly evolving, making it difficult to predict and prevent all possible risks. As AI systems become more complex, they become harder to regulate, and their actions become increasingly difficult to understand or explain. Moreover, AI models are only as unbiased as their data and the algorithms used to train them, and the data used to train AI models may contain implicit biases that can perpetuate discrimination.

AI risks also include cybersecurity threats and potential misuse by bad actors, which are difficult to detect and prevent. Therefore, while AI compliance and risk management frameworks can help mitigate potential harms, they cannot entirely eliminate the risks associated with AI technology. END

The question is – what is the way forward?

We (humans) expect the challenges we face to have simple, straightforward answers. A "Silver Bullet". Guess what? There is none. But there is also good news. What you need to handle the AI challenge is, from an organization's perspective, already established. Some aspects need to be changed, some improved and some added if missing. There are two categories of controls for AI: the controls you need to implement if your organization consumes AI, and the controls required if your organization develops or enhances AI.

We have put together some essential controls to be considered for AI:

  • ROLES & RESPONSIBILITIES

    Define accountabilities:
    • Update roles and responsibilities in your organization to cover AI aspects.
  • CAPABILITIES

    Ensure know-how and expertise:
    • Ensure AI subject matter experts are available.
    • Provide role-based AI training and awareness.
  • INVENTORY

    Know the company assets and their value:
    • Mandatory auto-updates and maintenance.
    • Self-enhancing systems must be known (AI relevance) and classified.
  • CLASSIFICATION

    Determine the value of your corporate assets:
    • For corporate assets, the importance of data quality, integrity and classification becomes more critical.
    • Assign AI-relevant compliance and regulatory requirements.
  • SYSTEM & DATA PURPOSE

    The organization has
    • to define the purpose of new data sets created by AI.
    • to ensure that systems only enrich and pass on those data as intended by the defined purpose.
    • to consider AI in the project management methodology.
  • RISK MANAGEMENT

    Update and enhance risk management
    • to ensure the AI-relevant risk categories and risks are evaluated [harm to people, organization, and ecosystem].
    • to ensure that for AI opportunities the risks are always assessed.
  • DEVELOPMENT

    Update and enhance
    • development standards and the developer handbook to cover AI-relevant practices.
  • TESTING AND CHANGE MANAGEMENT

    Ensure
    • that segregation of duties is in place.
    • appropriate test practices and capacities for AI testing.
  • MONITORING

    Ensure all relevant
    • Key Performance Indicators (KPI) and Key Risk Indicators (KRI) are defined and continuously extended.
  • INCIDENT MANAGEMENT

    Manage incidents by
    • capturing AI-related incidents.
    • adding a new incident category and/or sub-categories.
  • QUALITY MANAGEMENT

    Ensure
    • continuous improvement in controlling all aspects of AI.
    • adherence to PDCA (Plan / Do / Check / Act).
  • LIABILITY

    Avoid any liabilities arising from AI:
    • Build AI expertise in your legal department.
    • Ensure continuous monitoring of the regulatory landscape.
    • Cover AI aspects in all contracts.

Legislation and standards to be considered

This list does not claim to be complete. You can use it to identify which legislation is relevant in your jurisdiction and industry.

  • Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL LAYING DOWN HARMONISED RULES ON ARTIFICIAL INTELLIGENCE (ARTIFICIAL INTELLIGENCE ACT) AND AMENDING CERTAIN UNION LEGISLATIVE ACTS
  • NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0)
  • ISO/IEC 23053:2022
  • ISO/IEC 23894:2023

We are more than happy to support you!

With 360inControl® we can support you in identifying the relevance of controls, updating existing controls and implementing AI-relevant controls in your organization.

Interested in more information?
