Artificial Intelligence - 360inControl® - Internes Kontrollsystem für das Digitale Zeitalter

360inControl® - Blog | Heike Klaus/7. Dezember 2023/Artificial Intelligence, Governance Risk & Compliance

ARTIFICIAL INTELLIGENCE - Governance, Risk and Compliance Implications Has more in common with us living beings than we think!

Nowadays, you get flooded with news and articles about Artificial Intelligence (AI). If you are a quality, risk, compliance, and data protection manager or have a role that needs to deal with this matter, you may be overwhelmed and wondering how to address it.

To make a long story short: The genie is out of the bottle. AI compliance and security never was fully controllable and never will be. The more systems become truly intelligent, the more uncontrollable they become.

AI has more in common with us living beings than we think!

Intelligence, by definition, develops its own ideas, takes decisions and interprets its own values and ethics. It is not possible to control it! We are far away from that point.

While Machine Learning as we have today still is somehow controllable, future real AI will not be. Due to the increasing complexity of systems and data volume, this is an illusion we have to say goodbye to.

Suppose you believe that AI will only make good decisions. Since everything is connected, this can’t be true because ethics kicks in.

For example, AI should be able to identify the biases in the data it is learning from to make it better. But it doesn’t. Humans must interfere to correct this.

Now, this is still possible. Will it be in the future?

We also never have full control over living beings (citizens, your kids, employees, customers, dogs, etc.), but rules and boundaries are set that they should abide by for the interaction between each other to work.

And the same approach needs to be taken for AI.

We asked ChatGPT to write a text under the following conditions:

“Create a text 100 words why AI Risks and compliance cannot be controlled”

START: AI risks and compliance cannot be controlled because AI technology is constantly evolving, making it difficult to predict and prevent all possible risks. As AI systems become more complex, they become harder to regulate, and their actions become increasingly difficult to understand or explain. Moreover, AI models are only as unbiased as their data and the algorithms used to train them, and the data used to train AI models may contain implicit biases that can perpetuate discrimination.

AI risks also include cybersecurity threats and potential misuse by bad actors, which are difficult to detect and prevent. Therefore, while AI compliance and risk management frameworks can help mitigate potential harms, they cannot entirely eliminate the risks associated with AI technology. END

The question is – what is the way forward?

We (humans) expect the challenges they face to be simple, straightforward answers. A “Silver Bullet”. Guess what? There is none. But there is also good news. What you need to handle the AI challenge is already established from an organization’s perspective. Some aspects need to be changed, some improved and some added if missing. There are two categories of controls for AI; the controls you need to implement if your organization is consuming AI and the controls required if your organization develops or enhances AI.

We have put together some essential controls to be considered for AI

Roles & Responsibilities
Define accountabilities:
Update roles and responsibilities in your organization to cover AI aspects.
CAPABILITIES
Ensure know how and expertise
- Ensure AI Subject Matter experts are available.
- Role based AI training and awareness.
INVENTORY
Know the company assets and their value
- Mandatory auto updates and maintenance.
- Self-enhancing systems must be known (AI relevance) and classified.
CLASSIFICATION
Determine the values of your corporate assets

For corporate assets, the importance of data quality, integrity and classification gets more critical.

Assign AI-relevant compliance and regulatory requirements.
SYSTEM & DATA PURPOSE
The organization has

to define the purpose of new data sets created by AI.

to ensure that systems only enrich and pass on those data as intended by definition (purpose).

to consider AI in the project management methodology.
RISK MANAGEMENT
Update and enhance risk management

to ensure the AI-relevant risk categories and risks are evaluated [harm to people, organization, and ecosystem].

that for AI Opportunities the risks are always assessed.
DEVELOPMENT
Update and enhance

Development standards, Developer handbook to cover AI-relevant practices.
TESTING AND CHANGE MANAGEMENT
Ensure

that segregation of duty is given.

appropriate test practices and capacities for AI testing.
MONITORING
All relevant

Key Performance Indicators (KPI) and Key Risk Indicators (KRI) are defined and continuously extended.
INCIDENT MANAGEMENT
Manage Incidents by

capturing AI-related incidents.

add a new incident category and/or sub-categories.
QUALITY MANAGEMENT
Ensure

continuous improvement in controlling all aspects of AI.

following PDAC (Plan / Do / Act / Check).
LIABILITY
Avoid any liabilities coming from AI

Built AI expertise in your legal department.

Ensure continuous monitoring of regulatory landscape.

Cover AI aspects in all contracts.

Legislations and standards to be considered!

This list does not claim to be complete. You can use this list to identify the relevance of your legislation in your jurisdiction and industry.

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL LAYING DOWN HARMONISED RULES ON ARTIFICIAL INTELLIGENCE (ARTIFICIAL INTELLIGENCE ACT) AND AMENDING CERTAIN UNION LEGISLATIVE ACTS: LINK
NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0) LINK
ISO/IEC 23053:2022 LINK
ISO/IEC 23894:2023 LINK

We are more than happy to support you!

With 360inControl® we can support you in identifying the relevance of controls, updating controls and implementing AI relevant controls in your organization.

Interested in more information?

Book a Demo