Thank you to Tom Whittaker & Fraser Campbell for providing us with this guest blog as part of Burges Salmon AI Editorial Month at techSPARK.
You may have heard about AI governance. However, most of the conversations focus either on countries and large organisations who have the resources available to invest, or on concerns that regulation may stifle innovation and growth, especially for small and medium-sized enterprises (SMEs).
That doesn’t need to be the case. AI governance can play a practical and important role for SMEs. In this article, we look at what AI governance is and key aspects of AI governance.
Understanding AI Governance
When we talk about AI governance, what we mean is the framework, policies and processes organisations use to manage AI systems throughout their entire life cycle.
Key things to know are:
- There is no one-size-fits-all approach. SMEs will need to consider what is right for them, especially to reflect the constraints under which they operate and their strategy.
- AI governance does not need to be complicated. An SME may have other governance in place, such as for data and privacy, which can be adapted. There is no need to re-invent the wheel.
- AI governance will change over time, reflecting the organisation’s changing operations as much as the changing AI technologies, use cases and laws.
Key things for SMEs and founders to think about when it comes to AI
Objectives and Principles
What are the purposes of the organisation’s AI governance? These are the governance framework objectives. They are important because they will drive the remainder of the AI governance design and direction.
These objectives should align with the overall organisational goals, such as commercial and operational objectives.
Further, an organisation should consider when the objectives will be reviewed, who determines them and how they are documented.
The objectives also mean that AI governance will be tailored to each organisation, recognising that different organisations operate differently and have different priorities.
For example, a retail business may focus on enhancing customer experience through AI-driven recommendations and so may want an AI governance framework that helps integrate AI systems into existing products, makes sure different teams understand core requirements, and focuses on key issues such as accuracy and transparency. In contrast, a company developing AI-driven solutions (perhaps to sell to a retail business) may see AI governance as core to its ability to engage with customers and investors, and as part of its long-term value proposition, whilst also recognising that it needs to be ready to pivot its market, including potentially to a regulated one.
Some organisations also establish responsible AI ‘principles’. Just because an organisation can do something doesn’t mean it should. These principles can help organisations navigate those potentially difficult decisions, deciding which route to take (or not take) and how to get there. For example, an employee-owned company may value employee engagement with significant decisions, such as the use of AI to manage future work rather than new hires.
Inventory
How does an organisation know which of its AI systems fall within its AI governance framework? Sometimes this can be captured in an individual’s or a team’s memory. However, when organisations get to a certain size or have many AI systems to work with, a written record of AI systems and related information may help. This is known as an AI inventory.
Not all AI systems necessarily need to go into an AI inventory. For example, a company may provide its employees with a phone, but there is no obvious need to record that the phone uses AI to help with predictive text or remembering passwords.
What matters instead is that the organisation considers what relevant AI systems need to be recorded in light of the organisation’s AI governance objectives and other needs (discussed below).
What is captured in an AI inventory? This depends on what the organisation needs to understand to achieve its objectives and meet its obligations. This could be at a holistic level, to understand what its operations look like, and also at a granular level, for each relevant AI system. Types of information could include the name of an AI system, vendor information, what related documents exist and where (e.g. contract, deployment information, training materials), and who is responsible for the AI system.
For many SMEs, it may be the case that the inventory is relatively small and straightforward. But it is important to recognise that as the SME grows, there is a chance for its use of AI to grow, so it’s important to get these foundations right.
People, Policies and Processes
Effective AI governance requires clear identification of roles and responsibilities within the organisation. For example, who is responsible, accountable, consulted, and informed about specific AI systems and the organisation’s governance? Further, is this clear across the organisation so everyone is on the same page?
Organisations may also want to consider their policies and processes for AI systems, whether those are new or existing processes. For example, if an AI system goes wrong, how is that escalated and to whom? Is an impact assessment required before an AI system is procured or used? How does the organisation maintain human oversight of its AI systems? As above, is everyone on the same page?
Organisations need to be mindful of how they manage their policies so that they are kept up to date, easy to access and apply, and are consistent.
Further, businesses may want to consider technical standards and frameworks for AI systems and their management such as ISO 42001.
Regulations, Laws, and Contracts
Regulatory and legal compliance may affect what the organisation can sell, where, and how. It is also potentially relevant to an organisation’s customers, and they will seek to cover their legal risk and set the parties’ obligations out clearly in the contracts.
There are different ways to approach this. Some organisations look simply to the laws in their respective market and seek to comply. There will be some legal issues which are more likely to be a concern, such as data privacy or IP, so they may focus more on those. Some choose a more proactive approach to preparing for legal compliance; some wait until they think they really have to comply. Those operating across multiple jurisdictions may decide to find which appears to be the most ‘onerous’ and align their business model and products with that, assuming that it will therefore meet the requirements in the other jurisdictions.
Businesses should recognise that things change. They may want to enter a new geography or regulated market, meaning they need to adapt to new requirements. Also, there is a risk of new regulation, especially for AI, that may affect what businesses can do. Horizon scanning can help to future-proof the business.
SMEs have a lot to think about. Nowadays, that is likely to include AI – whether and how they use it, what their competitors are doing, and what the market expects. Governance programmes may appear to some as burdensome and stifling. However, at their heart, they are there to help an organisation realise the opportunities of AI whilst mitigating the risks. As some argue, RAI (responsible AI) is an enabler of better ROI.

