Posted On:
June 04, 2024

A Framework for AI Strategy and Governance

AI strategy and governance should not exist in a vacuum, but rather be embedded within existing enterprise, business and IT strategy and governance models, extending them to address very specific concepts required for AI deployments.

Introducing Our Author

Supra Appikonda, Co-Founder and COO at 4CRisk.ai, brings his decades of experience deploying regulatory, compliance and risk solutions for large companies.  He draws on his extensive expertise to share how organizations can build effective AI strategies and governance leveraging their current processes, supplemented by Trustworthy AI processes.

Why Do We Need AI Strategy & Governance?

AI strategy and governance should not exist in a vacuum, but rather be embedded within existing enterprise, business and IT strategy and governance models, extending them to address very specific concepts required for AI deployments.  By embedding AI principles into existing processes, the organization can move with greater speed and confidence to assess opportunities to embrace AI that have potential to help the organization reach its goals.  

In essence, this is a natural part of continuous improvement and adaptation within an evolving regulatory, contractual, legal compliance and technology landscape. The principles of responsible and trustworthy AI need to be explicitly defined, understood, and incorporated into business strategy and governance to ensure they are appropriately covered in the enterprise framework.  AI is a new technology, with many rapidly evolving dimensions, so the requirement to continuously improve as technological, societal and legal requirements evolve will be essential for success.

How Does an AI Strategy Differ from Any Other Business or IT Strategy?

Business strategy and AI strategy are interconnected, but they focus on different aspects of business process, time horizons, metrics, technology and level of detail. Bottom line: business strategy sets the overall direction and goals, and AI strategy identifies how AI technology can be used to achieve those goals.  

Business Strategy is high-level and focuses on a longer-term view, with a broad scope, encompassing all aspects of the organization, including marketing, research and development, finance, IT, operations, and human resources.  Executives define the vision, mission, overall goals and direction of the enterprise, considering target markets, competition, and how to create sustainable competitive advantage and increase stakeholder value.

When leadership considers AI’s impact on business strategy, they ask key questions:

  • What AI technologies must we adopt, in what timeframes, to re-create our business?
  • How is our competition leveraging AI, successfully, and unsuccessfully?
  • What are the impacts of AI to people, processes and technologies in our organization?
  • What AI technologies are proven, innovative or over the horizon?
  • What do we need to understand, what principles do we need to adopt?
  • What governance structures, processes and policies will guide us in our efforts?

AI Strategy focuses on a deeper level of detail and specifically addresses how AI can be leveraged to achieve business objectives, identifying areas where AI can add value.  It focuses on specific AI technologies, data requirements, and effectiveness of implementation plans to execute the AI initiatives.  

Here are some key considerations unique to AI that must be addressed when dovetailing AI strategy with business strategy.

  • AI strategy may need to adapt more quickly as AI technologies evolve rapidly and more viable use cases arise. AI is a new technology, comprised of many domains: Generative AI, Conversational AI, Super Intelligent AI, and more. Each is a fast-evolving domain, where an advance in one domain can create breakthroughs in a related area, exposing your organization to both new opportunities and new threats.
  • AI can introduce new risks and intensify existing risks, especially when AI is used by third parties or in systems that have been outsourced.
  • Existing governance structures require support to effectively identify, analyze, and implement controls for AI risks. Emergent risks may require a faster response than existing governance structures permit.
  • Responsible and Trustworthy AI require a different kind of assessment of the use of new AI technologies, including skills to assess models, algorithms and integrations.
  • AI introduces a new type of governance: model governance, which ensures AI models are selected, developed, trained, tested, deployed, and maintained in line with organizational goals and risk tolerances. Model governance defines requirements for access controls, model versioning history, training, data controls, and model activity tracking.
  • The regulatory landscape for AI is complex and rapidly evolving, with formal and dedicated governance required to maintain compliance across jurisdictions. Existing laws and regulations, such as EU Data Privacy Act, HIPAA and GDPR, will also apply to models that use personal data or that assist or replace human decision-making.

Effective, integrated governance will help your organization deliver against your strategy while effectively escalating and remediating material AI risks. Organizations without effective governance leave themselves open to unacceptable risk and stalled initiatives.  

How Does AI Governance Differ from Enterprise, Business or IT Governance?

AI Governance is a subset of enterprise governance, just as IT or Program Governance is a subset. Many governance programs overlap and interlock. The overall objective of good governance is to provide a system of rules, practices and processes that guide how a business domain is directed and controlled. Governance is essentially the framework that ensures the business operates in a responsible, ethical and efficient way.  

Enterprise Governance helps ensure strategic intent is understood by establishing a clear vision and long-term goals for the business, ensuring everyone is working towards the same objectives. It defines clear lines of accountability, responsibility for decision-making and financial management. It also establishes processes to identify, assess, and mitigate potential risks that could threaten the business.  

AI Governance applies to all initiatives, build or buy; it cannot be outsourced.

Business and IT Governance structures and processes operate under the umbrella of enterprise governance, and apply the principles of accountability, risk and compliance management within the scope of their domains to ensure the business adheres to relevant regulations, rules, laws and industry standards.

AI Governance, specifically, defines a structured approach to managing, monitoring, and controlling the effective operation of a domain and human-centric use and development of AI systems. Packaged or integrated AI tools do come with risks, including biases in the AI models, data privacy issues, and the potential for misuse. A robust AI governance framework helps mitigate these risks by establishing guidelines and controls that align with the ethical standards and values of the organization. It promotes transparency, fairness and trust of stakeholders.

Effective governance structures incorporate these processes into their programs to address AI:

  • Stakeholder Involvement: Include diverse perspectives from stakeholders across your organization and the extended enterprise who touch AI systems: developers, policymakers, ethicists, and the public.
  • Use AI Principles to Prioritize and Conduct Impact Assessments: Conduct thorough assessments of potential social and ethical implications before deploying AI systems.
  • Define Clear Policies and Procedures: Establish clear policies and procedures for the selection, development, deployment, and use of AI systems.
  • Auditing and Monitoring: Implement audit and monitoring processes and controls to ensure AI systems adhere to your AI Principles, in particular, fairness, transparency, accountability, security, bias and potential risks.
  • Continuously Improve: The governance framework should be adaptable to keep pace with evolving legislation, AI technologies and societal needs.  

AI Strategy and Governance Framework Components – A Model You Can Use

Extending the Policy, Risk and Control Framework for AI

To successfully manage AI risks, you must align with your existing policy, risk and control frameworks and update them to include AI frameworks and processes.

  • The risk management framework should include the definition of the risk categories to differentiate high-impact and high-risk AI models and systems from lower risk ones.
  • AI governance needs to be aligned with the enterprise risk management framework and take advantage of its established processes and structure.
  • AI governance needs to ensure that risk management implements sufficient oversight and effectively challenges the proposed use of AI systems, evaluates risks through the project lifecycle, and monitors production use of AI systems.
  • The AI risk management framework should include an auditing process for third-party products. These can include any off-the-shelf AI-powered vendor products and prebuilt models.
  • Ensure shared responsibilities between AI strategy and AI governance structures are explicit and well understood by all team members, for example, AI Principles, AI Centers of Excellence and AI risk categories and topics.  

 


How Can 4CRisk’s award-winning AI products help your organization?

Would you like a walkthrough to see what award-winning 4CRisk products can do for your organization? Contact Contactus@4crisk.ai or register for a demo.

About 4CRisk.ai Products: 4CRisk products include Regulatory Research, Compliance Maps, Regulatory Change Management, and Ask ARIA Co-Pilot. By offering secure, private, and domain-specific AI Agents, 4CRisk can significantly enhance Regulatory, Risk and Compliance programs, providing results in minutes rather than days; up to 50 times faster than manual methods.

  • What is AI-powered Regulatory Research? This product allows professionals to seamlessly search regulatory content from global authoritative sources to identify regulations, rules, laws, standards, guidance and news that can impact your organization; builds curated rule books; generates business obligations by merging similar or related requirements from different sources.
  • What is AI-powered Regulatory Change Management? This product allows organizations to proactively keep pace with upcoming changes across all applicable rules, regulations, and laws while mitigating risks by aligning policies, procedures, and controls with required changes; conducts applicability and impact assessments, prioritizes mitigation efforts with comprehensive reports for regulatory reporting, internal audits, and oversight.
  • What is AI-powered Compliance Map? This product allows professionals to assess the design efficacy of their compliance program by comparing their external obligations to their internal policy, procedure and control environment; identifies gaps and potential risks, and generates alerts and recommendations to close gaps, remove duplicate or overlapping controls, and rationalize the control framework.
  • What is Ask ARIA Copilot? This is your Always-On Advisor – Ask ARIA Co-Pilot provides immediate, relevant answers to first- and second-line complex queries. ARIA analyzes an organization’s documents to answer day-to-day business questions – saving up to 90% of time and effort.

Author

Supra Appikonda

4CRisk.ai

Co-Founder and COO

Supra is a business leader with a proven track record of over two decades in leading large-scale software implementations, service excellence and strategic partner alliances. Supra has worked extensively with the world’s best Professional Services and Consulting brands to deliver high-value solutions leveraging data and analytics to Fortune 500 clients.
