AI governance in our company – who is responsible?

Date: 2024-02-20

Have you, following the DPO and CISO, already appointed an "AI Officer"? For most organizations this will not be necessary for tackling compliance for AI developments, but you still need to have appropriate governance. After having discussed our 11 principles for a responsible use of AI and risk assessments, we now explain what you should look out for and what steps you should take in terms of governance for ensuring a legal and ethical use of AI. This is part 5 of our AI series.

In simple terms, governance concerning a legal and ethical use of AI means that a company defines who has which tasks, powers and responsibilities in relation to the use of AI and the implementation of AI projects and which rules and procedures need to be complied with. This ensures that everything runs smoothly, that important goals can be achieved and that no unwanted risks are taken. Achieving this with regard to compliance is not easy, especially in the field of artificial intelligence, for three reasons:

First, AI affects many topics and areas of the company. Sales can use AI, as can customer service, research and development, human resources and so on. Even with regard to specific questions, such as whether a certain application is permissible, answers must be sought in a wide variety of legal areas – from data protection to intellectual property law to unfair competition law to contract and criminal law.

Second, there is still a lot of uncontrolled growth when it comes to AI in many companies. In contrast to the introduction of cloud technologies, for example, which in many places was driven "bottom-up" from IT, artificial intelligence is a technology where "business" and even the management itself come up with new ideas – and want them to be implemented.

Third, from a legal perspective, there is little transparency regarding the tools and infrastructure used for the deployment of AI and the corresponding knowledge. Which version of ChatGPT is suitable from a data protection perspective, and which version of Microsoft Copilot? Our list discussing the various offerings in part 2 of our series resulted in huge feedback from far beyond Switzerland, which shows that there are still a lot of unanswered questions here and that many do not really know what they should and may do.

How is a compliance or legal department that is suddenly swamped with requests supposed to provide a reasonable answer within a reasonable time? This has to settle down and, above all, be regulated and organized, i.e. companies have to define their guidelines (not only legally, but also technically, such as the platform issue) and regulate responsibilities and procedures. This is what we currently do most often with our clients, apart from assessing specific projects, providers and tools.

One other remark: Proper governance is not only necessary with a view to ensuring compliance, but also for all other goals an organization may have. While we will focus on compliance governance in the following, similar processes, rules and structures will also help in achieving other goals in relation to the use of AI.

Who is responsible for AI compliance?

This raises the question of who in the company is responsible for the topic. At least with regard to legal issues, this has not really been determined in many places. However, we are seeing certain trends among our clients. They include the fact that the topic of AI compliance is now primarily assigned to those who already take care of data protection compliance. It is true that AI can also affect other areas of law, such as copyright law. However, as many companies are primarily users of AI technologies that are already available on the market, these other legal issues are somewhat less prominent for them than for those who offer AI products themselves (we will discuss separately the changes that result from the AI Act).

In many cases, we believe it also makes sense for AI compliance to be coordinated internally with those who are already responsible for data protection. They will usually already have the most experience: Many of the central concerns and approaches that relate to a legally compliant, ethical and risk-aware use of AI are already well known and established in data protection. Examples include the principles of transparency, accuracy and self-determination. Similarly, in data protection, there is already a lot of experience with two compliance tools that are now also becoming important in the field of AI: records of processing activities and data protection impact assessments. We recommend the former to our clients for their internal AI applications, and the latter represents a proven methodology for assessing and addressing risks that is also well suited to AI projects (see Part 4 of our series). It is therefore not surprising that most of the regulatory recommendations on the use of AI to date have come from supervisory authorities in the area of data protection.

The EU AI Act will also add the spectrum of product regulation to the use of AI (especially for those companies that are considered to be providers) and a number of cases in which companies will have to introduce certain standard checks, such as whether a particular project could result in a prohibited AI application, whether one of the special obligations imposed on deployers of AI (e.g. when using AI-generated content for public information) needs to be complied with, or whether the intended AI application is considered "high-risk" under the AI Act.

How companies should proceed

A company needs to address at least these three elements to govern compliance in its use of AI:

Policy (Part 1): There are legal and non-legal requirements. The former are predetermined, while the latter – typically referred to as "ethics" – must be decided by the company itself. Each company will have to define its own ethical principles in this area; there is no universal set of guidelines. For our clients, we have developed the "11 Principles", which we discussed in Part 3 of our series and which can form a basis for a comprehensive discussion about the guidelines a company wants to develop for itself in order to regulate the use of AI in substance and organizationally; they cover the entire spectrum of topics usually addressed today. The first step in the process for the actual implementation within an organization is to define the principles that a particular company wishes to adhere to. By principles, we mean, in addition to rules concerning the organization and procedures for dealing with AI (see below), on the one hand, setting out which conduct is prohibited and which conduct is required, each with exceptions (example: How transparent do we want to be with regard to the use of AI?), and on the other hand, guidelines on how requirements can be implemented and assessed (example: What is the quality standard we require when using an LLM? When is it sufficiently explainable for us?). The second point is often a challenge in practice.

Companies should define several standard procedures for AI. The first concerns the introduction of new AI applications (or changes to existing AI applications): on the one hand, it serves to check the project for compliance with the company's legal and other requirements, and on the other hand, it serves risk management. We have already partly described how the latter works in part 4 of our series. Accordingly, a company will have to instruct its employees to report any use of AI to the defined contact point in advance and have it checked, or to demonstrate that the compliance requirements are met. In larger companies, we recommend carrying out the compliance check in at least two stages. In the first, early stage of a use case, a rough preliminary check is carried out according to the "traffic light principle" - green, amber and red; the DPO, CISO and other specialists should provide their recommendations to the business owner (or its project team) to consider, including the legal dead ends and pitfalls they will certainly see even in a preliminary assessment; this allows the business owners to better understand their homework. An in-depth check only takes place later. It is also helpful to provide the business with pre-approved AI infrastructure options, such as permitted AI models and implementation use case examples that are known to work.

Standard Procedures (Part 2): In order not to lose the overview and to keep track of the AI technologies used and their internal owners, we also recommend keeping an inventory listing all AI applications, a so-called Records of AI Activities or "ROAIA". This approach has already proven itself in data protection. A ROAIA can of course be combined with the records of processing activities as per data protection law. However, the aspects to be recorded in a ROAIA are slightly different (e.g. the AI models used in each case); a free template can be found in our GAIRA tool, which can be downloaded here.

Standard Procedures (Part 3): A further standard procedure concerns the monitoring of AI in use and the reporting of incidents when using AI. We are also familiar with this from data protection law. Unless there is also a breach of data security under data protection law (known as a data breach), there is currently no obligation to report AI incidents. However, from the perspective of a responsible use of AI, a company should actively monitor its AI usage, track incidents and oblige employees to report them; this allows timely intervention and is part of good risk management.

Standard Procedures (Part 4): Further standard procedures could include handling requests from persons affected, training employees and monitoring internal compliance with the relevant rules.

Even though there is currently a hype with regard to the topic of artificial intelligence, it seems clear that AI will play an increasingly important role in the corporate world and companies will need to get involved in how to use AI even if only for not falling behind their competitors. Establishing sound AI governance is therefore not only a question of compliance, but also a step towards exploiting the full potential of the technology while minimizing risks. In our experience in advising our clients, the current great interest in promoting the use of AI represents a very good opportunity to also create the necessary guidelines, organization and processes for compliance and thus governance – at least if this can be shown to be enabling instead of slowing down AI applications.

