How executives can build a responsible AI framework

Defining AI governance frameworks and accountability structures

Responsible AI requires a comprehensive AI governance strategy, backed by a clear accountability structure, to ensure AI systems are developed and operated in line with the organization's core values. These steps outline how to move from AI principles and policies to responsible AI systems that comply with applicable regulations.

1.     Identify your organization's guiding principles

Responsible AI requires a set of carefully articulated principles that serve as a foundation for developing, deploying and operating AI systems. These principles typically focus on accountability, transparency, fairness, inclusiveness, security, privacy and compliance to achieve ethical, unbiased outcomes. They should also align with the organization's long-term goals and business objectives, as well as applicable regulations and standards.

2.     Translate principles into governance policies

To incorporate principles into the AI lifecycle, organizations need actionable policies that provide concise, technical and quantifiable guidelines for applying those principles to AI workflows. These policies provide the structure for aligning AI initiatives with the organization's values and priorities. For example, if one principle focuses on transparency, a policy might require the system to automatically generate model and data cards documenting how the model and data are being used.

3.     Implement the structural elements for responsible AI

This step involves putting in place the elements that enable organizations to move forward with AI initiatives, and it often partially overlaps with the first two steps. For example, organizations should form an AI governance committee and establish communication channels, define AI use cases and acceptable risk tolerance, and create a framework for identifying and classifying risks. Consider adopting an established governance framework, such as the NIST AI Risk Management Framework (AI RMF).

4.     Define a role-based accountability and security structure

Responsible AI requires clearly defined roles and responsibilities to ensure accountability throughout the AI lifecycle, with ownership assigned to all AI systems at every stage. Consider using the responsible, accountable, consulted, and informed (RACI) matrix to specify who is responsible and accountable for the work, and who should be consulted and informed. Organizations should also adopt a zero-trust security framework to protect these systems and ensure compliance with applicable rules and regulations.

5.     Operationalize policies in the AI lifecycle

This step involves integrating policies into various AI workflows to ensure governance standards are enforced at every stage. For example, organizations might include metrics in their observability platform that measure bias, accuracy and model performance, or build an explainability pipeline that automatically generates model cards or Shapley values based on the SHapley Additive exPlanations (SHAP) technique. The tools used to support AI initiatives are critical to this process -- for instance, Fiddler AI for observability or Credo AI for AI governance enforcement.

6.     Foster a culture of responsible AI

The people that plan, build, operate and validate AI systems are integral to any AI initiative. They need training and education tailored to their specific roles to fully understand the organization's AI principles and operate in accordance with those values. They also need to understand the regulatory environment in which the organization operates. Responsible AI also requires full commitment from leadership and open communication with the various stakeholders and users.

These steps provide only a foundation for developing AI initiatives and should be modified and expanded to meet each organization's needs. A well-defined governance and accountability strategy is essential to minimizing risk and successfully incorporating core principles in AI operations.

Enforcing transparency and compliance in the infrastructure layers

Responsible AI requires a robust infrastructure, including hardware, software, networks and services, to enforce the transparency and compliance requirements defined in the governance framework. Transparency covers how an AI system is developed, how it operates, and how it makes decisions. Compliance means the system and its data operate in accordance with applicable laws and regulations.

The infrastructure layers work together to ensure transparency and compliance, with each playing a vital role.

Data storage and management

An organization's data governance framework ensures data quality, security, privacy and regulatory compliance, while facilitating data and metadata management and lineage tracking. AI governance should integrate seamlessly with the organization's larger data governance framework, while accounting for AI-specific requirements such as maintaining transparency into where data comes from and how it is processed.

AI model development and operations

The model layer is responsible for the AI model lifecycle. AI governance policies should be integrated into the model's development, training, deployment and operations, with the ability to track model behavior and output over time. Each stage should be fully monitored, documented and aligned with applicable AI principles, such as transparency, accountability and explainability.

Security and access controls

The AI infrastructure and environment should be fully protected in accordance with the requirements specified in AI policies and applicable regulations. Security and access controls should be role-based, adhere to the principle of least privilege, and account for factors such as multi-tenant environments and geographically dispersed workloads.

Deployment and runtime

This layer requires careful attention to AI governance requirements for transparency and accountability, while supporting real-time monitoring for issues such as drift, fairness, performance, reliability and policy violations. Organizations should also log model inputs, outputs, inferences and AI decision-making processes, ensuring those logs are immutable and accessible as determined by compliance and accountability requirements.

Observability and monitoring

Key stakeholders require real-time observability into AI systems at all stages to ensure adherence to the organization's principles and objectives in both the short and long term. Stakeholders should be able to continuously audit and analyze the AI infrastructure to identify potential issues, such as fairness degradation, performance problems, or discrepancies in model output, to ensure the AI environment operates within the organization's ethical boundaries.

The infrastructure layers enforce transparency and compliance throughout the AI system's lifecycle, transforming governance policies into actionable, measurable processes that can be monitored and audited.

Supporting responsible AI with the right platforms

To successfully implement AI governance, IT teams need tools that integrate governance policies into AI workflows. With the right platforms, administrators can deploy governance controls at scale, monitor operations, track data lineage, implement role-based access controls and detect bias throughout the AI lifecycle.

Numerous vendors now offer platforms that address these needs, spanning AI governance, observability and explainability. Decision-makers and IT teams should carefully vet tools against an organization's specific governance requirements and regulatory obligations. Once a platform is selected, those working with it should receive adequate training to maximize its value and ensure it supports the organization's responsible AI objectives.

Selecting metrics for ensuring responsible AI

IT teams must verify that AI systems conform to governance policies and comply with applicable laws, regulations and standards -- ensuring systems operate safely and reliably while producing results that are explainable and free from bias. A variety of metrics can help track, measure and validate AI system operations, falling broadly into three categories:

• AI assurance. These metrics ensure systems, models and processes are safe, fair, responsible, secure and ethical. They can measure classification fairness, detect discrimination based on factors such as gender or race, and track issues such as drift, transparency, explainability and robustness.
• Certification readiness. These metrics measure how close an AI system is to meeting requirements defined in standards such as the ISO/IEC 42001 or AI RMF, or emerging regulations such as the EU AI Act. They typically cover documentation completeness, regulatory compliance, policy adherence and data quality.
• Audit maturity. These metrics measure the extent to which an AI system demonstrates responsible AI practices, benchmarked against established models such as the MITRE AI Maturity Model or the Capability Maturity Model Integration (CMMI). They address issues such as governance, traceability, audit frequency, and evidence completeness.

By tracking these metrics, IT teams can identify risks more quickly and resolve issues before they escalate. Decision-makers should research available metrics carefully to determine which best serve their specific AI systems and governance requirements.

Implementing board-level reporting on AI ethics and compliance

Board members need a clear understanding of the organization's AI systems, including how they operate and what they produce. They also require visibility into associated risks and conformity with AI governance policies and applicable regulations.

When developing reporting strategies, IT teams should take a structured approach that delivers consistent updates on the organization's AI systems, supporting data and associated risks. Report planners can use the following guidelines when setting up a reporting strategy for their boards:

Set the stage for a reporting strategy

Understand board expectations, technical fluency and familiarity with AI ethics and compliance issues. Reporting should reflect risk appetite, business strategies, guiding principles, accountability structures and applicable regulations. Define report objectives and assign clear ownership for preparation and delivery.

Determine what information to include and identify reporting mechanisms

Reports should cover ethics and compliance status, adherence to guiding principles, model performance, safety evaluations, incident reports and audit readiness. These key metrics provide a snapshot of the current AI environment. Where necessary, pre-interpret complex data to make the information easier to understand.

Options for presenting information to board members include dashboards with KPIs and visualizations or PDF reports delivered by email or stored through a central repository. In some cases, report information can be conveyed in briefings, often in conjunction with other reporting mechanisms.

The reports should clearly describe the source of the data, such as logs and incident reports, and how the data was prepared for presentation. If data reliability is uncertain, those suspicions should also be disclosed in the report.

Determine how often to provide updated reports

There are no set rules for how often to deliver reports. Dashboards may provide real-time visibility, supplemented by more comprehensive reports at regular intervals, such as quarterly reports. Regardless of format, reporting should follow a consistent schedule with clearly defined content expectations.

Provide a mechanism for board member feedback

Board members should be able to easily respond to the reports and communicate with the people who generate them. They can ask questions about specific metrics, request additional information, recommend changes to the reporting structure, or provide open-ended feedback. Open communication and ongoing dialogue should be encouraged and supported.

Reporting structures should evolve as requirements and business priorities change. Governance teams must incorporate board feedback and adjust reporting practices to reflect shifting risk profiles, regulatory developments and strategic objectives.

Robert Sheldon is a freelance technology writer. He has written numerous books, articles and training materials on a wide range of topics, including big data, generative AI, 5D memory crystals, the dark web and the 11th dimension.