To effectively govern AI and mitigate the risks to different populations, organizations must establish diverse AI governance committees to establish policies, define risk levels and organizational risk posture, evaluate use cases, and ensure human involvement for high-risk processes. 

Though most organizations can agree that having an AI governance committee is crucial to the use of responsible AI, it can be overwhelming to know where to start. To give an example, we’ll use this blog to outline how OneTrust established its AI governance committee, along with considerations for establishing a committee in your business.

Key questions for establishing an AI governance committee

We’re at this key point of AI evolution where the future of AI highly depends on whether the public will trust AI systems and companies that use them. OneTrust is fully committed to the adoption and responsible use of human-centric AI systems that adhere to our core company values, ethical principles, and put people first. 

Gradual integration of AI systems throughout our business ecosystems and widespread adoption of AI systems will fundamentally change the way we operate as a business. OneTrust decided early on to establish a dedicated internal AI governance committee to oversee our efforts of building a robust AI governance program. The goal of this committee is to ensure our current and future use of AI systems conforms with OneTrust responsible AI principles, regulatory standards, and best industry practices. 

Involvement 

The first step to forming your committee is determining who in your organization will be involved. 

Here are key questions to consider for the involvement stage:  

• Who is involved?
  
  
• How did you determine participants?

OneTrust’s AI governance committee includes representatives from the key functional areas of the organization, including Legal, Ethics & Compliance, Privacy, Information Security & Architecture, Research & Development, and Product Engineering & Management. Members of the committee have diverse skillsets, experiences, and backgrounds because we believe that cross-functional knowledge sharing is key to an effective AI governance program. 

Tackling AI governance challenges requires engagement of individuals who come from a variety of specialized backgrounds. Responding to the new challenges posed by modern innovation often requires creative solutions that can be delivered when individuals representing different areas of expertise come together and bring their unique perspectives to the table. 

Making sure you have a diverse committee will help you come up with the creative solutions and thoughtful response that an AI governance program requires. 

Governance 

Once your committee is formed, it’s time for it to govern your program. A lot falls into this category, but some key questions for the governance stage are: 

• How does your organization define AI systems? 
  
  
• How do you define risk levels? 
  
  
• How do you ensure human oversight for high-risk systems? 
  
  
• What is your organization’s stance on generative AI systems like ChatGPT? 

Defining AI is an important building block of AI governance programs. We see the tech and business communities, academics, and legal scholars all coming up with different definitions for digital brains. Even AI may be utilized to define itself; when asked for the definition of AI, ChatGPT says: “AI is the simulation of human intelligence in machines that are programmed to perform tasks that typically require human intelligence, such as visual perception, speech recognition, decision making, and natural language processing.” It’s well articulated and highlights the essence of what AI stands for.

At OneTrust, we consulted existing AI regulatory frameworks and decided to use the definition of AI outlined in the EU AI Act. We consider new AI standards rolled out in the EU as the most advanced set of AI governance standards that shape the direction of AI policy globally.

The definition of AI systems in the EU AI Act refers to a software-based application that’s developed with one or more of the AI-embedded techniques or approaches like machine learning, statistical, logical, and/or knowledge-based approaches, and Bayesian estimation and search and optimization methods. 

This definition also specifies that an AI system can generate outputs such as content, predictions, recommendations, or decisions influencing the environments that humans interact with.

How does OneTrust define AI risk levels?

In a similar vein, our internal AI governance program also adopted the AI risk classification system outlined in the EU AI Act. Following the guidelines set forth in the AI Act, we put AI systems into four risk categories:

1. Unacceptable AI system: AI systems that are classified as too risky for consumption; e.g., social scoring of individuals based on their monitoring over time and that may lead to detrimental or unfavorable treatment of individuals. These systems are prohibited by the AI Act. 
   
   
2. High risk AI systems: AI systems that pose a high probability of risk of harm to the health and safety, or a risk of adverse impact on fundamental rights of individuals; e.g., recruitment or selection of candidates for employment (including for advertising, screening, or filtering applications, evaluating candidates during interviews or tests), making decisions on promotion and termination of employment, task allocation applications, and monitoring and evaluating performance and behavior of employees.  
   
   
3. Low or minimal risk AI systems: AI systems that don’t pose known risks of harm to the health and safety or risk of fundamental rights to individuals. Examples of such systems include spam filters and inventory management systems. 
   
   
4. General purpose AI system: AI systems that use generative AI (GenAI) technology to create original content. Examples of such systems include technology that summarizes long form content, autonomously creates software code, and generates digital images from natural language. 

How does OneTrust ensure there is human review for high-risk processes? 

OneTrust’s AI Use Policy (which will be rolled out shortly) doesn’t allow prohibited AI systems; that same policy sets the processes for assessing the use of all other risk categories. We leverage OneTrust Third-Party Risk Management (TPRM) tools and developed AI-risk extensions to our existing risk assessment templates. Using this process, we’re able to assess AI-linked risks, which in some instances are connected to other standards, like privacy, information security, and ethics risks domains. 

While the TPRM process is highly automated, there’s always a human involved in reviewing assessments and following up in case there is an issue. We developed and are now testing internally modified versions of Privacy Impact Assessments (PIAs) that include questions about known AI-risks when assessing AI systems and our AI service providers. 

These pre-built templates are an effective tool for identification of some of the new AI-linked compliance challenges, like the explainability of an AI system’s processing algorithm or adequacy in disclosures of personal information processed by AI systems. 

AI systems that use higher risk data, like HR systems that usually include more personal information, must be vetted through the assessment process. This ensures that we gain the right level of visibility into how these systems are operated, what data is used, and whether the system provider followed the regulatory requirements and industry best practices when developing the system. 

What’s OneTrust’s policy and stance toward generative AI tools like ChatGPT? 

Our general policy is to support the use of AI systems, including generative AI tools, as long as they’re thoroughly vetted, and reasonable guardrails are put in place to manage the known risks. 

Using our third-party risk assessments process, we’re able to scan for any risks and approve the use of AI-tools that are aligned with our internal AI Use Policy, including our Responsible AI principles. Rather than banning the use of generative AI, we’ll implement the same vetting protocols as we do for any other category of AI applications. 

Risk assessments for AI systems will cover the whole spectrum of associated risks, including privacy and information security architecture. Based on the results of these assessments, we can make the decision on whether or not to allow the use of that AI application. 

We recognize that we might not be able to completely eliminate the identified AI risks in every case – instead, we’ll turn our attention to how we can mitigate known risk and share best practice approaches for users of those systems. 

For example, in OneTrust’s forthcoming AI Use Policy, we warn the users to be aware that content produced by GenAI is not entirely reliable and may not be accurate and that general purpose AI systems may mistakenly produce outcomes that may be inappropriate. We further alert users they should use caution and discretion before sharing, publishing, or otherwise using outcomes produced by GenAI systems. 

Finally, we advise users that data produced by AI systems under no circumstances shall be used as a substitute for legal, financial, or any other professional advice. We are looking into educating the users of AI systems through AI risk awareness training that is part of the overall AI risk mitigation controls we will roll out to our workforce by the end of this year. 

Cadence & structure 

The work of your AI governance committee will be ongoing, but it is helpful to have a set cadence for regular meetings. As you’re setting up your processes, consider these key questions:

• How often will the AI governance committee meet?
  
  
• How will the meetings be structured? 

How often does the AI Governance committee meet? 

Currently, OneTrust’s AI Governance Committee is set to meet once quarterly. This cadence may be adjusted if we decide that there is a business necessity for more frequent meetings. That said, a full committee meeting is not the only way the AI Governance committee conducts its business at OneTrust. 

If the Committee must make a decision on some initiative or policy, such voting is facilitated by electronic means where each committee member can vote. At the current stage, most of the AI Governance work is conducted in the smaller groups, e.g., by Information Security, Compliance, or Privacy teams. Ad hoc meetings in smaller groups play an important role in making sure that we make progress in governing our AI program.

How are meetings structured?

The Committee’s meetings are intended to focus on discussions and decision making around the key areas of responsibility, which include reviewing and approving AI-linked projects and initiatives, developing AI governance policies and procedures, and monitoring that the use of AI aligns with OneTrust Responsible AI principles and values.

Getting started with AI governance

Although standing up an AI governance program can seem overwhelming at the start, taking it one step at a time and making sure you have the right team in place goes a long way. To learn how OneTrust can support you in your AI governance journey, request a demo today.