Tag Archives: GRC

2025
Leave a comment
Artificial Intelligence, Info Security

Navigating AI Governance: Essential Frameworks & Principles (Part 2)

Following up on my previous post about foundational AI concepts, I’m back with Part 2 of my AI learning journey!

While Part 1 covered how AI works, this post tackles how we can use AI responsibly. A crucial side of AI goes beyond the technical aspects into: governance, ethics, risk management, and ensuring AI benefits everyone.

AI Generated

My AI Governance Notes

I’m sharing my notes below to help others navigate AI governance. These break down complex frameworks into digestible insights.

Note: These are personal notes, not comprehensive guides. Use them as a starting point for understanding responsible AI practices.

Key takeaway: AI governance isn’t about slowing innovation. It’s about ensuring innovation benefits everyone.

Frameworks, Standards, & More

  1. EU AI ACT (risk-based approach)
    • Risk Categories
      • Prohibited: Social scoring, subliminal manipulation, real-time biometric ID
      • High-Risk: Biometric systems, employment, education, law enforcement, healthcare
        • Requirements:
          • Risk management systems
          • Data governance & quality
          • Technical documentation
          • Human oversight
          • Accuracy & robustness
          • Conformity assessment & CE marking
      • Limited Risk: Chatbots, deepfakes (transparency required)
      • Minimal Risk: Everything else
  2. NIST AI RMF
    • Govern: Policies, roles, accountability
    • Identify: Context, risks, impacts
    • Measure: Testing, evaluation, benchmarks
    • Manage: Controls, monitoring, improvements
  3. GDPR + AI (focus on individual rights)
    • Article 22 – Automated Decisions:
      • Right NOT to be subject to solely automated decisions
      • Right to human intervention
      • Right to explanation
      • Right to contest
    • Article 35 – DPIA Required for:
      • High-risk AI processing
      • Systematic evaluation
      • Large-scale sensitive data processing
    • Article 6 – Legal Basis
      • Must have valid reason to process
        • Consent, Contract, Legal obligation, Vital interests, Public task, Legitimate interests
    • Article 25 – Privacy by Design
      • Build privacy into AI

AI Lifecycle Phases

  1. Planning: Define goals, assumptions, stakeholders, governance, context
  2. Design & Development: Choose architecture, feature selection, bias testing
  3. Testing: Validate fairness, robustness, simulate deployment
  4. Deployment: Monitor initial performance, HITL (Human-in-the-Loop) review
  5. Monitoring: Drift detection, incident response, retraining

Governance Principles

  1. Transparency – Openness on system operation
  2. Accountability – Clear responsibility chains
  3. Privacy & Security – Data protection built-in
  4. Fairness – Non-discrimination and bias management
  5. Human Oversight – Human control and intervention
  6. Reliability – Consistent and robust performance

AI Explainability

  1. Explainability: Reasons for specific outputs
  2. Transparency: Openness on system operation
  3. Interpretability: Human-understandable decision logic

Bias Types & Detection

5 Key Bias Types:

  1. Data Bias: Biased training datasets
  2. Label Bias: Incorrect or biased labeling
  3. Automation Bias: Over-reliance on AI decisions
  4. Outcome Bias: Discriminatory results
  5. Confirmation Bias: Seeking confirming evidence

Detection Methods:

  1. Statistical parity testing
  2. Equalized odds evaluation
  3. Demographic parity analysis
  4. Individual fairness measures

Common AI Governance Roles

  1. Governance Team: Oversight and policy
  2. Developer: Design, build, train models
  3. Validator: Independent testing and validation
  4. Compliance Officer: Regulatory adherence
  5. Data Scientist: Data analysis and modeling
  6. Human Reviewer: Final decision authority

Audit vs Test vs Monitor

  1. Audit: Post-deployment review (comprehensive assessment)
  2. Testing: Pre-deployment validation (before going live)
  3. Monitoring: Continuous ops review (ongoing surveillance)

When Problems Arise

  1. Bias Detected: Audit first
  2. Model Performance Declines: Audit first
  3. Discrimination Complaints: Audit first

Model Documentation Requirements

  1. Purpose: Why the model was built
  2. Data Used: Training data sources and characteristics
  3. Metrics: Performance and fairness measures
  4. Ethical Concerns: Identified risks and mitigations
  5. Deployment Context: Where and how it’s used

Risk Management Key Components

  1. Model Inventory: Catalog of all AI systems
  2. Tiering: Risk-based classification system
  3. Controls: Safeguards and mitigations
  4. Incident Response Plan: Procedures for problems

Human Oversight Levels

Human-in-the-loop: Human makes final decisions. High-stakes decisions.
Human-on-the-loop: Human monitors, can intervene. Medium-risk applications.
Human-out-of-loop: Automated with oversight. Low-risk, high-volume.

Trustworthy AI Characteristics

  1. Valid & reliable
  2. Safe, secure & resilient
  3. Accountable & transparent
  4. Explainable & interpretable
  5. Privacy-enhanced
  6. Fair with managed bias

Disclaimer: AI tools were used to assist with research and drafting portions of this content and study guide.

Tagged , , ,
Advertisements