Enabling Enterprise AI Adoption Through Next-Generation Governance

Introduction

Artificial intelligence (AI) has become increasingly important in the enterprise, thanks in part to the rise of generative AI (GenAI). While not a new technology or concept, AI (including machine learning) holds tremendous promise to transform various business functions and activities worldwide — from accounting and finance to cybersecurity, customer experience and more. In boardrooms and C-suite offices everywhere, AI is inspiring conversations on reimagining how the business operates.

Realising AI’s opportunities, measuring and managing both benefits and risk, becomes difficult without appropriate and effective guardrails in place. Such guardrails, more commonly referred to as governance, are critical — not to slow down AI adoption and implementation, but rather to accelerate and optimise its responsible and effective use throughout the enterprise while creating new opportunities.

By implementing effective governance frameworks and policies, organisations can efficiently recognise, comprehend and measure the potential risks and opportunities associated with AI. This enables them to align their governance practices with the specific use cases they have identified and agreed upon, and ultimately make well-informed decisions regarding the utilisation of AI.

In this paper, we share some best practices for aligning AI efforts with the foundational elements of a strong AI governance program, starting with forming an advisory board and defining use cases.

First things first — select an advisory board and use cases

Most organisations are familiar with governance. They already have policies in place for various technology solutions that can serve as a guide for effective AI governance. Additionally, the lessons learned from establishing governance for other business processes and technologies can expedite the development of an efficient AI governance approach and framework.

The foundation for AI governance begins with people who, in this case, will form an advisory board that should guide and promote the adoption of this rapidly evolving technology to meet business needs. The advisory board typically includes senior managers, legal counsel, compliance managers and experts from across the organisation who understand the business’s defined goals and the importance of driving transformation.

The role of an advisory board

An advisory board, which might also be called a steering committee, is primarily responsible for providing strategic direction and oversight and ensuring alignment with the organisation’s broader mission and objectives. The advisory board should define the vision and objectives for deploying AI in the organisation and outline the opportunities and risks.

Ultimately, the advisory board is responsible for identifying the key areas where AI can be beneficial, and it promotes adherence to ethical guidelines and regulatory compliance. It also ensures that the aspects of the AI governance framework align with legal requirements, industry standards (for example, NIST AI RMF controls), the company’s ethics, and moral principles such as transparency, fairness and security.

It is critical for the advisory board to represent leaders and experts throughout the organisation to ensure a multidisciplinary approach and mindset. It should be comprised of key stakeholders, including those that have knowledge and expertise in key areas, such as AI technology, internal audit, cybersecurity, compliance, legal counsel and business operations.

Once the advisory board is identified, its first order of business should be to identify and evaluate potential AI use cases for the organisation.

Use cases pave the way to identifying governance requirements

One of the first and most essential functions of the advisory board is identifying and examining individual use cases for AI in the organisation, ensuring that each use case gets customised controls based on its unique needs while considering the potential benefits against any risks that need to be addressed and managed.

As we noted earlier, governance is not a new concept for organisations. Most have a high level of familiarity and often sophisticated governance policies and practices in place around numerous functions — ERP systems, supplier management, cybersecurity and more. Most organisations likely have detailed governance frameworks that they apply to these functions, ones that may have taken months or even years to refine.

When it comes to AI, the key points here are that (1) there is no need to reinvent the wheel with a unique approach to AI governance — it’s likely existing policies and practices offer some nuances and specificity that can be used as foundation components for AI governance and (2) the governance components and controls should be flexible and adapt to how AI will be used — i.e., the use case.

Each use case may have unique capabilities and requirements that may require different controls in the governance framework. For example, an AI use case of identifying preventive maintenance needs will carry a much different set of risks than a use case that supports hiring decisions. It is also possible that some controls defined in the organisation’s current governance programs, policies and frameworks may not be necessary for a particular AI use case. Which controls are and are not relevant and necessary depends on the specific AI use case and its context. For example, an AI deployment that is considered a closed system, where no queries or data extend beyond the internal systems, may not need stringent privacy or data sovereignty controls.

The advisory board should support the examination of the implications of the use case and evaluate its viability. This includes:

  • Identifying the problem the AI solution will solve and setting measurable objectives for success.
  • Ensuring visibility into the quality and relevance of the data sources used.
  • Determining data requirements such as storage, processing, privacy and security.
  • Determining the high-level technical components needed for implementing the use case.
  • Assessing compliance requirements, including data protection laws and industry regulations.
  • Addressing ethical concerns and incorporating principles of fairness, transparency and accountability.
  • Performing a risk assessment to understand potential challenges and unintended consequences.
  • Identifying and engaging stakeholders affected by the use case.
  • Comparing potential benefits against costs to justify investment in the use case.
  • Creating metrics to evaluate the success or failure of the use case.

Once these tasks are completed, the next step is to outline further the use case to determine how it fits into a broader governance framework.

Refining a use case requires incorporating considerations that are typically defined in an AI governance framework. These considerations will help accelerate the development of the use case and make the deployment align with business goals.

Keep in mind that different use cases may have different considerations. However, most use cases share some common principles that are encapsulated in the governance framework. These principles, summarised below, can speed the development of use cases while also preventing essential elements from falling through the cracks.

Accountability: Clearly define responsibilities for AI systems and establish roles and expectations for those involved in their development, deployment and oversight of the use case.
Transparency: For some use cases, transparency is an important consideration and explains the decision-making process of AI systems so that stakeholders understand how the systems arrive at their conclusions or recommendations.
Auditability: To make sure that a use case meets an organisation’s needs, it is important to ensure that the AI systems can be audited, which in turn can speed troubleshooting and allow the examination of decision-making processes and outcomes to ensure that business objectives are met.
Fairness: A framework can help embed fairness into a use case, which helps to prevent bias and ensure equitable outcomes for all individuals or groups affected by AI applications.
Security: The framework should offer guidance on how to implement robust security measures where needed.

 

Aligning governance to use cases

Now that we’ve set up the advisory board and defined the AI use cases, it’s time to discuss governance.

With the introduction of any innovative technology, there are considerations that must be addressed to help drive success. For example, a benefit versus risk analysis is a critical element for vetting any use case. In addition to defining the opportunities created by implementing an AI use case, it is important to identify and manage risk properly to realise the full potential offered by that use case. Only then can the specifics of the use case be aligned with the components of a governance framework.

In many cases, particular components of a governance framework may not be applicable or may have reduced importance during the alignment process. Even so, there are some basic foundational tasks that are common across most use cases:

Identify core principles: Determining your organisation’s core AI ethics and principles proves critical for defining how the organisation will use AI. Considerations here include how the proposed use case aligns with the organisation’s values and goals. For example, principles like transparency, fairness, accountability and explainability can help ensure responsible and ethical AI practices and should be codified into the governance framework. Additionally, ethical considerations, such as avoiding biased or discriminatory outcomes, should be considered when determining the weighting of policies incorporated into the governance model.
Understand the regulatory landscape and compliance requirements: A well-thought-out use case will acknowledge the requirements set forth by the existing regulatory landscape. Public AI systems, which interact with external data stores and transmit data or queries beyond the organisation, may be subject to regional laws, and the associated policies and guidelines must be codified into the governance framework. Organisations that are aligning use cases built on private systems, where all data and queries remain within the organisation, may have fewer compliance requirements and can instead focus on internal policies and rules as opposed to government-driven compliance regulations and policies.
Conceptualise data security and accuracy: A use case should identify the sensitivity of the data that is collected, processed and created. Knowing what to protect and how to protect it becomes one of the core components of defining what governance policies to leverage. Robust data governance practices, including data collection, storage and sharing, should be implemented to ensure the security and integrity of data within the context of the use case.
According to an IBM study, executives are eager to capitalise on GenAI, with more than 6 in 10 planning to pilot or operate in some way in 2024. IDC predicts global spending on AI will exceed $301 billion by 2026.

Understanding and communicating the benefits of governance

One of the biggest benefits offered by a strong governance program is ensuring AI adoption is aligned with organisational strategy and designed to maximise business value.

The benefits offered by a properly executed governance program should be shared with the core stakeholders that are impacted by the defined use case and, eventually, the broader enterprise. Some of these benefits include:

Establishing ethical use: A governance framework enables organisations to quickly develop a use case that takes into consideration the use and behavior of AI systems while promoting ethical development, deployment and use.
Promoting transparency and accountability: A well-designed governance framework encourages transparency and collaboration, allowing others to understand AI decision-making processes and better execute on a proposed use case.
Protecting user rights: For many use cases, data privacy is an important consideration, especially for open systems. A governance framework accelerates use case development by establishing guidelines for data privacy, consent and security to safeguard individual rights in accordance with state, federal and global requirements.
Mitigating risk: Governance policies help to identify and mitigate risks by ensuring organisations are prepared to handle the challenges and uncertainties that may arise during AI deployment.
Complying with current laws and regulations: AI governance helps a use case adhere to legal and regulatory requirements concerning AI technologies.
Building trust and protecting reputation: A robust governance framework fosters trust among stakeholders, including customers, investors and the public. Building trust is vital for successful use case adoption.
For more information on building responsible AI, please see guidance from the National Artificial Intelligence Centre — CSIRO and the Artificial intelligence | Department of Industry, Science and Resources.

Shaping AI governance: internal and external dynamics

Governments, legislative bodies and other authorities are working to address concerns related to the adoption of AI technologies and are developing or modifying legislation, guidelines and compliance requirements to meet the challenges posed by AI. Organisations that are adapting their governance programs for AI use cases need to consider how external factors will influence the design and application of their frameworks. Whether an organisation is modifying existing frameworks or creating new ones, it is important for them to conduct their own due diligence.

Selecting the appropriate governance policies depends on the specific needs of the organisation. For example, certain businesses may have charters, codes of conduct or foundational perspectives that influence the use of AI technologies and guide appropriate use policies. Therefore, the organisation needs to consider and define the following factors:

Capabilities and resources: The availability of resources, such as financial, technical and human resources, greatly impacts an organisation’s ability to implement AI policies. These resources are crucial for the deployment, training and enforcement of AI governance policies.
Internal policies and ethics guidelines: Predefined policies regarding ethics and other requirements are fundamental for establishing governance that aligns with the organisation’s objectives.
Data governance and management strategies: Understanding the existing controls and strategies for data issues is an important consideration in the development of an AI governance framework.
Risk management strategies: Risk concerns extend beyond AI/ML and GenAI. Organisations should align their AI governance with the broader risk management strategy of the organisation.

 

As noted earlier, an important aspect of AI governance is establishing company standards for the implementation and use of the technology, and how those standards impact use cases. Fortunately, many organisations already have broader technology-related standards in place that can be used to support the development of AI governance standards. This simplifies the process of creating specific AI governance standards.

Call to action for AI governance

Identifying appropriate governance for an AI solution is one of the most critical steps for an effective deployment of the technology. However, determining the applicable policies and components of governance is a task that should not be taken lightly. Assembling the appropriate controls to protect data and ensure ethical use of AI systems will take a team effort, where stakeholders as well as management have a clear understanding of the goals being pursued. Obviously, there are steps to instantiating appropriate governance before deploying any AI solution, which include the following:

  • Create an advisory board.
  • Align the governance framework, policies, standards and controls.
  • Educate users.
  • Develop an inventory of existing AI technologies and use cases and rate those use cases for risk.
  • Apply controls as appropriate to the use cases, including red-team testing of high-risk use cases.

Of course, AI systems evolve over time and require measurement for effective long-term management. Governance goes a long way toward providing the foundation that supports an AI deployment, while also setting the stage for reiteration and agility.

Currently, according to the OECD policy repository, there are over 800 AI legislative policy initiatives from 69 countries and territories.

Artificial Intelligence (AI) is changing the way we do business. Across all industries, from technology to healthcare, financial services and consumer products, organisations are adopting AI, intelligent automation and advanced analytics to improve processes, drive new business opportunities and increase competitive advantage.
We partner with organisations to solve business challenges with cutting-edge Artificial Intelligence services that improve speed, enhance precision, and optimise customer experiences.

As companies progress on the journey toward digital transformation, AI is a key element that promises to deliver critical insights leading to accelerated innovation and success while protecting critical business assets.

Protiviti (www.protiviti.com) is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independent and locally owned Member Firms provide clients with consulting and managed solutions in finance, technology, operations, data, analytics, digital, legal, HR, governance, risk and internal audit through our network of more than 85 offices in over 25 countries.

Named to the 2023 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 80 percent of Fortune 100 and nearly 80 percent of Fortune 500 companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Related resources

Loading...