Skip to content

Latest commit

 

History

History
67 lines (49 loc) · 6.49 KB

File metadata and controls

67 lines (49 loc) · 6.49 KB

5.1 Govern

The GOVERN function:

  • Cultivates and implements a culture of risk management within organizations designing, developing, deploying, evaluating, or acquiring AI systems
  • Outlines processes, documents, and organizational schemes that anticipate, identify, and manage the risks a system can pose, including to users and others across society -- and procedures to achieve those outcomes
  • Incorporates processes to assess potential impacts
  • Provides a structure by which AI risk management functions can align with organizational principles, policies, and strategic priorities
  • Connects technical aspects of AI system design and development to organizational values and principles, and enables organizational practices and competencies for the individuals involved in acquiring, training, deploying, and monitoring such systems
  • Addresses full product lifecycle and associated processes, including legal and other issues concerning use of third-party software or hardware systems and data

GOVERN is a cross-cutting function that is infused throughout AI risk management and enables the other functions of the process. Aspects of GOVERN, especially those related to compliance or evaluation, should be integrated into each of the other functions.

Strong governance can drive and enhance internal practices and norms to facilitate organizational risk culture. Governing authorities can determine the overarching policies that direct an organization's mission, goals, values, culture, and risk tolerance. Senior leadership sets the tone for risk management within an organization, and with it, organizational culture. Management aligns the technical aspects of AI risk management to policies and operations. Documentation can enhance transparency, improve human review processes, and bolster accountability in AI system teams.


Categories and Subcategories

GOVERN 1: Policies, processes, procedures, and practices across the organization related to the mapping, measuring, and managing of AI risks are in place, transparent, and implemented effectively.

Subcategory Description
GOVERN 1.1 Legal and regulatory requirements involving AI are understood, managed, and documented.
GOVERN 1.2 The characteristics of trustworthy AI are integrated into organizational policies, processes, procedures, and practices.
GOVERN 1.3 Processes, procedures, and practices are in place to determine the needed level of risk management activities based on the organization's risk tolerance.
GOVERN 1.4 The risk management process and its outcomes are established through transparent policies, procedures, and other controls based on organizational risk priorities.
GOVERN 1.5 Ongoing monitoring and periodic review of the risk management process and its outcomes are planned and organizational roles and responsibilities clearly defined, including determining the frequency of periodic review.
GOVERN 1.6 Mechanisms are in place to inventory AI systems and are resourced according to organizational risk priorities.
GOVERN 1.7 Processes and procedures are in place for decommissioning and phasing out AI systems safely and in a manner that does not increase risks or decrease the organization's trustworthiness.

GOVERN 2: Accountability structures are in place so that the appropriate teams and individuals are empowered, responsible, and trained for mapping, measuring, and managing AI risks.

Subcategory Description
GOVERN 2.1 Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization.
GOVERN 2.2 The organization's personnel and partners receive AI risk management training to enable them to perform their duties and responsibilities consistent with related policies, procedures, and agreements.
GOVERN 2.3 Executive leadership of the organization takes responsibility for decisions about risks associated with AI system development and deployment.

GOVERN 3: Workforce diversity, equity, inclusion, and accessibility processes are prioritized in the mapping, measuring, and managing of AI risks throughout the lifecycle.

Subcategory Description
GOVERN 3.1 Decision-making related to mapping, measuring, and managing AI risks throughout the lifecycle is informed by a diverse team (e.g., diversity of demographics, disciplines, experience, expertise, and backgrounds).
GOVERN 3.2 Policies and procedures are in place to define and differentiate roles and responsibilities for human-AI configurations and oversight of AI systems.

GOVERN 4: Organizational teams are committed to a culture that considers and communicates AI risk.

Subcategory Description
GOVERN 4.1 Organizational policies and practices are in place to foster a critical thinking and safety-first mindset in the design, development, deployment, and uses of AI systems to minimize potential negative impacts.
GOVERN 4.2 Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use, and they communicate about the impacts more broadly.
GOVERN 4.3 Organizational practices are in place to enable AI testing, identification of incidents, and information sharing.

GOVERN 5: Processes are in place for robust engagement with relevant AI actors.

Subcategory Description
GOVERN 5.1 Organizational policies and practices are in place to collect, consider, prioritize, and integrate feedback from those external to the team that developed or deployed the AI system regarding the potential individual and societal impacts related to AI risks.
GOVERN 5.2 Mechanisms are established to enable the team that developed or deployed AI systems to regularly incorporate adjudicated feedback from relevant AI actors into system design and implementation.

GOVERN 6: Policies and procedures are in place to address AI risks and benefits arising from third-party software and data and other supply chain issues.

Subcategory Description
GOVERN 6.1 Policies and procedures are in place that address AI risks associated with third-party entities, including risks of infringement of a third-party's intellectual property or other rights.
GOVERN 6.2 Contingency processes are in place to handle failures or incidents in third-party data or AI systems deemed to be high-risk.