AI Governance Considerations for AI Deployers

Written By Morgan Ryan

Hauke Schupp

Director, Risk Practice, Clarendon Partners
Connect with me on LinkedIn

Ensuring Compliance through Governance and Risk Management

Artificial Intelligence (AI) is transforming industries worldwide, offering unprecedented opportunities for innovation, efficiency, and growth. However, with great power comes great responsibility, and the deployment of AI technologies is accompanied by significant regulatory and governance challenges. This article explores the AI governance considerations for organizations deploying AI, particularly considering the emerging regulatory frameworks such as the EU AI Act, the Colorado Consumer Protection for AI Regulation, and established data privacy standards like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

Key AI Governance Considerations for Deployers

Artificial Intelligence (AI) governance is critical to ensure the responsible and ethical deployment of AI technologies within organizations. As companies increasingly integrate AI into their operations, it is imperative to assess and implement your organizations Risk Management, AI Transparency and Explainability, Data Governance and Privacy, Bias and Fairness, and Accountability and Governance capabilities. These elements are not just regulatory requirements but foundational pieces that safeguard the integrity of AI systems. By prioritizing these considerations, companies can mitigate risks, foster trust, and ensure that their AI applications are both effective and aligned with ethical standards.


1. Risk Management and Compliance

Given the stringent requirements of the EU AI Act and the Colorado regulation, organizations must implement robust risk management frameworks and adopt them for AI technologies. These frameworks should include:

  • Risk Assessment: Regular assessments to identify and mitigate risks associated with AI deployment, particularly in high-risk sectors.

  • Compliance Monitoring: Ongoing monitoring to ensure that AI systems remain compliant with evolving regulations, including data protection laws like GDPR and CCPA.

  • Ethical AI Deployment: Aligning AI development and deployment with ethical standards, including fairness, non-discrimination, and respect for human rights.

2. Transparency and Explainability

Transparency is a cornerstone of AI governance, emphasized by both the EU AI Act and the Colorado regulation. Organizations need to:

  • Disclose AI Use: Clearly inform consumers and stakeholders when AI is being used, particularly in decision-making processes.

  • Implement Model Governance and Explainability: Ensure that AI systems, especially those in high-risk categories, are explainable. This means that the logic behind AI decisions should be documented, understandable to users, regulators, and other stakeholders, and periodically tested by independent reviewers.

  • Establish AI and Model Documentation: Maintain comprehensive documentation of AI system design including assumptions and mathematical theory, development including model code and training data, and deployment processes to demonstrate compliance with transparency requirements.

3. Data Privacy

Effective AI governance requires robust data governance practices that align with privacy regulations like GDPR and CCPA. Key considerations include:

  • Data Quality and Accuracy: Ensuring that the data used in AI systems is accurate, relevant, and up-to-date. Poor data quality can lead to biased outcomes and compliance risks.

  • Data Anonymization: Where possible, organizations should anonymize personal data to minimize privacy risks, especially in AI systems that handle large datasets.

  • User Consent: Obtain clear and informed consent from users for data collection and processing, in line with GDPR and CCPA requirements.

4. Bias and Fairness

Bias in AI systems is a significant concern, particularly in high-risk applications like hiring, lending, and law enforcement. To mitigate bias, organizations need to consider and implement:

  • Bias Audits: Conduct regular audits of AI systems to identify and address potential biases in algorithms and datasets.

  • Diverse Data: Use diverse and representative datasets to train AI models, reducing the risk of biased outcomes.

  • Fairness Metrics: Implement fairness metrics to evaluate AI system performance and ensure equitable treatment of all individuals.

5. Accountability and Governance Frameworks

Establishing accountability mechanisms is crucial for AI governance. Organizations should implement proportional:

  • Governance Structures: Create governance structures, such as AI ethics boards or committees, to oversee AI deployment and ensure alignment with regulatory and ethical standards.

  • Incident Response: Expand existing incident response protocols to address potential AI failures or breaches swiftly and effectively.

  • Continuous Learning: Foster a culture of continuous improvement, where AI systems are regularly reviewed, updated, and improved based on feedback and new developments in AI ethics and regulation.

Preparing for the Future of AI Regulation

The regulatory landscape for AI is rapidly evolving, with more jurisdictions likely to introduce AI-specific regulations in the coming years. To stay ahead, organizations need to focus on strengthening their:

  • AI Governance Frameworks: Evolve existing Model Risk Management frameworks to address the unique challenges and regulatory expectations that come with AI. Invest in assessing your current capabilities and building additional capabilities to close existing gaps at the onset of your AI journey to keep pace with regulatory expectations.

  • Stakeholder Engagement: Engage with stakeholders, including regulators, industry groups, and outside consultants, to stay informed about regulatory changes and best practices in AI governance. As this is an emerging regulatory environment it is likely that regulators will seek industry input enabling companies to help shape the requirements.

  • Technology Investment: Invest in AI governance technologies, such as AI auditing tools, risk management and compliance management systems, and AI enabled control automation to streamline compliance and mitigate risks.

  • Human Capital Investment: Augment existing capabilities through hiring of subject matter experts and consultants while simultaneously investing in upskilling and training your human resources through AI and human in the loop training as a key aspect.

Understanding the Regulatory Landscape

The EU AI Act

The EU AI Act is one of the most comprehensive regulatory frameworks introduced to govern AI technologies to-date. Proposed by the European Commission in April 2021 and effective as of August 1, 2024, the Act categorizes AI systems into four risk levels:

  • Unacceptable Risk: AI applications that pose a threat to safety, livelihoods, or rights are banned. Examples include AI systems that manipulate human behavior or use subliminal techniques.

  • High Risk: AI systems in sectors like healthcare, law enforcement, and employment are classified as high-risk and are subject to strict compliance requirements. These include mandatory risk assessments, data quality controls, transparency obligations, and human oversight.

  • Limited Risk: AI systems with specific transparency obligations, such as chatbots, require users to be informed that they are interacting with an AI system.

  • Minimal Risk: These are systems that pose little to no risk and are mostly exempt from regulatory requirements.

The regulation focuses on ensuring that AI systems are safe, respect fundamental rights, and comply with existing laws. Key provisions include:

  • Risk-Base Approach: The regulation imposes stricter requirements on AI systems categorized as high-risk and prohibits AI systems that pose an unacceptable risk to safety or fundamental rights.

  • Transparency: Users must be informed that they are interacting with an AI system.

  • Human Oversight: High-risk AI systems must be designed and implemented with mechanisms that ensure human oversight and to have the authority to override AI decisions.

Colorado Consumer Protection for AI Regulation

In the United States, AI regulation is emerging at a state level, with Colorado being a pioneer. The Colorado Consumer Protection for AI Regulation, enacted May 17, 2024 and effective on February 1, 2026, mandates that AI systems should be designed, developed, and deployed with fairness, accountability, and transparency in mind. Key provisions include:

  • Transparency: Organizations must clearly disclose when AI is used in high-risk and consumer-facing use cases and provide consumers the opportunity to correct personal data or appeal adverse decisions

  • Accountability: AI deployers must establish governance frameworks that ensure accountability for AI outcomes including Risk Management policies, impact assessments, and model algorithm testing.

  • Bias Mitigation: Companies are required to implement measures to mitigate bias in AI systems, ensuring fairness in decision-making processes and disclose any discovery of algorithmic discrimination.

California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR)

Both the CCPA and GDPR are critical to AI governance, particularly regarding data privacy. The GDPR, in effect since May 2018, is a comprehensive data protection law that applies to any organization processing the personal data of EU residents regardless of where the organization is located. The CCPA, effective from January 2020, grants California residents certain rights over their personal data and imposes obligations on businesses to safeguard this data.

  • Data Subject Rights: Both GDPR and CCPA grant individuals the right to access, correct, and delete their data. AI systems must be designed to respect these rights.

  • Data Minimization: AI deployers should ensure that they collect and process only the data necessary for their specific purpose, adhering to the principles of data minimization under GDPR.

  • Data Security: Organizations must implement robust security, data governance, and control measures to protect personal data, which is particularly crucial in AI systems handling sensitive information.

Conclusion

AI governance is a complex but essential aspect of responsible AI deployment. By understanding your existing capabilities, identifying gaps to achieving the future state, and partnering with subject matter experts to accelerate your success you can ensure that their AI systems are not only innovative but also ethical, transparent, and compliant. As AI continues to evolve, so too will the regulatory framework, making proactive governance a critical component of long-term success in AI deployment.


Contact Clarendon Partners

To learn more about how to implement a comprehensive governance strategy for AI, schedule a consultation with our team of experts at evolve@clarendonptrs.com. We can help you navigate the complexities of this evolving landscape and develop a tailored solution that meets your organization's unique needs.

Morgan Ryan
Previous

Optimizing Performance & Maximizing Returns
Next

New FinCEN Rule Expands AML and KYC Requirements to Real Estate and Investment Advisers: Are You Ready?