Published:
June 5, 2026

Is your company ready to embrace AI governance?

A key question confronting many boards is the extent to which they need to embrace AI to keep their companies relevant. They are weighing this up against how to manage the associated risks, as well as answering questions like “how do I stop company information being released into the wild?” or “are there unapproved AI tools being used in the company?”

For those who want to pursue an AI development path, this can be done while still minimising risk exposure, provided the necessary AI governance framework is put in place and followed. This in turn should enable a company’s board to satisfy itself that management has a clear approach for approving, monitoring, and escalating AI-related risks.

How am I exposed and where do I start?

One of the key steps here is establishing a list of all AI tools in use by employees; whether official or otherwise, all need to be included. The major governance risk arises if AI tools are used in an uncontrolled manner, potentially exposing a company to errors, data loss, contractual disputes, or regulatory breach. Other consequences may include decisions being made on unreliable outputs, where a person fails to apply proper judgment in reviewing a model and its outputs.

For each model, this list needs to record what is in use, why it is in use, who owns it, and whether it has been approved for use in the company. Under the EU AI Act, a risk category should be assigned to each model, which determines, amongst other things, what needs to be disclosed to users of the model. An example of a high-risk model is one that involves personal, customer or employee data, confidential information, or regulated activity. Any of these elements ending up “in the wild” would be detrimental to the company.

What risks associated with AI usage should be monitored by the board?

The following should be kept under review in relation to each model:

  • Legal and regulatory compliance
  • Data Protection
  • Cyber security
  • Model bias or discrimination
  • Dependency on supplier(s)
  • Reliability from an operational perspective

A key factor in managing AI models is understanding the output produced and being able to explain it. This is critical where important decisions are being made based on the output, especially in the areas of customers, staff, compliance, or finance. A company’s reputational risk is critical here, as mistakes in any of these areas could result in negative publicity, especially if the error is considered careless, unfair or ungoverned.

What should be included in the framework?

  • a clear AI policy
  • ownership and accountability by model
  • a process for approving new AI use cases
  • independent internal risk assessments for each case
  • vendor due diligence (on their controls and processes around creating a model the company may use for the benefit of its customers)
  • testing and validation
  • human oversight for higher risk uses
  • incident reporting
  • regular training for staff.

The degree of human involvement will be determined by the risk level: for higher-risk models, a human should be included as part of the process, while in other cases they may review output regularly. The extent of this involvement should be linked to the associated risks.

What keeps the board abreast of the company’s AI?

With a framework in place, top-down AI governance should include reporting on the number of approved AI tools and new use cases being developed; this will help show the progress the company is making.

Other data points that should be reported to keep the picture “whole” for the board include any unapproved tools discovered, high-risk cases under review, any incidents, staff training completion, supplier assessments completed, and any new regulation that could affect the company. The aim is not to give the board an in-depth briefing, but enough detail for them to understand the current status of AI in the company.

Striking the balance

Implementing an AI governance framework to guide the operation and control of AI in a company is an appropriate step to enable the company to use AI and gain the maximum benefit from it in a safe and controlled manner.

Keith Morrow brings over 20 years of global experience in strategy design, governance, and operational effectiveness, with a strong background in software, cybersecurity, and financial leadership. As founder of Kamolyn Limited, he advises clients on delivering measurable outcomes across commercial strategy, cross-functional operations, and finance transformation.

Keith Morrow | Kamolyn Ltd.
Senior Advisor, Strategy, Governance & Finance | Ireland
