Wrap Your Arms Around AI: AI Policy - To Be or Not To Be (Session 2)

Part 1: AI Governance

Session 2: AI Policy – To Be or Not To Be

Regardless of how you choose to define AI, the assessment completed during your strategy development will identify the risks associated with these digital tools.  Wrapping governance around your AI tools will mitigate these risks.  The format of AI governance is a hotly debated topic.  Create a policy exclusive for governing the creation and use of AI tools? Embed AI governance in another policy?  Do nothing and hope that the risks are covered in existing policies?  There is no ‘one size fits all’ answer.  The answer depends on the scope of your digital landscape, size of the organization, and even your industry.

Let’s explore what should be included in an AI Governance framework:

• First and foremost, define AI.  What does the term mean for your organization? 

• Define the permissible existing AI tools (workflows, algorithms)

• Define vetting requirements for new tools

• Is there a desire to use a generative AI tool? 

  • Will you allow the use of external solutions such as ChatGPT?  If yes, will you require documentation of the use of an external tool in the creation of a company document?

  • If CoPilot will be enabled, define the desired configuration settings (i.e., the scope of the search capabilities, capturing results of searches or generated material)

• Define methods for assuring search results are accurate especially for data analysis

• Define methods for data traceability (i.e., lineage)

• Define required foundational tools (information map, taxonomy schema, metadata schema, information classification, and security schema)

• Define methods for selecting and approving tools

• Define information security requirements

• Consider the acceptability of implementing solutions that require the use of API tools

• Define the use of SAAS versus on-prem tools

• Confidentiality requirements – is it acceptable for an employee to use ChatGPT on a personal device to ask sensitive organizational questions?

The maturity of the Information Management program will determine if many of these topics are already included in existing policies and standards. Creating a new, AI specific standard that reiterates topics already covered is not advisable.  Large organizations with a mature, modern Information Management (IM) program will likely cover many of these aspects.  The definition of AI and specific related topics not covered in other policies should be included in the Knowledge Management component of the program.  Small and mid-sized companies may not have invested in a comprehensive IM program.  Hence, the recommendation is to develop a Knowledge Management program that will ensure that the key foundational tools are implemented. (Knowledge Management is discussed in Part 2 of this series.)  AI and other tools used to ensure information flows throughout the organization will be defined as part of the program.  If you choose to develop a unique AI policy, ensure you do not duplicate protocols already implemented elsewhere and afterward, consider if what you have created is indeed, a Knowledge Management program.

We must implement governance to protect Information Assets, especially when AI tools are in use and computer programming is defining how and when information is accessed, shared, and utilized.  How we define what is and is not acceptable will be unique for each organization based on the business model, strategy, and company culture.  Choosing whether to create a unique policy or embed governance in an existing policy will be up to each organization, but choosing to not govern is NOT an option.

One additional consideration is the legal landscape.  Countries are implementing AI regulations and the landscape changes almost daily.  These regulations must be considered when deciding how to govern the use of AI tools.

The next session will be “Navigating the Digital Maze with an Information Map” … a tool that will help you determine where all of your “stuff” is located and view how it flows through your organization.

IM Visibility Information

IM Visibility provides clients with practical approaches for protecting information assets. Regardless of industry or company size, managing information assets in the age of AI is crucial.  How these new tools are implemented must be managed from a technical and people perspective.  Let IM Visibility support your next project to ensure that your information gets the protection required while meeting the technical and cultural needs of your organization.

Cathy Blosser is the owner and principal consultant for IM Visibility. She is a certified Change practitioner and certified Information Governance practitioner.  She is available to support your project or speak to your organization.

The Octopus Den

The Caribbean Reef Octopus displays incredible colors in its attempt to camouflage.  In the first image, the octopus has matched its color and texture to a nearby sponge. In the second picture, the octopus is located at the bottom of a piling.  The octopus is imitating the variety of colorful sponges located in the vicinity.

Octopus pictures are provided courtesy of Panacea Place – a short-term vacation rental in St. Croix, USVI.   www.panaceaplace.com