
Navigating the Future: Crafting an AI Governance Plan for Your Enterprise


Integrating generative AI into enterprise operations will continue to unlock increasingly remarkable opportunities, but it will also come with increasingly significant compliance and security risks, especially for regulated industries like fintech, healthcare and medical device development, energy, and aerospace. Establishing the necessary governance structures for your organization is essential to managing these risks effectively. Companies that can swiftly implement robust governance frameworks will not only reduce risk but also innovate faster, staying ahead in a competitive landscape.

This plan must address all types of AI usage, with an emphasis on generative AI, one of the most popular applications across many industries today. This post won’t cover every aspect of AI governance and is not designed as an in-depth, prescriptive plan. Rather, hopefully, it can act as a catalyst to help your enterprise begin considering, drafting, and implementing a robust AI governance plan of its own by addressing the key areas of focus every governance plan should have.

Who’s responsible for AI governance within an organization?

When starting down the path of AI governance, the first question every enterprise leader should ask is “Who is going to be responsible for overseeing the effort?” While there may be some variation from organization to organization, generally speaking, accountability for governance should start at the C-suite and encompass the following group of key stakeholders:

  • C-Level Executives: The Chief Legal Officer (CLO) or a similarly senior risk-focused figure should lead the governance efforts.
  • Legal and Compliance Teams: These teams ensure adherence to both internal policies and external regulations.
  • IT and Data Security Departments: These groups are responsible for safeguarding data during AI operations.
  • Operations and HR: These areas ensure that all employees understand their roles in AI use and governance.

If your organization does not have an in-house CLO, consider recruiting a legal consultant who specializes in technology and AI to assist in creating a plan tailored to your company’s needs.

What are the Core Components of an AI Governance Plan?

With governance leadership in place, including all of the business, operations, and technology stakeholders necessary to bring the relevant design viewpoints to the table, the next step is to block in the key governing components.

1. Accountability & Oversight

Establishing clear accountability and responsibility roles is paramount in identifying potential risks, designing protective strategies, and ensuring effective monitoring of AI initiatives. For example, Google has implemented oversight committees to address ethical AI concerns while ensuring innovation. IBM’s AI ethics board includes diverse experts to guide the responsible use of technology. Also, Salesforce has assigned specific teams to address AI risk management and accountability. 

Again, these committees are staffed by a mix of senior business and technology leaders. To ensure that the AI governance work aligns with the enterprise’s overall business strategy, these accountability groups, however they are composed, should ultimately report up to the enterprise’s most senior leader responsible for enterprise risk management and then, after that, the C-suite.

2. Regulatory Compliance

The second core component of a sound AI governance framework addresses the operational framework (the “how”) an organization will provide to all of the relevant stakeholders, both internal and external, to ensure adherence to both domestic and international industry laws, regulations, and compliance regimes. This aspect of AI governance will differ significantly from organization to organization, and each governance plan will contain unique tools, systems, and processes, based on differing business models and associated risks, organizational structures, and cultures.


One example of an enterprise doing this well is Microsoft, which has taken the approach of embedding compliance protocols across its AI services. Another example is Amazon, whose tools include rigorous internal audits that allow the multinational technology giant to operate across a dizzying array of international standards and compliance requirements.

Included in any operational component of an AI governance plan should be a framework that allows that governance plan to flexibly and quickly evolve right along with the rapidly evolving nature of AI technologies and applications. 

3. Data Privacy & Security

No conversation around AI, particularly generative AI, would be complete without discussing data privacy and security. And likewise, no approach to AI governance would be complete without that same discussion and design. While data security and privacy laws and regulations are beginning to address AI specifically, much of the compliance risk analysis is being done in the context of legal regimes and statutory schemes that were enacted without AI in mind. Nevertheless, enterprises need to understand that those laws, and the governing bodies that enforce them, will extend little grace to those enterprises that violate the laws simply because AI technologies were not called out with particularity when the laws were enacted. 

Thus, ensuring that your enterprise’s AI governance plan manages implementation risk under both existing and future data privacy and security regulations is critical, as is leading the design of frameworks and processes that safeguard data integrity and privacy throughout the AI lifecycle. Examples of companies that are addressing this coverage requirement include Facebook, which, despite controversies, has made strides in transparency and data protection through various AI audits. Another example is Apple, which focuses on and promotes user privacy both internally and externally as it adheres to stringent data protection regulations.

The key to building out a solid data privacy and security component of your enterprise’s AI governance plan starts with auditing the types of data your company touches through its people and processes and how its AI implementations (either existing or proposed) interact or will interact with that data, and then putting both human and technological safeguards and processes in place to ensure that the data is protected throughout the AI lifecycle.

4. Ethical Use & Transparency

Another component of AI governance, one that will differ from enterprise to enterprise depending on a number of factors, should focus on the enterprise’s approach to and values around implementing AI from both a transparency and ethics standpoint. While that is a good place to start, by itself it is insufficient. Governance should encourage teams to adhere to those transparency and ethical guidelines with the ultimate goal of supporting responsible AI use. Some examples of companies that are doing this include OpenAI, which exhaustively promotes transparency in AI through open research and guidelines for ethical use. Another example is Tesla, which strives for clarity in the implementation of AI in autonomous mobility by engaging in public discourse. And as a final example, SAP ensures ethical AI use by baking into its governance policy a focus on integrating the company’s core values into product development.

Start your AI governance program with a strong, right-sized foundation

Reaping the full benefits of AI both internally and externally is as much a product of good governance design and intentionality as it is about the game-changing capability that AI brings. That means having a sound AI governance plan in place as you start down the path of leveraging AI to build competitive advantage. It doesn’t have to be perfect, and it’s important to recognize that you will need to revise and update your plan as technology and workforce dynamics evolve. But also recognize that drafting your governance framework today is an essential strategy for mitigating future risks and enabling you to harness the transformative power of AI responsibly. 

Hopefully, by following this high-level guide, your organization can take at least the necessary initial steps toward effective AI governance, and begin positioning your organization for a successful and innovative future.


Michael Wiggins

Chief Legal Officer

Michael, Fresh’s Chief Legal Officer, has been practicing law in the commercial sector for nearly 20 years. As much a business person as he is a lawyer, he has a keen eye for striking the right balance between managing risk and advancing strategic growth.

Before coming to Fresh, Michael was a partner at a boutique business transaction and litigation firm before leaving to start his own practice advising and representing business owners and their enterprises. As litigation counsel, Michael represented his clients at trial and on appeal in both state and federal court.

Although general counsel by day, Michael maintains his love of technology and science, having earned his Bachelor of Science in Biochemistry/Molecular Biology from the University of Washington, and a law degree from Seattle University with an emphasis in Business and Intellectual Property Law.

When he’s not at work, Michael loves traveling with his wife, also a lawyer, and their 5 children. Some of his outdoor passions are fly fishing, surfing, and rock climbing, although he’s always down for any kind of adventure.