15 comments

  • Alex2037 2 days ago

    >Or can we follow the decades of experiences built when developing new technologies like planes, trains, and automobiles? Indeed, we can.

    do we regulate any software the way we regulate planes?

    operating systems? compilers? web browsers? text/image/video/audio/3D editors? video games?

    • rcxdude a day ago

      Medical device software.

      That said, software in these regulated industries tends to be a bit of a disaster area. Mainly because embedded software pays so much less, the average skill level is lower and no amount of quality paperwork is going to completely stop systematic incompetence. (not that the paperwork itself is inherently a problem: even skilled engineers will make mistakes sometimes and the quality system does generally mean that you do reviews and catch them. But when neither your planners nor your implementers nor your reviewers understand that casting pointers around willy-nilly in C is undefined behaviour, it's not gonna save you).

    • OtherShrezzing 2 days ago

      Well for starters, the software that runs on planes.

    • reed1234 2 days ago

      I feel like for software it depends on the use case, not the technology. There are plenty of laws about software use cases such as data storage and privacy compliance etc.

    • markerz 2 days ago

      Health care software with HIPAA compliance? Or SOC2? It’s not the same but it’s a high degree of regulation.

  • aanet 2 days ago

    Thanks a ton for posting this! I have been looking for just such material on implementing AI Governance (at a non profit, if that matters). The whole literature and research listed there is super helpful to me.

    Thanks Beatrice

    • beabytes 2 days ago

      You’re very welcome :)))

  • greatgib a day ago

    So totally useless...

    Sure it is good to keep oversight on AI use and co, but its only purpose is to feed countless useless executives and consultants shitting paper.

    In the end, the company will be happy to put the "iso" sticker, and will stash the thousand-page documents in a drawer with no one reading them and the company will continue to work the same as if this was not done. Just with money burned on the way.

  • gorkemcetin 21 hours ago

    The original research paper on IBM’s AI Risk Atlas defines a taxonomy of 40 AI risks. IBM then expanded the online Atlas, and the current IBM documentation lists 100 named risks. Where does the 60 number come from for IBM's list of AI risks?

  • aleks5678 2 days ago

    Who audits compliance?

    • simonjgreen 2 days ago

      An internal audit is how you go from gap assessment to ready for external audit.

      External auditors should be selected by looking for ones who themselves are audited by your regional government auditing body. E.g., if you wanted to be audited and certified for ISO27001, and you happened to be in the UK, you may choose BSI as your external auditor, who themselves are audited by UKAS.

      It’s a web of trust model.

      The purpose of these certificates is to shortcut compliance checks by your customers (or in some cases suppliers).

      • ISO27Auditor a day ago

        You don't need to use an external auditor that is your local audit provider, you just need to be sure that the audit provider (certification body) is accredited with an accreditation under IAF (e.g. IAS, UKAS, DAkkS, COFRAC etc).

        Any accredited certification body in the world can audit you, and you can also save a lot by opting for a smaller certification body abroad instead of, for instance, one of the big names (I am an auditor for ISO 42001 and ISO 27001 as well).

    • undefined 2 days ago
      [deleted]
  • undefined 2 days ago
    [deleted]
  • undefined 2 days ago
    [deleted]