Overview of the New Product
Get Practical Artificial Intelligence Risk Management and Control Ideas You Can Implement Immediately… To Prepare an Initial AI Risk Management Policy, or Rapidly Upgrade an Existing AI Risk Management Policy
Make Changes Where They Are Most Effective: Far too much of the conversation about AI risks has been at the high-tech vendor and government levels, specifically discussing ethical issues, as well as laws and regulations. Very important -- but largely neglected -- are the specific risk reduction actions that user organizations of all types (including corporations, non-profits, and government agencies) can be taking on their own. This new book provides a compendium of practical ideas addressing the latter conversation -- the specific risk reduction ideas that user organizations can unilaterally adopt and implement. AI risks vary widely by industry and country, the nature of the business problem being addressed by AI, the sophistication of the AI technology used, the products and services offered by the involved organization, etc., and each organization needs to make its own decisions about what risk reduction measures are best for it. What’s more, user organizations are in the best place to take effective and responsive risk-reduction actions. This book acknowledges that each organization has unique circumstances and unique needs, and each in turn must tailor AI risk management approaches to these unique circumstances. That’s why a large menu of risk reduction options is provided in this book, and the user organizations are invited to choose from amongst them.
_____________________________
In October 2023, the U.S. Securities and Exchange Commission (SEC) filed a civil complaint against SolarWinds Corporation, and its Chief Information Security Officer, Timothy G. Brown, for violating federal laws by making false and misleading statements about cybersecurity practices and known risks. The complaint also alleges internal control failures related to known risks and vulnerabilities. This complaint highlights the “duty of care” that all directors and officers have to owners, to not only have reasonable and appropriate controls, but also to be forthright and truthful in disclosures about these controls. The same legal concept, specifically the fiduciary duty of care, applies to the risk management mechanisms related to AI. The new book explained on this website provides a compendium of the AI risk management options, so that the directors and officers can in turn make good choices, and if they are required to do so, also later prove that they chose reasonable and appropriate risk management mechanisms. First, there must be an awareness of the options, then there can be appropriate choices amongst those options, and then there must be implementation, maintenance, enforcement, and evolution of those control options chosen. – For more details about this specific example, see the SEC Press Release entitled “SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures,” 2023-227.
_____________________________
Leverage The Fact That the Background Research Has Been Done for You: This collection of practical and ready-to-deploy control ideas allows every organization to rapidly pick and choose the risk reduction approaches that are best for them. Expressed as policies, these 175+ control ideas can be used to set the ball in motion toward markedly reducing the risk of using AI. Policies are the beginning of an unfoldment of a new organizational reality, starting at the top of the organization. Once a risk assessment has been performed, responsive policies can then be chosen and adopted. At that point, a slew of infrastructure components that are consistent with those adopted policies can be generated. These subsidiary components include reporting relationships, job descriptions, governance structures, operational procedures, system design guidelines, technical standards, system architectures, system upgrade plans, technical tool acquisition plans, contingency plans, staff training systems, staff hiring plans, quality assurance approaches, compliance systems, vendor negotiation protocols, and many other organized ways in which risks can be reduced.
_____________________________
Start with these already-written policies, then have related internal conversations about which policies might be appropriate, given your firm’s unique needs, then select those policies which are appropriate, compile them in a separate document, and distribute them for review, editing, and approval -- such a process is expedited by this new book.
_____________________________
Propose Specific Control Ideas: While published control frameworks (such as the NIST AI Risk Management Framework (RMF)) and similar documents are general and helpful as far as they go, they fail to provide the specific AI system control ideas that can be used to markedly reduce AI risks. Likewise, these documents fail to provide the specific words that could go into an internal policy document addressing such control ideas. Furthermore, these documents fail to provide suggested action-forcing mechanisms that could assure a high rate of internal compliance with the policies that were chosen. Responding to all three of these needs, this new book provides specific control ideas, expressed as policies, in business-like layman’s language. The book also provides extensive explanations and justifications with which top management approval can readily be achieved. Furthermore, each of the 175+ already-written policies provided in this book comes with a related action-forcing mechanism -- a way in which compliance will be required (for example, “shadow AI” can be strongly discouraged through the provision of certain resources, like technical AI talent, only to those AI systems which pass through the AI Life Cycle Process). Over 2000 linked references in this book allow the policy-writer to quickly zero in on the specific sources that help to illuminate the AI-specific risk addressed by a policy, different approaches to writing the policy in question, and additional ideas with which the policy in question might be justified and/or implemented.
Level of Concern Ramps Up: According to a survey done by FTI Consulting, the number of shareholder proposals to the Board of Directors at publicly listed US companies that addressed AI issues more than doubled from 2023 to 2024. The first such shareholder proposal only came in 2019, and it was directed to Amazon. The scope of these proposals has also markedly grown recently, reflecting a wider scope of AI-related concerns. Shareholders particularly want to see policies addressing the governance of AI and ethical issues related to AI. This new book directly addresses both of those areas, by providing specific AI governance policies and a suggested organizational structure, plus a set of policies for selecting and evaluating ethical codes so that a well-tailored AI ethics code can then be adopted by the organization in question. All types of organizations need to markedly up-level their handling of the AI governance, ethics, and risk management areas, and this book can jump-start their efforts in that regard.