GRN 2.1 - Roles and Responsibilities

NIST AI RMF (in the playbook companion) states:

GOVERN 2.1

Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are clear to individuals and teams throughout the organization, and documented.

About

The development of a risk-aware organizational culture starts with the definition of responsibilities. Under ideal risk management settings, oversight professionals are independent from model developers and report through risk management functions or directly to executives, countering implicit biases such as groupthink. This creates a firewall between technology development and risk management functions, so efforts cannot be easily bypassed or ignored.

Facilitating a culture where AI system design and implementation decisions can be questioned and course-corrected by empowered stakeholders provides organizations with tools to anticipate and effectively manage risks before they materialize.

Actions
  • Establish policies that define the AI risk management roles and responsibilities for positions directly and indirectly related to AI systems, including, but not limited to:
    • Boards of directors or advisory committees
    • Senior management
    • AI audit functions
    • Product management
    • Project management
    • AI design
    • AI development
    • Human-AI interaction
    • AI testing and evaluation
    • AI acquisition and procurement
    • Impact assessment functions
    • Oversight functions

  • Establish policies that promote regular communication among AI actors participating in AI risk management efforts.

  • Establish policies that separate management of AI system development functions from AI system testing functions, to enable independent course-correction of AI systems.

  • Establish policies to identify, increase the transparency of, and prevent conflicts of interest in AI risk management, and to counteract confirmation bias and market incentives that may hinder AI risk management efforts.

Transparency and Documentation

Organizations can document the following:

  • To what extent has the entity clarified the roles, responsibilities, and delegated authorities to relevant stakeholders?

  • Who is ultimately responsible for the decisions of the AI and is this person aware of the intended uses and limitations of the analytic?

  • Are the responsibilities of the personnel involved in the various AI governance processes clearly defined?

  • What are the roles, responsibilities, and delegation of authorities of personnel involved in the design, development, deployment, assessment and monitoring of the AI system?

  • Did your organization implement accountability-based practices in data management and protection (e.g. the PDPA and OECD Privacy Principles)?
