A Comprehensive Framework for AI Development, Adoption and Governance

With the rise of AI and its increased adoption, there are questions:

• What are the right frameworks for AI adoption?
• Would my existing governance practices equip me to manage AI?
• What are the key considerations while building or adopting AI?

To be honest, answers to a lot of these questions are still evolving. While we don’t need to throw away existing governance frameworks, they would certainly undergo dramatic changes to factor in organizational AI adoption – similar to the way Cloud changed them. IT Service Management (ITSM) practices are still valid, but cloud brought in newer concepts like DevOps, DevSecOps, FinOps, etc. to augment these IT governance frameworks. I do not think organizations stopped following ITSM practices, but they adopted and augmented the new methodologies to incorporate Cloud governance components into it. Let’s look at how ITSM evolved due to cloud and then discuss how AI is likely to add newer dimensions to it.

Since IT systems became business critical, there was need to structure the IT service management. The complexity of IT systems, their business criticality, involvement of multiple teams, multiple vendors and partners and need to make it more predictable pushed the IT providers to build IT Service Management frameworks.

First generation ITSM frameworks included following widely used ones:

• ITIL (IT Infrastructure Library) - One of the most globally recognized ITSM frameworks is ITIL. First introduced in 1989 by British government's Central Computer and Telecommunications Agency (CCTA), ITIL provides directions to organizations on how to best use IT for business transformation, development, and change—and it has still remained relevant. The latest version of ITIL is v4 released in 2019 and has five key stages, comprising 26 processes.
• COBIT (Control Objectives for Information and Related Technologies) - is designed by ISACA to help organizations develop and implement governance and information management strategies. The COBIT Core Model contains 40 governance and management objectives that help companies.
• MOF (Microsoft Operations Framework) – is a series of 23 different documents that outline the processes of creating, implementing, and managing IT services. MOF includes guidelines for the whole lifecycle of a specific IT service, which enables organizations to achieve full system reliability and availability of Microsoft technologies and products.
• eTOM (enhanced Telecom Operations Map) – is a framework specifically for enterprise processes in the telecommunications industry. The entire framework consists of best practices, models, and a set of standards, all of which are arranged in three levels of processes in a hierarchy.
• TOGAF (The Open Group Architecture Framework) – is a framework and methodology that aims to define business goals while aligning them with architecture objectives related to software development. It is a great way to learn and structure your design thinking for enterprise architecture.
• ISO 20000 – is the international standard for IT?service management. It was developed in 2005 by?ISO/IEC JTC1/SC7 ?and revised in 2011 and 2018. It was originally based on the earlier?BS 15000?that was developed by?BSI Group . It is based on ITIL and is the auditable / certifiable implementation of ITIL / IT Service management for an organization.

With wide adoption of cloud, Micro-service architecture, agile development, the ITSM frameworks went through a major change and augmentation process. The new IT SM frameworks more suited for a post cloud world, include:

• DevOps - A compound of development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers. DevOps enables formerly siloed roles — development, IT operations, quality engineering, and security—to coordinate and collaborate to produce better, more reliable products. By adopting a DevOps culture along with DevOps practices and tools, teams gain the ability to better respond to customer needs, increase confidence in the applications they build, and achieve business goals faster. It is aimed at brining agility required in the cloud era with Continuous Integration and Continuous Delivery (CI/CD).
• FinOps - FinOps is an evolving cloud financial management discipline and cultural practice that enables organizations to get maximum business value by helping engineering, finance, technology and business teams to collaborate on data-driven spending decisions. Share the same language and processes to monitor cloud spend and maximize the value of cloud adoption. FinOps is not just about saving money, it's much more than that, by incorporating FinOps practice to your organization, your cloud spend can drive more revenue, enable quicker go to market strategy, help you maximize ROI, and most importantly to help you achieve your business outcome.
• SecOps - SecOps, formed from a combination of security and IT operations staff, is a highly skilled team focused on monitoring and assessing risk and protecting corporate assets, often operating from a security operations center, or SOC.
• DevSecOps - DevSecOps is a software engineering culture and practice that aims at unifying software development (Dev), security (Sec) and operations (Ops). The DevSecOps framework brings security into the DevOps approach from the beginning as an important part of app development. This framework incorporates security testing and audits throughout the whole development lifecycle instead of only as a last step.

I do intend to elaborate on some of these exciting frameworks in future, so stay tuned!

Framework for AI:

One of the key differences between most of the IT frameworks in the past and the ones getting developed for AI is this – most of the IT frameworks were designed to better manage IT – availability, performance, cost, SLA, etc. Over the last decade Privacy started becoming an important consideration, especially for data collectors or data fiduciary organizations, but in general for every IT organization. AI would be taking this part of governance to a whole different level because of its need for large amounts of data for training, its own ability to generate data, AI’s growing role in not only processing data but also in making or influencing decisions and a concern that AI could impact humanity in much larger way than any other IT system ever did in the past.

The main reason why AI needs a completely different governance framework is because of its possible impact on humanity. In every generation, you have one or at a maximum of two events which have potential to alter fate of humanity in both positive and negative way. Our grandfather’s generation witnessed the rise of atomic energy which gave us a source of clean and abundant power but also created the threat of nuclear weapons. Our father’s generation saw the rise of genetic research and engineering – with promise to eradicate genetic diseases like diabetes, asthma, cancer but also possibility of wild experimentation resulting in unthinkable consequences on humans as species. Our generation is witnessing AI – promising to change the way we have been interacting or using machines for last 400+ years and help humanity achieve great things but also with thought of AI going “rogue”. While In each of the first two instances, what helped get maximum benefits for humanity and control the damage as much as possible, was the evolution of a governance framework and global consensus around it. ?

Because of these reasons, there are efforts to build global consensus on Responsible AI. And also, because of these reasons, AI governance would need to be centered around Humans first and IT later. As a first step, let’s think through possible AI Governance framework. A Framework for AI would need to consider 3 stages of AI consumption – build, adopt and govern, like most of the IT systems.

• Build – in this stage the framework would largely be applicable to organizations developing AI systems and its people, processes, data usage and systems.
• Adopt and Operate – applicable to organizations which would be using AI – enterprises, government entities, consumers, etc. Governance for them would be on similar lines of current IT Service Management frameworks, but with additional components relevant for AI.
• Govern – applicable to industry regulators, law enforcement bodies, internal auditors, etc. This would be centered around regulations / laws, their audit, forensic and enforcement.

Let’s elaborate the layers and components of proposed AI Governance Framework. The AI Framework would need to have 5 key layers – Human Values, Data Governance, IT Governance, Applications and Regulations.

Here is a glimpse of key components of a proposed framework for AI. The detailing of each component should be able address the questions or requirements for each block:

1.????? Human Values

a.????? Fairness - How a system impacts different subpopulations of users (e.g. by gender, ethnicity)? How might an AI system allocate opportunities, resources, or information in ways that are fair to the humans who use it?

b.????? Inclusiveness - How might the system be designed to be inclusive of people of all abilities?

c.????? Transparency - Communicating information about an AI system so stakeholders can make informed choices about their use of the system. How might people misunderstand, misuse, or incorrectly estimate the capabilities of the system?

d.????? Safety - How might the system function well for people across different use conditions and contexts, including ones it was not originally intended for? What are the safety levers or override built into AI system? How do we build practical equivalent to science fiction of Three Laws of Robotics by Issac Asimov?

2.????? Data Governance

a.????? Privacy - How might the system be designed to support privacy? It will certainly have to factor in requirements of EU’s GDPR or India’s DPDP .

b.????? Security - How is Data protected from theft and exposure? This not only deals with security but also integrity of the data.

c.????? Consent – How the system is managing consent of end users for storing, processing and removing their data or its usage by the system? Be it for training or development of AI or using the data for end use case execution (e.g. automated loan processing).

d.????? Reliability or Robustness – Mechanisms to ensure an AI system operates reliably and things like hallucination are either known or quantifiable.

3.????? IT Governance

a.????? Monitoring and Management – this constitutes of the typical IT Service Management components like Incident / Problem / Change Management, etc. Like any other IT system, AI would need to be monitored, managed, etc. Parameters for monitoring would greatly differ though from existing IT systems and are rooted across the human, data and application layers.

b.????? Cost or FinOps – a critical component of rapid AI adoption is cost – cost of building AI, cost of running it – from GPU infrastructure to Data scientists to cost of developing, managing and delivering value to end business users. Estimating, controlling and optimizing of cost will play significant role in AI adoption.

c.????? Explainability - Mechanisms to understand and evaluate the outputs of an AI system, to be able to trace through the steps of decision making.

d.????? Security – At the IT layer, Security can easily leverage SecOps – identifying, implementing and monitoring controls to ensure the IT Infra, data and applications running AI are secured.

4.????? Applications

a.????? Use Cases – A lot of current AI adoption is in three areas – solve known problems faster, cheaper, or better. So, most of the use cases seem familiar. Of course, there are newer areas like drone, robotics, autonomous systems, etc. opening newer fronts but key for wider AI adoption would be newer and richer use cases – solving problems that we either didn’t dare engage on in the past or didn’t know.

b.????? Performance – Critical factor for AI adoption is its performance. A minimum performance expectation from AI is to have human parity – results should be same or better than the job if performed by humans. But that is only the starting point of adoption. There are more rigorous application performance criterions from existing frameworks that get extended to AI applications here. ?

c.????? Integration and Interoperability – like any other IT system evolution, there are going to be few significant players who would take bulk of the AI market share, lead the technological development and would set themselves up as standard. To ensure these players have their systems designed to integrate not only with customer / enterprise systems but also have models to integrate with each other and interoperate would ensure we don’t repeat gaps of past IT systems when AI scales.

d.????? Security – this component purely focuses on application-level security and draws on IT and Data security from layers below it.

5.????? Regulations

a.????? Industry – Processes to define, implement and adopt AI in accordance with the industry requirements, practices and regulations within an industry member organization or its suppliers. Many industries would have to either amend existing regulations or evolve new ones to regulate AI.

b.????? Law – most of the progressive governments are working or at least contemplating the law to regulate AI. Their dilemma is – they want their nations to become center for AI development – so don’t want to be looked upon as restrictive state for AI tech companies and startups but also want to ensure they balance it with their own AI law. Most nations have some Data Privacy regulations like EU’s GDPR or India’s DPDP . That gives nations control over how their citizens data collected, stored and processed by companies. Since AI is all about Data, these data privacy laws have a bearing on AI, but certainly there is an ongoing deliberation in many nations for a regulation or law for AI. Question is – who will do it first?

c.????? Accountability and Indemnity – A key question around use of AI is accountability and indemnity protection from the loss to customers incurred dur to errors or any IP infringement. Still a very new area of work but there are few initiatives happening – e.g. recent Microsoft announcement of Copilot Copyright Commitment for customers .

d.????? Proliferation and Control – the human life changing events that I mentioned above (nuclear tech, genetic research) were not only regulated by international and local laws, but also with very strict non-proliferation and IT regimes. You can see subtle national interests playing out in AI as well. As AI starts making larger impact on more critical issues, the regulations for proliferation, cross border transfer and control of IP is likely to go through a lot of deliberations in regulators and law makers around the world. A clear framework to collaborate across borders but also within sovereign authority of states would be critical to keep AI growth unhampered as well as regulated.

Hope this was useful in bringing some clarity on possible AI Governance framework that needs to be evolved. While there are multiple stakeholders working on various components mentioned above, this was my attempt to put together a comprehensive view of what all an AI Governance Framework would need or should incorporate. I intend to elaborate on this framework going forward. Let me know what you think about it, if anything is missing or which component / layer, you would like me to elaborate on priority! Looking forward to your input and comments.

?______________________________________________________________________________________

Author is currently working with Microsoft, but the views are personal. All brands and IP rights referred to in the above blog are acknowledged to the respective owners.