Does your Algorithmic auditor know how to code ?
Sri Krishnamurthy, CFA, CAP
CEO, QuantUniversity | AI Expert | Educator | Author | TedX Speaker |
I started my career 25 years ago as an ISO 14001 auditor. At that time, the primary tools I had was Microsoft Excel and Powerpoint. I had the domain knowledge and I would do audits based on the expectations and requirements.
Fast forward 25 years, I just finished teaching a graduate course entitled "Big Data and Intelligent Analytics" at Northeastern University. This is an intense boot-camp styled course, where over 15 weeks, students build full stack AI-applications. Along the way, they learn the problems in working with messy datasets, scaling and deployment and the pain in using multiple components and technologies.
As a summary, here are some of the projects my students worked on!
More interestingly, the technologies used to build these projects involved:
1. Data Processing and Visualization:
- Streamlit
- Nougat or PyPDF libraries
- pandas-profiling
- greatexpectations
- Diagrams tool for architecture visualization
2. APIs and Integration Tools:
- FAST API
- OpenAI APIs
- Docker for containerization
3. Database and Cloud Technologies:
- Airflow
- Pinecone
- JWT (JSON Web Token)
- SQL Database
4. Machine Learning and Language Models:
- Huggingface
- LLAMA from Meta
5. Enterprise Solutions:
- Snowpark Python
- Snowflake Marketplace
- Google Bard
- Anthropic
- Cohere
Each student team spent close to 600 hours collectively over 16 weeks to build these applications. Many enterprises spend comparable time and comparable tools to build AI-based applications! With all the hoopla and the emerging profession of AI auditing,
What does this mean if you are an Algorithmic auditor invited to audit such applications ?
Well, first, Algorithmic auditing is not an arm-chair exercise, where you sit back in a conference room and critique the application. Understanding the domain and reviewing the complete architecture holistically is crucial in AI-based applications to ensure the solution is contextually relevant, scalable, and integrates well with existing systems.
Second, Algorithmic auditors often focus narrowly on the algorithm due to its direct impact on decision-making and its complexity. However, considering all components of AI-based applications is crucial for comprehensive risk evaluation. This includes data sources, infrastructure, user interfaces, and integration points. Understanding the domain ensures the solutions are contextually appropriate, addressing specific needs and challenges of the field.
Moreover, a deep understanding of the tech stack is essential for auditors to identify potential risks and vulnerabilities in AI systems, which often arise from interactions between different components rather than solely from the algorithm.
Algorithmic auditors need to know how to code and must have done extensive domain-specific work and application development themselves! So the next time, you are hiring an algorithmic auditor, show them your system architecture of your AI-based system and ask them to explain what they understand before giving them the contract!!
Sri Krishnamurthy
Promotional note: Upcoming events from QuantUniversity :
If you are interested in learning how to build LLM-based applications, QuantUniversity & CFA Society Boston is hosting a 1-day workshop next week on December 14th. The course can be attended online or in-person in Boston! Check https://www.quantuniversity.com/course-details/GENAI.html for details!
I would agree that AI auditing for the purposes of risk spans a broad spectrum. I greatly appreciate the breadth and depth of this article. Other comments to this article touch on critical aspects such as what I like to refer to as public-policy aspects of AI risk (e.g. privacy, bias/fairness) often grounded in laws. One can always refer to NIST's framework for completeness. https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf. One thing I do wonder about is the top-level guidance where technical aspects (such as this article) and compliance/policy dimensions, to say nothing of internal enterprise governance (e.g. training, a culture of privacy/cybersecurity awareness, etc.), come together. No single person can be an expert in all areas. What shall be required of this high-level professional's credentials and skill set, knowledge, etc.? This is, for me, a most pressing and underrepresented issue. Replies here are very welcomed! Thank you for a thorough, relevant and informative article!
Risk Executive | Ex-McKinsey
11 个月For a sound risk management of the AI, the AI auditor role (aka model validator or model risk manager) should have an expertise that is not limited to the technical / software development aspects only. At the end of the day, you would also like your AIto be fit for purpose and deployed with limited risk (in terms of data, bias / fairness, cyber risk, conceptual soundness, esg etc.)
Leader and innovator in data privacy, financial data and data's governance, strategy, regulation, and standardization.
11 个月Excellent piece, amazing projects. Many thanks for posting! We have not caught up in a while, Sri ... I look forward to the next opportunity!
Machine Learning & AI Risk Management
11 个月Broad expertise is required to audit AI systems--certainly technical AI expertise and domain expertise are needed. Social science expertise and legal expertise are often needed as well.
I've dedicated the past few months to a deep dive into algorithmic programming and engineering. Hopefully, we can exchange notes very soon.???