Harmonizing Data and AI Governance: To Do or Not To Do?

Harmonizing Data and AI Governance: “To Do or Not to Do”? This is a question every data management professional should ask.

This article summarizes the key topics of my presentation at the upcoming DG&AI Conference in Washington this December. I want to thank the DATAVERSITY team, notably Tony Shaw , for this excellent opportunity to share my experience and research findings at this prestigious global event. If you're interested in attending, you can use the coupon code STEENBEEK for 15% off your registration at https://dgiq2024east.dataversity.net/.

The original title of my presentation was "Integrating Data and AI Governance." Several months ago, I believed that data and AI governance frameworks?needed to be integrated for a straightforward reason: all components of an AI system—inputs, outputs, and models—are forms of data. Therefore, integration seemed obvious. However, as I delved deeper into the topic, I changed the title to "Harmonizing Data and AI Governance Frameworks" for a specific reason: I realized that factors like AI and data risk-related regulations could influence the integration decision.

The results of a LinkedIn poll I conducted several weeks ago also highlighted the differing opinions on integrating various frameworks, as shown in Figure 1.

In this article, I will:

·????? Highlight core factors that impact the?harmonization of Data and AI governance frameworks

·????? Outline the method to develop data, AI, and data risk management frameworks

Five Factors that Impact the Design of a Governance Framework for Data and AI System Management

As demonstrated in Figure 2, I divided the factors into five categories. Let me share?some findings and insights for each category.

(Meta)Data and Data Products

In the industry, we lack a consistent definition of data. In my practice, I use the following definition: “Data is the physical or electronic representation of signals “in a manner suitable for communication, interpretation, or processing by human beings or by automatic means.’”

Why is defining "data" so important? The answer is simple: it helps determine the scope and focus of the governance framework for data management. I identify seven data types, categorized based on factors such as data organization (structured, semi-structured, unstructured), format (digital, non-digital), and origin (authentic or synthetic), among others. This classification also aids in defining the scope of the framework.

Metadata and its management are often overlooked, with only some organizations giving adequate attention to this data management capability. Metadata is data that defines and describes other data within a specific context. It possesses several unique characteristics that must be considered. Most importantly, no data handling can occur without metadata, meaning the governance framework must account for this particular data type.

Today, many implement the concept of data products, but definitions and constituent components of data products are inconsistent across the industry. The following components are often considered part of data products: data, metadata, software code/applications, services, hardware and infrastructure, and facilities. This list of potential components illustrates a key challenge for the governance framework: the scope can become quite extensive.

AI definitions, components, and techniques

I reviewed ten regulatory documents on AI governance?issued by various countries representing five world regions. Comparing these regulations is part of my presentation but is not included in this article. I must admit that approaches are quite different in many views.

However, it's important to note that no universally aligned definition of an AI system exists. Common features of AI systems include being engineered, machine-based, computational, and capable of processing information. Crucially, the key components of an AI system are input and output data, AI models, and technology platforms. By closely examining the key elements of a data product, one can arrive at the same conclusion I did: an AI system has components similar to those of a data product. This raises the question: wouldn't it be reasonable to unify the governance framework for data management and AI systems?

Another important point to consider is that different AI models exist, each delivering distinct outcomes, such as decisions, recommendations, predictions, and results for goal-oriented tasks.

Data Management or Governance Frameworks

When developing an internal governance framework, an organization has a choice: it can adapt industry guidelines or develop its own. Several leading industry guidelines are available, including DAMA-DMBOK2 by DAMA International, DCAM?, and CDMC? by the Enterprise Data Management Council, and the TOGAF? Standard by The Open Group, among others. As I have mentioned in several of my publications, these guidelines offer significantly different perspectives on data management and governance structure. This variation poses another challenge for developing a governance framework: what exactly is governance,?and?what are?its key components?

I use the following approach in my practice: the governance capability oversees and controls data management (DM) design and implementation, as outlined in DAMA-DMBOK2. Governance is one of the DM capabilities that performs three key functions: establishing a framework for DM, governing each DM capability, and coordinating their activities. Therefore, the key components of a governance framework are a DM operating model, an organizational structure, and processes and roles for each DM capability. Furthermore, if the components of an AI system are data, then an AI governance framework should also include these same components.

AI Regulations and Frameworks

AI regulations take different approaches to managing AI systems: risk-based, principle-based, and mixed. Each approach requires a distinct AI governance framework. Frameworks for risk-based AI regulations should be integrated with an enterprise risk management framework, while frameworks for principle-based regulations may or may not include a risk component. The conclusion is clear: we must distinctly differentiate between managing the capabilities of an AI system and managing the risks associated with AI systems.

My analysis of several principle-based data and AI system regulations demonstrated many similarities between these principles. This is also one of the arguments for integrating the governance frameworks for data (management) and AI systems.

Data and AI Risk Management Frameworks

In addition to the previously mentioned reason, there is another reason to include risk assessment in the governance framework for managing data and AI systems—data risks. This topic is particularly familiar to financial institutions that must comply with multiple data-related regulations. Notably, industry guidelines such as DAMA-DMBOK2 and the TOGAF? Standard have already addressed risk-related topics. DAMA-DMBOK2 focuses on risks associated with data and those arising from various data management capabilities. In contrast, the TOGAF? Standard addresses only risks related to the implementation of enterprise architecture.

All of these lead to an inevitable conclusion: alongside a governance framework for data and AI systems management, we must establish a risk management framework to address the risks associated with data management and AI systems.

I hope this review has provided insight into the complexity of the core factors discussed above. However, the key question remains: how can we assess all these factors and arrive at a solution that fits an organization’s needs and resources while ensuring compliance with multiple regulations? I use the revised O.R.A.N.G.E. Data Management Framework (DMF) to answer this question.

Method to Develop Governance Frameworks for Data, AI Systems, and Associated Risks Management

The O.R.A.N.G.E. DMF includes six steps that guide an organization in analyzing all of the factors mentioned above in the logical order, determining a solution for integrating and/or harmonizing different frameworks and designing the resulting framework(s).

Let me briefly outline the key goals and deliverables of each step, illustrated in Figure 3.

Further reading: https://datacrossroads.nl/2024/10/29/harmonizing-data-and-ai-governance/

About the author:

Dr. Irina Steenbeek is a well-known expert in implementing Data Management (DM) Frameworks and Data Lineage and assessing DM maturity. Her 12 years of data management experience have led her to develop the "Orange" Data Management Framework, which several large international companies successfully implemented.?

Irina is a celebrated international speaker and author of several books, multiple white papers, and blogs. She has shared her approach and implementation experience by publishing?The "Orange" Data Management Framework,?The Data Management Toolkit,?The Data Management Cookbook, and Data Lineage from a Business Perspective.

Irina is also the founder of Data Crossroads, a coaching, training, and consulting services enterprise in data management.?

To inquire about Irina's training, coaching, or participating in your company webinar or event, please email?[email protected]?or book a free 30-min session at https://datacrossroads.nl/free-strategy-session/