Risk Management for Responsible AI
Dr Astha Keshariya
Chief Information Security Officer | Recognized as 'Top 20 Women in Cybersecurity' ASEAN Region | Awarded Women in GRC 2024 - 'ISO of the Year'
Generative Artificial Intelligence (Gen AI) is a form of artificial intelligence capable of generating new content, e.g. text, images and videos, using generative models trained on extensive data sets. The proliferation of numerous versatile Gen AI tools, e.g. Claude, GPT, DALL-E and Gemini, makes them well-suited to a variety of business uses. They are incredibly valuable in diverse domains, from creating personalized experiences such as chatbots and digital assistants, to production scheduling and maintenance, fraud detection and prevention, and life-saving drug discovery.
With Gen AI's transformative potential, governments also recognize a new wave of associated risks, as well as the amplification of existing ones, that challenge ethics, privacy, intellectual property and fundamental rights.
Governments around the world have swiftly introduced regulatory frameworks; however, they face a balancing act, as stringent regulation can inhibit technological innovation while liberal regulation may fail to provide sufficient integrity to the ecosystem.
Gen AI Technology Stack
Business leaders are embracing Gen AI to accelerate innovation and productivity; at the same time they are concerned about ownership and control. In an evolving AI governance landscape, organizations need a pragmatic approach that extends traditional risk management methodologies with techniques to manage AI risks, allowing a comprehensive view of potential pitfalls.
AI risk management will be no easy task, as generative AI models are still evolving. Organizations will rely on model providers for sensitive intelligence, and they must be cognizant of the limitations of the global standards that have only been released in the recent past.
The majority of policy makers converge on a risk-based approach amid blatant differences in their legal stance towards the technology. The interplay between policymakers and technologists is further complicated by the risk arising from the multiple data sources used to train the models. This introduces a new class of risk: the 'questionable provenance' of machine-generated data. It would be unwise to adopt AI tools without properly handling risks that range from bias and hallucination to intellectual property infringement, privacy violations and security breaches.
The usual risk management process adopted by many organizations may need to be revamped to include AI risk assessment: the identification, evaluation and possible mitigation of AI risks. The Gen AI technology stack shown in the figure below segregates the key domains of responsible AI and the AI risk categories that can be used for assessing and categorizing AI risks for further mitigation, thus integrating AI risk assessments into the risk framework already established in the organization.
The seven key domains for responsible use of Gen AI systems are: Accountability, meaning unambiguous ownership of the systems and their impacts; Fairness, to promote inclusiveness for all stakeholders and a positive impact on society; Sustainable design and deployment; Reliable outcomes aligned with expectations and consistent with the desired level of precision; Transparency of model design and interpretation; Explainability of the model's decision-making processes; and Privacy, in consideration of data rights over personal information.
Other overarching risks lie beyond the scope of the technology and its immediate impact, e.g. over-reliance on technology that can hinder critical thinking and problem-solving skills in humans, a digital divide caused by varying levels of access to and acceptance of the technology, the potential for job displacement and unemployment, market dominance by a few players, etc. These could rather be dealt with at the level of the societal ecosystem.
AI Risk Frameworks
A robust risk management framework requires a rigorous risk assessment strategy. Identifying and mitigating risks is a crucial part of any AI governance program to establish safe and trustworthy use of Gen AI. Some of the popular frameworks are: NIST AI RMF, ISO/IEC 23894 and ISO/IEC 42001, HITRUST, the EU AI Act, the OWASP Top 10 for LLMs, etc.
NIST AI RMF
The NIST AI Risk Management Framework (AI RMF 1.0), released in January 2023, provides guidelines for building trustworthiness considerations into the Gen AI application lifecycle. NIST-AI-600-1, 'Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile', published in July 2024, can assist in identifying unique Gen AI risks and suggests mitigating actions.
ISO/IEC AI RMF
ISO/IEC 42001:2023, AI management systems, applies to organizations of all sizes that are involved in developing, providing, or using AI-based products or services. It focuses on risk and impact assessments and data protection through its core components. ISO/IEC 23894:2023, Artificial intelligence - Guidance on risk management, is a framework for developers and deployers that describes how to integrate risk management into all AI activities and manage AI-specific risk.
HITRUST
HITRUST launched the AI Risk Management Assessment in August 2024 as part of its HITRUST CSF, offering a structured approach to AI risk management, meticulously mapped to existing NIST and ISO/IEC 27001 standards. This enables organizations looking for a flexible and globally recognized ISMS framework to seamlessly manage data, information risk and report AI risk management efforts.
EU AI Act Risk assessment
The European Union's Artificial Intelligence (AI) Act (Regulation 2024/1689) was published in July 2024, making it the first comprehensive horizontal legal framework to regulate AI systems across the EU. It lays down harmonized risk-assessment criteria and legal requirements, while boosting innovation and commitment to trustworthy AI. It applies to AI systems and to the providers of AI systems involved in the value chain, and imposes different levels of requirements in accordance with the level of risk: Unacceptable risk (e.g. social scoring), High risk (e.g. critical infrastructures), Limited risk (e.g. biometric categorization or emotion recognition systems), and Minimal risk (e.g. AI-enabled recommender systems or spam filters).
For instance, Article 13 of the EU AI Act emphasizes the need for operational transparency and accountability in high-risk AI systems to build public trust in AI technology. Furthermore, it requires a robust AI risk management system, specifically for high-risk AI systems, with a continuous risk management process: identification and analysis of potential risks; evaluation of the risks under both the intended use case and any foreseeable misuse; mitigation, i.e. minimizing or eliminating the identified risks; and monitoring of the risk management system for new insights and feedback.
OWASP Top 10 for Large Language Models (LLMs)
OWASP provides an essential security and governance checklist for organizations deploying Gen AI technology. It raises awareness of the common vulnerabilities of LLM applications and their remediations, for a better security posture.
MIT Risk Repository
The Massachusetts Institute of Technology has released a foundational AI risk framework to help businesses identify and mitigate risks. MIT's repository includes a living risk database that captures 700+ risks extracted from 43 existing frameworks, together with a taxonomy of AI risks for appropriate classification of AI risks.
Gen AI Risk Mitigation Techniques
A predominant concern for responsible AI is the continuous refinement of Gen AI systems for the veracity and reliability of AI-generated outputs. Accordingly, a critical step is to identify appropriate risk mitigation options and implement technically feasible controls. There is significant room for research to enumerate potential algorithmic flaws and their remediation, ensuring that risks are adequately managed while harnessing the potential benefits.
Risk Mitigation through Model Alignment is achieved by tuning a model to follow artificial general intelligence (AGI) such that it always performs as desired towards human-intended goals, preferences, or ethical principles.
Risk Mitigation through Model Inspection consists of a number of techniques to generate explanations to demystify the decision-making processes of deep learning models. These techniques are based on the concepts of “Inner Interpretability and Outer Explainability” generating interpretations of a Gen AI model’s operations and outputs in human understandable form making them transparent and trustworthy.
Risk Mitigation through Provenance techniques, such as watermarking, enables provenance tracking of content, which is also closely related to the topic of deepfake detection. This technique is instrumental in labeling AI-generated content, hence reinforcing legal mandates such as the EU AI Act's transparency protocol to prevent the creation of illegal content.
The Defense Advanced Research Projects Agency (DARPA) has made significant investments in two programs, Media Forensics (MediFor) and Semantic Forensics (SemaFor), which assess the integrity of media content such as images and video.
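As an added illustration of how watermarking supports provenance detection (this is example code, not code from the article or from any program it cites): a keyed "green-list" text watermark, where the generator preferentially emits tokens from a secret-key-dependent subset of the vocabulary and the detector counts how many tokens fall in that subset and tests the count statistically. The vocabulary, the mock generator and the key are constructed for the demo; a real deployment would work over the model's tokenizer vocabulary.

```python
import hashlib
import math
import random

# Constructed toy vocabulary; a real detector works over the model's tokenizer vocabulary.
VOCAB = ["audit", "control", "data", "model", "output", "policy", "risk", "review",
         "trust", "label", "access", "log", "owner", "scope", "test", "vendor"]
GAMMA = 0.5  # fraction of the vocabulary marked "green" at every generation step


def green_list(prev_token: str, key: str) -> set:
    """Keyed, deterministic split of the vocabulary driven by the previous token.
    Without the key an observer cannot tell which words were 'green' at each step."""
    def score(word):
        return hashlib.sha256(f"{key}|{prev_token}|{word}".encode()).hexdigest()
    ranked = sorted(VOCAB, key=score)
    return set(ranked[: int(len(VOCAB) * GAMMA)])


def mock_generate(n_tokens: int, seed: int, key: str = None) -> list:
    """Stand-in for a language model. With a key it behaves like a watermarked
    generator that only samples green tokens; without a key it samples the whole vocabulary."""
    rng = random.Random(seed)
    tokens = [rng.choice(VOCAB)]
    for _ in range(n_tokens - 1):
        candidates = sorted(green_list(tokens[-1], key)) if key else VOCAB
        tokens.append(rng.choice(candidates))
    return tokens


def detect(tokens: list, key: str) -> dict:
    """Count tokens that fall in the green list implied by their predecessor and turn
    the count into a z-score against the null hypothesis of unwatermarked text."""
    scored = len(tokens) - 1  # the first token has no predecessor to score against
    green = sum(1 for prev, cur in zip(tokens, tokens[1:]) if cur in green_list(prev, key))
    expected = GAMMA * scored
    z = (green - expected) / math.sqrt(scored * GAMMA * (1 - GAMMA))
    return {"scored": scored, "green": green, "z": z, "watermarked": z > 4.0}


if __name__ == "__main__":
    KEY = "demo-provenance-key"  # placeholder; in practice kept secret by the model provider
    marked = mock_generate(60, seed=1, key=KEY)
    plain = mock_generate(60, seed=1)
    print("watermarked text:", detect(marked, KEY))
    print("plain text:      ", detect(plain, KEY))
    print("wrong key:       ", detect(marked, "another-key"))
```

Fully watermarked text scores every token green (z above 7 for 59 scored tokens), while unwatermarked text or the wrong key lands near z = 0; the threshold of 4 is a conventional false-positive bound, not a value from the article.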
Risk mitigation by AI red teaming, as defined by IBM: "Red teaming is a way of interactively testing AI models to protect against harmful behavior, including leaks of sensitive data and generated content that's toxic, biased, or factually inaccurate." It is a structured testing effort to evaluate a Gen AI model for a broad range of flaws and vulnerabilities. The Gen AI model is realigned when problems are exposed, further strengthening its defenses against a real-world adversary. Red teaming can be executed on top of the usual penetration tests and vulnerability assessments.
The MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) framework offers a living knowledge base of adversary tactics and techniques against AI-enabled systems, based on real-world attack observations.
International Certified Career Coach (Foundation), HRCi & SHRM Certified POSH and DEI trainer. Pursuing my passion as Leadership Mentor, Corporate Trainer, Business Coaching & Consulting
5 months: Keep Rocking Astha!
Co-Founder of Altrosyn and Director at CDTECH | Inventor | Manufacturer
5 months: Navigating the ethical minefield of AI development is crucial. Your framework for risk mitigation in responsible AI is timely and insightful. How do you envision your model scaling to address bias amplification within complex, multi-agent systems?