Crafting an AI Governance policy best suited for your business requires careful consideration of the types of AI involved, how AI will be used, current and future legislation, and the designation of a group of individuals to oversee implementation of AI. Given the significant developments in AI legislation in 2024, the ongoing efforts to reform existing laws to adapt to AI development and deployment, and the new legislative initiatives designed to address AI in 2025, it is becoming increasingly important for businesses to develop comprehensive and effective AI Governance policies that can meet legal compliance requirements and evolve within an increasingly volatile legal landscape.
With rapid advancements and new uses continuing in the realm of artificial intelligence (“AI”), all types of businesses are looking to find ways to utilize this technology as a powerful tool for increasing effectiveness and efficiency.
As a result, the need for comprehensive corporate policies governing the use of AI systems (“AI Governance policies”) within a business and mitigating risks associated with AI systems is becoming an increasingly important consideration for business leaders looking to stay ahead of the trend.
In crafting an AI Governance policy, each organization will need to balance the risks and benefits associated with use of AI in light of the specific challenges and opportunities it faces. Nonetheless, there are general considerations that every business should factor in when taking the next step toward AI Governance.
Defining AI and Uses are Important Starting Points
An AI Governance policy will need to take into account the different types of AI that a business may utilize. For example, an AI Governance policy covering use of a generative AI system should include provisions addressing human involvement and supervision, in contrast to a policy covering use of an algorithmic AI system.
Another important consideration in creating a comprehensive AI Governance policy is understanding the business’s intended use cases. The level of scrutiny and oversight for AI systems that are used for internal purposes will be different than what is needed for customer-facing AI systems.
The type of AI systems and use cases will also vary depending on what industry a business is in, impacting what goes into a comprehensive AI Governance policy. For example, healthcare companies using AI to organize or analyze patient health information will need to consider including provisions based on HIPAA requirements, and financial institutions must be mindful of how their use of AI may impact their compliance with Gramm-Leach-Bliley obligations, whereas unregulated businesses may not be faced with such concerns.
Improve Upon Current Technology Governance Policies
While crafting new policies explicitly covering use of AI systems is important for any business as the technology continues to grow in importance, a business may be able to leverage current policies covering use of different technologies as a basis for how to govern its use of AI systems.
Revising and updating existing IT policies and procedures in a business to cover the AI lifecycle (e.g., development, deployment and ongoing monitoring of AI systems) can be an effective mechanism for developing early guidelines to implement AI systems within an organization.
Understand How Current and New Legislation Impacts AI
While most AI legislation currently in force focuses on consumer protection, businesses in highly regulated industries (such as healthcare, telecommunications and financial services), or those engaging in highly regulated activities, must evaluate how existing regulations may impact use of an AI system, even if the regulation is silent as to AI.
For example, a business that processes a significant amount of personal or sensitive data will need to ensure that its use of AI systems complies with applicable data protection regulations, such as the GDPR. This can include applying robust data security measures to an AI system using a recognized data security framework, obtaining proper consent before processing personal data in an AI training set, and using data anonymization or other privacy enhancing measures to protect personal data in AI models.
In addition to reviewing existing legislation and regulations, businesses should stay up to date on new legislation, case law and evolving industry standards to avoid falling behind or out of compliance. Joining working and industry groups, engaging with legal counsel and consultants, or even subscribing to newsletters with important AI updates can give businesses an edge in remaining compliant with AI regulations as they come into force.
Create an AI Governance Body Within the Business
While most corporate policies are reviewed on an annual basis, an AI Governance policy will require more oversight and adaptation because the technology is constantly changing. Businesses should designate a multi-disciplinary group of individuals from various departments within the organization to continuously review, update and implement an AI Governance policy. Many AI governance bodies are composed of stakeholders from information technology, human resources and legal departments, to name a few.
The purpose of an AI Governance body should be to work toward collaboration and cooperation regarding use of AI systems, rather than just compliance, given the complexities this technology presents. Offering training to employees on proper uses of AI, documenting all uses to review efficiency and effectiveness, and providing guidance as the technology changes are all key roles for an AI Governance body.
Consider Vendor Risk Management Issues
Not only should an AI Governance policy address a business’s internal use of AI systems, but such a policy must also take into consideration how the business’s third-party vendors are utilizing such tools. As more and more companies utilize AI systems to provide services, it is incumbent on businesses to have a plan for identifying those vendors that utilize AI systems in the provision of services, evaluating the security of those systems based on the applicable use case, and drafting appropriate contract terms.
Benesch’s multidisciplinary AI Commission combines deep legal knowledge, technological know-how and incisive strategic business solutions. The team is prepared to assist our clients in crafting, implementing and overseeing a comprehensive AI Governance policy tailored to the specifics of the business, industry and use of AI.