
AI Governance is Taking Shape


Michael Perleoni

Senior Manager, Coalfire


Booker Young

VP, Coalfire

August 2, 2024

The dust is beginning to settle around AI regulation, and it is clear that the European Union will be leading the charge on regulating the general use of AI systems. Although most companies will have a couple of years before they must comply with the EU AI Act, the baseline for AI system trust is being set now. Organizations eager to get ahead of the curve will be in an advantageous position to minimize compliance hurdles as demand for third-party assurance becomes widespread in the marketplace.

Intro to ISO/IEC 42001:2023 

ISO 42001 is poised to be the de facto third-party assurance framework, prescribing a risk-based approach to ethical and responsible AI system development, implementation, and adoption. If this is the first time you are hearing about ISO 42001, you can read my initial take on the standard, as well as a summary of the work Coalfire has already performed in this space. If you are familiar with ISO 42001, the next question may be: Does it even apply to my organization?

To answer this question, it is important to understand a little more about the types of interactions organizations have with AI systems, as well as the benefits of implementing an AI Management System (AIMS).

Understanding ISO 42001 Roles 

ISO defines the following roles for companies interacting with AI systems:

Provider 

  • Definition: The entity that brings the AI system to market, either as the original creator of the system/model, or by incorporating AI features into their product offerings.  
  • Responsibilities: Ensuring the systems provided, whether through white-labeling, development, or integration, meet the needs and expectations of their stakeholders.  

Developer 

  • Definition: The designer and creator of the AI system itself. 
  • Responsibilities: Incorporating compliance, ethics, and safety into all phases of the design process. 

User 

  • Definition: Any party that operates or interacts with the final product on the market. 
  • Responsibilities: Using the system as it is intended and reporting any issues or unexpected behaviors to the provider. 

Organizations may encompass multiple roles. If your organization or product falls into any of the above categories, ISO 42001 certification could be beneficial.  

Benefits of Implementing ISO 42001 

Implementing ISO 42001 requirements offers numerous advantages: 

  • Managing Risk: As part of the ISO family of standards, ISO 42001 provides a framework for assessing the risks and impacts of AI systems. It also provides a set of controls that can be implemented to mitigate risks down to acceptable levels. Thanks to the consistent structure shared across ISO management system standards, ISO 42001 aligns with existing management systems such as an Information Security Management System (ISMS), a Privacy Information Management System (PIMS), or a Quality Management System (QMS).
  • Standardizing Processes: ISO 42001 will help your company standardize processes for design, evaluation, implementation, and use of AI systems. Standardization streamlines development and operations when everyone knows the playbook. It also creates structure and consistency to keep everything on track as your business scales. 
  • Focusing Objectives and Metrics: Regardless of the role(s) applicable to your business, setting objectives for your AI systems ensures the systems are meeting stakeholder needs. Annex C of ISO 42001 defines several objectives for the responsible development and use of AI systems. On a more quantifiable level, establishing and tracking metrics such as model parameters, training data quality, customer satisfaction, and vendor performance will help guide the decision-making process.
  • Defining Roles and Responsibilities: ISO 42001 requires organizations to define roles and responsibilities relating to AI systems. Well-defined roles and responsibilities translate to accountability and responsibility in AI development. 

Why ISO 42001 Matters 

Compliant and trustworthy AI will become the baseline. Organizations that provide AI products to the global marketplace will either have explicit compliance requirements or compete with those that do. For companies that face regulatory compliance obligations, an implemented and managed AIMS can help reduce the organizational burden of complying with frameworks like the EU AI Act through overlapping requirements, such as establishing AI policies and conducting AI risk and impact assessments. Organizations that face no such obligation will still have to compete with compliant firms. ISO 42001 can level the playing field and prove to the marketplace that your business takes AI risk management seriously.