Identifying the Scope of Responsibility
The AI governance strategy starts with identifying the scope of responsibility. This scope includes governance, compliance, legal and privacy, risk management, implementing security controls, and ensuring model resilience.
Generative AI Security Scoping Matrix
The Generative AI Security Scoping Matrix shows how responsibility increases as you build your own AI solution. Scopes 1 and 2 involve consuming third-party applications and carry the least responsibility. Scopes 3, 4, and 5 involve building your own AI model, where you have more responsibilities, such as managing data classification, model risk, and security.
Scope and Responsibility Breakdown
As the scope increases, so does the responsibility for governance and compliance. In Scopes 1 and 2, if a third-party model meets your needs, you have fewer responsibilities. AWS offers services for each of these scopes.
Minimizing Scope
Minimizing your scope reduces your responsibilities for governance, compliance, risk management, security, and model resilience. The goal is to choose a solution that fits your needs while minimizing these responsibilities.
Choosing the Right Solution
The approach is to start from the left and look for fully trained AI services (like Amazon Comprehend or Amazon Translate). If those don’t fit, explore pre-trained models (such as Amazon Bedrock) or models that can be fine-tuned with your own data, like SageMaker JumpStarts.
Documenting AI Governance Policies
Once the scope is defined, the next step is to document your AI governance policies. Employees must be trained based on their job roles and level of access. Policies should cover data governance, access requests, and model transparency.
Compliance, Certifications, and Best Practices
Align policies with the required compliance certifications for the business. Use these certifications to guide AI governance best practices and establish standards.
Monitoring AI Systems
Define mechanisms to monitor the performance, compliance, and bias of AI systems. Set predefined thresholds for actions based on performance or policy violations.
Reviewing and Revising Policies
Frequently review the results of your AI systems, and revise existing policies as needed. This ensures alignment with business goals and maintains AI safety.
