Policies and Procedures

Appropriate policies and procedures relating to AI will be an important component of an organisation’s AI compliance framework.  Such documentation will help organisations to raise staff awareness of regulatory requirements relating to AI and to outline the role that staff members play in respect of such compliance.  AI policies and procedures will also assist organisations in demonstrating their compliance with the AI Act.

One approach is to build your organisation’s primary AI policy around the core principles of the AI  Act, namely: (i) human agency and oversight; (ii) technical robustness and safety; (iii) privacy and data governance; (iv) transparency (including traceability and explainability); (v) diversity, non-discrimination and fairness; and (vi) social/environmental well-being and accountability. This approach will help your organisation ensure that it has an AI policy that is rooted in the key tenets of the AI Act and that can support the development of an AI compliance framework that aligns with statutory requirements.

In terms of using publicly available AI solutions, an important policy document can be an acceptable use policy.  In effect, such a document is designed to establish the ways in which staff are permitted to use publicly available AI solutions and the ways in which the use of such solutions is prohibited.  Frequently, this document can take the form of reasonably simple but clear series of ‘dos’ and don’ts’, such as: (i) don’t upload personal data or confidential information into a publicly available AI solution; and (ii) do ensure that any outputs produced by a publicly available AI solution are subject to human review before they are utilised within your organisation.

It is also worth bearing in mind that regulatory guidance and codes of conduct relating to AI are continuing to evolve and develop.  For example, the European Commission is due to publish guidance on the practical implementation of the AI Act in due course following publication of the AI Act in the Official Journal.  As a result, organisations should continue to stay apprised of developments in  regulatory guidance and market practice relating to AI so as to help ensure that they are developing and implementing a suite of AI policy documentation that aligns with regulatory expectations and market practice.

Governance

Effective monitoring and oversight around the use of AI solutions is critical from both an operational and compliance perspective.  More specifically, effective oversight is a core principle of the AI Act so ensuring that robust governance/oversight applies to your use of AI solutions will be a key component of your organisation’s compliance with the AI Act.

As part of this, it will be important to allocate responsibility for the oversight and monitoring of AI solutions to appropriate persons or functions within your organisation.  Putting in place appropriate reporting structures in respect of AI will be another important competent of your organisation’s AI governance structures.  In particular, regular reporting on the performance of the AI solution and any related issues should be received from the AI provider.  Appropriate internal reporting lines and escalation points should also be put in place so as to help ensure that there is sufficient visibility and input in respect of AI from senior management.

In assessing the steps to be taken to embed effective monitoring and oversight around AI into your organisation, it is also worth considering if there are existing governance and reporting structures that can be leveraged. For example, financial services entities are likely to have invested time and effort into developing reporting lines and governance structures for regulatory rules relating to outsourcing and operational resilience in recent years and there may be opportunities to leverage these existing reporting lines and governance structures to help ensure that robust governance structures are deployed for AI compliance purposes.   

We hope that you have found this series of practical legal tips on the procurement and deployment of AI solutions helpful.  For more information on any of the themes addressed in this series of briefings, please feel free to contact any of the authors.

You can access our earlier briefings from the series using the following links:

1. Procurement & Deployment of AI – Practical Legal Tips,
2. AI & Practical Legal Tips: Risk Assessment and Due Diligence in the Procurement of AI Solutions
3. AI & Practical Legal Tips: Contracting Considerations in the Procurement of AI Solutions.