Compliance News

Here are practical measures to ensure your organisation stays updated and compliant:

1. Comprehensive Governance and Policies

• Define and govern AI security policies, processes, and procedures that align with corporate standards and Responsible AI principles, including ethics, data privacy, and legal compliance. These policies should be flexible enough to support future iterations and address evolving socio-technical use cases.

• Implement an AI Usage Policy within the organisation, which can be part of existing documentation or a separate detailed document. This policy should define acceptable AI use, governance, employee responsibilities, and how to report incidents or violations.

• Establish a formal documented and approved change management policy and procedure for any modifications to AI systems, models, algorithms, or datasets throughout their lifecycle. This includes tracking changes, obtaining approvals, testing, and monitoring post-implementation.

2. Robust Risk Management and Continuous Monitoring

• Conduct rigorous risk assessments for AI initiatives, identifying potential risks from data quality issues, algorithmic bias, cybersecurity threats, and regulatory compliance. Prioritise risks based on impact and likelihood.

• Implement real-time monitoring tools and reporting mechanisms for AI systems. This includes monitoring key risk indicators (KRIs) for AI systems and establishing automated alerting systems for threshold breaches. Detailed logging for AI systems, capturing model training, inference, data processing, and configuration changes, is essential.

• Integrate audit logs and activity monitoring with Security Information and Event Management (SIEM) solutions to correlate AI-related events with broader security incidents and threat intelligence.

• Proactively monitor for data drift, which occurs when input data's statistical properties change over time, degrading model performance. Use statistical tests and sequential analysis methods, defining metrics, thresholds, and alerting mechanisms. Retrain models if significant deviations are detected.

• Develop comprehensive incident response plans for AI-related incidents, covering preparation (team establishment, AI-driven detection solutions, baseline metrics), containment, eradication, recovery, and post-incident analysis. Regularly train and conduct exercises for the incident response team.

3. Compliance with Regulatory Frameworks and Standards

• Stay updated and adhere to emerging legislation like the EU AI Act and the US Executive Order on AI. The EU AI Act, for instance, introduces specific provisions for LLMs, including risk management systems, mandatory cybersecurity testing, transparency obligations, post-market monitoring, record-keeping, and reporting obligations for significant cyber incidents.

• Adhere to industry standards for risk management such as ISO 31000 and NIST RMF. The ISO/IEC 42001:2023 standard is specifically designed for Artificial Intelligence Management Systems (AIMS) and sets requirements for establishing and improving them. Organisations should also consider GDPR (General Data Protection Regulation) for data privacy.

• Implement measurable and auditable controls by defining risks and their corresponding controls, establishing measurable metrics, and automating monitoring systems for continuous assessment. Conduct regular internal audits to verify compliance with organisational and ISO/IEC 42001 standards.

4. Cultivating a Safety Culture and Continuous Learning

• Provide tailored, role-based education programmes to equip employees with AI knowledge relevant to their specific roles.

• Cultivate a culture of awareness through clear documentation, policies, and procedures. Conduct regular training sessions for employees and third-party partners to stay updated on evolving risks, including social engineering attacks.

• Ensure Responsible AI Training covers ethical design, development, and deployment of AI systems, including bias mitigation, transparency, explainability, and privacy considerations.

• Foster trust, accountability, and transparency by effectively communicating AI risks, limitations, and ethical considerations to internal and external stakeholders. This includes public policies and ethics statements, and potentially an AI transparency dashboard.

• Continuously invest in reskilling and upskilling employees to help them gain the proper knowledge and skills related to AI and its security implications, ensuring the AIMS remains current.

5. Addressing Specific AI Challenges

• Address the common weakness of LLM hallucination, which is the generation of factually incorrect, fabricated, or culturally incoherent content. The reviewed frameworks currently lack explicit controls for managing this risk. Organisations should implement mandatory hallucination identification processes (e.g., confidence scoring, uncertainty quantification), establish human validation checkpoints for critical LLM outputs, mandate transparency around LLM training data and model functionality, and conduct continuous bias testing. Integrate LLM risk scenarios into cybersecurity exercises.

• Implement robust access control mechanisms such as Multi-Factor Authentication (MFA), Role-Based Access Control (RBAC), and the Least Privilege Principle for AI systems, models, and datasets. Encrypt data in transit and at rest, and monitor access logs.

• Maintain a comprehensive inventory of all AI systems within the organisation, documenting their components, access controls, security measures, and purpose. Regularly compare current AI governance and security practices against desired states to identify discrepancies (Gap Analysis). Implement continuous monitoring mechanisms to detect anomalous behaviour or unauthorized AI systems (Shadow AI prevention).

By integrating these multi-faceted measures, organisations can navigate the complex AI landscape effectively, ensuring adherence to compliance, mitigating risks, and fostering trust in AI applications