Can auditing AI products work?
'AI audit refers to evaluating AI systems to ensure they work as expected without bias or discrimination and are aligned with ethical and legal standards,' states Javid in the 'How to perform an AI Audit in 2023' article. It's a fine article, listing many of the existing frameworks, principally the COBIT Framework (Control Objectives for Information and related Technology) and the IIA's (Institute of Internal Auditors) AI Auditing Framework: This AI framework aims to assess the design, development, and working of AI systems and their alignment with the organisation’s objectives. Three main components of IIA’s AI Auditing Framework are Strategy, Governance, and Human Factor.
This all seems fine, on the surface. Internal auditing has had a variety of issues though. The same can be said for external auditing. There are five large firms that conduct external AI auditing: Deloitte, PwC, EY, KPMG and Grant Thornton. Those of you familiar with recent history may be aware of, say, the contractor Carillion, whose collapse in 2018 with debts of £7bn came after its annual accounts were approved by KPMG. Carillion may not be in the same industry, but there have been many other auditor failures. Lehman Brothers employed Ernst & Young (EY) as the firm's independent auditors. Lehman Brothers and MF Global had very comprehensive Enterprise Risk Management programs and very knowledgeable CROs, and they still failed.
So what lessons can be learned from both internal and external audit failures? Thankfully there is a lot of literature on the subject. Most, but not all, of the literature emanated from the Great Financial Crash of 2018 but is still of value:
Risk managers face several challenges that make it difficult to demonstrate the total cost of risk and the Return On Investment of enterprise risk management.
They often struggle to uncover and deliver risk-related information from across the entire organisation due to a lack of convincing and actionable data. Relevant data is often tied up in multiple, manually-based systems that are a challenge to pull together, making it exceedingly difficult to demonstrate the value of preventing risks that never came to fruition or the value of taking risks that resulted in revenue generation.
A lack of sound and timely data often translates into a lack of organisational support for enterprise risk management. The E suite often won’t buy in because they can’t comprehend why ERM matters any more than all the other initiatives on their plate, and those employees on the lower rungs of the organisational ladder often won’t buy in because they presume the data intake and input associated with ERM is going to impede them from doing their actual jobs.
When inadequate data is married to inadequate organisational support, risk management won’t be a strategic endeavour. This makes it extremely difficult for a risk manager to earn a seat at the decision-making table, and organisations often struggle to fulfil the many risk management tasks spread across a multitude of departments and countless employees.
'Model evaluations for extreme risks will play a critical role in governance regimes. A central goal of AI governance should be to limit the creation, deployment, and proliferation of systems that pose extreme risks. To do this, we need tools for looking at a particular system and assessing whether it poses extreme risks. We can then craft company policies or regulations that ensure:
1. Responsible training: Responsible decisions are made about whether and how to train a new model that shows early signs of risk.
2. Responsible deployment: Responsible decisions are made about whether, when, and how to deploy potentially risky models.
3. Transparency: Useful and actionable information is reported to stakeholders, to help them mitigate potential risks.
4. Appropriate security: Strong information security controls and systems are applied to models that might pose extreme risks.'
This is for Extreme Risk Models. It seems totally inadequate, to me. We also know that a large proportion of staff dealing with risk have been cut recently from most of the big tech firms. So who will be left, internally, to train their programmers, their LLM trainers, their C Suite staff on AI Ethics?
No wonder there are so many signatories to the 'risks in the far future papers' which can serve to distract from the risks that are currently occurring in the Tech corporate sector.
Such an approach, if adopted by legislators, is likely, though, to stymie the deployment of models through the Open Source communities.
AI is not new. Far from it. The risks and concerns have long been debated. There are frameworks in place in the sector to mitigate against risk (few seem to want to prevent risk). The biggest problems still arise from the fact that legislators will find it difficult to adapt sufficiently to the scale of change that is occurring in the industry, and from the risks posed by this all taking place in the context of economies prioritising individual choice and viewing social outcomes as a byproduct of individual maximising behaviour, in a rapidly decaying biosphere.