The Power of Knowledge: AI Risk Management
October 17, 2024
Newly enacted European legislation may have just started the clock ticking for more AI-related regulations in the U.S. The European Union (EU) AI Act was launched Aug. 1, 2024, and could have impacts in the U.S., which often closely trails Europe on cybersecurity and data protection matters.
Intended to provide a comprehensive standard for systems that utilize AI technology, the EU AI Act states that AI applications are to be classified according to the risk they pose to users. Although full compliance with the EU AI Act is not required until May 2027, many in the industry believe that the impact of these regulations will be felt sooner and will therefore catalyze the adoption of similar standards in the U.S. Businesses that want to remain on the forefront of technological advancement in the U.S. should keep close watch on regulatory updates and start taking steps now to create best practices for AI risk management that extend beyond the bare minimum of current federal and state guidelines.
Evolving Federal Guidelines
Currently, three major frameworks drive AI risk management and governance in the U.S.: NIST’s AI Risk Management Framework (AI RMF), ISO/IEC 42001, and HITRUST’s AI Risk Management Assessment.
The NIST AI RMF is a voluntary framework designed to help organizations manage the risks of AI systems across their lifecycle, while ISO/IEC 42001 is an emerging standard and related certification that encourages the establishment of an AI Management System (AIMS) within organizations. The HITRUST AI Risk Management Assessment harmonizes ISO/IEC 23894:2023 and the NIST AI RMF.
Companies can pursue certifications and define clear privacy and security procedures that align with the principles of these frameworks to ensure the risks of using AI systems are identified and managed properly.
New policies have also been introduced at the federal level to encourage the practice of ethical and responsible AI implementation. In October 2023, President Biden issued an executive order that established new standards for AI safety and security as well as guidelines for the ethical use of AI in federal agencies. These mandates require federal agencies to verify that AI systems and tools do not compromise the safety of American citizens, and they include requirements for agencies to publish a comprehensive list of AI systems and related risks and to hire a chief AI officer. Similarly, the U.S. Securities and Exchange Commission (SEC) is in the process of developing requirements for financial advisors and broker-dealers that will require the elimination or neutralization of conflicts of interest associated with the firm’s use of predictive analytics and AI in investor interactions.
Introduction of State-Level Legislation
Laws intended to address AI usage at the state level are also on the rise. California, Connecticut, Louisiana and Vermont have enacted legislation to protect individuals from adverse impacts or uses of unsafe or ineffective AI systems. Further, several states are establishing AI councils or divisions within their state agencies to monitor the use of AI technology and provide policy recommendations regarding data privacy and preventing algorithmic discrimination in AI.
New state legislation targeting transparency in the use of AI technology has also emerged, requiring that individuals know when and how an AI system is being used. To achieve this, some states mandate that employers or businesses disclose the use of AI systems. For example, an employer may be required to receive consent from an employee to utilize an AI system that collects data about them. Additionally, other legislation requires the completion of a bias audit and issuance of required notices of use to end users. User privacy is clearly a significant risk as it relates to AI, and we will likely see further legislation developed to enforce responsible use of AI.
Looking Ahead
Companies currently using AI, or that may implement AI systems in the future, should pay close attention to the issued guidance and consider implementing risk management protocols as soon as possible. Third-party risk management efforts are increasingly targeting software and services providers that are implementing AI. Organizations are responsible for telling customers and end users that they are using AI in an ethical, lawful, and responsible fashion and for demonstrating their commitment to developing and deploying AI technologies in a compliant, secure, and responsible way.
Providing external assurance to stakeholders and customers can currently be addressed through pursuit of an ISO/IEC 42001 certification or a HITRUST AI Risk Management Assessment, as these frameworks help to ensure that AI is being used responsibly and reassure customers that appropriate steps have been taken to mitigate bias and other risks in their AI solutions. Third-party risk management requirements are ever increasing; getting ahead of the requirements now will help companies position themselves as leaders in AI technology as the market grows.
About the Author
Powell Jones
Powell Jones, CISA, CCSFP, is a partner on Aprio’s Information Assurance Services team. Powell works with clients of all sizes, from startups to multinational companies. His experience in ISO certifications, SOC reporting, HITRUST CSF and third-party risk management helps clients select the right reporting options and gain efficiencies in managing multiple compliance frameworks and requirements. He uses his technical knowledge and strong understanding of business processes, IT controls, and data security to help clients safeguard and grow their businesses.