Even innovative technologies such as AI should align and integrate with existing organizational governance structures. The complexity and rapid evolution of AI create pressure for quick deployment and integration, but this must be weighed against, and where possible follow, existing enterprise governance, risk, and compliance (GRC) practices. Risk professionals play a key role in ensuring AI technologies add value to the enterprise within acceptable limits.
Understanding enterprise goals and objectives can help risk professionals ensure proper due diligence and consideration of risk without impeding innovation within the organization. This can be accomplished by ensuring AI considerations are properly integrated within enterprise governance.
AI governance encompasses the senior oversight, processes, policies/standards, and safeguards that ensure the safe and ethical use of AI systems and tools. AI governance frameworks direct AI research, development, and applications to promote safety, fairness, and respect for human rights.
AI governance also addresses the inherent flaws that arise from the human element in AI creation and maintenance. As AI is ultimately developed by humans, it is susceptible to human biases and errors that can result in discrimination and other harm to individuals.
Governance provides a structured approach to mitigate this potential risk. Such an approach can include sound AI policy, regulation, legal, and data governance. These measures help ensure that ML algorithms are monitored, evaluated, and updated to prevent flawed or harmful decisions and that training datasets are well curated and maintained.
Transparent decision making and explainability are also crucial for ensuring RAI use and building trust. AI systems are responsible for a variety of decisions, from determining which advertisements to display to approving loans and making health diagnoses. It is imperative that enterprises understand and can explain how AI systems make decisions to ensure they make them fairly, ethically, and with accountability for their choices.
Furthermore, AI governance extends beyond mere compliance to sustaining ethical standards over time. AI models can drift or hallucinate, leading to alterations in output quality and reliability. Current trends in governance are moving from standard legal compliance toward ensuring social responsibility, thereby safeguarding against financial, legal, and reputational damage while promoting responsible technological growth.
The use of AI creates new considerations for enterprises, including:
In addition, AI governance ensures that the use of AI continues to deliver value to the enterprise, whether through realization of new business opportunities, increased productivity, new lines of revenue, or competitive advantage. Governance also enables enterprises to decommission or adjust the objective of AI solutions when the original purpose no longer serves the objectives of the business.
Effective AI governance and management processes must be designed to integrate seamlessly into an organization’s existing governance and management structures. This integration is essential to ensure that AI initiatives align with the enterprise’s strategic objectives, values, and risk appetite, while minimizing disruption to established workflows and promoting organizational acceptance.
AI governance should not operate in isolation but rather be embedded within the broader organizational governance framework. As governance encompasses oversight across financial, operational, legal, and IT domains, AI governance must similarly align with these established structures to ensure consistency and accountability. For example, leveraging existing governance frameworks can facilitate structured management of AI risk, ethical considerations, and change management processes, thereby supporting alignment with organizational goals and trustworthy AI principles.
Consider an organization that leverages the COBIT framework for its enterprise governance of I&T (EGIT) efforts. The primary goal of COBIT is to help organizations align IT with business objectives, manage risk, and ensure the optimal use of resources.[53]
COBIT can be applied to AI technology governance and management by integrating its principles into each stage of the AI life cycle—from design and development to deployment, operations, and monitoring (see Chapter 2 AI Life Cycle Risk Management for more information).
For example, to build an in-house AI system, COBIT’s Evaluate, Direct, and Monitor (EDM) domain can be used to ensure that AI initiatives are aligned with the organization’s overall strategy in the design phase. The principles in this domain can help decision-makers evaluate AI’s potential impact on the business, direct resources accordingly, and monitor performance against strategic objectives. Organizations can also use these principles to ensure their AI systems adhere to principles of ethical use, fairness, and transparency.
During the development phase, the Align, Plan, and Organize (APO) domain can help organizations define clear management structures and establish the processes necessary to build secure and trustworthy AI systems. For organizations purchasing AI systems, these principles are just as important. This phase involves setting clear policies for data governance, security, and compliance; planning for the resource needs of the AI initiative; and addressing bias, security vulnerabilities, and compliance challenges.
In the deployment phase, COBIT’s Build, Acquire, and Implement (BAI) domain can be leveraged to address how AI systems are integrated into the business. Regardless of whether the organization buys or builds the AI system, this domain ensures that it is implemented securely and efficiently and that proper testing and validation processes are in place. This domain also covers aspects of change management, making sure new AI solutions are introduced without disrupting existing systems or creating unforeseen risk.
Once an AI system is implemented, the Deliver, Service, and Support (DSS) domain covers the day-to-day operations and ongoing support of the AI solution. DSS principles ensure that AI systems perform efficiently, service levels are maintained, and any issues are promptly addressed. This domain also ensures the security and continuity of AI systems to protect them from cyberthreats and other risk while in operation.
Finally, in the monitoring phase, COBIT’s Monitor, Evaluate, and Assess (MEA) domain can support the continuous evaluation of AI systems to ensure they meet performance, compliance, and risk management objectives. This domain emphasizes the importance of assessing AI outcomes, measuring performance against business goals, and identifying areas for improvement. MEA principles also play a critical role in ensuring AI systems comply with evolving regulations and industry standards. Through continuous monitoring and assessment, organizations can refine AI models and processes to ensure long-term success and alignment with both internal goals and external requirements.
AI risk, like other enterprise risk, can impact multiple facets of an organization, including operational, strategic, legal, and reputational domains. Therefore, integrating AI risk into ERM promotes a holistic view that aligns AI risk considerations with the organization’s overall risk appetite, tolerance, and strategic objectives.
AI risk identification, assessment, mitigation, and monitoring across the AI life cycle require identified owners, including delineation of responsibilities among AI developers, deployers, risk practitioners, and senior management. The risk management function, often positioned as the second line of defense, plays a critical role in overseeing AI risk management activities, ensuring that first-line functions implement appropriate controls and that third-line audit functions assess effectiveness consistently. Clear role definitions prevent misunderstandings and foster coordinated risk management efforts enterprisewide. See 1.7 AI-related Roles and Responsibilities for more information.
Treating AI risk as part of the broader risk portfolio yields several benefits. It enables an organization to leverage existing risk management processes, tools, and frameworks, ensuring consistency and comparability of risk assessments across departments and functions. This approach facilitates comprehensive risk reporting and prioritization, allowing management to make informed, risk-aware business decisions that consider AI’s unique challenges in the context of other enterprise risk, such as cybersecurity, privacy, and operational risk. Moreover, integrating AI risk management supports efficient resource allocation and helps avoid fragmented or duplicated efforts, ultimately enhancing the organization’s resilience and strategic agility.
The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management (ERM) Framework emphasizes the importance of integrating risk management throughout an organization, as risk impacts all areas of an enterprise.[54] This framework can be applied to consider AI-related risk to ensure integrated AI governance and risk management.
When considering AI risk, COSO’s Governance and Culture component can be leveraged to ensure that board members understand how the organization evaluates risk related to AI and determine measures of success for AI implementations. This component can also be used to ensure data governance aligns with the enterprise’s core values.[55]
Enterprises may choose to revisit their risk appetite related to AI implementation and benchmark it against industry peers, as guided by the Strategy and Objective-Setting component.
The Performance component and its related principles can aid enterprises in ensuring that AI models and implementations are properly assessed for risk and prioritized for risk response.
The Review and Revision component can be leveraged to help an enterprise continue to evaluate and monitor the effectiveness of implemented AI models. The lines of defense model is part of this component and can inform the enterprise on how each line can collaborate to ensure that AI applications and implementations are meeting goals for business objectives and risk management.
Finally, as AI is often a high-visibility topic for many enterprises, the Information, Communication, and Reporting component can help enterprises determine the cadence and content of communication on AI risk for various stakeholders.
Managing AI solutions effectively throughout their life cycle requires well-defined organizational processes to support AI adoption, ensure alignment with organizational objectives, and mitigate associated risk.
Audit is a key part of enterprise governance, and its role in AI is significant for ensuring that AI models, outputs, and related controls are functioning as expected. Audit serves as the third line of defense in risk management and provides independent assurance that the AI solution and controls surrounding it are operating as expected. AI algorithm audits are a key component to understanding how the underlying logic of an AI system is working. They also provide insight into aspects of RAI and trustworthiness.
As in many other teams in an enterprise, the use of AI to assist with traditional audits is increasing, especially for reporting and log analysis, so ensuring proper human oversight of these processes is key.
Security of AI solutions is an area of high importance to enterprises, and it is essential that data be complete, accurate, correctly processed, and retained or destroyed on schedules that support the business objectives and processes of the AI systems and models. Information security teams should partner closely with risk management to ensure that the risk associated with the implementation of AI solutions is properly assessed and well understood by all areas of the enterprise. Information security ultimately selects and designs the controls related to AI, making collaboration between these two teams imperative for sound AI risk management and RAI use.
The AI threat landscape is quickly evolving, making communication paramount between the security team, which monitors and identifies new threats, and the risk management team, which assesses and analyzes them.
Many organizations and their leadership have started to rapidly experiment with and attempt to implement GenAI solutions. However, some studies have shown that many AI projects fail to meet their goals.[56] Primary reasons for project failure are business use cases that are unsuited to AI and inflated expectations of AI among organizations and users.
AI project failures are commonly attributed to people, process, and data issues. Research into the failure of AI projects has identified several common risk factors:
Ensuring a strong business case and proper project planning and management can help to minimize the risk of AI projects going over budget and time, introducing new risk to the AI solution, or ultimately failing.
AI solutions often introduce unique operational and risk considerations that necessitate leveraging established change management frameworks. Effective change management processes should address the integration of AI into existing workflows with minimal disruption, manage resistance to change, and ensure that AI-related modifications are systematically planned, tested, and documented. This approach facilitates smooth transitions, maintains business continuity, and supports the organization’s risk management objectives. See 2.13 Change Management in AI Systems for more information.
AI is also impacting business resilience and can be a powerful tool in supporting current resiliency planning and efforts by creating enhancements in data analytics, decision making, customer service, supply chain optimization, and risk assessment.[57] Conversely, as an enterprise builds more AI solutions for organizational processes, it may become overreliant on these solutions, which can create issues should the systems fail or become compromised.
Risk management is key to ensuring these considerations are made and reassessed as the adoption of AI increases. See Part F: AI Incident Response, BIA, Business Continuity, and Disaster Recovery for more information.