AIGP_ILT_IG_v2.4.2
AI Governance Professional
Instructor Guide
An IAPP Publication
AIGP®, CIPP®, CIPP/A®, CIPP/C®, CIPP/E®, CIPP/G®, CIPP/US®, CIPM® and CIPT® are registered
trademarks of the IAPP.
© 2026 IAPP. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without the
prior, written permission of the IAPP. For more information contact copyright@iapp.org.
v 2.4.2
Dear faculty,
We are pleased to provide you with the instructor guide for this IAPP training
course. This resource contains the following:
• Copies of the training slides at the top of each page.
• Participant notes.
• Instructor notes, available only to you, in italics.
Using the instructor guide
In preparation to teach this course, please follow these steps:
• Become familiar with the training materials. While the slides and the
instructor guide include a lot of information, explanations and elaborations
will require your expertise and preparation.
• Be prepared to reference the instructor guide during the training. This
will include outlining learning objectives, facilitating discussions and activities,
and concluding each module with review questions.
• Communicate with the IAPP training team if you spot learning content
that should be updated. Your expertise is an important asset in helping us
maintain the integrity and relevance of this training.
• Make note of the time estimates for each module and manage time
during class sessions.
Thank you!
Thank you for reviewing this guide. We hope it will serve as an instructive and
useful resource. We appreciate the level of expertise you bring to the classroom
and your dedication to delivering first-class AI governance training to
professionals around the world.
The IAPP Training Team
ARTIFICIAL INTELLIGENCE
GOVERNANCE PROFESSIONAL TRAINING
This instructor guide contains notes in italics that are not included in the participant guide. The participant
guide includes all other notes not in italics that appear in the instructor guide.
Artificial Intelligence Governance Professional
Introduction
Thank you to our subject matter experts who contributed to the development of this course!
Brenda Leong, Executive Editor
AIGP, CIPP/US
Director of the AI Division
ZwillGen
Jacqueline Acker
AIGP, CIPP/US, CIPM
AI Policy Analyst
U.S. Government
Vivienne Artz
AIGP
Senior Data Strategy and Privacy Policy
Advisor
Centre for Information Policy Leadership
Beatrice Botti
AIGP, CIPP/E, CIPP/US, CIPM, FIP
Senior Vice President, Chief Privacy Officer
DoubleVerify Inc.
Nishant Bhajaria
AIGP
Privacy Advisor, Author
Nia J. C. Castelly
AIGP, CIPP/E
Co-founder and Legal Lead
Google
Sam Clearwater
AIGP, CIPP/E, CIPP/US, CIPM, FIP
Senior Vice President
D. E. Shaw & Co., L.P.
Ashley Casovan
Managing Director, AI Governance
Center
IAPP
John Bowman
AIGP, CIPP/E, CIPM, FIP
AI Ethics Market Strategy Lead
IBM
Carl E. Mathis
AIGP, CIPP/E, CIPP/US, CIPM, CIPT
Privacy Architect
Hewlett-Packard
Julie McEwen
AIGP, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Cybersecurity & Privacy Engineer, Strategic
Advisor
David J. Marcos
AIGP, CIPM, CIPT
Senior Director of Responsible AI and
Technology Stewardship
Motorola Solutions
Phil Lee
AIGP, CIPP/E, CIPM, FIP
Managing Director, Solicitor
Digiphile Services
Tahir Latif
AIGP, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP
Board Member and Chief Privacy & AI
Governance Officer
Ethical AI Alliance
Robert Grosvenor
AIGP, CIPP/E, CIPM, CIPT
Managing Director, Privacy and Data
Compliance
Alvarez & Marsal
Amaka Ibeji
AIGP, CIPP/E, CIPM, FIP
Founder and AI Governance & Privacy
Engineer
PALS Hub
Casey Flores
AIGP, CIPP/US, CIPM
Senior Data Privacy Analyst
Mazda
Shana Morgan
AIGP, CIPP/E, CIPM, FIP
Global Head of AI / Privacy
L3Harris Technologies, Inc.
Jonathan Friend
AIGP, CIPP/E, CIPM, FIP
UK & EMEA Privacy Lead Senior Privacy
Counsel
Wise
Virginia Lee
AIGP, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Strategic Counsel
Cisco
Elaine Morrissey
AIGP, CIPP/E, CIPM, FIP
Director
Rock Consultancy
Laura Weiss
AIGP, CIPP/US, CIPT
Chief Counsel, Data and Privacy Law; Head
of Data and Technology Compliance
Prudential Financial
Niels Torm
AIGP, CIPP/E, CIPM, FIP
Data Responsibility & Privacy Solutions Lead,
GGM
Cognizant Technology Solutions
James A. Sherer
AIGP, CIPP/E, CIPP/US, CIPM, FIP, PLS
Partner & Co-Lead, Emerging Tech Team
Baker & Hostetler
Mark Webber
AIGP, CIPP/E, FIP
U.S. Managing Partner
Fieldfisher (Silicon Valley) LLP
Oliver Patel
AIGP, CIPP/E
Enterprise AI Governance Lead
AstraZeneca
Petruta Pirvan
AIGP, CIPP/E, CIPP/US, CIPM, FIP
Principal Counsel, Data Protection and AI
Governance
Symmetry Compliance
Aaron Weller
AIGP, CIPP/US, CIPM, CIPT, FIP
Leader, Privacy Innovation & Assurance
HP, Inc.
Aileen Schultz
AIGP, CIPT
Sr. Manager, Emerging Technologies and AI
TELUS, Data Trust Office
Alesya Nasimova
AIGP, CIPP/E, CIPP/US, CIPM
Senior Director, Associate General Counsel,
Privacy, Product and AI
Anaconda
May Sethaphanich
AIGP, CIPP/A
Senior Counsel AI/AI Governance
McDonald’s Corporation
ADDITIONAL IAPP RESOURCES
In addition to this training, the IAPP provides other resources to help you and your organization create
effective, trustworthy AI governance systems:
• The AIGP body of knowledge (BoK) and exam blueprint
• The AIGP BoK documents the knowledge and skills that will be assessed on the AIGP certification
exam. The domains reflect what the AI governance professional should know, and be able to do, to
show competency in this designation.
• The IAPP "Key Terms for AI Governance" glossary
• Resources list PDF provided with this training
• The Resources list that accompanies this training provides depth and background on topics
found on the BoK, as well as some topics not listed on the BoK. While certification
candidates will not be tested on these additional topics, AI governance professionals may
find the additional information useful to their work in this ever-evolving field.
• The IAPP AI Governance Center, where you can explore content, networking opportunities and a
myriad of resources to help prepare you, your team and your risk center to create effective,
trustworthy AI governance systems
• The AI Governance Dashboard newsletter: subscribe via the Subscription Center on the IAPP website
• IAPP conferences, where you can learn from expert keynotes, attend training, network and share
ideas and challenges
• The IAPP and Credo AI Artificial Intelligence Governance Profession Report:
NOTES ON THIS COURSE
1. While contemporary topics, developments and events may be discussed in this training, please
understand this is not a current events course, but rather, is based on the AIGP exam’s body of
knowledge. The BoK is an outline of topics, developed and approved by an exam development
board, that serves as the foundation for the certification exam and training.
2. If emerging AI governance issues or events become part of the exam, the training will be updated
accordingly at least one month prior to the release of exam updates.
3. Review questions are intended to help reinforce key topics covered in the lesson. They are not
meant to represent actual certification exam questions.
4. The IAPP has published “Key Terms for AI Governance” to provide definitions and explanations for
some of the most common terms related to AI today. This glossary is intended to be a helpful study
resource and was based on numerous sources to create a common lexicon and shared
understanding of terms and phrases used in AI governance.
5. Generative AI was used in the following ways in the development of this product:
• Generating closed captions for videos
• Illustrating concepts with graphics or imagery
• Providing initial drafts of text-based learning content, such as introductions, review
questions and summaries, and offering recommendations for edits
For all uses, we have employed human review by experienced subject matter experts, IAPP
instructional designers and editors to ensure content accuracy and quality.
A NOTE ON THE AIGP BODY OF KNOWLEDGE V2.1
• This training aligns to the AIGP BoK version 2.1
• The focal points for this BoK update include:
• Adding clarifying language or examples.
• Using broader or more global terminology.
• Adding the term “system” to, or in place of, the term “model” throughout for clarity.
• Shifting the focus from the EU AI Act to include a broader range of AI-specific laws.
• Trimming repetitive and out-of-scope content.
• Legislation has begun to create distinctions between developer and deployer to better understand
where liability rests. In this training, we use these terms not as a binary classification of
organizations, but to distinguish sets of tasks and abilities specific to deployment and development,
fully understanding that sometimes an organization plays both roles.
• Individual AI-specific U.S. state laws are not covered in detail, not because they are unimportant, but
because they are currently piecemeal and could easily overwhelm the rest of the exam content. We
know that if your organization is subject to one of these laws, you will educate yourself on the
requirements of that state law.
COURSE OUTLINE
Module 1: Foundations of artificial intelligence
Module 2: AI impacts and responsible principles
Module 3: AI governance and risk management
Module 4: AI regulation
Module 5: Other laws that apply to AI
Module 6: Governing AI development
Module 7: Governing AI deployment
MODULE 1: FOUNDATIONS OF ARTIFICIAL INTELLIGENCE
Introduction
AI governance professionals need a solid foundation of key concepts to understand AI systems and
implement AI governance. They must understand, for instance, the unique characteristics of AI that
require a comprehensive approach to governance.
AI governance professionals should be able to identify the primary types of AI, their distinctions and
their practical applications to assess the appropriateness of each for an organization. They need
foundational knowledge of various AI algorithm types and use cases to effectively govern the
development or selection of AI that aligns with organizational needs. A clear understanding of machine
learning's role in AI and the main types of machine learning training methods is also crucial.
The increased rate of AI adoption will place extra demand on technological resources and supporting
infrastructure. Recognizing different AI types and learning methods, along with identifying their
technological requirements, is essential for effectively overseeing the development or selection of an AI
system.
LESSON 1: CORE CONCEPTS OF AI
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Know the generally accepted definitions and types of AI (I.A)
• Identify the unique characteristics of AI that require a comprehensive approach to governance (e.g.,
complexity, opacity, autonomy, speed and scale, potential for harm or misuse, data dependency,
and probabilistic versus deterministic outputs) (I.A)
Additional topics:
• Describe some AI use cases/benefits
• Recognize the interplay between tech megatrends and AI
CHAT: WHAT CONSTITUTES ARTIFICIAL INTELLIGENCE?
Much like the definition of personal information, our understanding of what constitutes artificial
intelligence has evolved. Over the decades, society’s advancements have altered our perception of
what type of machine or automated process is sophisticated enough to be considered "intelligent."
• What constitutes identifying a machine or automated process as AI?
• What challenges do AI professionals and AI governance face?
• What are the unique characteristics of AI that require a comprehensive approach to
governance?
Possible answers:
AI is not a specific technology, but rather a branch of computer science, with countless potential applications
in both the commercial and public spaces. Artificial intelligence seeks to replicate or simulate human
intelligence, so machines can perform tasks that typically require human intelligence.
The field of artificial intelligence has been evolving at unprecedented speeds, highlighting new challenges for
AI professionals and AI governance. Chief among them is the need to successfully balance innovation and
competitiveness against the need for risk identification and tracking, and the implementation of
monitoring and compliance controls. A thorough understanding of different AI models, their
characteristics and inherent risks is critical to successfully achieving this balance.
Unique characteristics of AI that require a comprehensive approach to governance include: (These are
discussed in more detail in module 3, lesson 2)
• Complexity
• Opacity
• Autonomy
• Speed and scale
• Potential for harm or misuse
• Data dependency
• Probabilistic vs. deterministic outputs
Resources
UN AI Advisory Body, “Governing AI for Humanity,” September 2024.
WHAT IS ARTIFICIAL INTELLIGENCE?
Artificial intelligence is a broad term used to describe an engineered system that uses various
computational techniques to perform or automate tasks. This may include techniques, such as
machine learning, in which machines learn from experience, adjusting to new input data and
potentially performing tasks previously done by humans. More specifically, it is a field of computer
science dedicated to simulating intelligent behavior in computers.
• Hallmarks of human intelligence: ability to think creatively, consider possibilities and keep a goal in
mind while making decisions.
• Like the definition of personal information, our understanding of what constitutes artificial
intelligence has evolved. Society’s advancements alter our perception of what type of machine or
automated process is sophisticated enough to be considered "intelligent."
Definition of AI
• Machines performing tasks that normally require human intelligence.
• A branch of computer science concerned with creating technology to do things that normally
require human intelligence.
• In 1950, mathematician Alan Turing proposed a test to determine whether a machine is intelligent.
• The test considers a machine intelligent if a human judge believes the responses it
produces came from a human and not a machine.
Common elements found across various definitions:
• Technology: AI is a technological construct, composed of algorithms, data structures and
computational models.
• Intelligence: AI mimics aspects of human intelligence, e.g., reasoning and problem solving.
• Autonomy: AI systems often operate independently, making decisions without direct human
oversight.
• Goal-directed behavior: AI is typically designed to achieve specific objectives.
• Output: AI generates outputs such as predictions, decisions, classifications and actions.
• Learning: AI systems incorporate learning and adapt to new inputs, environments or feedback.
• Human interaction: AI's impact on society is shaped by human interaction. Meaningful
engagement between humans and AI systems can harness AI's full potential.
The field of AI has been evolving quickly, bringing new challenges for AI professionals and AI
governance. A primary challenge is balancing innovation and remaining competitive with the need to
identify and track risks and implement monitoring and compliance controls.
Resource: IAPP, "Key terms for AI governance," updated July 2025.
TYPES OF ARTIFICIAL INTELLIGENCE
Three high-level categories
1. Artificial narrow intelligence – also known as weak AI.
• Designed to perform a single or narrow set of related tasks at a high level of proficiency.
• Example: A system designed to play chess.
• Operates under a narrow set of constraints and limitations.
• Boosts productivity and efficiency by automating repetitive tasks, enabling smarter decision-
making and optimization through trend analysis.
• Benefits both organizations and end users and is embedded in many industries, such as health
care, financial services, manufacturing and customer service.
• Broad artificial intelligence
• More advanced in scope than ANI, capable of performing a broader set of tasks (e.g.,
AI agents).
• Relies on a group of AI systems, capable of working together and combining their
decision-making capabilities (e.g., autonomous driving vehicles).
• Lacks full, human-like capabilities experts expect of artificial general intelligence.
2. Artificial general intelligence – also known as strong, deep or full AI
• Intended to closely mimic human intelligence.
• Remains beyond reach at present, although technological advances are bringing it closer.
• Experts expect AGI systems to have strong generalization capabilities such as the ability to
think, understand, learn, perform complex tasks, and achieve goals in different contexts and
environments.
3. Artificial super intelligence
• AI systems with intellectual powers beyond those of humans across a comprehensive range of
categories and fields of endeavor.
• Capable of outperforming humans, self-aware, understanding and evoking human
emotions and experiences, thus experiencing reality like humans.
• Like AGI, ASI does not yet exist.
CLASSIFYING AI SYSTEMS
The Organisation for Economic Co-operation and Development helps organizations classify AI
systems and examine the risks associated with them.
OECD’s five main dimensions developed to classify AI systems:
1. People and planet: Identifies individuals and groups that might be affected by the AI
system, with considerations such as human rights, the environment and society. Privacy falls under this dimension.
2. Economic context: AI system is looked at according to the economic and sectoral
environment in which it operates.
• Characteristics include:
• Sector where the AI system operates (e.g., financial, health care, education).
• Business function or model for the AI system.
• Necessity of the AI system to operations.
• How it is deployed and the impact of the deployment.
• Scale of the system.
• Technological maturity of the AI system (a newer system may have been tested on less
data over time; more mature systems may be more effective).
3. Data and input: What type of data was used in the model and any expert input used.
• Expert input is human knowledge that gets codified into rules.
• Includes characteristics such as how data was collected and what collection method
was used (by machine or by human), structure of the data and data format.
4. AI model: Discusses the technical type; how the model is built and used.
5. Tasks and output: Tasks that AI systems perform, its outputs and resulting actions from
those outputs.
• Characteristics include system tasks, systems that combine tasks and actions,
evaluation methods used to look at how tasks and systems perform.
Resource
OECD Framework for the Classification of AI Systems: a tool for effective AI policies.
INTERPLAY OF TECH MEGATRENDS AND AI
Technology megatrends have varying relationships with artificial intelligence. Some trends actively
support the development and implementation of AI technologies, while others serve as significant
drivers that propel the growth and evolution of AI across various sectors.
• Cloud computing: on-demand, scalable computing resources, high-powered computing accessible
to everyone; drives AI development and data processing capabilities.
• Mobile technology and social media: the proliferation of smartphones and the rise of social media
platforms have led to a massive increase in data, from which AI models learn.
• Internet of things: IoT devices generate data that feeds into AI models, contributing to data
science.
• Privacy-enhancing technologies: AI is driving the need for, and enhancement of, privacy and
governance technologies. PETs are emerging as a viable approach to data security and privacy
concerns and help ensure the continued, responsible growth of AI and data science.
• Autonomous vehicles: demand advances in perception, decision-making and adaptation to
dynamic environments; drive innovation in machine learning, computer vision and edge computing.
• Autonomous weapons: raise ethical concerns about accountability, potential for bias in targeting
decisions, and impact on international stability.
• Blockchain: Blockchain technology provides a trusted interface for secure financial transactions,
enhances data privacy and security in certain contexts; not universally applicable to every data
privacy and AI challenge.
• Computer vision, augmented and virtual reality, and the Metaverse: emerging technologies
that shape the digital landscape of AI and data science.
• Computer vision: enables machines to understand the world through images and videos;
creates safer, more efficient, interactive human-machine interactions; transformed how AI
interprets and processes visual data (e.g., health care, autonomous vehicles, robotics).
• Augmented reality and virtual reality: redefines how we interact with digital content.
• Applies to diverse fields (e.g., gaming, therapy, medicine).
• AR overlays virtual objects onto the real world.
• VR immerses users in entirely simulated environments.
• The Metaverse: represents a vision of a shared virtual space where individuals can interact,
conduct business and explore endless possibilities. It may still be ahead of its time.
AI USES AND IMPACTS
AI can produce a huge number of potential opportunities:
• AI can be faster and more accurate in its results across a broader range of data.
• AI used for medical assessment can be highly accurate, in some tasks more accurate than human
reviewers, particularly when evaluating scans and other medical outcomes.
• AI can also help with legal predictions, reviewing case law, issues and regulations far more
broadly and quickly than humans.
• Like big data tooling, AI can process a huge volume of data at tremendous velocity and can
handle a wide variety of data.
• By automating processing, AI can help reduce human error and, when carefully designed and
tested, human bias in decision-making; it can automate and accelerate otherwise mundane and
repetitive tasks, which are often where inconsistencies occur.
We also need to ensure that the intended audience understands the value that AI brings or adds.
• There can often be suspicion about the use of technology when it replaces people or a more human
approach.
• The security and integrity of AI systems must be ensured so that the data used to train them cannot
be reverse engineered from the system or its outputs to identify individuals.
• Need to ensure AI will honor and enable privacy rights.
USE CASES AND BENEFITS OF AI
• Recognition
• Typically, image, speech or facial recognition.
• Facial recognition: using software to verify a person’s identity from a digital image (or
video) via measurements of unique facial features. Note that accuracy is not guaranteed to be
uniform across skin tone or gender; error rates have been shown to vary across demographic
groups, which is itself a governance consideration.
• Retailer product matches: a consumer sends a picture of a desired product to a retailer’s online system.
The system looks for a product match based on the features of the submitted image, then
notifies the consumer of product matches.
• Manufacturing machines learn to see defects that impact product development.
• Plagiarism detectors, often used in education.
• Forecasting
• Predict sales and revenue, as well as potential product or service demand.
• Ridesharing apps: determine when there might be a higher demand for rides; when demand is
high, prices can increase.
• Weather forecasting.
• Event detection
• Credit card transaction fraud detection or fraud detection when applying for government
services or benefits: looking for patterns of fraudulent behavior within the system.
• Events and sports video: for example, identifying a particular activity, such as a touchdown or
goal.
• Detection of cyber events and anomalies in systems management helps organizations respond to
incidents more effectively.
USE CASES AND BENEFITS OF AI
• Personalization
• Unique online customer profiles: AI systems can help develop a profile based on an individual’s
previous activity and create a unique experience that better meets the individual’s needs.
Personalization can also improve customer engagement and sales.
• Recommendation
• Product recommendations or viewing recommendations for customers based on predictive
analytics.
• Can also be used for decision support systems. AI can help humans make better decisions in
general. For example, AI can help health care providers make diagnoses based on past
information about similar types of diseases, symptoms and previous diagnoses.
• Government use for adjudicating disability cases: trying to figure out the best way to give an
individual access to their benefits for disability cases.
• Interaction support
• Virtual assistants or chatbots that assist customers with transactions. Commonly used in
private industry.
• Used in the public sector as well, chatbots sometimes assist students applying for government
student loans, such as answering frequently asked questions.
• Goal-driven optimization
• Used to optimize a particular problem and find solutions: for example, it can be used to
optimize a supply chain. If you are having supply chain issues and want to get a product out
faster, AI can be used to help you figure out how.
• Optimizing driving routes and idle time for vehicles: for example, with bus routes or a trucking
company trying to get products out in a timely manner.
REVIEW QUESTION
According to the OECD, which of the following are included in the five dimensions that should be used
to classify AI systems? Select all that apply.
A. Data and input.
B. AI model.
C. Tasks and output.
D. Economic context.
E. People and planet.
Answer: All answers are correct.
The OECD helps organizations to classify AI systems and examine risks to those systems. The OECD’s five
dimensions to classify AI systems are people and planet, economic context, data and input, AI model and
tasks and output.
Slide 21: Lesson 2, Machine learning and AI models.
LESSON 2: MACHINE LEARNING AND AI MODELS
The topics in this lesson align to the following performance indicator on the AIGP body of knowledge:
• Understand the differences in AI model types (e.g., classic vs. generative, proprietary vs. open
source, small vs. large, and language vs. multimodal capabilities) (IV.A)
This lesson will also cover the basics of machine learning and its training methods.
Slide 22: Key terms (Data, Algorithm, Model, System).
Module 1: Foundations of artificial intelligence
KEY TERMS
Data: raw information used to train AI models (e.g., text, images, audio, video, sensor data).
Algorithm: a computational procedure or set of instructions and rules designed to perform a specific
task, solve a particular problem or produce an AI model.
Model: a program that applies algorithms to data allowing the model to make predictions or decisions
based on the patterns it has learned.
System: the full operational environment that includes data, algorithms, models, interfaces and
infrastructure.
Resources
IAPP. "Key terms for AI governance," updated July 2025.
IBM. "What is an AI model?"
Slide 23: Categories of AI (diagram labels: AI, ML, DL, GenAI, Agentic AI).
CATEGORIES OF AI
Machine learning (further discussed later in this lesson)
• Refers to the algorithms that learn patterns from data and improve their performance over time
without explicit programming.
Deep learning
• Machine learning using multi-layered neural networks to simulate the complexities of the human
brain.
• Deep learning models can recognize complex patterns in pictures, text, sounds and other data to
produce insights and predictions.
• Benefits over traditional machine learning include efficient processing of unstructured data, hidden
relationships and pattern discovery, and unsupervised learning capabilities.
• Deep learning requires a large amount of high-quality training data and ample processing power.
• Drives many applications and services that improve automation, like digital assistants and voice-
enabled devices.
Generative AI
• Deep learning models that can generate new text, images, video and other output, based on the
patterns and relationships learned from training data.
• Generative AI systems create entirely new data or outputs that are representative of the original
data the system was trained on but are distinctly unique (e.g., after learning what a cat looks like,
the system can then generate an entirely new image of a cat).
• Popular generative AI tools/platforms include ChatGPT (OpenAI), Gemini (Google), GitHub Copilot,
Firefly (Adobe), Claude (Anthropic) and Microsoft Copilot.
Agentic AI
• Systems that are goal-oriented and engineered to autonomously make decisions, plan and execute
actions, and adapt to changing conditions while operating with minimal human guidance.
• Emerging technology that leverages automation and various AI models depending on the task it is
required to do and the type of data it was trained on.
• Perform specific, complex tasks and solve multistep problems with limited supervision.
• Reliant on patterns and likelihoods to make decisions and take actions.
• Highly adaptable; uses reinforcement learning, in which the AI improves through experience.
Slide 24: How are AI systems trained? Machine learning approaches: the three main learning approaches are supervised, unsupervised and reinforcement learning.
HOW ARE AI SYSTEMS TRAINED?
AI systems do not inherently possess the ability to solve complex problems. They must first undergo a learning process to acquire the skills needed to address challenges effectively. The process of teaching AI systems is called machine learning.
• Machine learning leverages data and algorithms to enable systems to repeatedly learn and make decisions.
• The system improves over time without being explicitly instructed or programmed to do so.
• Systems are categorized based on the type of training model they rely on.
• Three main learning methods:
  • Supervised learning: provides training examples in the form of labeled data.
    • Data is labeled (e.g., “this is an apple”) before being processed through the system; the system is then instructed on how the labeled data should be categorized.
  • Unsupervised learning: uses raw data without labels; finds patterns on its own.
  • Reinforcement learning: the system learns by trial and error through a structure of “rewards and punishments.”
Slide 25: Machine learning approaches (supervised learning).
MACHINE LEARNING APPROACHES
1. Supervised learning: learns from a pre-labeled and classified data set.
  • An algorithm analyzes the input data and associated labels to produce an inferred function, which becomes the basis for the system's predictions on new, previously unseen inputs.
  • This approach compares its outputs with the correct or intended output to identify errors and improve prediction skills (e.g., a model that analyzes images of road signs labeled to define each sign’s meaning or purpose).
  • Strength: produces accurate results if trained on high-quality labeled data.
  • Challenge: requires large amounts of labeled data.
    • Labor-intensive, expensive.
    • Labeling data may introduce bias.
  • Two types: regression and classification.
    1. Regression: predicts output values by identifying linear relationships between values. For example, predicting the price of a car based on data such as its year, model, make, features and mileage.
    2. Classification: predicts categorical output variables by labeling input data. For example, predicting whether a future email is spam based on prior emails being labelled "spam" or "not spam."
Resource
IBM. "What is Machine Learning?"
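As an added illustration (not from the IAPP guide), a minimal supervised classifier in Python: a naive Bayes spam filter is trained on a constructed set of labeled emails, and its predictions on held-out labeled emails are compared with the intended labels to count errors, which is the correction loop the lesson describes. All email texts and labels are constructed for the example.

```python
"""Added example (not from the IAPP guide): a tiny supervised classifier.

A multinomial naive Bayes spam filter is trained on constructed, human-labeled
emails; predictions on held-out labeled emails are then compared with the
intended labels to count errors.
"""
from collections import Counter
import math
import re

# Constructed training set: (email text, label). The labels are the
# human-provided tags that make this supervised learning.
TRAIN = [
    ("win a free prize now, click here", "spam"),
    ("free money, claim your prize today", "spam"),
    ("urgent: your account needs verification, click the link", "spam"),
    ("limited offer, free gift card, act now", "spam"),
    ("meeting moved to 3pm, see agenda attached", "ham"),
    ("can you review the quarterly report draft", "ham"),
    ("lunch tomorrow? the usual place", "ham"),
    ("reminder: project status meeting on friday", "ham"),
]

# Constructed held-out set used only to measure prediction errors.
TEST = [
    ("claim your free prize now", "spam"),
    ("agenda for friday meeting attached", "ham"),
]

TOKEN_RE = re.compile(r"[a-z]+")


def tokenize(text):
    """Lower-case and keep alphabetic runs only."""
    return TOKEN_RE.findall(text.lower())


def train(examples):
    """Learn per-label word counts, document counts and the vocabulary."""
    word_counts = {}        # label -> Counter of word occurrences
    doc_counts = Counter()  # label -> number of training documents
    vocab = set()
    for text, label in examples:
        doc_counts[label] += 1
        counter = word_counts.setdefault(label, Counter())
        for tok in tokenize(text):
            counter[tok] += 1
            vocab.add(tok)
    return {"words": word_counts, "docs": doc_counts, "vocab": vocab}


def predict(model, text):
    """Return the most probable label. Log-probabilities avoid underflow and
    add-one (Laplace) smoothing keeps an unseen word from zeroing out a label."""
    total_docs = sum(model["docs"].values())
    vocab_size = len(model["vocab"])
    best_label, best_score = None, -math.inf
    for label, counter in model["words"].items():
        score = math.log(model["docs"][label] / total_docs)  # class prior
        total_words = sum(counter.values())
        for tok in tokenize(text):
            score += math.log((counter[tok] + 1) / (total_words + vocab_size))
        if score > best_score:
            best_label, best_score = label, score
    return best_label


def evaluate(model, examples):
    """Compare predictions with the intended labels; return (errors, total)."""
    errors = sum(1 for text, label in examples if predict(model, text) != label)
    return errors, len(examples)


if __name__ == "__main__":
    model = train(TRAIN)
    for text, label in TEST:
        print(f"{label:4} -> predicted {predict(model, text)}: {text}")
    print("errors / total:", evaluate(model, TEST))
```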
Slide 26: Machine learning approaches (supervised, unsupervised and reinforcement learning).
MACHINE LEARNING APPROACHES (CONT.)
2. Unsupervised learning: does not rely on labeled datasets.
  • Designed to identify patterns, structures and relationships without human supervision or predefined targets.
  • Strengths: discovering hidden patterns and insights in data; more cost-efficient.
  • Challenges: interpretations may be subjective; may display more unpredictable behavior.
  • Two categories: clustering and association rule learning.
    1. Clustering: automatically grouping data points that share similar or identical attributes (e.g., DNA samples that share similarities or patterns).
    2. Association rule learning: identifying relationships and associations between data points (e.g., understanding consumer buying habits).
  • Examples: anomaly detection for mechanical faults or in fraud identification, consumer segmentation and marketing strategies, genetics.
3. Reinforcement learning: interacts with the environment and receives feedback as rewards and punishments, which helps it determine correct or optimal outcomes.
  • Does not ingest pre-labeled datasets; learning is solely through action and repetition, changing or not changing state, and getting feedback from the environment.
  • Errors trigger a penalty and reduce rewards, proportional to the scale of the error.
  • Actions and decisions that result in a reward reinforce the triggering behavior, incentivizing the model to use the same tactic in the future. Over time, the system learns to maximize rewards and improve performance.
  • Strength: can learn complex behaviors without explicit supervision.
  • Challenges: creating an appropriate reward mechanism; exploration/exploitation tradeoffs.
  • Examples: generative predictive text (making the model mimic human responses based on feedback); improving the placement of online ads in a real-time bidding environment.
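Added example, not from the guide: clustering used for the fraud-identification case above, over constructed, unlabeled transaction records. K-means groups the records by similarity; a record that ends up isolated in a tiny cluster, or far from its cluster centre, is flagged for human review. No labels are used at any point, which is what makes the approach unsupervised.

```python
"""Added example (not from the IAPP guide): unsupervised anomaly detection.

K-means (Lloyd's algorithm) clusters unlabeled transactions. A transaction is
flagged for review if it sits in a cluster smaller than min_size (an outlier
tends to capture a centre of its own) or lies farther than max_dist from its
cluster centre in scaled feature space.
"""
import math

# Constructed, unlabeled transactions: (amount, hour of day).
TRANSACTIONS = [
    (12.0, 9), (15.5, 10), (9.0, 11), (14.0, 12), (11.0, 13),    # small daytime purchases
    (80.0, 18), (95.0, 19), (85.0, 20), (90.0, 19), (88.0, 21),  # larger evening purchases
    (950.0, 3),                                                  # very large purchase at 3am
]


def scale(points):
    """Min-max scale each dimension to [0, 1] so the amount (hundreds) does not
    swamp the hour (tens) when distances are computed."""
    dims = list(zip(*points))
    lows = [min(d) for d in dims]
    spans = [(max(d) - min(d)) or 1.0 for d in dims]  # constant dimension -> span 1
    return [tuple((v - lo) / sp for v, lo, sp in zip(p, lows, spans)) for p in points]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iterations=50):
    """Lloyd's algorithm with a deterministic start (first k points as centres).
    Returns (centres, assignment index per point)."""
    centres = [list(p) for p in points[:k]]
    assignments = None
    for _ in range(iterations):
        # Assignment step: every point joins its nearest centre.
        nearest = [min(range(k), key=lambda c: distance(p, centres[c])) for p in points]
        if nearest == assignments:
            break  # converged: no point changed cluster
        assignments = nearest
        # Update step: each centre moves to the mean of its members.
        for c in range(k):
            members = [p for p, a in zip(points, assignments) if a == c]
            if members:
                centres[c] = [sum(d) / len(members) for d in zip(*members)]
    return centres, assignments


def find_anomalies(points, k=3, min_size=2, max_dist=0.5):
    """Return the original records that are isolated in a cluster smaller than
    min_size, or lie farther than max_dist (scaled space) from their centre."""
    scaled = scale(points)
    centres, assignments = kmeans(scaled, k)
    sizes = [assignments.count(c) for c in range(k)]
    flagged = []
    for original, p, a in zip(points, scaled, assignments):
        if sizes[a] < min_size or distance(p, centres[a]) > max_dist:
            flagged.append(original)
    return flagged


if __name__ == "__main__":
    for record in find_anomalies(TRANSACTIONS):
        print("flag for human review:", record)
```

Because the rules are unsupervised, what gets flagged depends on k, min_size and max_dist rather than on any known fraud label, which is the subjectivity and unpredictability the lesson lists as a challenge.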
Slide 27: Machine learning approaches (supervised, unsupervised, reinforcement and semi-supervised learning).
MACHINE LEARNING APPROACHES (CONT.)
• Semi-supervised learning: in addition to the three primary types of machine learning, a combination of supervised and unsupervised learning processes.
  • Uses a small amount of labeled data and a large amount of unlabeled data.
  • Aims to leverage the benefits of both models: improving reliability while reducing costs.
  • Helpful in scenarios where it is challenging to find or create a large pre-labeled dataset.
  • Examples:
    • Image and speech analysis.
    • Categorization and ranking of web page search results.
    • Large language models: AI that utilizes deep learning algorithms to create models trained on massive text data sets to analyze and learn patterns and relationships among characters, words and phrases. LLMs often rely on semi-supervised learning models.
    • ChatGPT, DALL-E and other generative AI tools.
Resource
OECD. "AI language models," April 13, 2023.
Slide 28: Common algorithms and techniques (linear regression, logistic regression, decision trees, random forests, neural networks).
COMMON ALGORITHMS AND TECHNIQUES
Algorithms and various techniques in machine learning are chosen based on the intended outcome or
task needing to be performed by the model. While these are generally selected and managed by the
engineering and AI development teams, as a governance professional it is helpful to understand the
various tasks that can be performed and how. This supports dialogue between the teams and
assessment of risk levels.
Most common algorithms and types of tasks:
Linear regression
Used for numeric predictions based on continuous variables, e.g., predicting the cost of damages for
natural disasters in a particular region based on housing prices, infrastructure, etc.
Logistic regression
A probabilistic technique used to predict whether or not something is likely to occur, usually a binary
function, e.g., whether or not a customer is likely to churn, or a particular product will sell to a given
demographic.
Decision trees
A supervised learning algorithm used most commonly for classification and regression tasks, e.g., spam detection tools that classify emails as spam or not.
Random forests
An ensemble technique and algorithm used in supervised learning, primarily for classification and regression tasks. It tends to produce more accurate results and handles complex data better than decision trees, e.g., recommendation engines.
Neural networks
An algorithm that mimics the human brain, used for highly complex tasks across a wide range of domains such as natural language processing or facial recognition, e.g., ChatGPT or Google’s Gemini.
Slide 29: Machine learning architectures and applications (foundation: transformer models, multimodal models, large language models; generative architectures; specialized architectures: CNNs, RNNs, GNNs; hybrid and emerging concepts: retrieval-augmented generation, agentic AI systems).
MACHINE LEARNING ARCHITECTURES AND APPLICATIONS
AI governance professionals should be familiar with machine learning architectures and applications even though they may not be directly involved in the technical implementation. A solid grasp of these concepts enables effective engagement with technical teams, risk assessment and compliance with governance standards.
Foundation models
• Transformer models
  • A deep learning model that learns context and meaning by tracking relationships in sequential data (such as words in a sentence).
  • They find patterns between elements mathematically, eliminating the need for large, labeled datasets. They process inputs in parallel, which is more efficient for training and inference.
  • Transformer models enable modern natural language processing and multimodal models. They are also used in protein sequencing to develop medications and in DNA sequencing.
• Multimodal models
  • Process inputs and produce outputs of a variety of modalities, including image, video and text, as opposed to unimodal models, which use a single input and output modality, like text to text.
  • Trained by analyzing large amounts of content to detect its patterns and associations.
  • Some are large multimodal models (LMMs).
  • NLP is a key component of multimodal models.
  • Common use cases include weather forecasting, medical diagnoses and generating code.
  • Multimodal models have raised specific privacy and ethical concerns. WHO released AI ethics and governance guidance for LMMs in 2024.
  • Concerns include inaccurate, biased or incomplete output negatively affecting health decisions, poor quality or biased training data, and privacy risks with patient data.
  • Popular multimodal generative AI tools include Gemini (Google), ChatGPT (OpenAI), ImageBind (Meta) and Inworld AI.
• Large language models (discussed later in this lesson)
Generative architectures
Specialized architectures
• Convolutional neural networks.
• Recurrent neural networks.
• Graph neural networks.
Hybrid and emerging concepts
• Retrieval-augmented generation: a technique applied to generative AI systems that allows the system to incorporate external information into a generated response. This technique is thought to enhance LLM-based systems by increasing accuracy and relevance.
• Agentic AI systems (discussed further in module 7).
Slide 30: Comparing model types (classic vs. generative models; proprietary vs. open-source models).
COMPARING MODEL TYPES
Classic vs. generative models
• Classic models: typically focused on specific tasks with deterministic outputs, classic models often
rely on structured algorithms and fixed rules, such as decision trees or linear regression, to analyze
data and make predictions.
• Generative models: these models, like GPT or GANs, can create new data instances that resemble
training data. They learn the underlying distribution of the input data, enabling them to generate
text, images, or other content that is novel and diverse.
Proprietary vs. open-source models
• Proprietary models: Developed by specific organizations, these models are usually restricted in
access and use, often designed for commercial applications, which can limit transparency and
independent auditing.
• Open-source models: These models are publicly available for anyone to use, modify and distribute,
promoting collaboration, innovation and transparency, but they may also carry risks regarding
quality control and security.
Slide 31: Comparing model types (small vs. large language models).
COMPARING MODEL TYPES
Small vs. large language models
• Size and complexity:
  • LLMs, like GPT-4, contain billions to trillions of parameters, making them highly complex and capable of understanding and generating human-like text across a wide range of topics.
  • SLMs have fewer parameters, typically ranging from a few million to several billion. They are designed to be more efficient and are often specialized for specific tasks.
• Training data and versatility:
  • LLMs are trained on vast datasets that cover diverse topics. LLMs are versatile and can handle a wide array of tasks, from conversational AI to content generation.
  • SLMs are trained on more focused datasets, making them excel in specific domains but less versatile than LLMs.
• Resource consumption:
  • Training and running LLMs require significant computational resources, often involving thousands of GPUs and substantial energy consumption.
  • SLMs are more resource-efficient, requiring less computational power, and can often be run on standard hardware.
• Bias and fine-tuning:
  • LLMs can exhibit biases due to the vast and varied data they are trained on. Fine-tuning is often necessary to mitigate these biases.
  • While also susceptible to bias, SLMs can be fine-tuned more easily for specific tasks, reducing unwanted outputs.
Resources
iovox. "The Battle of the Brains: Large Language Models vs. Small Language Model."
Rama, Muhammad. "LLMs vs SLMs: The differences in large and small language model." Splunk Blogs, Feb. 17, 2025.
Slide 32: Comparing model types (language models vs. multi-modal models).
COMPARING MODEL TYPES
Language models and multi-modal models differ primarily in the types of data they handle and their capabilities:
• Data types:
  • LMs, like GPT-4, are designed to process and generate text. They excel in tasks such as language translation, text summarization and conversational AI.
  • MMMs can handle multiple types of data, including text, images, audio and video. Examples include models like CLIP and DALL-E, which can understand and generate content across different modalities.
• Capabilities:
  • LMs are focused on understanding and generating human language. LMs are powerful in natural language processing tasks but are limited to textual data.
  • MMMs integrate and interpret information from various data sources simultaneously. MMMs can perform tasks such as generating descriptive text from images, answering questions based on visual content, and creating images from textual descriptions.
• Applications:
  • LMs are used in applications like chatbots, virtual assistants and automated content creation where text is the primary medium.
  • MMMs are applied in more diverse fields such as image captioning, video analysis and multi-modal search engines, where understanding and generating content from multiple data types is essential.
Slide 33: Expert systems (diagram: knowledge base, inference engine, user interface).
TYPES OF ARTIFICIAL INTELLIGENCE
Expert systems
• Mimic the decision-making abilities of a human expert within a specific field.
• Draw inferences from a specific knowledge base and rely on AI to replicate the judgment and behavior of a human with specific expertise.
• Widely deployed across industries: financial services, health care, agriculture, engineering.
• Designed to support and assist humans, rather than replace them (e.g., a medical diagnosis system designed to aid doctors in determining the type and stage of a cancerous growth).
The three main elements of expert systems are the knowledge base, inference engine and user interface.
1. Knowledge base: typically consists of an organized collection of facts and information provided by human experts and focused on a specific field or domain; the system is also allowed to gather additional information from external sources.
2. Inference engine: extracts relevant information from the knowledge base and uses it to solve a problem.
  • Uses a rule-based approach that maps data from the knowledge base to a series of rules, which the system relies on to make decisions in response to the input provided.
  • Expert systems often include a module that allows users to review the system's decision-making process.
3. User interface: allows the end user to interact with the expert system by providing an input (problem or question) and obtaining an output (resolution).
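Added example (not from the guide): the three elements above in Python, with a constructed transaction-review knowledge base of if-then rules, a forward-chaining inference engine that applies them to a user's observations, and a minimal interface that returns the decision together with the chain of rules behind it (the review module the text mentions). All rule and fact names are made up for the illustration; a real knowledge base would be supplied by domain experts.

```python
"""Added example (not from the IAPP guide): a minimal rule-based expert system.

Knowledge base  -> expert-provided if-then rules (constructed here).
Inference engine -> forward chaining: fire every rule whose conditions hold.
User interface  -> consult(): takes observed facts, returns the decision and
                   an explanation a reviewer can check.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: frozenset  # every one of these facts must be known
    conclusion: str        # fact added to working memory when the rule fires


# Knowledge base for a constructed transaction-review domain. A conclusion of
# one rule may serve as a condition of another, so chains of reasoning form.
KNOWLEDGE_BASE = [
    Rule("R1", frozenset({"amount_over_limit", "new_payee"}), "unusual_transfer"),
    Rule("R2", frozenset({"login_from_new_device"}), "session_unverified"),
    Rule("R3", frozenset({"unusual_transfer", "session_unverified"}), "hold_for_human_review"),
    Rule("R4", frozenset({"unusual_transfer", "customer_confirmed_by_phone"}), "release_transfer"),
]


@dataclass
class Inference:
    facts: set
    trace: list = field(default_factory=list)  # (rule name, conclusion) in firing order


def infer(rules, input_facts):
    """Forward chaining: repeatedly fire any rule whose conditions are all known
    and whose conclusion is not yet known, until nothing new can be derived."""
    state = Inference(facts=set(input_facts))
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.conditions <= state.facts and rule.conclusion not in state.facts:
                state.facts.add(rule.conclusion)
                state.trace.append((rule.name, rule.conclusion))
                changed = True
    return state


def explain(rules, state, goal):
    """Explanation module: walk back from the goal through the rules that
    actually fired, so a reviewer can see why the conclusion was reached."""
    by_name = {r.name: r for r in rules}
    fired = {conclusion: by_name[name] for name, conclusion in state.trace}
    lines, stack, seen = [], [goal], set()
    while stack:
        fact = stack.pop()
        if fact in seen:
            continue
        seen.add(fact)
        rule = fired.get(fact)
        if rule:  # facts given by the user have no rule behind them
            lines.append(f"{fact} because {rule.name}: {' and '.join(sorted(rule.conditions))}")
            stack.extend(rule.conditions)
    return lines


def consult(user_facts, goal="hold_for_human_review"):
    """User interface: observations in, (decision, explanation lines) out."""
    state = infer(KNOWLEDGE_BASE, user_facts)
    return goal in state.facts, explain(KNOWLEDGE_BASE, state, goal)


if __name__ == "__main__":
    decision, why = consult({"amount_over_limit", "new_payee", "login_from_new_device"})
    print("hold for human review:", decision)
    for line in why:
        print("  ", line)
```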
REVIEW QUESTION 1
An AI system studies a large set of unlabeled data and tries to detect hidden patterns within it. What
type of machine learning is being used in this example?
A. Forecasting.
B. Supervised learning.
C. Unsupervised learning.
D. Reinforcement learning.
Answer:
C. Unsupervised learning.
Unsupervised learning models do not rely on labeled datasets and are able to identify differences, similarities
and other patterns without human supervision.
REVIEW QUESTION 2
True or false? AI and machine learning mean the same thing and can be used interchangeably.
A. True.
B. False.
Answer:
B. False.
AI and machine learning are related but are not the same thing. Machine learning is a technique for
achieving AI. It uses algorithms to review data, learn from it, then make predictions or decisions, rather than
being explicitly programmed to perform a task. AI refers to machines that perform tasks ordinarily requiring
human intelligence. In simple terms, AI can be thought of as the result (machines exhibiting intelligence), and
machine learning as a process by which that result can be achieved (teaching the machine).
REVIEW QUESTION 3
Which of the following models would be most appropriate for an analysis of relationships between two
variables?
A. Linear/statistical model.
B. Computer vision.
C. Reinforcement learning.
D. Decision tree model.
Answer:
A. Linear/statistical model.
Linear/statistical models use a linear equation to model the relationship between two variables, such as sales
and pricing, or time of day and volume of road traffic.
Slide 37: Lesson 3, The AI system development life cycle.
LESSON 3: THE AI SYSTEM DEVELOPMENT LIFE CYCLE
The following topics are covered in this lesson:
• Recognize the AI system development life cycle and its key stages
Slide 38: The AI system development life cycle (iterative process: planning and design; data collection and preparation; model development; model testing and evaluation; deployment; monitoring and maintenance).
THE AI SYSTEM DEVELOPMENT LIFE CYCLE: GOVERNANCE REQUIREMENTS
The iterative, structured process of moving from a problem or idea to an AI solution.
• AI development life cycle stages are similar to those for other technology: plan, design, develop (or build) and implement (or deploy).
• However, AI systems focus on data and require specialized attention, including rigorous and continuous monitoring and maintenance, to ensure they perform as intended and effectively achieve desired outcomes.
• Not a linear or one-time process; takes an iterative approach.
  • Steps in the life cycle are revisited many times throughout the stages as models must adapt to new data inputs or changing conditions (e.g., changes in business, technology, regulatory and economic environments; data availability/quality; user feedback).
  • AI development requires continuous monitoring and ongoing adjustments and refinements to ensure it works well and meets the needs of the organization.
Key stages, with governance requirements that could apply at each stage:
• Planning and design: defining the problem AI will solve; ensuring the user group is considered; considering use of an interpretable model.
• Data collection and preparation: ensuring the data is representative of the problem to be solved; bias prevention in data labelling.
• Model development, including selection and training: explainability by design; appropriate reporting and documentation.
• Model testing and evaluation: testing for bias and ensuring fairness principles are maintained; user testing and representation.
• Deployment: enabling user feedback; putting in place a reporting function for incidents and errors.
• Monitoring and maintenance: determining a monitoring and reporting schedule; regular quality checks; an action plan should the model need to be taken offline or retrained.
• Decommissioning: ensuring sensitive data is properly archived or destroyed and that the system is properly stood down to prevent safety, reputational and legal risks; documenting the process.
Resources:
U.S. General Services Administration. “Understanding and managing the AI lifecycle.”
Patel, Rakesh. "AI Developmental Life Cycle: A Comprehensive Guide." Spaceo Technologies, Oct. 18, 2025.
Weller, Suzanne. "Streamline AI Governance with Informatica." Informatica, May 27, 2025.
MODULE 2: AI IMPACTS AND RESPONSIBLE PRINCIPLES
Introduction
Before implementing AI in an organization, AI governance professionals must understand potential
reputational, cultural, economic, acceleration, legal and regulatory harms. These harms may impact
individuals, groups, society, organizations and the environment.
When developing and using AI, potential risks can be overlooked or inadvertently created. Machine
learning and AI pose risks already understood in existing sectors and practices, but the scale, scope
and speed of processing of ML and AI could exacerbate those risks. Since ML and AI continue to evolve,
it can be difficult to anticipate what form future risks may take. Therefore, AI principles and ethics must
be applied to development and testing to mitigate potential harms.
Understanding what makes an AI system trustworthy provides a foundation for building an AI
governance program. These systems can be articulated in different ways; in this course, they are
characterized as being human-centric, accountable and transparent. Understanding these terms in the
context of AI and ML can help guide AI governance professionals in determining if a particular AI
system or program is appropriate and meets an organization’s standards.
Slide 40: Lesson 1, AI harms and impacts.
LESSON 1: AI HARMS AND IMPACTS
The topics in this lesson align to the following performance indicator on the AIGP body of knowledge:
• Identify the types of risks and harms posed by AI to individuals, groups, organizations and society
(e.g., misalignment with objectives, ethics and bias risk, and complexity and scalability) (I.A)
Additional topic: Review of harms taxonomies
Slide 41: Privacy harms taxonomies: what and why? (What is a harms taxonomy? Why is a harms taxonomy important?)
PRIVACY HARMS TAXONOMIES
What and why?
• Artificial intelligence presents a complex mix of risks and benefits that continue to shape public opinion. According to a recent Pew Research Center study (resource below), many individuals appreciate AI's potential to assist with tasks like data analysis and problem-solving, but concerns about its broader societal impact remain significant, e.g., a majority of people worry about AI eroding human creativity and the ability to form meaningful relationships.
• Despite these concerns, there is cautious optimism about AI's role in specific domains. Many support its application in areas such as weather forecasting, financial crime detection and medical advancements. However, skepticism persists regarding AI's involvement in personal and sensitive matters. This dual perspective highlights the need for thoughtful governance to balance AI's benefits with its potential harms.
• What is a harms taxonomy?
  • A list of negative consequences that could befall the data subject or organization if certain pieces of information are leaked or misused.
  • An ontological map of individual harms — breaks down harms into their constituent components or attributes.
    • Example: What is the capacity of the attacker to complete that harm? What is the capability? What is the opportunity?
  • Looks at the dimensions of the harm.
• Why is a harms taxonomy important?
  • Privacy laws, directives and regulations focus on the right to the protection of personal data and the principles surrounding it, which is helpful within a legal context. To understand why these rights matter, you must understand the concept of harm; a harms taxonomy allows privacy professionals to focus on the consequences of privacy rights infringements — for individuals and society as a whole.
  • It enhances empathy for data subjects — customers and people from whom personal data is collected.
  • Once harms are broken down, organizations can perform targeted, controlled selection to drive down a specific type of risk (security, privacy, business).
Resource: Kennedy, Brian, Eileen Yam, Emma Kikuchi, Isabelle Pula and Javier Fuentes. “How Americans View AI and Its Impact on People and Society.” Pew Research Center, Sept. 17, 2025.
Slide 42: Harms taxonomies, approaches to identifying harms. Privacy harms: PANOPTIC, Ryan Calo, Citron and Solove. AI harms: Sociotechnical Harms of Algorithmic Systems, CSET AI Harm Taxonomy for AIID, NIST AI Risk Management Framework.
HARMS TAXONOMIES
Examples related to privacy harms
1. MITRE PANOPTIC Privacy Threat Model (https://ptmworkshop.gitlab.io/#/panoptic)
• Data-driven structure to support privacy threat assessment, risk modeling and red teaming.
2. Ryan Calo (https://www.repository.law.indiana.edu/ilj/vol86/iss3/8)
• Two broad categories of harms:
  1. Subjective privacy harms: experienced internally by the person being harmed.
  2. Objective privacy harms: external to the person being harmed; can occur when personal data is used for an adverse action (e.g., refusing a loan).
3. Citron and Solove (https://ssrn.com/abstract=3782222)
• Harm types: physical, reputational, relationship, economic, discrimination, psychological,
autonomy.
Examples related to AI harms
There are also AI-specific harms taxonomies, which have some overlap with privacy harm taxonomies.
Examples:
1. Sociotechnical Harms of Algorithmic Systems: Scoping a Taxonomy for Harm Reduction
(https://arxiv.org/pdf/2210.05791)
• Builds on existing taxonomies, classifications and terminologies.
• Has five major themes: representational, allocative, quality-of-service, interpersonal, social
system/societal.
2. CSET AI Harm Taxonomy for AIID (https://incidentdatabase.ai/taxonomy/csetv1) — CSET is the
Center for Security and Emerging Technology at Georgetown University.
• Characterizes the harms, entities and technologies involved in AI incidents and the
circumstances of their occurrence.
• Defines AI harm in terms of four elements; all four must be present for an incident to count as AI harm.
3. NIST AI Risk Management Framework (https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf).
• Risk defined as "the composite measure of an event’s probability of occurring and the
magnitude or degree of the consequences of the corresponding event".
• Approach is to enable AI use by minimizing negative impacts and trying to maximize positive
outcomes.
• Identified potential harms include harm to people, harm to an organization and harm to an
ecosystem.
[Slide 43: Potential harms posed by AI systems. Who is affected? Individuals, groups, society, organizations, ecosystems.]
POTENTIAL HARMS POSED BY AI SYSTEMS
Who is affected?
• Individuals (civil rights, economic opportunity, safety).
• Groups (discrimination towards subgroups).
• Society (democratic process, public trust in governmental institutions, educational access, jobs
redistribution).
• Organizations (reputational, cultural, economic, acceleration risks).
• Ecosystems (natural resources, environment, supply chain).
Note: Although presented as a one-to-one format herein, not all harms are singular in nature. Some
may affect multiple sectors, depending on how the AI system is used. For example, facial recognition
systems have a high risk of harm for individuals (consider journalists, protesters, victims of domestic
violence, incorrect identification for a crime), groups (facial recognition programs used to identify a
group of marginalized people gathering on a regular basis at a particular location), society (deepfakes
and spoofing, eroding public trust), and organizations (privacy violations and security breaches
through biometric theft).
Ethical considerations
• Businesses are racing to be the first in the marketplace, but this can result in the release of unethical, unresponsive and potentially malicious AI systems into the world.
• We as humans configure these AI systems, and our biases, morals and ethical values are mirrored in the AI systems we develop.
• Human biases, morals and ethical values instilled in AI systems can affect AI decision-making in ways that can have significant consequences for the data subject.
Resource
MIT AI Risk Initiative. "What are the risks from Artificial Intelligence?"
[Slide 44: Individual harms: bias and discrimination.]
INDIVIDUAL HARMS
Bias and discrimination
Bias in AI systems can cause harm to a person’s civil liberties, rights, safety and economic
opportunity. Individuals developing the systems can have bias; this should be addressed during the life
cycle of AI system development.
• Implicit bias: Discrimination or prejudice toward a particular group or individual.
• Sampling bias: Data is skewed toward a subset of a group, so the model may favor that subset of the larger group.
• Temporal bias: A model is trained and functions properly at the time, but may not work well at a future point, requiring new ways to address the data.
• Overfitting to training data: An AI model learns too much from the specific examples it was trained on, making it less effective when faced with new, unseen data.
• Underfitting to training data: The model is too simple and fails to capture important patterns in the training data, leading to poor performance.
• Edge cases and outliers: Any data outside the boundaries of the training dataset (e.g., edge cases can be errors when you have data that is incorrect, duplicative or unnecessary).
  • Noise: Data that negatively affects the model's learning.
  • Outliers: Data points outside the normal distribution of the data; can affect how the model operates and its effectiveness.
[Slide 45: Individual harms: bias and discrimination (employment and hiring, insurance and social benefits, housing, education, credit).]
INDIVIDUAL HARMS
Bias and discrimination
• Employment and hiring discrimination.
  • AI-based systems used for recruiting and hiring.
  • If the system is biased, it may discriminate against applicants based on gender, race, ethnicity or economic status.
  • Amazon, 2014: implemented an AI system to help with recruiting and hiring; during testing they found the system was biased against women.
    • This happened because the system was trained on test data of the resumes of men only.
    • Engineers tried to retrain the system, but this is difficult to do once the model has already been trained a certain way; the project was eventually abandoned in 2017.
• Insurance and social benefit discrimination.
  • If the system is not appropriately modeled and developed, there can be a discriminatory impact against particular groups of individuals, often based on economic status.
• Housing discrimination.
  • Tenant selection and mortgage qualification can be affected if a biased AI system is used.
• Education discrimination.
  • AI systems used to select individuals to attend a school.
  • A biased system can discriminate against qualified individuals based on race, gender or economic background.
• Credit discrimination.
  • Financial lending discrimination and individuals unable to get loans.
  • Differential pricing of goods and services.
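A worked check for the sampling bias and discriminatory hiring outcomes described above, added here as an example and not taken from the IAPP guide: it audits a hypothetical AI screener over constructed applicant records, flagging under-representation of a group in the training data and a gap in selection and false-rejection rates between groups. The group labels, record counts and the 0.8 ratio threshold are assumptions for illustration.

```python
"""Added example (not from the IAPP guide): a small bias audit for an AI hiring
screener. Two checks: (1) sampling bias, i.e. is any group under-represented in
the training data relative to a reference population, and (2) disparate
outcomes, i.e. does the screener select, or wrongly reject, people at different
rates by group. All records, group labels and thresholds are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    group: str       # protected attribute: used only for auditing, never for scoring
    qualified: bool  # ground truth from a blind human review (constructed)
    selected: bool   # the screener's decision


def _make(group, qualified, selected, n):
    return [Candidate(group, qualified, selected) for _ in range(n)]


# Constructed training set: the screener was fit on 90 resumes from men, 10 from women.
TRAINING_GROUPS = ["men"] * 90 + ["women"] * 10

# Constructed screening outcomes on a balanced applicant pool (20 per group,
# 10 qualified and 10 not qualified in each).
SCREENED = (
    _make("men", True, True, 9) + _make("men", True, False, 1)
    + _make("men", False, True, 1) + _make("men", False, False, 9)
    + _make("women", True, True, 4) + _make("women", True, False, 6)
    + _make("women", False, False, 10)
)


def representation_gaps(training_groups, reference_shares, max_gap=0.10):
    """Sampling-bias check: groups whose share of the training data falls more
    than max_gap below their share of the reference population."""
    counts = Counter(training_groups)
    total = sum(counts.values())
    gaps = {}
    for group, expected in reference_shares.items():
        actual = counts.get(group, 0) / total if total else 0.0
        if expected - actual > max_gap:
            gaps[group] = round(actual, 3)
    return gaps


def _by_group(candidates, keep=lambda c: True):
    groups = defaultdict(list)
    for c in candidates:
        if keep(c):
            groups[c.group].append(c)
    return groups


def selection_rates(candidates):
    """Share of each group the screener selected."""
    return {g: round(sum(c.selected for c in cs) / len(cs), 3)
            for g, cs in _by_group(candidates).items()}


def false_negative_rates(candidates):
    """Share of qualified people in each group the screener rejected."""
    qualified = _by_group(candidates, keep=lambda c: c.qualified)
    return {g: round(sum(not c.selected for c in cs) / len(cs), 3)
            for g, cs in qualified.items()}


def disparate_impact(candidates, min_ratio=0.8):
    """Groups whose selection rate is below min_ratio of the best-treated
    group's rate. The 0.8 default mirrors the four-fifths rule of thumb from
    US employment selection guidance; the threshold is a policy choice."""
    rates = selection_rates(candidates)
    best = max(rates.values())
    return {g: round(r / best, 3) for g, r in rates.items() if r / best < min_ratio}


def audit(training_groups, reference_shares, candidates):
    """One report so a governance reviewer sees the training-data gap and the
    outcome disparity side by side."""
    return {
        "underrepresented_in_training": representation_gaps(training_groups, reference_shares),
        "selection_rates": selection_rates(candidates),
        "false_negative_rates": false_negative_rates(candidates),
        "disparate_impact": disparate_impact(candidates),
    }


if __name__ == "__main__":
    report = audit(TRAINING_GROUPS, {"men": 0.5, "women": 0.5}, SCREENED)
    for finding, value in report.items():
        print(f"{finding}: {value}")
```

The same per-group rate comparison applies to the facial recognition demographic differentials discussed under group harms, with match rate in place of selection rate.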
[Slide 46: Individual harms: civil rights and privacy concerns.]
INDIVIDUAL HARMS
Civil rights and privacy concerns
• Personal data used as part of AI training data.
  • Screen out personal data: If you don’t need personal data, it should not be used in the system; personal data that is part of the larger training set could be exposed to individuals who should not have access to it.
  • Deidentification: removing identifiers from the data, such as name, address and Social Security number; however, it is possible to reidentify an individual if the data is aggregated or combined with another dataset.
  • AI systems use massive amounts of data, typically drawn from multiple datasets; it is easy to combine deidentified data from one dataset with identified data from another and reidentify individuals, leading to privacy issues.
• Appropriation of personal data for model training.
  • AI systems are trained on large sources of data.
  • Data may come from social media or large datasets with information about individuals; individuals may have consented to one particular use of their data, but not to training an AI system.
• Inference: An AI system making predictions or decisions.
  • In some cases, the systems can be used to identify individuals, but they are not always accurate.
  • Personal data can be attributed to the wrong individual.
• Lack of transparency of use.
  • AI systems should notify individuals when AI is being used (e.g., when interacting with chatbots).
• Inaccurate models.
  • Data accuracy is very important; AI systems are only as good as the data that trains them.
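The deidentification and reidentification point above, as an added example that is not part of the guide: it strips direct identifiers from a constructed table, measures k-anonymity over the remaining quasi-identifiers (the fields a second, identified dataset could be linked on), and coarsens them until no record is unique. The field names, records and the k = 2 threshold are constructed assumptions.

```python
"""Added example (not from the IAPP guide): checking whether a "deidentified"
dataset can still single people out. Removing names and SSNs is the
deidentification step the lesson describes; the remaining quasi-identifiers
(ZIP code, birth year, sex) are what another dataset could be joined on.
k-anonymity is the size of the smallest group of records sharing the same
quasi-identifier values: k = 1 means someone is unique and therefore
reidentifiable by linkage. All records are constructed, not real people."""
from collections import Counter

DIRECT_IDENTIFIERS = ("name", "ssn")
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed source table, as it might sit in an internal system before release.
RAW_RECORDS = [
    {"name": "Alice", "ssn": "000-00-0001", "zip": "02138", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"name": "Bob",   "ssn": "000-00-0002", "zip": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "diabetes"},
    {"name": "Carol", "ssn": "000-00-0003", "zip": "02138", "birth_year": 1972, "sex": "F", "diagnosis": "migraine"},
    {"name": "Dan",   "ssn": "000-00-0004", "zip": "02139", "birth_year": 1986, "sex": "M", "diagnosis": "eczema"},
    {"name": "Eve",   "ssn": "000-00-0005", "zip": "02134", "birth_year": 1988, "sex": "F", "diagnosis": "anemia"},
    {"name": "Fay",   "ssn": "000-00-0006", "zip": "02139", "birth_year": 1973, "sex": "F", "diagnosis": "asthma"},
]


def deidentify(records, direct=DIRECT_IDENTIFIERS):
    """Drop direct identifiers only; quasi-identifiers and the sensitive
    attribute stay, which is exactly why this step alone is not enough."""
    return [{k: v for k, v in r.items() if k not in direct} for r in records]


def quasi_key(record, quasi=QUASI_IDENTIFIERS):
    return tuple(record[q] for q in quasi)


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """How many records share each combination of quasi-identifier values."""
    return Counter(quasi_key(r, quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; 1 means at least one record is unique."""
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi=QUASI_IDENTIFIERS):
    """Records that could be reidentified by linking on the quasi-identifiers alone."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[quasi_key(r, quasi)] == 1]


def generalize(record):
    """Coarsen quasi-identifiers: keep the 3-digit ZIP prefix and the birth decade."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    return out


def prepare_release(records, k_required=2):
    """Deidentify, then generalize if the result does not reach k_required.
    Raises if one round of generalization is still not enough, so nothing
    below the threshold is released silently."""
    data = deidentify(records)
    if k_anonymity(data) >= k_required:
        return data
    data = [generalize(r) for r in data]
    if k_anonymity(data) < k_required:
        raise ValueError("still below k=%d after generalization; suppress or coarsen further" % k_required)
    return data


if __name__ == "__main__":
    stripped = deidentify(RAW_RECORDS)
    print("after removing names/SSNs: k =", k_anonymity(stripped),
          "unique records:", len(unique_records(stripped)))
    released = prepare_release(RAW_RECORDS)
    print("after generalization: k =", k_anonymity(released))
```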
Resource
Schwartz, Gabrielle, Joe Jones, Uzma Chaudhry. “The Intersection of Privacy and AI Governance.” IAPP
Resource Center, May 2024.
[Slide 47: Individual harms: economic opportunity and job loss.]
INDIVIDUAL HARMS
Economic opportunity and job loss
• While AI can help to create some job opportunities (increased productivity, lower costs, work assistance, the possibility of new types of future jobs), it also has the potential to cause job loss.
  • AI is being used to do jobs previously handled by humans (e.g., data entry or research and summarization).
• AI-driven discriminatory hiring practices.
  • Job opportunities may fail to reach key demographics due to AI-driven tools for job targeting, marketing or hiring.
  • If there is bias built into an AI model used for marketing and recruiting people for jobs, certain demographic groups may not be contacted if that bias works against those subgroups.
[Slide 48: Group harms: facial recognition, mass surveillance, civil rights, deepening of racial and socio-economic divides.]
GROUP HARMS
• Facial recognition algorithms: Many AI systems using face recognition exhibit demographic differentials (the ability to match two images of the same person varies from one demographic group to another).
  • A NIST study found facial recognition systems to be unreliable across many kinds of systems.
  • Studies have found that people with darker skin tones and women are much more difficult to recognize, leading to discrimination and bias.
  • AI facial recognition software used by the London police once showed an 81% inaccuracy rate; this can lead to biased policing, and the ability to track individuals online with such systems can lead to discrimination.
• Mass surveillance: A large potential harm, particularly for marginalized groups.
  • If mass surveillance is used, protected groups or those harmed in the past may not receive as much privacy protection and may be targeted for surveillance (due to race, religion, sexual orientation, etc.).
• Civil rights
  • Harms to freedom of assembly and protest due to tracking and profiling of individuals linked to certain beliefs or actions.
• Deepening of racial and socio-economic divides
  • Discrimination against population subgroups.
  • Mistrust among groups.
[Slide 49: Societal harms: spread of disinformation, ideological bubbles, deepfakes, safety.]
SOCIETAL HARMS
Societal harms are harms to the democratic process and participation.
• Spread of disinformation.
• Ideological bubbles or echo chambers.
  • Individuals exposed only to information that agrees with information they encountered in the past.
  • Unable to see differing views or understand broader societal implications.
  • Causes isolation and more division; groups only exposed to their specific ideas and values.
• Deepfakes: Audio, video or images manipulated to create an alternate reality.
  • Harmful in elections.
• Safety
  • Lethal autonomous weapons that identify targets to attack.
  • Concern that, without sufficient oversight, systems could evolve and may be able to attack randomly without being monitored.
[Slide 50: Environmental harms: high carbon emissions, excessive energy consumption, water usage in AI systems, impact of lithium extraction.]
ENVIRONMENTAL HARMS
1. High carbon emissions: training large AI models can emit over 626,000 pounds of carbon dioxide,
equivalent to five times the lifetime emissions of an American car.
2. Excessive energy consumption: the energy used to train top AI models matches the energy mix
of major cloud service providers, significantly impacting the environment.
3. Water usage in AI systems: each casual use of generative AI is likened to wasting a small bottle of
water, which accumulates over time.
4. Impact of lithium extraction: the extraction of lithium for battery production for AI systems
demands enormous water usage, causing additional environmental strain. Concerns about the
future availability of lithium are also growing due to the rapid increase in demand, geopolitical
concentration and the slow pace of mine development, all of which present significant challenges.
To address this, many organizations are seeking alternatives to the use of electrical power.
• Possibility of using batteries to power systems; this can also have an environmental impact.
How can AI be used to help the environment?
• Self-driving cars developed by AI systems can help reduce emissions.
• AI use in agriculture has produced higher yields.
• AI use in satellite images can help identify disaster-stricken areas so they can receive help.
• Weather forecasting.
[Slide 51: Organizational harms. Risks: reputational, cultural, economic, acceleration, legal and regulatory. Engage key stakeholders across the organization to understand potential risks and harms.]
ORGANIZATIONAL HARMS
Reputational
• Loss of customers and renewals.
• Increased queries due to concerns about AI usage.
• New customer concerns over AI usage.
• Negative brand impact.
• Share price drop and investor flight.
• Company is a target for activists.
Cultural
• Assumption that AI is more accurate than humans, so we are less likely to challenge its outcomes,
even though AI is created by humans.
• Built-in bias that AI is technology and data-driven and therefore can produce a superior outcome,
which is not necessarily the case.
Economic
• Costs of internal resources and remediation if something goes wrong with the AI.
• Litigation costs, including class actions and punitive damages.
Acceleration
• Not all risks can be anticipated from the beginning due to the volume of data that AI can process,
the speed of processing and the complexity of the algorithm.
• AI impact may be wider and greater than with other software and technology solutions.
• Generative AI must be created with necessary controls in place as it can be very difficult to see the
warning signs when things move quickly.
Legal and regulatory
• Industry laws and regulations may apply to AI use (e.g., pharmaceutical, telecom, financial).
• Privacy law implications; competition law; trade; tax.
• Breaches of legal and regulatory obligations can lead to sanctions, fines and orders to stop processing.
• Given the nature of AI to continue to learn and evolve, it can be difficult to anticipate what forms
risks may take, particularly for new risks. Therefore, it is essential to apply AI principles and ethics
rigorously to the development and testing of AI to mitigate these potential harms.
• Engage key stakeholders to understand potential harms.
[Slide 52: Other potential harms from AI: threat to democracy, misuse of pattern analysis, profiling/tracking, overreliance on predictive analytics.]
OTHER POTENTIAL HARMS FROM AI
• Threat to democracy
  • Can cause erosion of confidence in government and public institutions.
  • AI algorithms do not know what is fact and what is not fact.
• Misuse of pattern analysis
  • AI can detect patterns, but this can be misused.
  • Example: facial recognition software used to identify individuals at a protest march.
• Profiling/tracking
  • Identifies shared characteristics and behaviors across platforms.
  • Can carry over to nonusers of systems or users who did not consent.
  • Example: When a user shops on multiple websites, a profile is created that links all the user’s activities on these sites; however, this profile may carry over to more than one family member using the same device or account and visiting different websites.
• Overreliance on predictive analytics
  • Leads to the creation of records on people with little or no direct interaction or consent.
  • Uses a device’s IP address, MAC address or hardware serial number to identify the user and create a record about them.
[Slide 53: Chat. Let’s talk about: How can we anticipate and address the broad range of potential harms to an organization?]
CHAT
Let’s talk about…
How can we anticipate and address the broad range of potential harms to an organization?
Possible answers:
• Start with identifying the risks you know: look at the requirements already in place and make sure your AI
complies with those.
• Identify gaps in known risks to better identify the new and novel risks of AI use and outcomes.
• Address new and evolving risks by ongoing monitoring and assessments of AI implementation.
• Use the many tools available already.
[Slide 54: Review question 1.]
REVIEW QUESTION 1
Which of the following are examples of types of privacy concerns regarding the use of AI? Select all
that apply.
A. Deidentifying personal data.
B. Business reputation.
C. Lack of transparency of use.
D. Appropriation of personal data for model training.
Answers:
A. Deidentifying personal data.
C. Lack of transparency of use.
D. Appropriation of personal data for model training.
Privacy concerns with the use of AI mentioned in this lesson include deidentifying personal data (removing
identifiers such as name or address; however, it is possible to reidentify an individual if data is aggregated or
combined with other data), lack of transparency of use (individuals should know when AI is being used) and
appropriation of personal data for model training (individuals may consent for one particular use of their
data, but not for training an AI system).
[Slide 55: Review question 2.]
REVIEW QUESTION 2
Using AI-driven tools for job marketing and hiring could result in a negative economic impact by failing
to reach key demographic groups.
A. True.
B. False.
Answer:
A. True.
Job opportunities may not reach people of all demographic groups if an AI model used for marketing or job
recruitment has bias in favor of specific subgroups.
[Slide 56: Module 2, Lesson 2: Principles of trustworthy and responsible AI.]
LESSON 2: PRINCIPLES OF TRUSTWORTHY AND RESPONSIBLE AI
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Understand the Organisation for Economic Co-operation and Development (OECD) principles,
framework, policies and recommended practices for trustworthy AI (II.D)
• Identify and apply the common principles of responsible AI (e.g., fairness, safety and reliability,
privacy and security, transparency and explainability, accountability and human-centricity) (I.A)
[Slide 57: OECD and FIPs Guidelines. Common principles: collection limitation, use limitation, security safeguards, notice or openness, access or individual participation, accountability, purpose specification, data quality and relevance.]
OECD GUIDELINES ON THE PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL
DATA (OECD GUIDELINES) AND FAIR INFORMATION PRACTICES (FIPS)
• The FIPs, originated by the OECD Guidelines in 1980, are rooted in decades of ethical guidance and
organizational design for privacy, security and other data- or technology-related functions. These
have since been echoed in various permutations by other international organizations and by U.S.
government agencies (Dept. of Homeland Security, Federal Trade Commission).
• In addition to the FIPs, which are primarily focused on data collection, use, protection and
associated individual rights relative to personal data, there have been many follow-on sets of
principles to apply them in various contexts, such as AI governance.
Common principles:
1. Collection limitation: data collection should be limited to only what is necessary and be obtained
by lawful and fair means.
2. Use limitation: data should be limited to uses specified by the organization unless a data subject
has given consent for, or there is a legal exception for, alternate uses.
3. Security safeguards: reasonable security safeguards should be established to protect personal
data.
4. Notice or openness: companies should be clear and open to the extent required by law about
how they manage personal data and explain their practices and policies regarding personal data.
5. Access or individual participation: appropriate access should be provided to allow a person to
understand the data an organization has about them and to obtain, amend, correct or otherwise
challenge it.
6. Accountability: companies should be accountable for complying with the principles and
obligations in the other FIPs.
7. Purpose specification: the organization should be committed to disclosing specific purposes for
which it will use data, and then only use that data for those compatible purposes.
8. Data quality and relevance: personal data should be relevant to the purposes for which it is to be
used and should be accurate, complete and timely to be fair to data subjects.
[Slide 58: OECD AI Principles: 1) inclusive growth, sustainable development and well-being; 2) human rights and democratic values, including fairness and privacy; 3) transparency and explainability; 4) robustness, security and safety; 5) accountability.]
OECD AI PRINCIPLES
The OECD also has a set of principles specific to promoting trustworthy AI use.
1. Inclusive growth, sustainable development and well-being
Recognizes that trustworthy AI can play an important role in advancing inclusive growth, sustainable
development and well-being, and global development objectives. Encourages responsible AI
stewardship by stakeholders.
2. Human rights and democratic values, including fairness and privacy
States that AI systems should be designed in a way that respects the rule of law, human rights,
democratic values and diversity, and include appropriate safeguards to ensure fairness and justice.
3. Transparency and explainability
Calls for transparency and responsible disclosure around AI systems so that people understand
when they are engaging with them and can challenge outcomes.
4. Robustness, security and safety
States that AI systems must function in a robust, secure and safe way throughout their lifetimes,
and potential risks should be continually assessed and managed. It specifically highlights two
methods: 1) traceability and subsequent analysis and inquiry; 2) applying a risk management
approach.
5. Accountability
Proposes that organizations and individuals who develop, deploy or operate AI systems should be
held accountable for their proper functioning in line with the OECD’s values-based principles for AI
and applicable regulatory frameworks.
Resource
OECD AI Principles.
[Slide 59: What are key ethical issues for AI? Considerations: lawfulness, safety, bias protection, transparency, choice, human intervention, security.]
WHAT ARE KEY ETHICAL ISSUES FOR AI?
Ethical principles
• Lawfulness: AI systems must operate within the framework of existing laws and regulations,
ensuring compliance with legal standards that protect individual rights and societal norms.
• Safety: the deployment of AI should prioritize the safety and well-being of individuals and the
environment, mitigating risks that could lead to harm or adverse effects.
• Bias protection: AI systems must be designed to minimize and eliminate biases that can lead to
unfair treatment of individuals or groups, ensuring equitable outcomes across diverse populations.
• Transparency: organizations should strive for transparency in AI operations, providing clear
explanations of how AI systems make decisions and the data they utilize, fostering trust among
users and stakeholders.
• Choice: individuals must have appropriate choices about the use of their personal information to
develop AI. It is essential that individuals are informed and empowered to make choices regarding
how their personal data is collected, used and shared in the development of AI technologies.
• Human intervention: individuals can choose to have human intervention in key AI-driven decisions
that impact their legal rights or well-being. Users should have the option to request human
oversight in significant decisions made by AI systems, particularly those that affect their rights or
quality of life.
• Security: organizations must be accountable for ensuring AI they develop and use is secure.
Companies have a responsibility to implement robust security measures to protect AI systems from
vulnerabilities and threats, ensuring the integrity and safety of their technologies.
To achieve these standards, organizations will need a process to determine what use cases meet the
organization’s ethical principles and code of conduct.
[Slide 60: What foundational controls should be in place? Mitigating ethical risk posed by AI. Ethics-by-design principles: 1) respect for human agency; 2) privacy and data governance; 3) fairness; 4) individual, social and environmental well-being; 5) transparency; 6) accountability and oversight.]
WHAT FOUNDATIONAL CONTROLS SHOULD BE IN PLACE TO MITIGATE ETHICAL RISK POSED BY
USING AI?
• Organizations should adhere to ethical principles of AI.
• Organizations should develop a cross-functional and demographically diverse oversight body to review higher-risk AI use cases that create ethical gray areas for the organization.
• Organizations should assess whether they have appropriate policies and procedures for
associated risks such as unfair bias/disparate impact; privacy; cybersecurity and data governance
and enhance those policies and procedures as necessary to apply to AI use cases. They should also
develop metrics to verify that policies and procedures are having the desired effect.
Specific strategies for risk mitigation will be discussed in a later module.
Ethics by design
• Similar to privacy by design; requires early involvement and a customized approach to address
ethical considerations.
• Six core principles: 1) respect for human agency; 2) privacy and data governance; 3) fairness; 4) individual, social and environmental well-being; 5) transparency; and 6) accountability and oversight.
• Purpose: enable ethical issues to be addressed at the outset of a project, rather than as an
afterthought, preventing potential individual, societal and organizational harm.
• Operates on the assumption that values can be embedded within the design of technology.
• When implementing, tailor ethical principles and considerations to specific risks posed by the
technology and incorporate into new technology design and development, including AI systems.
• Ethical issues should also be evaluated in the deployment phase, as risks may have changed,
requiring an adjustment to the tailored approach.
A real-world ethics by design case (trigger warning: discusses suicide)
Failing to implement continuous ethics by design resulted in real-world harm in the tragic case of a
teen who took his own life in April 2025 with the guidance of ChatGPT. He easily bypassed a suicide
hotline notification programmed into the platform and discussed his challenges with ChatGPT. Instead
of preventative measures, the bot discouraged the teen from disclosing issues to family, advised him
on methods, and helped him draft suicide notes.
In August 2025, OpenAI said it would add additional guardrails to ChatGPT after a wrongful death
lawsuit. It found its safeguards did not work reliably when users engaged in long interactions or across
conversations. In September 2025, OpenAI released a statement (see resource below). Ethics by design
may have been incorporated in early stages; however, the company did not continue to review risks
and use ethics by design as the model’s capabilities, and how users interacted with it, had changed.
Resource
Altman, Sam. “Teen safety, freedom, and privacy.” OpenAI, Sept. 16, 2025.
[Slide 61: Creating a culture of ethical AI within an organization: legal and compliance, transparency and explainability, privacy and cybersecurity, data governance, equitable design.]
CREATING A CULTURE OF ETHICAL AI WITHIN AN ORGANIZATION
Organizations should have programs to train and educate employees to create a culture of ethical AI.
Some roles and positions to include:
Legal and compliance
• Legal and compliance guidance — including relevant policies and procedures — should be in place
to ensure legal review of AI and the execution of existing processes to ensure bias mitigation (or
development of such process for AI if none exist).
Equitable design
• Consider whether there is diversity of thought in teams responsible for developing, training, testing
and monitoring AI. Without it, there is increased likelihood of biased inputs or outcomes.
• A cross-functional, demographically diverse group should evaluate higher-risk AI
products/processes that could result in biased outcomes or other ethical concerns.
Transparency and explainability (explainability is also known as interpretability)
• AI systems and products with embedded AI should be labeled as such internally and externally (see
FTC guidance on transparency). Consumers should be aware when they are interacting with AI or
receive output/decisions generated by AI.
• Decisions made by AI should be explainable to the consumer. This still applies when AI is provided
by a third party — as such, third-party due diligence and contracts should ensure that the third
party can provide explanations of AI-generated decisions.
Privacy and cybersecurity
• Use of personal information to develop or train AI should be disclosed in privacy notices.
• Consent must be obtained where required by applicable privacy regulations (e.g., GDPR, California
Consumer Privacy Act, U.S. state omnibus privacy laws, Brazil's LGPD) for use of personal
information for automated profiling.
• Consumers should be able to access and delete their personal information used to develop and
train AI models in compliance with applicable laws.
• Data minimization: while it takes a massive volume of data to develop and train AI models, personal
data that is unlikely to improve the model should be left out by default.
• AI systems must be developed to mitigate the risk of cyber intrusion, such as exfiltration of
confidential or personal information, or poisoning of the model or the data used to train it.
Data governance
• Organizations must ensure the quality and integrity of data used to develop and train models.
Module 2: AI impacts and responsible principles
TRUSTWORTHY AI CHARACTERISTICS
Trustworthy AI operates in an expected, legal and fair manner.
It is:
Human-centric
• AI that amplifies human agency.
• AI that has a positive impact on the human condition.
Accountable
• Organizations ultimately need to be responsible for the AI they deliver, irrespective of the number
of contributors.
• An organization should ensure that the AI systems it uses are safe, secure, resilient, valid, reliable
and fair.
Transparent and explainable
• Organizations should provide meaningful information in order to:
• Provide easy-to-understand information on the development, training, operation and
deployment of an AI system in the relevant application domain, to enable informed choices.
• Make stakeholders aware of when they are interacting with AI systems.
• Enable those adversely affected by an AI system to challenge its output.
• Explainability is the capacity to describe an AI system and its expected impact and potential biases. It
requires an understanding of how an AI system operates and the data it was trained on.
• Transparency and explainability are key to building trust in an AI model.
Privacy-enhanced
• Organizations should collect, store and use personal information in AI systems in ways that protect
individuals' rights.
• Organizations can use privacy-enhancing technologies (PETs), digital solutions that allow use of
information while also helping to protect data confidentiality and privacy.
• PETs are an important tool to help prevent intentional misuse of data as well as accidental or
negligent misuse due to hacks, bugs or misunderstandings of policies.
CHAT
Let’s talk about…
What are some characteristics of untrustworthy AI?
Possible answers:
• Black box decision-making.
• Unfair outcomes.
• Lack of explainability regarding those outcomes.
• Diminishes the human experience.
REVIEW QUESTION 1
Which of the following best describes how the OECD guidelines influence AI governance?
A. They focus solely on data privacy and security in AI systems.
B. They provide a framework for ensuring AI systems are human-centric and transparent.
C. They are legally binding regulations for all organizations using AI.
D. They mandate specific technologies to be used in AI systems.
Answer:
B. They provide a framework for ensuring AI systems are human-centric and transparent.
The OECD guidelines are not legally binding regulations but serve as a set of recommended practices for
ethical AI governance. While data privacy and security are important, the OECD guidelines also address
broader principles like fairness, accountability and transparency.
REVIEW QUESTION 2
Which of the following is a foundational control to mitigate ethical risks posed by AI?
A. Avoiding the use of external audits for AI systems.
B. Implementing a diverse and cross-functional team for AI evaluation.
C. Relying solely on automated systems to monitor AI behavior.
D. Focusing only on technical performance metrics.
Answer:
B. Implementing a diverse and cross-functional team for AI evaluation.
A diverse and cross-functional team helps identify and address potential ethical risks by bringing varied
perspectives and expertise to AI evaluation.
MODULE 3: AI GOVERNANCE AND RISK MANAGEMENT
Introduction
Building AI governance starts with understanding how an organization operates, how the organization
is considering AI, and what type of organization it is (technology, financial, health care, etc.).
Additionally, the strategy should identify the organization's maturity level so that leadership
understands how AI governance will be built and what resourcing the organization will need as it
matures. These considerations shape the AI governance plans recommended to leadership.
AI governance practitioners must understand the stakeholders and engage them early to identify areas
of partnership, which will strengthen a program in its build-out. As the strategy is developed, AI
governance professionals must identify and define the structure based on organizational preferences.
They must also define roles and responsibilities that inform leadership and those building and
evaluating the organization’s AI capabilities.
Finally, an organization will undertake the identification and management of risks, both internal and
external. All of an organization’s risk management strategies should align. Best practices and risk
management frameworks and tools will be discussed.
LESSON 1: ESTABLISHING AI STRATEGY
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Differentiate approaches to AI governance based upon company size, maturity, industry, products
and services, objectives and risk tolerance (I.B)
• Identify differences among AI developers, providers, deployers and users from a governance
perspective (e.g., with respect to responsibilities, opportunities and needs) (I.B)
• Create and implement policies to ensure oversight and accountability across all AI life cycle stages
(e.g., use case assessment, risk management, ethics by design, data acquisition and use, model and
system development, training and testing, deployment and monitoring, documentation and
reporting, and incident management) (I.C)
Key concepts (slide summary): developer, the technical creator; provider, places systems on the market; deployer, uses AI in professional activities; user, anyone who interacts with AI.
KEY CONCEPTS: AI DEVELOPERS, PROVIDERS, DEPLOYERS AND USERS
This training discusses several roles in the AI system life cycle: developer, provider, deployer and user.
• Some legislation, like the Colorado AI Act, uses the term “developers,” while others, like the EU AI
Act, use the term “providers.” Specific roles under AI regulations are defined later in this training.
• A developer can also be a deployer, and multiple entities can be developers and deployers
throughout an AI’s lifespan.
Developer
Key responsibilities
• Designs, develops and implements AI models, algorithms and applications.
• Handles raw data, including cleaning, preprocessing and transforming for model training.
• Rigorously tests and evaluates AI models for accuracy, reliability and potential biases.
• Provides documentation to deployers that includes foreseeable uses, known harmful uses, training
data summaries and system limitations.
• Identifies and mitigates known or foreseeable risks of algorithmic discrimination.
• Makes public statements about the types of AI systems developed and how their risk is managed.
• Notifies authorities and deployers of newly discovered risks of algorithmic discrimination.
• Examples: A cybersecurity firm that develops AI software to monitor networks; a startup that
develops a generative AI chatbot available to the public.
Provider
Under the EU AI Act, a person, public authority, agency or other body that develops an AI system or
general-purpose AI model (or has one developed) and puts it on the market or into service under its
name/trademark. The emphasis is on bringing the AI system to market or making it available.
Key responsibilities
• Ensures AI systems meet safety, transparency and accountability standards before going to market.
• Complies with all legal and regulatory standards, including for data security and ethical use.
• Assesses and manages risks associated with the AI technologies throughout the lifecycle.
• Prepares detailed technical documentation, especially for general-purpose AI models, including
information on training content.
• Reports serious incidents and notifies authorities if systemic risks emerge from their AI systems.
• Has accountability, and potential liability, for AI systems' compliance and safety.
• Example: a company that develops and sells an AI system that automates recruitment activities.
KEY CONCEPTS: AI DEVELOPERS, PROVIDERS, DEPLOYERS AND USERS (continued)
Deployer
• Individual or entity that uses an AI system under its authority.
• Generally applies to professional activities, excluding personal nonprofessional use.
• Key responsibilities
• Uses AI systems in accordance with regulations and provider instructions.
• Ensures adequate human oversight, particularly for high-risk AI systems.
• Provides training and fosters AI literacy among staff who interact with AI tools.
• For high-risk AI systems, ensures input data is relevant, representative, error-free and
complete.
• Continuously monitors the AI system’s operations and identifies emerging risks.
• Promptly reports identified risks and serious incidents to providers.
• Maintains detailed logs of AI system usage.
• Conducts regular (e.g., annual) impact assessments for high-risk AI systems, as required by
legislation like the Colorado AI Act.
• Notifies consumers when a high-risk AI system will be used to make a consequential
decision about them.
• Implements and maintains a risk management policy and program for high-risk AI systems.
• Examples: a bank employing an AI system to assist with loan application decisions; a company using
an external AI tool to support its customer service operations.
User
• Individual or entity that interacts with or is directly affected by an AI system.
• Key responsibilities
• Understands that they are interacting with an AI system, especially if it’s not immediately
obvious.
• Provides feedback on AI system performance or outcomes, where mechanisms exist.
• Understands and exercises rights related to AI-driven decisions that affect them, such as the
right to notice or human review for consequential decisions.
• Examples: an individual using a generative AI tool for personal creative work; a customer interacting
with an AI-powered chatbot on a company website.
AI developers, providers, deployers and users: obligations and needs (slide diagram). Documentation flows from developers and providers to deployers and on to users; feedback flows back from users to deployers and on to developers and providers.
AI DEVELOPERS, PROVIDERS, DEPLOYERS AND USERS: OBLIGATIONS AND NEEDS
Developers
• Obligations
• Fully understand the purpose of the algorithm and the problem it could solve.
• Ensure appropriate data is used to design the algorithm.
• Document decisions made, the source of the data and how it was used in training.
• Needs
• A clear definition of the algorithm’s purpose.
• Appropriate resources to implement necessary constraints and governance.
• Understanding of legal and policy restrictions that apply.
• Ability to receive feedback from deployers and users.
Providers
• Obligations
• Ensure safety, transparency and accountability standards before making an algorithm available.
• Assess and manage risks associated with the algorithm throughout its life cycle.
• Report serious incidents and notify authorities if systemic risks emerge from the algorithm.
• Needs
• Clear information on the algorithm’s purpose and how it was constructed.
• Appropriate resources to implement necessary governance and risk mitigations.
• Understanding of legal and policy restrictions that apply.
• Ability to receive feedback from deployers and users.
Deployers
• Obligations
• Ensure the algorithm is used responsibly.
• Provide necessary documents and education.
• Potentially update or supplement acceptable use policies.
• Needs
• Clear information on how the algorithm was made.
• Guidance on what the parameters are for appropriate use.
• Ability to receive feedback from users.
Users
• Obligations
• Comprehend information provided on the algorithm’s limits and appropriate uses.
• Provide feedback on how the algorithm is working along with any performance issues.
• Needs
• Clear guidance for use, including applicable AI governance tools and documentation.
• Knowledge of how to provide feedback to the deployer.
TAILORING AI GOVERNANCE TO THE ORGANIZATION (1)
• Always tailor AI governance to the context of the organization.
• Some reasons that approaches to AI governance may differ across organizations include the
following:
1. Company size
• Likely correlates to the number, scope and variety of AI systems involved.
• May impact the availability of resources devoted to AI governance, including
whether AI-related responsibilities are assigned to existing roles and offices, or new
positions are created.
• Smaller companies may need to combine services with privacy or legal
oversight functions and leverage existing screening or risk assessment tools
to include new AI aspects.
• Larger companies, by contrast, may create new AI-specific offices, oversight and
detailed processes regarding ML and GenAI models.
2. Maturity
• Likely correlates to the organization’s approach to creating sufficient
infrastructure for managing risks introduced by including AI.
3. Industry/sector
• Organizations in highly regulated sectors like health care, insurance and banking
have already been tackling how to comply with existing rules when incorporating AI.
• In many jurisdictions, such as the U.S., these organizations receive guidance from
regulatory agencies on how to address AI-specific risks. This will continue to
influence how those in different industries approach their governance strategies.
TAILORING AI GOVERNANCE TO THE ORGANIZATION (2)
• Reasons for approaches to AI governance to differ across organizations include the following
(continued):
4. Products and services
• Tied to industry requirements, the amount of AI incorporated directly into products
and services will drive the required scope of governance to ensure sufficient risk
management.
• Whether in the context of B2B or B2C, both existing services with AI features and
new offerings based on new AI capabilities require careful risk assessment and
ongoing oversight proportional to the complexity and impact of the AI aspects.
5. Objectives
• An organization’s strategic objectives in choosing to develop or incorporate AI, or
simply use AI-based tools, should be structured around the variety of risks the
choices entail.
• Business objectives such as profit, quality of service or internal work culture can all
be impacted by AI. Tying potential uses to desired outcomes can enable more
balanced decisions on where and when to include these systems.
6. Risk tolerance
• AI systems may ameliorate some existing risks but will almost certainly introduce
new risks. Therefore, deciding to use AI instead of an alternative should be based on
the risk assessment of that use case.
• Such risk assessments only provide a relative score. So, an organization must
further determine how specific risks:
• Fit within its larger operational position.
• Align with its values.
• Otherwise support strategic plans reflecting things like cultural tolerance for
risk in different aspects of its operations.
POLICIES FOR OVERSIGHT AND ACCOUNTABILITY
Part of establishing AI governance strategy is creating and implementing policies to ensure oversight
and accountability across all AI life cycle stages. The areas included in an organization’s policies partly
depend on whether it will develop or deploy AI (or a combination of these activities).
Key areas to address in policies for oversight and accountability include the following, some of which
apply to both development and deployment:
• Use case assessment.
• Risk management.
• Ethics by design.
• Data acquisition and use.
• Model and system development.
• Training and testing.
• Deployment and monitoring.
• Documentation and reporting.
• Incident management.
Later lessons in this training cover these topics in greater detail in relation to AI development and
deployment, as well as legislative and sectoral requirements.
USE CASE ASSESSMENT
A structured process to evaluate the viability, risks and ethical implications of applying AI to a specific
problem or opportunity. Its primary goal is to ensure AI systems are developed and deployed
responsibly, effectively and in compliance with relevant regulations.
Key components (per the NIST AI Risk Management Framework; the framework's fourth function, Govern, is the cross-cutting function that supports the three below)
1. Map: establish the context for an AI system and identify risks related to that context. Involves
surveying the environment where an AI system will operate and knowing its potential impacts.
Key aspects:
• Document the AI system’s intended purposes, potentially beneficial uses and prospective
settings in which it will be deployed.
• Identify stakeholders and impacts, characterizing potential positive and negative impacts.
• Categorize the AI system: define specific tasks and methods the AI system will support (e.g.,
generative models, recommenders) and understand its capabilities, targeted usage, goals,
and expected benefits and costs.
• Map risks and benefits: identify and link system limitations, risks and benefits for AI
system components, including third-party software and data sources.
• Document the AI system’s knowledge limits and how humans may use and oversee output.
2. Measure: assess, analyze and track identified risks from the “map” phase and quantify risks across
technical, societal and organizational domains.
Key aspects:
• Apply appropriate methods and metrics to evaluate AI systems for trustworthy
characteristics (e.g., accuracy, robustness, fairness).
• Assess severity, likelihood and scope of identified risks, including potential biases in data or
models, and security vulnerabilities.
• Implement mechanisms to continuously track identified AI risks and gather feedback on the
efficacy of measurement.
3. Manage: prioritize and act on the risks identified and measured during assessment.
Key aspects:
• Develop and plan responses to identified risks based on their projected impact, which can
include mitigating, transferring, avoiding or accepting risks.
• Implement security controls, safeguards, and other interventions to reduce risk.
• Regularly monitor system behavior, updating controls as needed, and establish continuous
improvement plans.
USE CASE ASSESSMENT (CONT.)
When to perform a use case assessment
• Before implementation: it is crucial to conduct a thorough assessment before initiating an AI project
to ensure strategic alignment, technical/operational feasibility and identification of potential risks.
• In early stages of the AI life cycle: within frameworks like the NIST AI RMF, the “map” function
involves categorizing AI use cases, an initial and foundational step in the risk management process.
• For a new AI initiative: any time a new AI application or system is considered, especially those with
potentially significant impacts or classified as high-risk, perform a formal use case assessment.
• Throughout the AI life cycle: AI use case assessment should be ongoing, with risk reviews and
governance checkpoints embedded throughout the life cycle due to evolving risks and performance.
• For regulatory compliance: to meet the requirements of emerging AI regulations, continuously
assess AI systems based on their use cases to ensure ongoing compliance and manage associated
legal and reputational risks.
Example cases:
Example 1: AI-powered medical image analysis for cancer detection.
• Situation: a healthcare provider is developing an AI system to assist radiologists in detecting
early signs of cancer from medical images.
• When to assess: during the design phase when selecting algorithms, defining data sources
and planning model training.
• Why: to meticulously map out potential risks such as false positives/negatives (life-critical
errors), algorithmic bias (if training data lacks diversity across patient demographics or
disease presentations), data security (handling protected health information) and the need
for human oversight (e.g., a radiologist always makes a final diagnosis). This assessment
informs the choice of robust algorithms, data collection protocols and validation methods.
Example 2: Adopting a new third-party AI solution.
• Situation: a company purchases an off-the-shelf AI tool to analyze customer feedback
sentiment.
• When to assess: before integrating the third-party solution into operations.
• Why: to evaluate the vendor's AI governance practices, the tool's transparency, its
performance on relevant data and its compliance with the company's internal policies and
external regulations. The company needs to understand the risks of relying on a black-box
system and ensure it meets the company's ethical and performance standards.
REVIEW QUESTION 1
Which connections can be drawn between the size of a company or organization and its approach to AI
governance? Select all that apply.
A. The size is likely related to the number of AI systems involved.
B. The size may affect the likelihood of new positions being created for AI responsibilities.
C. A smaller company is more likely to create new AI-specific offices.
D. Larger companies will likely have a lower risk tolerance than smaller companies.
Answer:
A. The size is likely related to the number of AI systems involved.
B. The size may affect the likelihood of new positions being created for AI responsibilities.
A and B were both included in this lesson as ways company/organization size may impact the AI governance
approach. A larger, not smaller, company is more likely to create new AI-specific offices. Finally, no
relationship was discussed between a company’s size and its risk tolerance.
LESSON 2: ESTABLISHING AI GOVERNANCE
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Define roles and responsibilities for AI governance stakeholders (I.B)
• Establish cross-functional collaboration in the AI governance program (e.g., for efficacy and diversity
of expertise and perspective) (I.B)
• Create and deliver a training and awareness program to all stakeholders on AI terminology, strategy
and governance (I.B)
Additional topic:
• AI governance structure and types of governance models
WHAT IS AI GOVERNANCE?
• AI governance is an organization's approach to using laws, policies, frameworks, practices and
processes, at the international, national and organizational levels, to help stakeholders
implement, manage, oversee and regulate the use of AI technology.
• AI governance is also used to manage associated risks to ensure AI aligns with stakeholders'
objectives and organizational ethics, is developed and used responsibly, and complies with
applicable requirements.
• Using the guardrails that AI governance provides can help to address potential issues such as bias,
privacy impacts and misuse, while also helping to increase innovation and trust.
GROUNDING AI GOVERNANCE
The "why" and "how" of AI governance
AI governance principles are a set of values, whereas an AI governance framework is a means to
operationalize those values.
Principles
• AI governance principles are guidelines to enable consistency, standardization and responsible AI
use. Around the world, principles that guide responsible AI governance are similar.
• Established principles can help organizations identify their own ethical principles of AI.
• Examples:
• OECD AI Principles.
• Fair Information Practices (FIPs).
• UNESCO’s Recommendation on the Ethics of Artificial Intelligence.
Frameworks
• AI governance frameworks and standards provide guidance for operationalizing values coming from
principles.
• While there are similarities among frameworks, they are often context-sensitive and fit for specific
purposes. An organization can also align to one framework or set of standards in multiple ways.
• Examples of frameworks and standards relevant to AI governance:
• International Organization for Standardization (ISO): Several standards apply, including
ISO/IEC 42001 (Information technology ― Artificial intelligence ― Management system).
• U.S.: National Institute of Standards and Technology (NIST) AI Risk Management Framework.
• Institute of Electrical and Electronics Engineers (IEEE) 7000-2021 Standard Model Process
for Addressing Ethical Concerns during System Design.
• Human Rights, Democracy, and the Rule of Law Impact Assessment for AI Systems
(HUDERIA).
• Other standards specific to jurisdiction/industry.
Later modules provide details of specific principles and frameworks and how they may apply.
A comprehensive approach to AI governance: complexity and opacity
Complexity
1. Regulatory challenges
2. Accountability issues
Opacity
1. Trust and transparency
2. Bias and fairness
A COMPREHENSIVE APPROACH TO AI GOVERNANCE
Complexity
1. Regulatory challenges: The intricate nature of AI systems can make it difficult for regulators to
create comprehensive guidelines that address all facets of AI behavior and development, leading to
gaps in governance.
2. Accountability issues: As AI systems grow more complex, attributing responsibility for their
decisions becomes challenging, complicating legal and ethical accountability.
Opacity
1. Trust and transparency: The lack of transparency in AI decision-making processes can undermine
public trust, necessitating governance frameworks that prioritize explainability and clarity.
2. Bias and fairness: Opaque algorithms can perpetuate biases, making it essential for governance to
include mechanisms for auditing and mitigating bias in AI systems.
A comprehensive approach to AI governance: autonomy and speed/scale
Autonomy
1. Decision-making oversight
2. Risk of misalignment
Speed and scale
1. Rapid deployment risks
2. Global coordination
A COMPREHENSIVE APPROACH TO AI GOVERNANCE (CONT.)
Autonomy
1. Decision-making oversight: Highly autonomous AI systems may operate independently of human
oversight, prompting the need for governance structures that ensure human accountability and
ethical considerations in decision-making.
2. Risk of misalignment: Autonomy increases the risk of AI systems acting in ways that diverge from
human values, necessitating governance strategies that align AI objectives with societal goals.
Speed and scale
1. Rapid deployment risks: The speed at which AI technologies can be developed and deployed
outpaces regulatory responses, raising concerns about unforeseen consequences and societal
impacts.
2. Global coordination: The scalable nature of AI means its effects can transcend national borders,
requiring international governance frameworks to address global challenges posed by AI
technologies.
A comprehensive approach to AI governance: potential for harm/misuse and data dependency
Potential for harm or misuse
1. Malicious use
2. Proactive risk assessment
Data dependency
1. Data privacy concerns
2. Data quality and bias
A COMPREHENSIVE APPROACH TO AI GOVERNANCE (CONT.)
Potential for harm or misuse
1. Malicious use: AI's capabilities can be exploited for harmful purposes, necessitating governance
frameworks focused on preventing misuse and ensuring safe development practices.
2. Proactive risk assessment: Effective governance must include mechanisms for ongoing risk
assessment to anticipate potential harms and implement safeguards before they manifest.
Data dependency
1. Data privacy concerns: AI’s reliance on large datasets raises significant privacy issues, necessitating
governance policies that protect individual rights and ensure ethical data use.
2. Data quality and bias: Poor-quality or biased data can lead to flawed AI outputs, making it crucial
for governance to enforce standards for data collection, curation and validation.
A comprehensive approach to AI governance: probabilistic vs. deterministic outputs
Probabilistic vs. deterministic outputs
1. Interpretability and decision-making
2. Regulatory approaches
3. Ethics
Probabilistic vs. deterministic outputs
1. Interpretability and decision-making: Probabilistic outputs can complicate decision-making
processes, requiring governance frameworks to clarify how uncertainty is communicated and
managed in AI systems.
2. Regulatory approaches: Different output types may require tailored regulatory approaches; for
instance, probabilistic systems might need more stringent guidelines around risk assessment and
user interpretation compared to deterministic systems.
3. Ethics: Ethical principles and ethics by design should be applied to combat misalignment and abuse
and to promote safety.
Governance structure
• Do you have an AI governance structure?
• Who implements and maintains it?
• Who writes policies and procedures?
• Who oversees development and testing or selecting the
AI system?
• Who champions development or implementation?
GOVERNANCE STRUCTURE
It is important to start slowly and build out. Where possible, practitioners should leverage existing
structures and emphasize that, while AI governance will introduce new processes, it will build atop and
integrate with existing governance processes for security and privacy. This can help gain organization-
wide buy-in.
• Determine the governance structure
• Do you have an AI governance structure already in place?
• Identify who has responsibilities for maintaining and implementing an AI governance
structure.
• Who writes the AI policies and procedures?
• Who oversees development and testing or selecting the AI system?
• Document the above decisions.
• Find an executive within the organization to be the champion for developing or
implementing the AI system.
• Increases the impact.
• Helps get other stakeholders to support the total effort.
Governance models
(Diagram: three models, Centralized, Decentralized and Hybrid, each illustrated with Teams A, B and C.)
GOVERNANCE MODELS
• AI governance structure is highly dependent upon the organizational structure and culture.
• To help identify recommendations and effective ways to build out AI governance properly from the
beginning, engage leadership and existing governance teams early.
• Types of governance models:
• Centralized model: leaves one team or person responsible for AI-related affairs and all
other people or organizations flow through this point.
• Decentralized model: also known as "local governance," it delegates decision-making
authority to lower levels in the organization, away from a central authority. Fewer tiers in
the organizational structure allow for a wider span of control and a bottom-to-top flow of
decision-making and ideas; governance is integrated into the development tools teams
already use.
• Hybrid model: allows for a combination of centralized and local governance; typically seen
when a large organization assigns an individual the main responsibility for AI affairs and local
entities fulfill and support the policies and directives from the central governing body.
Regardless of the governance structure, a strongly defined set of roles and responsibilities will aid all
personnel in knowing their specific roles, where to go for help and how to empower themselves and
others to be successful as AI products are developed, evaluated and released.
Establishing AI governance
• Establish and understand roles and responsibilities of AI governance people and groups
ESTABLISHING AI GOVERNANCE
• Establish and understand the roles and responsibilities of AI governance people and groups.
• Privacy, ethics, RAI (responsible AI), governance and legal personnel all look at similar
aspects of the same things; that is, legal and policy compliance.
• Designers, developers, builders, marketers and managers should also be part of AI
governance. This provides an opportunity to communicate and helps ensure policy goals,
business goals and tech realities align.
• Examples of roles and teams include:
• Chief privacy officer.
• Chief ethics officer/ethics board.
• Office for responsible AI.
• Legal advisors and department.
• Architecture steering groups.
• AI project managers.
• Risk management officer.
• Procurement.
• Human resources.
• Marketing and sales department representatives.
• Security/IT.
• Engineering/data management.
(Note that some of the above could constitute some of the same people/offices in an
organization.)
• Assist personnel to understand:
• Their specific roles.
• Where to seek assistance.
• How to empower themselves in the AI development and release process.
Establishing AI governance
• Establish and understand roles and responsibilities of AI governance people and groups
• Include researchers, data scientists, AI and ML engineers and non-AI engineers
ESTABLISHING AI GOVERNANCE
Include researchers, data scientists, AI and ML engineers and non-AI engineers
• Researchers can help identify key risks for the organization and core principles to uphold.
• Data scientists and AI/ML engineers will provide practical considerations, such as how to measure AI
systems, capabilities and limits of AI and other development-focused needs that help drive how AI
governance works in practice.
• Non-AI engineers will:
• Help generate questions about AI generally.
• Have a strong operations perspective that will be critical to determine how to take AI
capabilities and drive them into implementation and product release processes.
Support from leadership
1. Identify leadership already using AI
2. Explain how responsible AI is a differentiator
3. Show why/how the organization can govern AI
SUPPORT FROM LEADERSHIP
It is crucial to gain AI governance leadership support at the earliest opportunity. A holistic
organizational approach with support from leadership can help influence behavioral and cultural
change.
Three considerations for engaging leadership when kicking off an AI governance program:
1. Identify any leadership already using AI who would support improved governance and structure.
This is important given growing pressure on teams to build AI solutions quickly and efficiently.
Pressure may come from various stakeholders such as internal leadership, shareholders and
customers. Understanding these pressures and demonstrating how effective AI governance helps to
safely and responsibly launch AI solutions are key to gain needed support.
2. Explain how responsible AI is a differentiator and why current programs and public- or
customer-facing information are insufficient on their own. For example, improved forms of AI-focused
transparency grounded in governance can make products more appealing to customers.
3. Show why and how your organization and leadership can govern AI.
• Requires a clear understanding of data science and model operations teams. For example,
developing ML models may require extensive investment in AI software engineers and costly
hardware and software. In addition, development can be a long, slow process.
• Proactively identifying challenges and presenting possible solutions helps ensure
your message is well-received by leadership and stakeholders.
• Explain legislation that may impact the organization and showcase existing regulatory
statements. Express concerns and questions about AI to emphasize why a strong
governance program helps mitigate risk and demonstrate the organization’s commitment to
building trustworthy products.
Approaches will differ depending on the nature of the organization. Select the best ones for the
organization’s structure and processes.
Be transparent with leadership about the maturity of the AI governance program. This may lead the
organization to hold off on deploying more advanced AI capabilities until governance is sufficiently
built out to support them.
CHAT
Let’s talk about…
Consider who the AI stakeholders are in your organization. What are some methods to engage
stakeholders on issues in AI governance?
Engaging other stakeholders
• Determine who the stakeholders are
• Involve stakeholders early
• Define the business case
• Assess whether AI is the right solution
• Continuously evaluate progress
• Identify risks and establish responsibility
ENGAGING OTHER STAKEHOLDERS
• Determine who the stakeholders are.
• Soliciting suggestions from leadership and existing governance teams is a valuable starting
point to gather recommendations and build out AI governance.
• Include the users when possible.
• Aim for diversity of input along other dimensions as well, such as age, gender, race, region
and culture, particularly for testing and assessment.
• Involve stakeholders early in the process.
• When starting AI governance, involve existing stakeholders who can help support build out.
• Leverage existing structures and build on previous lessons as they apply to AI.
• Define the business case.
• It is important for stakeholders to determine the goal for AI use.
• What is the cost/benefit analysis? What are the tradeoffs in using AI/ML vs. other solutions?
• What will the organization’s declared position on AI use be, externally and internally?
• The business case should align with the organization or business unit mission and vision;
otherwise, it will not be prioritized and funded.
• Ask the stakeholder group to assess whether AI is the right solution.
• Is it suitable for the mission and for the purpose that needs to be addressed?
• Provide an opportunity for the group to continuously evaluate success toward the goal and
mitigate issues during the development life cycle.
• What are the risks, both internal and external, to AI use?
• Risk identification is discussed in greater detail in the next lesson.
Note: In some cases, these activities are undertaken by a smaller internal committee, such as an AI
review committee or an ethics committee, as opposed to the larger stakeholder group, which has a
broader membership and can include external members.
Training and awareness for stakeholders
(Diagram: three focus areas, AI terminology, AI strategy and AI governance.)
TRAINING AND AWARENESS FOR STAKEHOLDERS
• The information covered in such programs will differ from organization to organization.
• Tailor AI training and awareness efforts to the needs of the organization in the same way AI
governance structures and approaches are tailored.
• Focus on the organization’s use of AI and its AI governance practices, not on AI expertise in
general.
• This is an opportunity to communicate important information about the organization’s
policies and answer questions stakeholders have.
• Concentrate efforts on three main areas: AI terminology, AI strategy and AI governance, in
relation to the organization’s use of AI.
• Include both the technological and the human dimensions of AI: how it works (the techniques and
the technologies) and its impact on people (i.e., privacy, agency, etc.). AI techniques frequently aim
to emulate, and even surpass, human cognitive processes, making the human dimension of AI as
crucial as the technological dimension.
• Training on the purpose, limitations, and security and privacy controls for AI systems will be critical.
• For generative AI system use, training will be necessary to ensure employees do not provide
sensitive, personal or classified information to an AI program without awareness and required
approval.
• Be sure to train employees on permissible uses prior to providing any access to AI.
• Using multiple channels of information, such as email, intranet pages and workshops, can improve
reach and understanding.
• AI literacy is a requirement under the EU AI Act.
AI literacy
A lack of AI literacy can lead to mistrust, misuse and an inability to identify or mitigate potential
risks.
• Equips individuals and organizations with the necessary understanding to engage with AI
responsibly, ethically and effectively.
• Involves comprehending fundamental AI concepts, capabilities and limitations, and recognizing
potential benefits and risks.
• ISO/IEC 22989:2022 (Artificial intelligence concepts and terminology) establishes AI
terminology and describes AI concepts, helping to address a need for AI standardization.
AI LITERACY
• The skills, knowledge and understanding that allow individuals to engage with AI in an informed,
responsible and effective manner. It encompasses comprehending the fundamental concepts,
capabilities and limitations of AI, as well as recognizing its potential benefits and risks.
• Fundamentally important to AI governance because it equips individuals and organizations with the
necessary understanding to engage with AI responsibly, ethically and effectively. As AI becomes
more integrated into daily life, a lack of understanding can lead to mistrust, misuse and an inability
to identify or mitigate potential risks.
• Article 4 of the EU AI Act mandates that AI system providers and deployers ensure a “sufficient level
of AI literacy” for staff and others involved in operating and using AI systems on their behalf.
• The EU AI Office created a repository to provide examples of ongoing AI literacy practices.
ISO/IEC 22989:2022: Artificial intelligence concepts and terminology
Establishes terminology and describes concepts in the area of AI
• Defines over 100 key concepts in the field of AI.
• Addresses the need for AI standardization.
• Current lack of harmonization in language used in different global regulations.
• Using clear and universal standards helps create a more cohesive and consistent approach
to AI governance.
• Establishing a shared vocabulary can facilitate stakeholders working together for responsible
AI development and use.
Resources:
“Living Repository to Foster Learning and Exchange on AI Literacy.” European Commission, Feb. 4, 2025.
Mahay, Monica, Nils Müller and Erica Werneman Root. “Understanding AI literacy.” IAPP. Jan. 15, 2025.
ISO/IEC 22989:2022: Artificial intelligence concepts and terminology.
Note: Trainees do not need to purchase the ISO 22989:2022 standard to be successful on the AIGP exam. A
high-level understanding, as laid out here, is sufficient.
Operationalizing responsible AI practices
• Understand where AI is used and its role in the organization
• Set clear technical standards that are shared and adhered to
• Develop AI runbooks and playbooks
• Update internal legal organizational structures to reflect new
roles and responsibilities
OPERATIONALIZING RESPONSIBLE AI PRACTICES
• Understand where AI is used and its role in the organization.
• It could play a small or critical part within your organization. AI is growing in use in all
organizations.
• Set clear technical standards that are shared and adhered to.
• Develop AI runbooks and playbooks.
• Help ensure AI follows the rules of the organization; includes guidelines about what should and
shouldn’t be done with AI within the organization.
• Update internal legal organizational structures to reflect new roles and responsibilities.
• Everyone should be clear on the role they will play.
Creating a culture of responsible AI within an organization
• Highlight customer value and increased customer trust
• Recognize cultural variations
• Define responsible AI as a discipline
• Identify work roles and success measures for practitioners
• Set common AI terms and taxonomy for the organization
• Provide knowledge resources and training to personnel
CREATING A CULTURE OF RESPONSIBLE AI WITHIN AN ORGANIZATION
• Highlight customer value and increased customer trust.
• Incentivizes effective and safe AI products.
• Recognize cultural variations.
• Ensure that diversity is included and encouraged.
• Regularly assess organizational policies to ensure they promote inclusivity and do not
inadvertently disadvantage any group.
• Define responsible AI as a discipline.
• Reinforce the value of AI for the organization.
• Engage HR to identify work roles and success measures for practitioners so they are rewarded.
• Highlights the value of responsible AI.
• Fosters a strong governance community.
• Supports responsibly minded AI engineers.
• Set common AI terms and taxonomy for the organization.
• Ensures clarity and consistency across teams.
• Improves communication and collaboration among stakeholders.
• Reduces misunderstandings and fosters a unified approach to AI initiatives.
• Provide knowledge resources and training to personnel.
• Foster a culture that continuously promotes ethical behavior.
Practitioners should foster a strong community that can help keep tabs on development and inform AI
governance practitioners as well as leadership.
Application of trustworthy AI
How is trustworthy AI achieved?
• Embed trustworthy AI as part of the operating model
• Ensure the organization and the AI are following the stated processes
• Confirm AI systems are safe and secure
• Ensure the integrity of the AI
• Make sure AI enables human oversight and promotes human values
APPLICATION OF TRUSTWORTHY AI
How is trustworthy AI achieved?
• Embed trustworthy AI as part of the operating model.
• Achieved by practicing responsible AI processes.
• Operationalized with a risk management framework.
• A risk management framework will address privacy measures and requirements and ensure
accountability of the organization.
• Ensure the organization and the AI are following the stated processes.
• As the number of users, the volume of data or the scale of use grows, ensure the AI system can withstand these changes.
• Confirm AI systems are safe and secure.
• Ensure the integrity of the AI.
• Transparent and explainable.
• Fairness and nondiscrimination principles.
• Ensure AI enables human oversight and promotes human values.
AI governance framework development
Organizations must determine:
• Principles
• Risk tolerance
• Jurisdiction
• Industry/sector
• AI relationship to business strategy
• AI purpose
• Organization’s size/ability to implement
One size does NOT fit all
AI GOVERNANCE FRAMEWORKS
To build an AI governance framework, organizations must determine:
Principles: Identify your organizational principles
• Forms the foundation for your governance framework.
• Include all stakeholders in the discussion and capture all values.
• Why do you need AI processes?
• How restrictive/permissive is your organizational approach?
Risk tolerance
• What is the organization’s risk tolerance?
• Are there risks prohibited by your industry or jurisdiction?
• Will risk tolerance vary within the organization?
Jurisdiction
• Do you need to comply with multiple jurisdictions?
• Are you familiar with existing and emerging laws?
• Can you comply with all?
• Which risk factors are most critical to address?
Industry/sector: Does your industry or sector have specific requirements or standards?
AI relationship to business strategy
• Are you creating AI programs/processes?
• Are you using provided programs/processes?
• How well have you vetted the risks associated with the program?
• What compliance processes has the provider undergone for the program?
AI purpose (use case)
• Why do you need the AI program or process?
• Which department(s) will use it?
• Different uses require different frameworks.
• What is the risk level of an organization-wide program vs. specific to one department?
Organization’s size/ability to implement
• Align your framework to your ability to implement it.
• Verify your resources: monetary, technical and staff.
AI governance framework development
Consider your organization’s AI processes:
• Development
• Procurement
• Use
AI GOVERNANCE FRAMEWORK DEVELOPMENT
Use of AI: Each process will have different frameworks
• AI development
• Creating AI for your own use or for external sales.
• Who will use it?
• Has it met all jurisdictional requirements?
• How will you maintain/monitor it?
• AI procurement
• Purchasing/utilizing a third-party program/system.
• What is your vetting process?
• Has it met all jurisdictional requirements?
• What is the purpose for using this system?
• AI use
• What guidance/restrictions will you put into place within the organization?
• Who has access and why?
• What is the auditing process?
• Is this intended for permanent or temporary use?
• Does the use align with your principles and comply with regulatory requirements?
Identify the systems you are already using and determine whether they align with your organization’s
principles and jurisdictional requirements and determine their risk levels.
AI governance framework: ISO/IEC 42001:2023
Guidance for using AI responsibly and effectively, including the various aspects of AI and
applications an organization may use.
• Integrated approach to managing AI projects, from risk assessment to effective treatment of risks
• Process:
• Integrate the AI management system into the organization’s processes and management structure
• Consider issues related to AI in designing processes, information systems and controls
AI GOVERNANCE FRAMEWORK
ISO/IEC 42001:2023: Information technology ― Artificial intelligence ― Management system
Provides guidance for using AI responsibly and effectively, including the various aspects of
artificial intelligence and the different applications an organization may use.
• It takes an integrated approach to manage AI projects, from risk assessment to effective treatment
of these risks.
• Applies to organizations of any size and industry involved in developing, providing or using AI-based
products or services.
• Process:
• Integrate the AI management system into the organization’s processes and overall
management structure.
• Consider specific issues related to AI in the design of processes, information systems and
controls, such as:
• Determining organizational objectives, involvement of interested parties and
organizational policy.
• Managing risks and opportunities.
• Processes for managing concerns related to the trustworthiness of AI systems.
• Processes to manage suppliers, partners and third parties that provide or develop
AI systems for the organization.
Note: Trainees do not need to purchase the ISO 42001:2023 standard to be successful on the AIGP exam. A
high-level understanding, as laid out here, is sufficient.
AI governance framework: HUDERIA
• Creates a basis for legal frameworks from existing human rights laws
• Purpose: To help define and develop impact assessments based on the Council of Europe’s standards
• Eight principles and priorities to address specific AI-related challenges
AI GOVERNANCE FRAMEWORK
Council of Europe. "Methodology for the Risk and Impact Assessment of Artificial Intelligence Systems
from the Point of View of Human Rights, Democracy and the Rule of Law (HUDERIA Methodology)." Rev2,
Nov. 28, 2024.
Creates a basis for legal frameworks from existing human rights laws.
Purpose: To help define and develop impact assessments based on the Council of Europe’s
standards.
• Develop impact assessment models that incorporate human rights with AI-centered approaches.
• Apply a risk-based approach based on specific principles.
• Formulate a methodology of impact assessments that follow the proportionality principle.
• Develop a method for assessing and grading the likelihood of risks associated with an AI system.
Eight principles and priorities to address specific AI-related challenges:
• Human dignity.
• Human freedom and autonomy.
• Prevention of harm.
• Fairness, nondiscrimination, equality, diversity and inclusiveness.
• Data protection and the right to privacy.
• Democracy.
• Rule of law.
• Social and economic rights.
Process:
• Identify relevant human rights that could be adversely impacted.
• Assess the impact on those rights.
• Assess governance mechanisms to ensure the mitigation of risks, stakeholder involvement, effective
remedy, accountability and transparency.
• Monitor and evaluate the system continuously for sufficient response to changes in context and
operation.
REVIEW QUESTION 1
What are ways in which a practitioner can engage and attain buy-in for a responsible AI
program from organizational leadership? Select all that apply.
A. Identify early adopters or proponents among leadership.
B. Describe how responsible AI is a competitive differentiator.
C. Show how existing programs are sufficient to mitigate AI risk.
D. Show how the organization can anticipate and mitigate regulatory concerns and
demonstrate a commitment to trustworthy products.
Answers:
A. Identify early adopters or proponents among leadership.
B. Describe how responsible AI is a competitive differentiator.
D. Show how the organization can anticipate and mitigate regulatory concerns and demonstrate a
commitment to trustworthy products.
Ways to engage leadership and buy-in for a responsible AI governance program include:
1) Identifying early adopters or proponents — those in leadership already using AI who would support
improved governance.
2) Informing leadership how responsible AI can be a competitive differentiator.
3) Explaining applicable regulatory concerns for using AI, and how a strong governance program helps with
mitigation.
REVIEW QUESTION 2
What is the most important aspect of establishing a practical and responsible AI
governance program?
A. Identifying engineering teams building AI capabilities.
B. Understanding organizational structure and culture.
C. Understanding the competitor’s capabilities and governance programs.
D. Building a strongly hierarchical governance program for the organization.
Answer:
B. Understanding organizational structure and culture.
A practical and responsible AI governance program should always tailor AI governance to the context of the
organization. Those establishing the program should have a thorough understanding of the organization's
structure and culture.
-- 105 of 320 --
MODULE 3
LESSON 3
AI risk management
The topics in this lesson align to the following performance
indicators on the AIGP certification body of knowledge:
• Understand the NIST AI Risk Management Framework and
Playbook (e.g., the core functions, categories and subcategories)
• Identify and manage the internal and external risks and
contributing factors related to designing and building the AI model
and system (e.g., using probability/severity harms matrix, using a
risk mitigation hierarchy, stakeholder mapping, use case
evaluation, benchmarking, pre-deployment pilots and testing)
102
AI governance and risk management
LESSON 3: AI RISK MANAGEMENT
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Understand the NIST AI Risk Management Framework and Playbook (e.g., the core functions,
categories and subcategories) (II.D)
• Identify and manage the internal and external risks and contributing factors related to designing
and building the AI model and system (e.g., using probability/severity harms matrix, using a risk
mitigation hierarchy, stakeholder mapping, use case evaluation, benchmarking, pre-deployment
pilots and testing) (III.A)
-- 106 of 320 --
Operational risks
• High costs
• Hardware
• Storage
• High-speed network
• Skilled professionals
• Environmental
• Data corruption and poisoning
Operational risks of running an AI algorithm in your environment
103
Module 3: AI governance and risk management
OPERATIONAL RISKS
Operational risks of running an AI algorithm in your environment
• High costs.
• Hardware.
• AI systems require powerful hardware to run, including specialized processors such as
graphics processing units (GPUs) alongside conventional central processing units (CPUs).
• Storage.
• AI systems require a large volume of training data; a single training set can contain over
500,000 pieces of data.
• High-speed network.
• 10 GbE or faster.
• Skilled professionals to run AI system.
• No-code or low-code systems exist, but if the organization is developing its own AI
model, it will need data scientists; typically requires high salaries and must be hired,
retained and trained to keep skills current.
• Environmental — twofold.
• Detriment to the environment/negative cost; e.g., increased carbon footprint or
greater resource utilization leading to natural resource depletion.
• Cost of running green/environmentally friendly.
• Data corruption and poisoning.
• Occurs when data is insecure or lacks proper guardrails (e.g., when identity and access
management is weak).
• Data corruption and poisoning can then lead to bad data decision-making, such as
inaccurate health care decisions.
-- 107 of 320 --
Legal risks
• Compliance with complex laws and regulations
• Legal and financial repercussions
• Intellectual property disputes
• Human rights violations
• Reputational damage
Legal challenges of running an AI algorithm in your environment
104
Module 3: AI governance and risk management
LEGAL RISKS
Legal challenges of running an AI algorithm in your environment.
• AI systems must comply with a complex web of laws and regulations.
• Noncompliance can result in significant legal and financial repercussions, including liability for harm
caused by AI decisions.
• Legal risks encompass intellectual property disputes, human rights violations, and reputational
damage.
Organizations should establish comprehensive AI governance frameworks to ensure adherence to
relevant laws. Proactive measures, such as regular legal reviews and collaboration with legal experts,
can help organizations navigate these challenges and maintain trust with stakeholders.
-- 108 of 320 --
Security risks
• Internal and external threats
• Potential blind spots
To mitigate these risks, implement human oversight,
regular audits and continual updates to AI systems.
Security vulnerabilities of running an AI algorithm in your environment
105
Module 3: AI governance and risk management
SECURITY RISKS
Security vulnerabilities of running an AI algorithm in your environment
• Internal and external attacks
• Malicious actors manipulating input data to alter AI outputs
• Ensure robust security measures are in place
• Potential blind spots
• AI-driven systems may not detect novel attack patterns
• Hallucinations
• Deepfakes
• Training data poisoning
• Data leakage
• False sense of security
• Misuse of AI
• Must have human oversight, regular audits and continual updates to AI systems
-- 109 of 320 --
Privacy risks
Risks that endanger an individual’s privacy
• Data persistence
• Data repurposing
• Data spillover
• Data collected from the AI algorithm/model itself
106
Module 3: AI governance and risk management
PRIVACY RISKS
Risks that endanger an individual’s privacy
• Data persistence
• Data can persist longer than the human subjects who created it; generally, this should not
happen
• Good practice is to delete the data after the human subject is gone, unless there is consent
for the data to remain or a purpose for the data to be retained
• E.g., a family wishes to have access to photos or social media, or there is a legal necessity to
retain the data
• Data persistence may happen if an organization keeps the data beyond the lifespan of the
data subject
• Data repurposing
• Data being used beyond its originally specified purpose
• May be intentional or unintentional
• Data users may not be trained to know which purposes are aligned with each other
and which purposes require additional supervision, verification, etc.
• Data spillover
• Data is collected on people who are not the target of the data collection; e.g., from
surveillance
• Data collected/derived from the AI algorithm/model itself
• Challenges with informed consent (transparency with the data subject and consent that is
freely given), providing the data subject with the option to opt out, limiting data collection,
limiting creation of certain pieces of derived data, describing the nature of the AI processing
to the data subject, and deleting personal data upon the request of the data subject (part of
the data subject’s right)
-- 110 of 320 --
Business risks to the organization
• Bias and discrimination
• Job displacement
• Dependence on AI vendors
  • Vendor lock-in
  • Lack of accountability to the final customer
• Lack of transparency
• IP infringement
107
Module 3: AI governance and risk management
BUSINESS RISKS TO THE ORGANIZATION
• Bias and discrimination can be fed by:
• Bad quality training data; bad/lack of labeling practices or bad/lack of good transformation
practices
• Bad quality AI algorithms, which may result in lack of or bad algorithm tuning
• Job displacement
• AI can automate tasks and jobs
• Not just manual jobs, but also processes
• Dependence on AI vendors
• A lot of AI startups
• Vendor lock-in makes it difficult to switch from one vendor to another (impacts
flexibility)
• Vendor failure is possible (e.g., bankruptcy)
• What happens if the vendor gets bought out? Does the new owner get all of your org’s data,
and what can they do with it?
• Vagueness around liability/accountability to the final customer
• May be the organization or the data subject
• Lack of transparency
• Avoid treating AI as a "black box"
• Document the logic of the AI and the envisioned risks to the data subject and the business
• Intellectual property infringement
• Relates to copyright, patents and trademarks, etc.
• If the AI scrapes the internet, it may use somebody else’s intellectual property and claim it as
its own
-- 111 of 320 --
Business risks to the organization
Regulatory and legal risks
• Compliance with laws and regulations
• Liability for harm caused by the AI system
• Intellectual property disputes
• Human rights violations
• Reputational damage
• Socioeconomic inequality
• Social manipulation
• Opaque decision-making
• Lack of human oversight
108
Module 3: AI governance and risk management
BUSINESS RISKS TO THE ORGANIZATION
Regulatory and legal risks
• Compliance with laws and regulations
• Liability for harm caused by the AI systems
• Intellectual property disputes
• Human rights violations
• Reputational damage
• Socioeconomic inequality
• Social manipulation
• Opaque decision-making
• Lack of human oversight
-- 112 of 320 --
AI and risk
Aligning strategies
• Gaps are likely to be exploited
• Incorporate AI into existing risk management strategies (security/operational risk
strategy, privacy risk strategy, business risk strategy)
• Or take a holistic approach
Module 3: AI governance and risk management
109
AI AND RISK
Aligning strategies
All of the organization’s risk management strategies need to be aligned to avoid security gaps that may
result in incidents.
• Strategies may have an AI component, or AI may have its own risk management strategy.
• An organization may have a security/operational risk strategy, privacy risk strategy and business risk
strategy, all with an AI component to them, or it may have a holistic AI risk management strategy.
• In identifying and planning for the risks, both internal and external, to AI use, an organization should
seek to:
• Conduct a risk analysis and determine contributing factors.
• Determine what risks can be mitigated.
• Establish who is ultimately responsible for risks and mitigation of AI, as well as any failures of
a system after implementation.
• Identified risks, risk analysis, management plan and mitigations, and the responsible
party can be documented in a preliminary analysis report. This report can be
incorporated into an existing data management plan, privacy impact assessments or
authority to operate process.
-- 113 of 320 --
Building AI assessment processes
• Use external frameworks and publications
• Adapt the framework for external procurement or
internal development of AI-based solutions
• Focus on key AI risks and needs based on the
organization’s AI principles, values and standards
• Contrast the assessment against existing assessments
110
Module 3: AI governance and risk management
BUILDING AI ASSESSMENT PROCESSES
• As you begin to build AI assessment processes, use:
• External frameworks (e.g., NIST AI Risk Management Framework and ISO)
• Academic publications and any produced by the organization
• Adapt the framework for external procurement or internal development of AI-based
solutions
• Focus on key AI risks and needs based on the organization's AI principles, values and any
standards developed within the organization
• Examples of principles an assessment should investigate are fairness, bias, transparency and
safety
• Contrast the assessment against existing assessments, such as privacy reviews for the purposes
of:
• Identifying areas of commonality
• Simplifying the overall compliance processes expected for AI products
• Reinforcing leadership support, as leaders see that processes are being optimized and
de-duplicated to keep product release timelines aligned with the pace of market developments
-- 114 of 320 --
Risk assessment
Context-specific
• Owner and operator
• Industry and use case
• Social impacts
• Timing
• Jurisdiction
111
Module 3: AI governance and risk management
RISK ASSESSMENT
Context-specific
Risk assessment is critical to the successful governance of AI systems, but is context-specific as to the:
• Owner and operator
• Specific industry and use case
• Potential social impacts
• Timing and use of AI
• Jurisdictional controls
Because of this, assigning values and identifying and measuring AI against accepted standards are key
aspects of implementing reasonable risk controls.
-- 115 of 320 --
Risk calculation
• Business purpose and planned uses of the AI
• Potential harms
• Descriptions of the data used to train the AI
• Functionality
• Performance metrics
• Benchmarking
• Third-party risk
Is the AI producing the desired outcome?
112
Module 3: AI governance and risk management
RISK CALCULATION
Is the AI producing the desired outcome?
• Risk assessment helps organizations identify which AI systems or parts of the AI system need
additional governance measures
• In addition to risk scoring, organizations can use certain criteria or categories in risk assessment to
determine if the outcome of developing and using AI is appropriate and producing the desired
outcome
• Business purpose and planned uses of the AI
• What is the intended task of the AI?
• What is it going to achieve?
• Has the organization been sufficiently transparent around how the AI works and
what the intended consequences might be?
• Potential harms, including false positives and negative predictions
• Descriptions of the data used to train the AI, including sensitive data
• Functionality
• How does it function?
• Is it robust, i.e., scalable? Can it withstand greater or lesser use?
• Performance metrics
• Benchmarking the AI against established and known processes; i.e., whether the AI has or
will be evaluated against alternate approaches
• Third-party risks: Determine and include the risks raised by involving third parties
• Consider those risks from start to finish — what risks might be introduced when you
terminate your involvement with the third party?
-- 116 of 320 --
AI system impact assessments
Purposes of an AI system impact assessment (AIIA)
• Identifying/mitigating risks earlier
• Protecting human rights and freedoms
• Aligning with standards and legal requirements
• Building trust and accountability
• Informing responsible AI development/deployment
Key areas in an AIIA
• Privacy and security risks
• Bias and discrimination
• Transparency and explainability
• Accountability
• Societal and environmental impacts
ISO 42005
113
Module 3: AI governance and risk management
AI SYSTEM IMPACT ASSESSMENTS: ISO 42005
Purposes of an AI system impact assessment (AIIA)
• Identifying risks early in the design process and implementing measures to reduce or eliminate
them.
• Protecting fundamental human rights and freedoms, especially for vulnerable or underrepresented
groups, by evaluating impacts on privacy, fairness and equality.
• Helping organizations to align with international standards and legal requirements, which may
mandate these assessments for high-risk AI applications.
• Building trust and accountability with customers, users and regulatory bodies by transparently
assessing and addressing potential impacts.
• Informing responsible development and deployment of AI, maximizing the benefits while minimizing
risks. May guide decisions on whether to proceed with an AI project.
Key areas covered in an AIIA
• Privacy risks and how personal data is collected, processed and protected.
• Bias and discrimination.
• Transparency and explainability: the extent to which system decisions can be understood by users
and auditors.
• Who is accountable for outcomes and errors of the AI system.
• Security risks that could lead to harm or misuse.
• Broad impacts on economic structures, cultural norms, political stability and the environment.
ISO/IEC 42005:2025 is an international standard that provides structured guidance for conducting AI
system impact assessments.
Resource: ISO/IEC 42005:2025: AI system impact assessment, 2025.
-- 117 of 320 --
The NIST AI Risk Management Framework (RMF)
A guide for managing risk and incorporating trustworthiness
considerations into AI design, development, use and evaluation
• Review and hold accountable risk management structures
• Equip the right people with the right tools
Four core functions:
1. Govern
2. Map
3. Measure
4. Manage
114
Module 3: AI governance and risk management
THE NIST AI RISK MANAGEMENT FRAMEWORK (RMF)
• A guide to manage risk and incorporate trustworthiness into AI design, development, use and
evaluation
• Review and hold accountable risk management structures
• Determine and document roles and responsibilities
• Equip the right people with the right tools to support AI risk management
• It identifies seven characteristics of trustworthy AI:
1. Valid and reliable
2. Safe
3. Secure and resilient
4. Accountable and transparent
5. Explainable and interpretable
6. Privacy-enhanced
7. Fair with harmful bias mitigated
• Four core functions:
1. Govern: Cultivate and implement a culture of risk management; this function is infused
throughout AI risk management and enables the other functions
2. Map: Identify use and risks related to use
3. Measure: Assess, analyze and track risks
4. Manage: Prioritize risks and act based on projected impact
• The NIST AI RMF Playbook includes suggested actions to accomplish the core functions.
• NIST has a companion document to the RMF for generative AI, the Generative AI Profile.
Resources
NIST AI RMF Playbook, updated February 6, 2025.
NIST AI RMF: Generative AI Profile, July 2024.
-- 118 of 320 --
The NIST ARIA program
ARIA (Assessing Risks and Impacts of AI) is:
• A plan for assessing LLMs
• An evaluation system to improve tools, measurement methods and metrics used to
evaluate models and improve trustworthiness and decision-making
• A process to assess risks related to positive and negative outcomes in use contexts
115
Module 3: AI governance and risk management
THE NIST ARIA (ASSESSING RISKS AND IMPACTS OF AI) PROGRAM
ARIA is:
• A system to assess LLMs based on predefined scenarios and testing approaches
• Designed to improve tools, measurement methods and metrics necessary to evaluate models,
improve the trustworthiness of AI applications and enable better decisions for acquiring or
deploying AI
• Intended to:
1. Confirm claims about AI model capabilities
2. Red team LLMs to stress controls and guardrails for sufficiency
3. Field test how real-world use occurs
The initial ARIA activities focus on risks related to gen AI; future iterations will be broader.
Resource
NIST, "NIST Launches ARIA, a New Program to Advance Sociotechnical Testing and Evaluation for AI,"
May 28, 2024.
-- 119 of 320 --
Scenario 1
Insurance company Acme organized its internal AI program according to the NIST AI RMF and
certain guidelines from the National Association of Insurance Commissioners' principles on AI,
which are similar to the OECD’s.
Acme’s interpretation of the RMF and NAIC guidance is that AI programs should have
documentation and supporting records. Therefore, if Acme purchases products or services
incorporating AI, it will require supporting documentation from the provider.
Acme’s assistant chief AI officer, Alecia, evaluates third-party contracts of AI purchases. She
is asked to fast-track the purchase of a third-party AI platform, Diaspro.
Module 3: AI governance and risk management
Continued on next slide
116
SCENARIO 1
Insurance company Acme organized its internal AI program according to the NIST AI RMF and certain
guidelines from the National Association of Insurance Commissioners’ 2023 Principles on AI, which are
similar to the OECD’s.
Acme’s interpretation of the RMF and NAIC guidance is that AI programs should have documentation
and supporting records. Therefore, if Acme purchases products or services incorporating AI, it will
require supporting documentation from the provider.
Acme’s assistant chief AI officer, Alecia, evaluates third-party contracts of AI purchases. She is asked to
fast-track the purchase of a third-party AI platform, Diaspro.
Continued on next slide
Resource
National Association of Insurance Commissioners (NAIC) Principles on Artificial Intelligence (AI), August
2020.
-- 120 of 320 --
Scenario 1 (continued)
When Alecia requests documentation of Diaspro’s ML model development and how fine-
tuning is supported (including whether Diaspro uses its own ML), Diaspro does not provide
the requested documentation. Instead, it provides contract warranties and indemnification
in case issues arise and offers to share third-party audit results from the prior year. Diaspro will
not share the underlying work papers for the audit, saying they are confidential.
Alecia does not believe there are regulatory requirements for Diaspro to capture information
about ML development and fine-tuning. However, she questions whether contract warranties,
indemnification and third-party audit results are sufficient documentation for Acme’s needs.
Module 3: AI governance and risk management
Continued on next slide
117
SCENARIO 1 (CONTINUED)
When Alecia requests documentation of Diaspro’s ML model development and how fine-tuning is
supported (including whether Diaspro uses its own ML), Diaspro does not provide the requested
documentation. Instead, it provides contract warranties and indemnification in case issues arise and
offers to share third-party audit results from the prior year. Diaspro will not share the underlying work
papers for the audit, saying they are confidential.
Alecia does not believe there are regulatory requirements for Diaspro to capture information about ML
development and fine-tuning. However, she questions whether contract warranties, indemnification
and third-party audit results are sufficient documentation for Acme’s needs.
-- 121 of 320 --
Scenario 1 (continued)
Questions to consider:
• Should Alecia make a determination without approval from the chief AI officer?
• What organizational considerations related to AI governance in this lesson could provide
guidance for Acme’s decision?
Module 3: AI governance and risk management
118
SCENARIO 1 (CONTINUED)
Questions to consider:
Should Alecia make a determination without approval from the chief AI officer?
The answer is likely context-sensitive and dependent on Acme’s AI governance policies, which
should include information on its processes and roles/responsibilities.
What organizational considerations related to AI governance in this lesson could provide guidance for
Acme’s decision?
Answers include:
• Create policies to manage third-party risk, to ensure end-to-end accountability.
• Be prepared for changes, new products and possibilities.
-- 122 of 320 --
REVIEW QUESTION 1
Given that organizations have finite resources, including those dedicated to risk
management, how should they prioritize those resources to adequately govern
AI systems?
A. Allocate resources equally across all risk levels
B. Focus the majority of resources on high-risk areas
C. Distribute resources based on stakeholder preferences
D. Prioritize resources based on the cost of implementation
119
Module 3: AI governance and risk management
REVIEW QUESTION 1
Given that organizations have finite resources, including those dedicated to risk management, how
should they prioritize those resources to adequately govern AI systems?
A. Allocate resources equally across all risk levels
B. Focus the majority of resources on high-risk areas
C. Distribute resources based on stakeholder preferences
D. Prioritize resources based on the cost of implementation
Answer: B
Organizations must develop policies and processes to assess risk levels and then allocate their resources
accordingly; i.e., by focusing resources on high-risk- and medium-risk-rated AI. Focusing on high-risk areas
ensures that the most critical risks are addressed first, aligning with best practices in risk management.
-- 123 of 320 --
REVIEW QUESTION 2
The NIST AI Risk Management Framework notes that "organizations can establish
board committees for AI risk management and oversight functions and integrate those
functions within the organization’s broader enterprise risk management approaches."
What are examples of how organizational management can demonstrate this?
120
Module 3: AI governance and risk management
REVIEW QUESTION 2
The NIST AI Risk Management Framework notes that "organizations can establish board committees for
AI risk management and oversight functions and integrate those functions within the organization’s
broader enterprise risk management approaches."
What are examples of how organizational management can demonstrate this?
Answers:
• Support AI risk management roles at all levels of the organization.
• Ensure appropriate authority and resources to perform risk management are allocated throughout the
organization.
• Determine and document roles, responsibilities and delegation of authorities to personnel involved in the
design, development, deployment, assessment and monitoring of the AI.
• Ensure AI solutions provide sufficient information to assist in making informed decisions and document
accordingly.
• Allocate roles, responsibilities and authority to relevant stakeholders.
-- 124 of 320 --
Module 4
AI regulation
MODULE 4: AI REGULATION
Introduction
Artificial intelligence has moved from the realm of voluntary ethics to binding legal requirements. The
European Union’s AI Act, South Korea’s AI Basic Act, new U.S. state laws, China’s generative AI
regulations, and Japan’s and India’s governance measures all mark a decisive shift: organizations can no
longer treat AI oversight as optional.
What unites many of these laws is a shared structure: they classify AI by risk, impose obligations on
providers and deployers, require documentation and transparency, and create enforcement pathways
with significant penalties. Yet each jurisdiction introduces its own variations, whether it is South Korea’s
emphasis on high-impact AI, U.S. states’ focus on discrimination and transparency, or China’s priority
on safety and content controls.
This module equips you to recognize those common threads and navigate the differences. It offers a
practical framework to evaluate AI laws across jurisdictions, helping you identify where obligations
align, where they diverge, and what this means for organizations building or deploying AI systems
globally.
-- 125 of 320 --
MODULE 4: AI regulation
LESSON 1
Overview of AI regulation
Lesson topics:
• Understand the evolving landscape of AI regulation
and global implications
• Understand key definitions in AI laws
• Recognize global AI-specific legislation
122
LESSON 1: OVERVIEW OF AI REGULATION
Lesson topics:
• Understand the evolving landscape of AI regulation and global implications
• Understand key definitions in AI laws
• Recognize global AI-specific legislation
-- 126 of 320 --
Existing and emerging global AI regulation
• Specific areas of focus
  • Automated decision-making
  • Industry-based
  • Employment
• Overarching regulations (e.g., the EU AI Act; South Korea AI Basic Act)
• Amending existing laws and regulations (e.g., Brazil)
Often build off existing data protection and privacy laws
123
Module 4: AI regulation
EXISTING AND EMERGING GLOBAL AI REGULATION
Artificial intelligence is now regulated by a growing number of binding laws.
• Across regimes, a risk-based approach is consistent: higher-risk systems face stricter obligations,
while low-risk applications are lightly regulated
• Providers, deployers and distributors are given distinct responsibilities, with additional duties
emerging for general-purpose AI models
• Laws share a common regulatory DNA: risk-based classification, role-based responsibilities and
transparency requirements
• What differs is how each jurisdiction defines risk and how obligations are distributed across
providers, deployers, importers and distributors
AI regulations with a variety of approaches:
• Specific areas of focus:
• Automated decision-making
• Industry-based: e.g., health care, finance, transportation
• Employment
• Overarching regulations: e.g., the EU AI Act; South Korea’s AI Basic Act
• Amending existing laws and regulations: e.g., Brazil
Proposed regulatory frameworks often build off existing data protection and privacy laws
• Requiring similar risk assessments and auditing processes
• Transparency is a primary concern
Regulation discussion seems to be focused heavily on the EU, but other jurisdictions are also deliberating
these frameworks and developing regulatory requirements. It is critical that AI governance professionals are
aware of these other regulations and understand how and if they impact their organizations.
-- 127 of 320 --
Global AI regulation
Alignment and dissonance
• No one-size-fits-all approach to AI regulations
• Remain alert to regulatory requirements and be prepared to adjust accordingly
• To comply with regulations in multiple jurisdictions, develop a compliance strategy
based on strictest requirements and harmonize into a unified framework
124
Module 4: AI regulation
GLOBAL AI REGULATION
Alignment and dissonance
• Risk-based vs. rights-based
• Regulatory vs. voluntary
• AI, ML or both
• Overarching (e.g., EU AI Act or federal laws), regional (e.g., state law), sectoral or industry regulated
• Laws already in place that address AI and ML
Organizations must remain alert to regulatory requirements, both existing and emerging, that apply
to where they do business
• Know what AI programs are in use
• Identify potential risks
• Have processes in place for AI governance and management
• Be flexible, ready to adjust to changing requirements
To ensure an AI system complies with the regulatory requirements of multiple jurisdictions, develop a
compliance strategy based on the strictest requirements across the applicable regulations (EU AI Act,
local regulations, laws governing specific sectors, etc.). Then, harmonize them into a unified compliance
framework.
For details on AI legislative policy and developments for different jurisdictions, see the IAPP’s Global AI
Legislation Tracker.
-- 128 of 320 --
Key terms
Role-based responsibilities
PROVIDER: Develops AI systems and makes AI systems available
DEPLOYER: Uses or implements AI systems for a professional purpose or goal
125
Module 4: AI regulation
KEY TERMS: ROLE-BASED RESPONSIBILITIES
Role-based responsibilities form a crucial component of the global AI regulation framework. These
responsibilities define the obligations of various stakeholders involved in the development,
deployment and distribution of AI systems.
• Although exact terminology may differ across jurisdictions, these roles are consistently recognized in
numerous legal frameworks.
Provider: The entity or organization that develops and makes AI systems available on the market,
whether directly or through a third party. Providers are sometimes referred to as "developers."
Responsibilities: Providers have the most extensive obligations because they control the design,
testing and risk mitigation strategies for AI systems.
• Obligations extend across the entire life cycle of the AI system, including post-market
monitoring and transparency.
• Responsible for ensuring that the AI system complies with laws from the design stage to its
deployment.
Example: A technology company developing an AI-based diagnostic tool for health care would be
classified as a provider. In South Korea, a developer releasing a high-impact AI system must
establish risk management and documentation measures before launch.
Deployer: The entity or professional user who applies an AI system for a specific purpose or goal.
Responsibilities: Deployers are primarily responsible for the safe and ethical use of AI systems in
their operations.
• Must ensure they adhere to all relevant regulatory requirements concerning transparency,
fairness, human oversight, data protection and monitoring risk.
Example: A hospital using the AI diagnostic tool developed by a provider to assist doctors in making
clinical decisions would be the deployer of that system. In Colorado (SB 24-205), a bank using AI for
loan approvals is treated as a deployer and must conduct an algorithmic impact assessment before
deployment.
Note that the roles of provider and deployer are not clearly distinct – there is a fine line
separating these roles, and it is possible to cross from one to the other.
• Deployers need to be particularly careful because they can become providers and take on those
additional obligations.
• A deployer could become a provider by making a substantial modification to a high-risk AI
system, or by modifying a system that was not previously high risk in a way that makes it high risk.
Key terms: Role-based responsibilities
PROVIDER: Develops AI systems and makes AI systems available
DEPLOYER: Uses or implements AI systems for a professional purpose or goal
IMPORTER: Places a third-country AI system on the domestic market
DISTRIBUTOR: Makes an AI system available on the market
KEY TERMS: ROLES DEFINED
Importer: Any entity that brings an AI system into the domestic market from a third country. Under
the EU AI Act, importers bringing AI products/services into the EU must be located or established in
the EU.
Responsibilities: Importers are responsible for ensuring that the third-country AI system complies
with relevant laws before it is made available on the market.
Example: A U.S.-based AI company selling its AI-driven financial services tool in the EU must have a
designated importer in the EU who ensures that the tool complies with EU regulations before it is
deployed.
Distributor: An entity, other than the provider or importer, that makes an AI system available on the
market.
Responsibilities: Distributors ensure conformity and proper handling of AI systems within the
supply chain and must ensure that the AI systems they handle meet all compliance requirements
before they reach end users.
Example: A domestic technology vendor in South Korea that imports and resells AI solutions
developed overseas is treated as a distributor under the AI Basic Act. It must confirm that “high-impact”
AI systems meet local compliance requirements, including documentation, labelling and human-oversight
obligations, before they are placed on the Korean market.
United States: Executive Orders
UNITED STATES
Executive Orders
• Executive Order, Ensuring a National Policy Framework for Artificial Intelligence
• Signed 11 December 2025
• Goal: Dissuade new state-level AI legislation, and discourage state-level AI regulations viewed as
excessive, by linking federal funding eligibility to compliance
• Federal policy will not preempt state laws in children’s online safety or state government
procurement and use of AI
• Enforcement and compliance challenges
• Criteria for Dept. of Commerce evaluations of AI laws for constitutional compliance and
Dept. of Justice litigation thresholds remain unclear
• Courts may pause or nullify parts of state AI laws, creating complex compliance scenarios for
companies
• Follow IAPP news for developments on this Executive Order
• Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence
• Signed 23 January 2025; replaces the rescinded Executive Order on Safe, Secure, and
Trustworthy Development and Use of Artificial Intelligence (14110)
• July 2025: White House released America’s AI Action Plan
• Outlines over 90 federal actions
• Supported by three new executive orders and organized under three pillars: 1) accelerating
innovation, 2) building AI infrastructure and 3) international leadership and security
• Focus areas include streamlined permitting, expanded AI exports and ensuring government
AI use is ideologically neutral
Resource
Duball, Joe. “U.S. President Trump signs state AI executive order, legal questions remain.” IAPP, 12
December 2025.
United States: Federal guidance; Existing regulatory requirements
UNITED STATES
Federal guidance
• Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People
• Framework released by White House Office of Science and Technology Policy in Oct. 2022
• Five principles to guide the design, use and deployment of automated systems
• Includes a section with concrete steps that organizations can use to uphold the five values
• The Office of Management and Budget (OMB) issued guidance to federal agencies to
strengthen the appropriate use of AI, advance AI innovation and manage risks from AI
• Department of Homeland Security’s (DHS) Roles and Responsibilities Framework for Artificial
Intelligence in Critical Infrastructure: guidance and recommendations for the safe and secure
development and deployment of AI in critical infrastructure
• TAKE IT DOWN Act: Specifically relates to AI-generated, nonconsensual and deepfake images
• The Act puts obligations on platforms to:
• Remove deepfake and nonconsensual images that cause harm or infringe privacy
with additional rules and extra care needed for depictions of minors
• Ensure content generation tools are not misused, such as by creating nonconsensual
intimate images
• Respond within 48 hours to valid removal requests by removing copies of harmful
depictions
• Implications: platforms may need to deploy AI themselves to detect content that needs
removal, raising concerns about freedom of speech and underrepresentation of historically
unheard voices; false positives; bias; and enforcement difficulties
Existing regulatory requirements: in the short term, AI may be regulated primarily by existing laws
and regulatory agencies; for example:
• FTC: Considers Section 5 of the FTC Act (unfair and deceptive business practices) to apply to AI/ML
• Consumer Financial Protection Bureau: creditors must explain specific reasons behind an adverse
credit decision
• Applies to "black box" models and other complex algorithmic models
U.S.: state and city laws (Passed laws; Proposed laws)
U.S.: STATE AND CITY LAWS
Most include the right to opt out of automated decision-making or prohibit algorithmic profiling
• Initial legislative efforts focused on state government use of AI, with states creating new safeguards
or outright bans on high-risk governmental AI applications
• Other states have focused on implementing studies and task forces to assess AI’s risks and benefits
before rushing to new regulations
• The recent surge in generative AI has shifted legislative attention to commercial AI guardrails. These
efforts typically fall within consumer protection law and aim to amend state legal codes accordingly.
Laws passed, as of October 2025:
• California Transparency in Frontier Artificial Intelligence Act (TFAIA) (SB 53): effective 1 January 2026
• Legislation designed to enhance online safety by applying reasonable rules and limits to the
creation of the most advanced AI systems (e.g., Anthropic’s Claude, Google Gemini, OpenAI
GPT-4.1, DALL-E 3) to ensure they are developed responsibly and do not cause harm
• Also encourages safe and responsible innovation – strikes a balance between protecting
society and allowing AI to evolve and improve
• Establishes new requirements for frontier AI developers to create stronger transparency,
innovation, safety, accountability and responsiveness
• California Generative AI: Training Data Transparency (AB 2013): effective 1 January 2026
• California AI Transparency Act (SB 942): effective 1 January 2026
• Colorado AI Act (SB 205): effective 1 February 2026*
• *The law is currently facing a proposal to significantly overhaul the framework in response
to feedback received on the original bill. If the amendments fail to pass, the existing Act will
go into effect on 1 February 2026.
• Texas Responsible Artificial Intelligence Governance Act (HB 149): effective 1 January 2026
• Utah Artificial Intelligence Consumer Protection Amendments (SB 226): effective 7 May 2025
• Utah AI Policy Act (SB 149): effective 1 May 2024
• New York City's Local Law 144 requires bias audits of AI-enabled employment tools
• California's BOT Act prohibits the use of bots to encourage a sale
Many other U.S. states have proposed AI-related bills.
Resources:
IAPP U.S. State AI Governance Legislation Tracker
“Governor Newsom signs SB 53, advancing California’s world-leading artificial intelligence industry.”
Office of Governor Gavin Newsom. Sept. 29, 2025.
Andrews, Caitlin. “With SB 53, California puts AI disclosure requirements on the map.” IAPP, Oct. 1,
2025.
The EU AI Act: Purpose; Impact
THE EU AI ACT
The EU AI Act is a landmark regulation designed to address the development, deployment and use of AI
systems across the European Union.
• Risk-based regulation: ensuring that AI systems with higher risks (such as those affecting human
rights or public safety) face stricter requirements.
• The aim was to craft legislation that does not regulate a specific technology, but rather how it is used.
Purpose of the Act:
• Regulate AI: create harmonized EU rules for placing AI systems on the market, putting them into
service and governing their use.
• Balance innovation with safety: ensure AI development and deployment is safe, trustworthy,
transparent and respectful of fundamental rights while accounting for progress and innovation.
• Promote AI literacy to enhance transparency and ensure that both experts and non-experts can
interact with AI systems responsibly and safely.
• Address potential harms
• Ensure legal certainty to promote investment and innovation
• Align organizations’ use of AI with EU core values and rights of individuals
Impact of the Act: far-reaching provisions for organizations that use, design or deploy AI systems.
• Extraterritorial impact: Like the GDPR’s impact on the processing of personal data worldwide, the
Act is expected to have a global impact.
• Even non-EU organizations must comply with the Act if offering AI services or products to EU
customers.
• Applicability extends the Act’s influence far beyond Europe, making it a global standard for
AI regulation.
• Global leadership in AI regulation: The EU AI Act is expected to set a precedent for other countries
and regions looking to regulate AI systems.
• By complying with the EU AI Act, organizations will be better prepared for future regulations
in other jurisdictions.
• Organizations may choose to operate by EU standards as a default for ease and consistency
with other areas, and may require similar responsibility from business partners.
• Early adopters of the EU's AI standards will gain a competitive edge in future regulatory
environments and compliance will make adapting to future versions more efficient.
• Economic impact: while organizations may face increased compliance costs, the EU AI Act offers
legal certainty that fosters investment and innovation.
• Organizations that align with the Act's requirements will be well-positioned to leverage the
growing AI market with the confidence of compliance and global leadership in AI ethics and
safety.
Further reading: “The EU AI Act: Guide for In-House Lawyers.” Hunton, February 2025.
EU Digital Omnibus on AI
Aims to simplify and modernize the EU’s complex digital regulatory framework
Major component: the structured delay to the implementation of high-risk AI obligations
EU DIGITAL OMNIBUS ON AI
The Digital Omnibus on AI, introduced by the European Commission in November 2025, is part of a
wider effort to simplify and modernize the EU’s complex digital regulatory framework.
• Created in response to concerns that Europe’s growing patchwork of digital, data and AI-related
rules had become overly burdensome and was hindering innovation and competitiveness.
• Introduces targeted amendments to the EU AI Act aimed at making compliance more coherent and
practical.
• Released as part of a legislative package proposing targeted changes to the EU digital rulebook,
including to the AI Act, GDPR, Data Act, and ePrivacy rules, to reduce administrative friction while
maintaining high standards of safety and fundamental rights.
• It is also important to look at the Omnibus on Data and Digital for its partial reference to AI governance.
A major component of the proposal is a structured delay to the implementation of high-risk AI
obligations.
• The proposed delay recognizes that the development and adoption of harmonized standards to
support high-risk AI requirements has been a very slow process that is running up against the August
2026 application deadline
• Original August 2026 start date may be extended by up to 16 months and no later than 2 December
2027, with requirements only taking effect once the Commission confirms that adequate
compliance support, such as harmonized standards, is available.
• After that confirmation, high-risk AI systems will phase in gradually, with some categories receiving
six months to comply and others receiving 12 months, along with “backstop” deadlines in late 2027
and mid-2028 to ensure progress even if standards are delayed.
• High-risk AI systems already lawfully on the market can continue operating without new certification
unless they undergo significant design changes, and public-sector uses of high-risk AI benefit from
an extended compliance deadline of August 2030.
• The Omnibus proposals are now going through the EU legislative negotiation process, which is expected
to take at least a few months and is creating some confusion during this transitional period as
organizations await clarity on possible changes to rules and timelines.
Resources:
IAPP, “Unpacking the EU Digital Package: What It Means for Compliance,” LinkedIn Live, 4 December
2025.
Fazlioglu, Müge and Joe Jones, “EU Digital Omnibus: Analysis of Key Changes,” IAPP, 9 December
2025.
Casovan, Ashley, “Notes from the AI Governance Center: What the EU's proposed Digital Omnibus
means for AI governance professionals,” IAPP, 17 December 2025.
Roccia, Isabelle, “A view from Brussels: How, when will the Omnibus yield results?” IAPP, 8 January
2026.
South Korea AI Basic Act: Act on the Development of Artificial Intelligence and Establishment of Trust (AI Basic Act)
SOUTH KOREA AI BASIC ACT
Act on the Development of Artificial Intelligence and Establishment of Trust (AI Basic Act)
• Enacted January 2025; takes effect 22 January 2026
• Second comprehensive national artificial intelligence regulation to be passed, after the EU AI Act
• Establishes a National Artificial Intelligence Committee to make recommendations to the heads of
government agencies, and deliberate and decide on major policies for the development of AI
• Minister of Science and ICT will establish, revise, and implement a basic plan for AI every three years
The act aims to:
1. Protect the rights and interests of the people
2. Improve the quality of life of the people
3. Strengthen national competitiveness
Business operators
• More general than the EU AI Act, the South Korean AI Basic Act applies its requirements uniformly
across roles and places obligations on “business operators” of the AI (instead of more detailed roles
such as providers and deployers)
• Business operators are defined as a corporation, organization, individual, or government agency
that conducts business related to the AI industry and falls under these categories:
a. AI Development Business Operator: a person who develops and provides AI
b. AI Utilization Business Operator: a person who provides AI products or services using AI
Business operators are subject to:
• Notification requirements
• Risk management and user protection measures
• Explanation and documentation requirements
• Human management requirements
• Impact assessment requirements
Additionally, an AI business operator without a domestic address or place of business who meets the
standards prescribed by presidential decree must designate, in writing, a domestic agent who has a
home address or place of business in S. Korea. The domestic agent will report required compliance,
documents and requests for confirmation of a high-risk AI system to the Minister of Science and ICT.
Comparing AI regulation: South Korea and the EU
Act on the Development of Artificial Intelligence and Establishment of Trust (South Korea AI Basic Act); EU AI Act
COMPARING AI REGULATION: SOUTH KOREA AND THE EU
• Both the South Korea AI Basic Act and the EU AI Act emphasize a concern for human rights and
responsible use of AI
• Both laws require that companies make users aware when they are interacting with AI, reflecting
the fair information practice of transparency
Risk-based approach
• Similar to the EU AI Act, the AI Basic Act takes a risk-based approach
• S. Korean law regulates “high-impact” AI (defined as an AI system that may have a significant
impact on, or pose a risk to, human life, physical safety and basic rights)
• The AI Basic Act sets out 11 high-risk categories such as healthcare, management of nuclear
materials and production of drinking water
• Business operators must review in advance whether the AI is high-impact
• If the AI is high-impact, a business operator must implement:
• Risk management and user protection measures
• Explanation measures for the results derived from AI, the main criteria used to derive the
results, and an overview of the learning data used in the development and use of the AI
• Human management and supervision of the AI
• Documentation that can confirm the contents of measures to ensure safety and reliability
• An impact assessment evaluating the impact on the fundamental rights of people
Scope and applicability
• Like the EU AI Act, the AI Basic Act has an extraterritorial scope and applies domestically or
internationally if South Korean users or the market are affected.
• Under the EU AI Act, AI systems used solely for national security by member states are exempt.
South Korea's AI Basic Act excludes AI developed and used solely for national defense or national
security, as prescribed by presidential decree.
Enforcement and penalties - South Korea
• The Minister of Science and ICT has the power to conduct investigations and to impose and collect fines
• Business operators who fail to: (a) comply with notification requirements, (b) designate a domestic
agent, or (c) comply with a suspension or corrective order, can be fined up to 30 million won
Resources:
Andrews, Caitlin. “South Korea’s AI Basic Act Puts Another AI Governance Regulation on the Map.” IAPP,
Jan. 16, 2025.
Choi, Kyoungjin. “Analyzing South Korea’s Framework Act on the Development of AI.” IAPP, Jan. 23,
2025.
Japan AI Promotion Act: Act on the Promotion of Research and Development and the Utilization of AI-Related Technologies (AI Promotion Act)
EXISTING AI REGULATION: JAPAN AI PROMOTION ACT
Act on the Promotion of Research and Development and the Utilization of AI-Related
Technologies (AI Promotion Act)
• Has a basic structure and relies on business cooperation and current laws to regulate the
technology rather than inventing a new structure
Key features:
• Strategic focus: Takes an “innovation-first” approach; focus on boosting AI research, development
and utilization
• Safety and risk mitigation: Aims to address risks like misinformation, disinformation and misuse
of AI systems
• The government can investigate misuse and advise businesses, though there are no
penalties for noncompliance
• Multi-stakeholder governance: Encourages collaboration among government, academia,
businesses and citizens
• Soft-law approach: The Act is nonbinding, serving more as a guiding framework than enforceable
regulation
• Reflects Japan’s tradition of “regulation by guidance” rather than punitive enforcement
• International alignment: Designed to align with global efforts like the EU AI Act
Japan's law is another example of how members of the Asia-Pacific region, including Singapore and
South Korea, are taking a more relaxed approach to AI governance for now compared to the EU.
Resource: Andrews, Caitlin. “Japan passes innovation-focused AI governance bill.” IAPP, June 4, 2025.
China: National law; Municipal law
EXISTING AI REGULATION: CHINA
China has established a comprehensive and multi-layered regulatory framework for artificial
intelligence. Unlike the EU AI Act, this framework does not consist of a single unified law. Instead,
China's approach is built on a network of laws, administrative regulations, and national standards
that collectively govern AI development, deployment and ethical considerations.
Currently, the laws, regulations and policies governing AI in China are specific to AI use cases, including:
• Algorithmic Recommendation Management Provisions; Interim Measures for the Management of
Generative AI Services; Deep Synthesis Management Provisions; AI guidelines, Scientific and
Technological Ethics Regulation; New Generation AI Development Plan
Cyberspace Administration of China: Oversees cyberspace security and internet content regulations
• Created guidelines (Interim Measures for Generative AI Services) in July 2023
• Apply to services available to the general public in China
• Research institutions are exempt
• Requires generative AI service providers to conduct security reviews and register algorithms
with the government if the service can influence public opinion or "mobilize" the public
China also established an AI standards committee, drawing members from industry, such as Baidu,
Alibaba and Tencent.
Municipalities have passed additional AI governance measures
• Include oversight for compliance and development, including audits
• Have or are contemplating bans on AI that threatens national security, personal privacy or health,
or that results in discrimination
• Potentially ban development or use of "metaverse-related" technology
• Technology used to create and manage digital entities, such as virtual assistants and
chatbots
Resources
Creemers, Rogier, Graham Webster and Helen Toner. “Translation: Internet Information Service
Algorithmic Recommendation Management Provisions – Effective March 1, 2022.” DigiChina, Stanford
University. Jan. 10, 2022.
“Interim Measures for the Management of Generative Artificial Intelligence Services.” China Law
Translate. July 13, 2023.
Zheng, Sarah, Zheping Huang and Jane Zhang. “China Takes Friendlier Approach to AI in Finalized
Guidelines.” Bloomberg. July 13, 2023.
Zheng, Sarah and Jane Zhang. “China Wants to Regulate Its Artificial Intelligence Sector Without
Crushing It.” Bloomberg. August 14, 2023.
Other existing and emerging AI regulations: Brazil; Canada; India; Singapore
OTHER EXISTING AND EMERGING AI REGULATION
Brazil
• Brazil’s AI Act is a proposed comprehensive risk-based AI bill
• Human oversight required for high-risk systems or if AI could violate fundamental rights
• Human rights-oriented: proposes rights for those affected by AI systems, such as the right to
an explanation about an AI system’s decision, recommendation or prediction
• Three levels of risk for AI systems, similar to the EU AI Act
• Clear rules for damages caused by AI systems
Canada
• September 2023: Canadian government announced the Voluntary Code of Conduct on the
Responsible Development and Management of Advanced Generative AI Systems
• A temporary measure providing common standards to Canadian companies and enabling them to
voluntarily demonstrate that they responsibly develop and use generative AI systems
• Encourages fairness, safety and human oversight
India
• Created AI governance principles and national committees to develop a policy framework
• A proposed Digital India Act would replace the IT Act of 2000 and regulate high-risk AI systems
• Aims to balance freedom, safety and accountability in one of the world’s largest online
populations
• Complements the Digital Personal Data Protection Act, giving users more control
• The Ministry of Electronics and Information Technology issued two AI advisories
• Platforms and intermediaries must ensure use of AI does not facilitate unlawful content
• AI models that are untested, unreliable or still in development can only be made available after
labelling their output as inherently fallible or unreliable
Singapore
• Takes a multi-layered, innovation-friendly approach to AI regulation, blending voluntary
frameworks, sector-specific laws and international cooperation rather than imposing a single,
overarching AI law
• 2019: Model AI Governance Framework for Traditional AI, Asia’s first AI governance framework
• Voluntary framework based on two principles:
1. Decision-making process should be explainable, transparent and fair
2. AI should be human-centric
• Currently takes a sectoral approach to AI governance regulation, such as for financial services and health
• AI Verify: an AI governance testing toolkit that supports testing and oversight
• 2024: Model AI Governance Framework for Generative AI: nine dimensions to create a trusted
environment enabling safe use of generative AI while allowing for innovation
Other existing and emerging AI regulations (cont.): UK; EU Member States; UAE; Africa; Pacific
OTHER EXISTING AND EMERGING AI REGULATION (CONT.)
• UK: No central AI law as of 2025; sector-specific regulation and a flexible, “context-based” oversight
framework driven by the 2023 AI Regulation White Paper.
• EU Member States, Italy, Spain, Switzerland, Norway, Turkey: Some are developing or debating
national AI bills and establishing new AI supervisory agencies or national strategies to supplement
the EU AI Act.
• United Arab Emirates, Abu Dhabi Global Market, Dubai International Financial Centre: Existing
data laws amended in financial free zones to address AI risks, plus federal decrees guiding
government AI deployments. DIFC Regulation 10 governs the processing of personal data by
autonomous and semi-autonomous systems.
• Kenya, Nigeria, South Africa: National AI strategies, codes of practice and draft laws addressing
human rights and algorithmic accountability; many are in consultation or draft stage.
• Australia, Taiwan: Multiple sector-specific initiatives, voluntary codes, and draft legislation on AI
governance, algorithmic fairness, and data transparency.
• Global/international: UN draft resolution encouraging national AI regulation, OECD/UNESCO/G7
principles guiding responsible AI but not legally binding.
These developments underscore the current complexity and speed of change in AI regulation, with new
laws, amendments and enforcement mechanisms continually emerging.
REVIEW QUESTION 1
Which of the following statements best describes the consistent approach found in global AI-specific
legislation?
A. Transparency requirements are optional in most AI-specific regulations
B. Providers and deployers share identical responsibilities under all AI-specific laws
C. A risk-based approach is commonly used, with higher-risk systems facing stricter obligations
D. AI systems are regulated uniformly across all jurisdictions to ensure global consistency
Answer: C
Global AI-specific legislation consistently employs a risk-based approach, where higher-risk systems are
subject to stricter obligations.
MODULE 4: AI regulation, Lesson 2: Risk classification framework for AI
LESSON 2: RISK CLASSIFICATION FRAMEWORK FOR AI
The topics in this lesson align to the following performance indicator on the AIGP body of knowledge:
• Understand the risk classification framework for AI (e.g., prohibited/high/limited/minimal-risk) and
what systems/uses fall into each category (II.C)
Risk-based legislation: Classification frameworks
1. Prohibited risk
2. High risk
3. Limited risk
4. Minimal or no risk
RISK CLASSIFICATION FRAMEWORKS
Most AI laws use a risk-based logic, though terminology and categories differ.
A common teaching framework is:
• Prohibited or unacceptable risk: systems banned outright because they threaten rights or safety.
• High or high-impact risk: systems allowed, but subject to strict obligations (risk management,
oversight, documentation).
• Limited or transparency risk: systems with lower risks, often subject only to disclosure or labelling
duties.
• Minimal or no risk: systems considered low-concern, with voluntary standards or codes of conduct
encouraged.
Note: The EU AI Act, South Korea’s AI Basic Act, U.S. state laws, China’s Generative AI Measures, and
Japan’s Guidelines all apply this logic in different ways, but the same principle holds: higher risk = more
duties; lower risk = lighter touch.
• Risk-based approach allows for continued AI innovation under appropriate safeguards, ensuring
that regulation is proportionate to the level of risk posed by AI systems
• Provides flexibility and adaptability
• Provides clear guidance for organizations
AI risk levels: Prohibited or unacceptable risk (PROHIBITED)
• Social scoring or discriminatory profiling
• Manipulating or exploiting people’s vulnerabilities
• Certain biometric applications
• Emotion recognition in sensitive settings
• Specific predictive policing or mass surveillance applications
PROHIBITED OR UNACCEPTABLE RISK
Prohibited AI systems are considered inherently harmful and are restricted or banned in many
jurisdictions.
While the exact lists differ, common categories include:
• Social scoring or discriminatory profiling by governments or organizations (e.g., EU bans public-
authority social scoring; South Korea bars unjustified discrimination in education, work or essential
services).
• AI that manipulates or exploits people’s vulnerabilities, such as targeting children, the elderly or
people with disabilities.
• Certain biometric applications, including untargeted scraping of facial images, biometric
categorization based on sensitive traits, or real-time facial recognition in public spaces (restricted in
EU; disclosure/oversight duties in U.S. states like Illinois BIPA; compliance and labelling rules in
China).
• Emotion recognition in sensitive settings, such as workplaces or schools (explicitly listed in the EU
Act; subject to stricter oversight elsewhere).
• Predictive policing or mass surveillance applications, especially those with no clear safeguards or
accountability.
• Other practices that threaten fundamental rights or safety, with examples varying across laws
(e.g., China’s Generative AI Measures prohibit outputs undermining social stability; U.S. federal
guidance warns against deceptive AI impersonation).
AI risk levels
The majority of AI regulation will apply to AI in the high-risk category.
HIGH RISK
High or high-impact risk
Module 4: AI regulation
HIGH OR HIGH-IMPACT RISK
High- or high-impact risk AI systems that can significantly affect people’s rights, safety, or access to
essential services are allowed but are subject to strict obligations. Across jurisdictions, examples
include:
• Critical infrastructure and safety systems: e.g., transport, energy, medical devices. (EU Annex II;
South Korea requires risk management and documentation for high-impact sectors.)
• Health care, credit, housing and employment decisions: systems that determine access to jobs,
loans, housing or medical care. (EU Annex III; Colorado SB 24-205 defines these as “consequential
decisions.”)
• Education and testing: AI used to score exams, assess students or allocate educational
opportunities. (EU Annex III; South Korea high-impact designation includes education.)
• Law enforcement and justice applications: predictive analytics, biometric identification in
investigations or risk scoring of individuals. (EU Annex III; multiple jurisdictions impose added
oversight or restrictions.)
• Generative AI with systemic risks: foundation or general-purpose models with wide impact. (EU AI
Act introduces “systemic risk” category; China requires safety reviews and security filings; California
mandates training data transparency.)
• Sensitive biometric uses: facial recognition, voice recognition or emotional analysis where
individuals could be unfairly classified or monitored. (EU restricts; China and U.S. state laws impose
disclosure or consent duties.)
The majority of AI regulation will apply to AI in the high-risk category. We will discuss
requirements for high-risk systems along with high-risk obligations by role in the next lesson.
AI risk levels
Limited or transparency risk
LIMITED RISK
Module 4: AI regulation
Fewer requirements than high-risk systems, but with specific transparency obligations.
LIMITED OR TRANSPARENCY RISK
AI systems that present lower risks are usually allowed, but with disclosure or labelling requirements.
Common obligations include:
• Chatbots and conversational AI: users must be informed they are interacting with AI. (EU Art. 52;
mirrored in South Korea and Japan guidelines.)
• Generative AI outputs: content such as images, video, or audio must be labelled or watermarked.
(China’s 2023 GenAI Measures; California SB 942 effective 2026.)
• AI impersonation or professional use: disclosure required when AI is used in regulated
professions such as law or medicine. (Utah SB 149, 2024.)
• Emotion recognition or biometric categorization in non-critical settings: requires clear notice
to affected individuals. (EU limited-risk duties; echoed in Japan’s voluntary guidance.)
Techniques and systems covered (illustrative): Chatbots and conversational AI, content-generating
systems (email replies, recommendation engines), large language models (e.g., GPT-type systems),
deepfake generation and editing tools.
Obligations for providers and deployers (limited or transparency risk systems)
Across AI laws, providers (developers/vendors) and deployers (users/operators) both carry duties.
Wording differs by jurisdiction, but common requirements include:
• Providers must:
  • Inform users when they are interacting with AI rather than a human. (EU Art. 52; South Korea high-impact systems; Japan guidelines.)
  • Label or watermark AI-generated content, e.g., text, images, video, audio. (EU limited-risk; China 2023 Measures; California SB 942 effective 2026.)
  • Disclose model characteristics – e.g., large language models must publish information on training data, risk controls and limitations. (EU GPAI obligations; California AB 2013.)
• Deployers must:
  • Notify affected individuals if they are subject to emotion recognition or biometric categorization. (EU deployer duty; mirrored in SK Basic Act.)
  • Obtain consent or provide clear notice before applying such systems in sensitive contexts (e.g., workplaces, schools).
  • Clearly disclose deepfakes and manipulated media when published or used in communication. (EU Art. 52; China watermarking rule; Utah SB 149 disclosure rule.)
  • Conduct impact or risk assessments before using high-risk or consequential-decision AI. (EU Fundamental Rights Impact Assessment; Colorado Algorithmic Impact Assessment.)
AI risk levels
Minimal or low risk
MINIMAL OR NO RISK
Module 4: AI regulation
Most AI systems fall into the minimal-risk category.
MINIMAL OR NO RISK
Most AI systems fall into this category. They are considered low-concern and are generally free of
binding obligations.
Global approaches include:
• Entertainment and recreational AI: e.g., video games, music or art generation for leisure
• Productivity tools with limited impact: e.g., AI spellcheck, grammar correction, spam filters,
inventory management systems or data visualization tools (commonly excluded worldwide)
• Voluntary standards and codes of conduct: promoted in multiple jurisdictions to encourage best
practice even when regulation does not apply (Japan AI Guidelines v1.1; OECD and ISO standards)
• Industry self-governance: trade bodies and sectoral codes often supplement regulation where risk
is considered minimal
CHAT
Can you think of a circumstance in which a limited- or minimal-risk use of AI could
become a high-risk use? How might an organization mitigate the increased risks?
Let’s talk about…
Module 4: AI regulation
CHAT
Let’s talk about…
Can you think of a circumstance in which a limited- or minimal-risk use of AI could become a
high-risk use? How might an organization mitigate the increased risks?
Possible answers:
• Repurposing the system (or redesigning it, to some degree)
• Including more data or personal data or applying it in a higher-risk context, e.g., from facial detection to
facial recognition
• AI that is used to evaluate past behavior (in some context) and rate or rank it, but then is adapted to start
projecting future behaviors as well
REVIEW QUESTION 1
Which of the following best describes the purpose of a risk-based AI regulation
framework?
A. To ban all AI systems that pose any level of risk.
B. To ensure all AI systems are subject to the same regulations.
C. To classify AI systems based on their risk levels and apply appropriate
rules and obligations.
D. To promote the use of AI systems without any regulatory oversight.
Module 4: AI regulation
REVIEW QUESTION 1
Which of the following best describes the purpose of a risk-based AI regulation framework?
A. To ban all AI systems that pose any level of risk.
B. To ensure all AI systems are subject to the same regulations.
C. To classify AI systems based on their risk levels and apply appropriate rules and obligations.
D. To promote the use of AI systems without any regulatory oversight.
Answer: C
Risk-based AI regulation frameworks aim to classify AI systems into categories like prohibited, high, limited,
or minimal risk, and apply rules accordingly.
LESSON 3
MODULE 4: AI regulation
Key requirements for high-risk AI
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Understand the key requirements around risk management, data governance, technical documentation, conformity/impact assessment and record-keeping.
• Understand the key requirements around human oversight, transparency and notification, and quality management.
• Understand the differences in requirements based on organizational context (e.g., providers, deployers, importers, and distributors).
LESSON 3: KEY REQUIREMENTS FOR HIGH-RISK AI
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Understand the key requirements around risk management, data governance, technical
documentation, conformity/impact assessment and record-keeping. (II.C)
• Understand the key requirements around human oversight, transparency and notification, and
quality management. (II.C)
• Understand the differences in requirements based on organizational context (e.g., providers,
deployers, importers, and distributors). (II.C)
Requirements for high-risk AI systems
Module 4: AI regulation
Risk management
Data governance and quality
Technical documentation
Impact/conformity assessment
HIGH RISK
REQUIREMENTS FOR HIGH-RISK AI SYSTEMS
Common obligations for high-risk AI systems across major AI laws include:
Risk management
• Establish a life cycle risk-management system to identify, assess and mitigate foreseeable risks (EU
Art. 9; SK Basic Act Art. 34; Colorado developer duty)
• Monitor system performance continuously and update controls as risks evolve
Data governance and quality
• Ensure training, validation and test data are relevant, representative and regularly checked for
errors or bias (EU Art. 10; SK Act; Colorado impact assessments; Japan guidelines)
• Document data sources, labelling and cleaning processes
• In some jurisdictions, sensitive data may be processed only to monitor and correct bias (explicit in
EU, similar intent in Colorado)
Technical documentation
• Maintain transparent documentation of purpose, design, training/testing methods, and risk controls
(EU Annex IV; SK documentation duty; California AB 2013 for GPAI disclosure)
• Provide clear deployment instructions so deployers can comply with their own obligations
Impact/conformity assessment
• Conduct pre-market impact or conformity assessments
  • EU: conformity assessment and fundamental rights impact assessment (for public deployers)
  • Colorado: algorithmic impact assessment for consequential decisions
  • China: safety assessment before public release of generative AI models
• Update assessments if the system undergoes major modifications
Continued on next slide
Module 4: AI regulation
Record-keeping and logging
Transparency and user information
Human oversight
Accuracy, robustness and security
HIGH RISK
Requirements for high-risk AI systems
REQUIREMENTS FOR HIGH-RISK AI SYSTEMS (CONT.)
Common obligations for high-risk AI systems across major AI laws include:
Record-keeping and logging
• Log key system events (inputs, outputs, data sources, human interventions)
• Retain records for regulator inspection or audit (EU Art. 12; SK retention duty; U.S. states require
assessment records)
Transparency and user information
• Inform individuals when they are subject to AI decision-making
• Disclose AI-generated or manipulated content (deepfakes, GenAI outputs) (EU Art. 52; Utah
disclosure law; China watermarking; California transparency law)
• Provide instructions for safe use, including capabilities and limitations
Human oversight
• Design systems so humans can interpret outputs, and intervene or override
• Train staff to exercise meaningful oversight (EU Art. 14; SK Act; Japan’s human-in-the-loop guidance)
Accuracy, robustness and security
• Test systems regularly for accuracy, resilience and cybersecurity
• Ensure consistent performance for the intended purpose (EU Art. 15; SK Basic Act; China’s safety
requirements)
High risk: provider/developer obligations
Module 4: AI regulation
HIGH RISK
Providers and developers have multiple requirements that span the AI’s life cycle
HIGH RISK: PROVIDER/DEVELOPER OBLIGATIONS
Requirements for providers/developers of high or high-impact AI systems converge globally around
these themes:
Governance and quality management (EU Arts. 8–9, 17; South Korea AI Basic Act Art. 34; ISO/IEC AI
management standards)
• Implement a life cycle risk management and quality system covering design, testing, deployment
and monitoring
• Ensure compliance with applicable regulatory standards and sectoral safety rules
Data governance and documentation (EU Arts. 10–11, 18; South Korea documentation duty; Colorado
developer duty; Japan 2025 Guidelines)
• Maintain comprehensive documentation: intended purpose, technical specifications, risk
management controls, testing methods and updates
• Demonstrate training and test data are relevant, representative and regularly monitored for bias or
error
Logging and traceability (EU Arts. 12, 19; Japan logging guidance; China traceability rules)
• Design systems to log inputs, outputs, key decisions and human interventions automatically
• Keep logs for audit and investigation (duration and scope vary by law)
Corrective action and incident handling (EU Arts. 20, 73; South Korea corrective obligations; China
incident reporting within filing regime)
• Put mechanisms in place to detect and correct malfunctions or violations
• Notify regulators or users of serious incidents or risks to rights and safety
Assessment and assurance
• Conduct pre-deployment assessments appropriate to the jurisdiction:
  • EU: conformity assessment
  • Colorado: Algorithmic Impact Assessment for consequential decisions
  • China: safety/security assessment for generative AI services
• Update assessments if the system undergoes substantial modification
Registration and disclosure
• Meet registration or filing requirements where they exist:
  • EU: public database of high-risk systems
  • China: CAC filings for public algorithmic services
  • S. Korea: obligation to appoint domestic representative for foreign providers above thresholds
Transparency and user information (EU Arts. 13, 52; California AB 2013/SB 942; China 2023 Measures)
• Provide clear instructions for safe use, including system limitations and human-oversight steps
• Label or watermark AI-generated outputs where required
Security, robustness and testing (EU Art. 15; South Korea reliability duties; China security testing
obligations)
• Regularly test for accuracy, robustness, resilience and cybersecurity
• Ensure systems perform consistently for their intended purpose
– CAs and the EU AI Act
‘Conformity assessment’ means the process of demonstrating whether the requirements set out in Chapter III, Section 2 relating to a high-risk AI system have been fulfilled.
Module 4: AI regulation
HIGH RISK
High risk: provider/developer obligations
Conformity/impact assessments
HIGH RISK: PROVIDER/DEVELOPER OBLIGATIONS: AI CONFORMITY OR IMPACT ASSESSMENTS
A conformity or impact assessment is the process of demonstrating compliance with requirements for
high- or high-impact AI systems.
• Important review tool and aspect of risk management
• If a conformity assessment (CA) is approved, it is presumed there will be adequate, continuous
monitoring and AI observability throughout the AI process
Goals: identify how the technology was developed, what data set was used, how the learning process
was developed, how the AI behaves and potential impacts of the AI or technology over time
• Adequate technical documentation is a key component
While assessment terminology differs, most comprehensive AI laws include this step:
• EU AI Act: requires pre-market conformity assessments for high-risk AI (recruitment, biometrics,
medical devices, credit scoring, infrastructure safety) with reassessment over the life cycle
• South Korea AI Basic Act: mandates designation confirmation for high-impact AI and compliance
checks to verify safety, documentation and oversight obligations before release
• China (2023 GenAI Measures): public generative AI systems must undergo security and safety
assessment and be filed with the Cyberspace Administration before launch
• Colorado SB 24-205: deployers of high-risk (“consequential decision”) AI must complete an
algorithmic impact assessment (AIA) covering purpose, data, risks, mitigation and monitoring
Common elements across jurisdictions include:
• Conduct before deployment (pre-market or pre-use)
• Evaluate safety, rights, and fundamental impacts, not only data protection
• Require ongoing reassessment when systems are substantially modified
• Support accountability and regulator access through documentation
HIGH RISK
• CAs must have technical documentation; can supplement DPIAs in areas that are more technical or associated with risk
• CAs can envision harms that could result from AI; that data can be used to inform DPIAs
High risk: provider/developer obligations
DPIAs and CAs
Module 4: AI regulation
HIGH RISK: PROVIDER/DEVELOPER OBLIGATIONS: DPIAs AND CAs
Many features and key aspects come from existing assessments (e.g., data protection impact
assessments (DPIAs), product safety assessments).
• Both DPIAs and CAs outline a method of providing accountability when developing new
technology and use of data
• Because AI can evolve or change over time, some consider it best practice to complete and
document a DPIA to understand implications and risks throughout the AI’s life cycle
• Both assessments should involve an assessment of risks as well as a plan to mitigate such risks
• Both are accountability tools; they are broader and more holistic in how they analyze technology and
do not stop at the data or learning model
• Issues of health, safety and fundamental rights are open to interpretation by the law
• Can assess new technology or existing tools being applied to other functions in an organization
• Information can continue to be vetted while monitoring against the threat model
• Targeted mitigations can be formed to drive down risk by giving the DPIA and CA a defined context
for mitigation
Implementation:
• Customization of existing DPIAs may be needed to focus on the threats and opportunities AI poses
• CAs are required with technical documentation; can supplement DPIAs in areas more technical or
associated with risk
• CAs can envision harms that could result from AI; that data can be used to inform DPIAs
• Pre-market filing/registration
• Ongoing monitoring
• Regulator access
Module 4: AI regulation
HIGH RISK
High risk: provider/developer obligations
Registration and notification
HIGH RISK: PROVIDER/DEVELOPER OBLIGATIONS: REGISTRATION AND NOTIFICATION
Obligations vary by jurisdiction, but common patterns include:
• Some form of pre-market filing/registration for high-risk/high-impact or public GenAI services
• Ongoing monitoring of deployed systems, with incident/change notifications
• Regulator access to documentation and logs (public database only in the EU)
Additional details:
Registration/filing
• EU AI Act: providers must register high-risk AI systems in a public EU database before market
placement
• China (2023): providers of public generative AI services must file with the CAC and complete a
security assessment before launch
• South Korea (AI Basic Act): operators of high-impact AI submit designation confirmation and
meet documentation/safety obligations; foreign operators above thresholds appoint a domestic
representative
Notification/post-market monitoring
• EU: providers must run a post-market monitoring system and report serious incidents to market
surveillance authorities within set deadlines
• South Korea: regulators can require reports/information and order corrective measures; safety
incidents tied to high-impact AI must be reported under implementing rules
• China: providers must notify regulators of material changes, incidents or risks and keep filings
current
• Colorado (SB 24-205): deployers must maintain an AIA, review at least annually and provide the
AIA/risk management policy/records to the AG upon request within 90 days; developers must
disclose known risks to the AG and deployers within 90 days of discovery
• Japan (Guidelines): encourage voluntary disclosure and incident reporting as good practice
Module 4: AI regulation
HIGH RISK
High risk: deployer obligations
Requirements of deployers are fewer but broader than provider obligations
HIGH RISK: DEPLOYER OBLIGATIONS
Deployers (operators/users) of high- or high-impact AI systems have distinct duties. Wording varies by
jurisdiction, but common requirements include:
Impact/conformity assessment (before use, where required)
• Conduct an impact/rights assessment before first use where mandated (e.g., FRIA in the EU for
public bodies or private entities providing public services; AIA in Colorado for “consequential
decisions”). Keep the assessment updated on significant change.
Use in line with intended purpose and provider instructions
• Use the system only for its intended purpose and per provider instructions; assign roles and
processes accordingly (EU deployer baseline obligations).
Human oversight during operation
• Ensure qualified human oversight with the ability to interpret, intervene and override as needed to
protect rights/safety; provide staff training (EU deployers; similarly emphasized in Japan’s guidance).
Monitoring & incident handling
• Monitor performance in use; if risks or serious incidents arise, promptly inform the provider and
(where required) regulators (EU requires incident escalation by deployers; Colorado enables
attorneys general access to assessments/records on request).
Logging & documentation
• Retain logs generated by the system and keep deployment records to support audits/traceability
(e.g., EU six-month minimum). Maintain AIA/FRIA documentation as applicable.
Transparency to affected individuals
• Inform individuals when a high-risk/covered AI is used to make or substantially influence decisions
about them; provide required disclosures (EU deployer notices; Colorado pre-decision notice for
consequential decisions).
Adverse decision rights (where applicable)
• Provide adverse-decision disclosures and channels for explanation, correction and human
review/appeal (Colorado).
Workplace transparency (where applicable)
• Inform workers before putting a high-risk AI system into service in the workplace (EU).
Registration cross-check (public sector, EU)
• Public authorities (and EU institutions) must verify the high-risk system is registered in the EU
database before use; if not, do not use and inform the provider/distributor.
Jurisdictional notes
• South Korea (AI Basic Act): operators of high-impact AI are required to implement life cycle risk
controls, provide user notification for high-impact/GenAI and maintain documented safety
measures.
• China (GenAI 2023): “deployers” of internal, non-public GenAI are generally out of scope; public-
facing providers bear most duties, but downstream platforms/users face obligations under deep
synthesis/algorithm rules (labelling/traceability).
Importers and distributors must ensure AI systems entering and moving through the market comply with regulatory standards
Module 4: AI regulation
HIGH RISK
High risk: importer and distributor obligations
• Verification
• Documentation
• Reporting
HIGH RISK: REQUIREMENTS FOR IMPORTERS AND DISTRIBUTORS
Importers and distributors (sometimes called resellers, retailers or intermediaries) are not responsible
for developing AI systems, but they play a critical role in ensuring that only compliant systems enter
and circulate in a market. Most comprehensive AI laws assign them verification, documentation and
reporting duties, though scope and terminology differ.
Importers
• Place AI systems from outside the jurisdiction onto the local market
• Must verify compliance with local law before sale or distribution
• EU: confirm conformity assessment, registration in EU database and correct CE marking
• South Korea (AI Basic Act): foreign providers above thresholds must appoint a domestic
representative who serves this function, ensuring filings, documentation and compliance
• China: foreign developers of public GenAI services must partner with local entities and file
systems with CAC
Distributors
• Entities in the supply chain (other than providers or importers) who make AI systems available
• Must ensure that systems are not modified in ways that break compliance
• EU: obliged to verify conformity, preserve documentation, and stop distribution if risks arise
• Colorado SB 24-205: while not called “distributors,” downstream deployers or intermediaries
must only use systems consistent with developer disclosures and retain/document AIAs
• China: platforms distributing AI applications must ensure labelling/traceability of AI content
Common requirements across regimes
• Verify compliance before placing or making systems available
• Check for required filings/registrations (e.g., EU public database; CAC filings in China; SK designation
confirmation)
• Preserve integrity of the AI system – do not alter in ways that affect compliance; if modified, recheck
conformity
• Provide documentation to regulators on request (technical files, conformity or impact assessments,
testing results)
• Report incidents or risks if discovered in the supply chain
REVIEW QUESTION
A company is developing a high-risk AI system for public use. To comply with major AI
laws, what must they ensure regarding data governance?
A. The data used is relevant, representative and regularly checked for errors or bias
B. The data is sourced exclusively from public databases
C. The data is anonymized before any processing
D. The data is stored indefinitely for future audits
Module 4: AI regulation
REVIEW QUESTION
A company is developing a high-risk AI system for public use. To comply with major AI laws, what must
they ensure regarding data governance?
A. The data used is relevant, representative and regularly checked for errors or bias
B. The data is sourced exclusively from public databases
C. The data is anonymized before any processing
D. The data is stored indefinitely for future audits
Answer: A
Major AI laws require that training, validation, and test data for high-risk AI systems meet these criteria to
ensure fairness and accuracy.
LESSON 4
MODULE 4: AI regulation
Requirements for general-purpose AI models
The topics in this lesson align to the following performance indicator on the AIGP body of knowledge:
• Understand the distinct requirements for general-purpose AI models.
LESSON 4: REQUIREMENTS FOR GENERAL-PURPOSE AI MODELS
The topics in this lesson align to the following performance indicator on the AIGP body of knowledge:
• Understand the distinct requirements for general-purpose AI models. (II.C)
General-purpose AI models and systems
• Usually referred to as GPAI
• An AI model that displays significant generality and performs a wide range of distinct tasks, regardless of how the model is released
• Can be integrated into a variety of downstream systems or applications
Module 4: AI regulation
GENERAL-PURPOSE AI MODELS AND SYSTEMS
Definition and scope
• GPAI (general-purpose AI): models trained to perform a broad range of tasks across domains,
adaptable into many downstream systems (e.g., LLMs, multimodal models, recommendation
engines, vision models)
• Can be integrated into high-risk or low-risk applications, depending on deployment context
• Major laws increasingly regulate GPAI as models (not just systems), reflecting their foundational role
EU AI Act (2024)
Chapter V sets duties for GPAI models and additional obligations for models with systemic risk (very
large models above computing thresholds)
• Provider obligations:
  • Maintain technical documentation
  • Publish training data summaries (while respecting IP/copyright)
  • Ensure transparency to downstream providers (model cards, usage conditions, limitations)
  • Appoint an EU representative if outside the EU
• For systemic-risk GPAI models:
  • Conduct risk assessments and mitigation
  • Document/report serious incidents
  • Perform red-teaming/adversarial testing
  • Ensure robust cybersecurity and physical safeguards
  • Disclose energy consumption
United States
• Colorado SB 24-205 (effective 2026): GPAI developers are considered “developers” of high-risk
systems if their models are integrated into consequential decision tools; must provide
documentation to deployers and AG and disclose known risks of algorithmic discrimination
• California AB 2013/SB 942 (2025/2026): GPAI/foundation model providers must:
  • Publish training data transparency reports
  • Provide watermarking/detection tools for audio/visual outputs
  • Implement testing and disclosure frameworks for large-scale GPAI
• NIST AI RMF
  • Nonbinding, but widely referenced in federal/state procurement requiring risk management, documentation and transparency for GPAI
Continued on next slide
General-purpose AI models and systems
Module 4: AI regulation
GENERAL-PURPOSE AI MODELS AND SYSTEMS (CONT.)
South Korea – AI Basic Act (effective 2026)
• Applies to “general-purpose” and “high-impact” AI models
• Requires:
  • Life cycle risk management plan and documentation
  • Transparency to downstream deployers and end users
  • Appointment of a domestic representative for foreign GPAI developers above thresholds
  • Safety, reliability and human oversight measures
China – 2023 Interim Measures for Generative AI Services
• Requires GPAI providers to:
  • File systems with the Cyberspace Administration of China (CAC) before public release
  • Undergo security and safety assessment
  • Label and watermark outputs (deep synthesis rules)
  • Ensure content complies with legal/policy standards
  • Monitor/rectify risks and report material changes or incidents
Japan – AI Guidelines v1.1 (2025)
• Nonbinding, but influential
• Encourages GPAI providers to:
  • Maintain documentation and logs
  • Disclose model capabilities/limitations
  • Ensure human oversight and explainability
  • Share information with downstream deployers to enable safe use
Slide 160 (Module 4: AI regulation): General-purpose AI models and systems: common global obligations
Diagram labels: Documentation; Transparency; Filing and registration; Incident reporting; Human oversight; Risk management; Detection tools
GENERAL-PURPOSE AI MODELS AND SYSTEMS: COMMON GLOBAL OBLIGATIONS
Regardless of jurisdiction, GPAI/foundation model providers are generally expected to:
• Maintain documentation and provide information to downstream deployers/regulators.
• Ensure transparency about training data, limitations and risks.
• Provide tools for detection, traceability and labelling of AI outputs (e.g., watermarking).
• Implement risk management and, for very large models, systemic-risk controls (red-teaming,
incident reporting, safety/cybersecurity safeguards).
• Support human oversight in downstream deployment.
• Establish mechanisms for incident reporting and correction.
• Meet filing/registration or representative appointment duties where required.
Comparative GPAI obligations across regimes
• EU AI Act: systemic-risk tier, documentation, training data summaries
• U.S. (Colorado, California): developer disclosures, AIAs, transparency, watermarking
• South Korea: domestic representative, life cycle safety plan
• China: CAC filing, security assessments, watermarking, content governance
• Japan: guidelines (documentation, transparency, oversight)
Slide 161 (Module 4: AI regulation): General-purpose AI models and systems: challenges
Diagram labels: Data governance and training data; Transparency and documentation; Third-party integration risks
GENERAL-PURPOSE AI MODELS AND SYSTEMS: CHALLENGES
Primary challenges in governing general-purpose AI models include:
Data governance and training data
• Data governance: One of the critical challenges with GPAI is ensuring the quality and
representativeness of the training data used to develop the model. Since GPAI systems are used
across diverse applications, it is essential that the data used to train the model reflects a wide
variety of contexts and avoids bias.
• Training and adaptation: Providers must ensure the adaptation of GPAI models to specific use
cases does not compromise the integrity or fairness of their outputs. For instance, a GPAI model
originally trained for general text analysis may need additional training to ensure it is appropriate
for use in a high-risk setting like health care or criminal justice.
Transparency and documentation
• Transparency obligations: GPAI providers must ensure the system’s intended use, capabilities and
limitations are clearly communicated to users and deployers. In high-risk applications, this includes
maintaining detailed documentation on how the model was developed, trained and deployed.
• Automatically generated logs: For high-risk applications of GPAI, the system must automatically
generate logs that document its decision-making processes. This is particularly important for
traceability and accountability in critical decision-making environments.
Third-party integration risks
• Organizations must conduct thorough risk assessments for external AI products and services,
whether they are integrated into business operations or used as standalone tools.
• This includes evaluating vendor policies, testing results and safety measures to ensure compliance
with internal standards.
Slide 162 (Module 4: AI regulation): Review question
REVIEW QUESTION
A company is deploying a general-purpose AI model in a high-risk health care application. What is a
critical step they must take to ensure compliance with transparency requirements?
A. Publish a detailed summary of the training data used for the model
B. Ensure the model is only used in low-risk applications
C. Keep the training data confidential
D. Ensure the model is only used by internal teams
Answer: A
Publishing a detailed summary of the training data is a key transparency requirement, ensuring users and
regulators understand the model's development process.
Slide 163 (Module 4: AI regulation): Lesson 5: Enforcement and penalties for noncompliance
LESSON 5: ENFORCEMENT AND PENALTIES FOR NONCOMPLIANCE
The topics in this lesson align to the following performance indicator on the AIGP body of knowledge:
• Understand the enforcement framework and penalties for noncompliance. (II.C)
Slide 164 (Module 4: AI regulation): Governance and enforcement
GOVERNANCE AND ENFORCEMENT
Common patterns across AI regulation
• Central authority (or ministry) provides overall supervision (e.g., EU AI Office; South Korea
Ministry of Science & ICT; China CAC)
• Sectoral regulators enforce AI rules within their domains (e.g., financial regulators, health
regulators)
• Advisory committees or expert boards provide technical guidance (e.g., EU AI Board; Japan expert
councils)
• Providers can embed AI compliance into existing oversight systems (e.g., ISO/IEC AI
management standards, GDPR/consumer-law structures)
Common global enforcement logic
• Central regulator and sectoral regulators enforce AI laws
• Tiered penalties: highest for prohibited/systemic risks, proportionate caps for SMEs/startups
• Pre-market filing/registration and post-market monitoring required
• Mandatory incident reporting and corrective powers (suspension/takedown)
• Mix of hard law (EU, SK, CN, U.S.) and soft law (Japan)
Slide 165 (Module 4: AI regulation): Penalties for noncompliance
PENALTIES FOR NONCOMPLIANCE
Examples by jurisdiction
• EU AI Act: up to €35m / 7% turnover (prohibited AI); phased enforcement 2025–27
• South Korea (AI Basic Act): fines and corrective orders; domestic representative required for
foreign providers
• United States (Colorado SB 24-205; California AB 2013, SB 942): AG enforcement; impact
assessments, transparency, watermarking duties
• China (GenAI Measures): CAC filings; fines, suspensions, takedowns for noncompliance
• Japan (2025 Guidelines): soft law; industry-led compliance, reputational enforcement
Module 5
Other laws that apply to AI
MODULE 5: OTHER LAWS THAT APPLY TO AI
Introduction
Legal compliance is an important part of any risk management and governance program. While AI
governance professionals may not be legal experts, knowing the categories of existing laws that may
affect AI use will be helpful when working with legal departments and advisors.
This module will discuss ways that data privacy and other types of existing laws, such as intellectual
property laws, nondiscrimination laws, consumer protection laws and product liability laws, may apply
to AI. Having an awareness of these laws allows professionals to approach AI governance and risk
management in ways that can help their organizations avoid potential legal or regulatory issues, while
developing programs and processes for AI governance.
Slide 167 (Module 5: Other laws that apply to AI): How current laws apply to AI systems: AI technology and AI-based products
Diagram: AI adoption generally falls within one of two categories: performing an existing function in a new way; accomplishing a process not done yet or not possible before AI
HOW CURRENT LAWS APPLY TO AI SYSTEMS
ALL existing laws for a sector or jurisdiction still apply when AI is used
• Examples: employment, housing, health, privacy, product safety and anti-discrimination laws
• Especially true for regulated industries (finance, automobiles, human resources, pharmaceuticals,
etc.)
AI technology and AI-based products
• May not be currently under a specific regulatory framework, but they do not exist in a vacuum
• Exist in the same legal and regulatory context other technologies navigate; can be subject to
complex regulatory frameworks
• Regulatory requirements should be accounted for throughout the AI development life cycle
• This ensures appropriate controls are developed to address the risks and regulatory requirements
that apply to the AI in question
• Similar considerations should occur when assessing the implementation and use of AI tools in
an organization
• AI adoption generally falls into one of two broad categories:
1. Performing an existing function in a new way
• Existing regulatory requirements that would normally apply to that function continue
to apply to the updated, AI-driven process
• Using AI does not allow you to bypass or ignore applicable laws and regulations
• Example: An organization must comply with, and be accountable under, applicable
safety standards, software liability, consumer protection requirements, data retention
and disclosure rules and any other existing frameworks that apply when a human
manually performs the work
2. Accomplishing a new process that has not been done or was not possible before AI
• Inquire if existing regulatory requirements may apply to this new process
• Assess what laws are in scope, what reviews are required, what risks AI may pose and
what controls can be implemented to mitigate risk and ensure compliance
• General consumer protection and product safety rules continue to apply
• Particularly relevant to highly regulated industries: financial services, health care,
transportation, employment and education
Slide 168 (Module 5: Other laws that apply to AI): Lesson 1: Data privacy laws and AI
LESSON 1: DATA PRIVACY LAWS AND AI
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Understand how transparency, choice, lawful basis and purpose limitation requirements apply to AI.
(II.A)
• Understand how data minimization and privacy-by-design requirements apply to AI. (II.A)
• Understand how obligations on data controllers apply to AI (e.g., regarding privacy impact
assessments, use of third-party processors, cross-border data transfers, data subject rights,
automated decision-making, incident management, breach notification and record keeping). (II.A)
• Understand the requirements that apply to sensitive or special categories of data (e.g., biometrics).
(II.A)
Slide 169 (Module 5: Other laws that apply to AI): Data privacy laws and AI: applicable principles
Diagram labels: Transparency; Choice; Lawful basis; Purpose limitation
DATA PRIVACY LAWS AND AI: APPLICABLE PRINCIPLES
The global initiative to apply existing laws to AI is advancing swiftly, often taking precedence over the
development of new, AI-specific legislation.
• Data protection laws will impact and apply to most consumer-facing AI systems to some degree:
GDPR, CCPA/CPRA and other U.S. state privacy laws, biometrics laws (Illinois’ Biometric Information
Privacy Act), breach laws and other laws and regulations focused on personal data
• Approaches for control of personal data will be further tested by AI technology
• Essential to apply established privacy and data protection principles to AI governance
Data protection rights and obligations must be complied with throughout the life cycle of the AI system,
including the following:
• Transparency: Any processing of personal data should be transparent to the individuals whose
data is being processed. Any information and communication relating to the processing of their
personal data shall be easily accessible, easy to understand and in clear and plain language.
• Transparency obligations are pervasive in the EU AI Act, AI codes and best practices, and in
data protection legislation.
• Choice: Individuals should be allowed to agree or disagree with the collection and use of their
personal data in AI systems.
• Lawful basis: There must be a lawful (legal) basis for processing personal data. Organizations
processing personal data need to consider the most appropriate legal basis; for example, consent,
performance of a contract or legitimate interest.
• Important to analyze the lawful bases to ensure the most appropriate basis is relied on
• Purpose limitation: AI systems should collect and use personal data only for the specified purpose.
• This is a challenge for organizations needing data to build models.
• Consideration needs to be given to data governance and transparency obligations in relation
to the collection of data and for what purposes it will be used.
• CNIL guidance: the learning and production phases of an AI system have distinct purposes
and each should be “determined, legitimate and clear.”
• Important that AI systems are developed to function in a way that adheres to this principle.
Continued on next slide
Slide 170 (Module 5: Other laws that apply to AI): Data privacy laws and AI: applicable principles (cont.)
Diagram labels: Transparency; Choice; Lawful basis; Purpose limitation; Data minimization; Collection limitation; Privacy by design
DATA PRIVACY LAWS AND AI: APPLICABLE PRINCIPLES (CONT.)
Data protection rights and obligations must be complied with throughout the life cycle of the AI system,
including the following:
• Data minimization: AI systems, in development and use, should ensure data is adequate (not too
little or too much data), relevant and limited to what is necessary for the intended purpose.
• What is considered ‘adequate, relevant and limited’ is case-specific.
• Consideration needs to be given to the techniques used to develop the AI system that
process only the data needed while still achieving the required outcome; ‘nice to have data’
should be avoided.
• Collection limitation: A subset of data minimization, this principle restricts how much and
what kind of data is collected.
• Privacy by design: AI systems should be designed, developed and deployed with data protection
and privacy principles applied from the beginning.
• This includes embedding privacy-by-design principles into AI systems from the initial
planning stage and implementing robust internal data governance frameworks.
• Measures taken to ensure compliance with privacy by design and by default and the above
principles may include appropriate technical and organizational measures such as:
• Pseudonymization
• Anonymization
• Encryption of data
• Use of technology to minimize transmission of data
• Robust security measures
• Organizations need to ensure that by default only personal data which is necessary for each
specific purpose of the processing is processed.
Slide 171 (Module 5: Other laws that apply to AI): Data protection and privacy laws: practical recommendations for providers, developers and deployers
Diagram labels: Privacy and data protection by default and by design; PIAs and DPIAs; Purpose specification; Human oversight and review; Transparency; Data governance and technical safeguards; Data retention and deletion plans; Cybersecurity controls; Technical documentation and compliance; Communication with privacy authorities
DATA PROTECTION AND PRIVACY LAWS
Practical recommendations for AI providers can be extracted from the guidance of different
global data protection authorities:
1. Integrate principles of privacy and data protection by default and by design at planning and design
stages of an AI project
2. Conduct PIAs and DPIAs prior to making AI tools available for public use
3. Process personal data only for specific, explicit, legitimate purposes; refrain from processing that is
not in line with individuals’ expectations
4. Have a system in place for human oversight and for review of AI input and output
5. Provide transparent information on personal data collection and usage; providers should share
information on privacy risks with deployers
6. Have data governance and technical safeguards in place for review and filtering of personal data
that is inaccurate or misleading
7. Develop data retention and deletion plans for any personal information collected
8. Implement cybersecurity controls and prevention techniques to keep attackers from extracting
personal data from AI systems
9. Maintain accurate technical documentation and demonstrate compliance with privacy and data
protection laws and policies
10. Communicate closely with DPAs and privacy authorities
Challenges
• Addressing traditional privacy principles/practices (e.g., accuracy; notice; access; deletion)
• Meeting legal requirements and applying data subject rights is complex for AI systems trained on
datasets the system no longer holds or can access
• Laws on issues like automated decision-making (GDPR) were designed with an awareness of AI’s
existence and potential impact but not necessarily an in-depth understanding of it
Resource
Fazlioglu, Müge. “How privacy and data protection laws apply to AI: Guidance from global DPAs.” IAPP,
May 29, 2024.
Slide 172 (Module 5: Other laws that apply to AI): Intersection between the GDPR and AI: introduction
INTERSECTION BETWEEN THE GDPR AND AI
The EU’s General Data Protection Regulation oversees the governing and processing of personal data.
The GDPR, which went into effect in 2018, provides a baseline for privacy and data protection
regulations globally. The GDPR’s scope impacts countries and individuals outside the EU and has
changed how data protection is viewed and practiced throughout the world.
• While the GDPR is a data protection regulation, it also includes baseline requirements on using
automated decision-making tools.
• This guides the approach to achieve responsible AI systems
• Because AI systems also use extensive amounts of data, they are frequently subject to GDPR
requirements to collect, use, protect and control that data, including issues like how to support the
right for individuals to delete their data
• Knowing how key articles in the GDPR apply to AI aids in understanding the application of other
privacy and data protection regulations to AI governance programs
GDPR
• Intended to be technology-agnostic to adapt to evolving technologies over time (including AI)
• Focused on the governing and processing of personal information
AI programs
• Process information that can include personal information (but does not necessarily include it)
• The principles of GDPR are underpinned by a series of requirements that honor data subject rights:
lawfulness, fairness and transparency, purpose limitations, data minimization, accuracy, storage
limitations, integrity, confidentiality and accountability
• Key articles of the GDPR that intersect with AI:
• Article 22: Automated decision-making
• Article 35: DPIAs, when required in relation to high-risk/important processing
• Recital 26: Techniques for pseudonymization and anonymization of data
Slide 173 (Module 5: Other laws that apply to AI): Intersection between the GDPR and AI: automated decision-making
• AI has implications pertaining to the GDPR and automated decision-making since AI relies on large data sets
• Because AI applies automated processes on that data, these requirements naturally will impact how AI can be developed or used
AUTOMATED DECISION-MAKING
• GDPR imposes a general prohibition on automated decision-making, but it is not an outright ban
• Article 22: individuals have the right not to be subject to a decision based solely on automated
processing, including profiling, if that decision produces legal effects or similarly significant impacts
on them
• A legal effect, or significant impact, is a broad concept analyzed on a case-by-case basis and
is still being understood through court cases and how different organizations apply these
principles
• Automated decision-making is allowed only if:
1. Necessary for fulfillment of a contract (e.g., an online bank uses algorithms to approve
loans as part of its service)
2. Authorized by law (e.g., tax fraud detection systems mandated by national legislation)
3. Based on explicit consent (for GDPR compliance, consent must be explicit, freely given
and informed; there must also be a means to opt out)
• Individuals have the right to human intervention, the ability to contest the decision, and the right to
transparency about the logic involved, in certain circumstances
Implementation considerations:
• Broad interpretations of fairness, lawfulness and transparency are required (e.g., making data
subjects aware they are interacting with a chatbot so they know the implications of continuing and
sharing information)
• Data subject rights: Accuracy, correction and right to erasure; key components in ensuring GDPR
compliance
• There is currently no way to remove data from a trained AI model while preserving its original training
• AI models are not set to dynamically update inferences based on new training data without a
formal retraining process
• Redress: a way for data subjects to register a formal complaint or request a review of an automated
decision
• Those conducting reviews must be knowledgeable of and competent with AI technology to
know what to look for and accurately assess if a decision should be overturned
• Have logic already documented on how the AI algorithm works so that it is understandable
• Example: If the AI is a black box, it is difficult to honor the automated decision-making
right to review the outcome, which involves knowing how the AI came to a decision
Slide 174 (Module 5: Other laws that apply to AI): Intersection between the GDPR and AI: pseudonymization and anonymization of data
Anonymized and pseudonymized data can inform and train AI:
• Gather datasets via data scraping
• Voluntary utilization of system
• Reliable source of data for AI?
PSEUDONYMIZATION AND ANONYMIZATION OF DATA
Anonymization
• GDPR does not apply; no longer considered personal information
• Threshold for anonymization varies by jurisdiction and is high under GDPR legislation
• AI benefit: processing vast amounts of data and relying on large datasets to deliver promised
outcomes and benefits
Pseudonymization
• Helpful for protecting data, but pseudonymized data is still considered personal information, so GDPR
obligations apply
• Data can be deidentified, but its utility for AI will drop
Anonymized and pseudonymized data can inform and train AI:
• Datasets gathered by scraping digital content (e.g., social media websites, articles, news articles,
blogs, etc.). Much of that information constitutes personal information.
• Data scraping often occurs without end user knowledge
• Teaches AI models how to create valuable outputs, often without end user/data subject
engagement or consent
• Potentially collecting petabytes of data; data levels unseen before
• Aspects of utilization of the system are voluntary
• Creates conflict/challenge for organizations: end users input information about themselves,
their prompts, items they are interested in
• How is that information used by the system to then improve it?
• Since current legislation was built without AI in mind, questions form regarding building new AI
systems and if they can truly rely on pseudonymous or anonymized data
Slide 175 (Module 5: Other laws that apply to AI): Intersection between the GDPR and AI: use of pseudonymized and anonymized data in AI
• Ideal outcome for AI: ensure there is a way to make systems successful and achieve goals without using personal information
PSEUDONYMIZATION AND ANONYMIZATION OF DATA
Use of pseudonymized and anonymized data in the context of AI
• Must be conducted at scale:
• Working with massive data sets; consider privacy and security controls dynamic enough to
change and accompany the AI system
• Deciding where and when to implement pseudonymization or anonymization that best suits
the needs of the AI and organization results in a more complex AI logic and system
• Ideal outcome for AI: ensure there is a way to make systems successful and achieve goals
without using personal information
Privacy-enhancing or privacy-enabling technologies to achieve pseudonymization and
anonymization
• Because anonymization reduces utility, differential privacy is needed, and the number of queries
against the data must be limited
• Homomorphic encryption is not yet practical at this scale
• Each group of privacy-enhancing technologies fits specific, targeted pockets of use cases
• Example: Secure multiparty computation handles summation, counting and simple arithmetic
operations well; operations such as multiplication and division can become compute-intensive
• Organizations must weigh the costs and benefits of these technologies as they apply to AI and its
supporting technologies
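As an added illustration (not code from the IAPP guide or any of the regulators it cites) of why secure multiparty computation handles summation and counting cheaply while multiplication needs more work, the following Python splits values into additive secret shares over a prime field; the field size, party count and sample values are assumptions for the example.

```python
"""Additive secret sharing: summation is a local operation on shares, multiplication is not."""
import secrets

# Mersenne prime used as the field size; an assumption for this toy example.
PRIME = (1 << 61) - 1


def share(value: int, n_parties: int) -> list[int]:
    """Split `value` into n_parties random shares that add up to value mod PRIME.

    Every share but the last is uniformly random, so any n_parties - 1 shares
    are statistically independent of the secret: a party holding fewer than all
    shares learns nothing about the value it helps to protect.
    """
    if n_parties < 2:
        raise ValueError("need at least two parties")
    if not 0 <= value < PRIME:
        raise ValueError("value out of field range")
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recover a secret; requires all shares, i.e. all parties cooperating."""
    return sum(shares) % PRIME


def secure_sum(records: list[int], n_parties: int) -> int:
    """Aggregate a column of sensitive values without any party seeing a raw value.

    Each record is shared among the computing parties; every party adds up only
    the shares it received (a local, cheap operation), and the aggregate is
    reconstructed from the per-party partial sums. Only the total is revealed.
    """
    partial = [0] * n_parties
    for value in records:
        for party, s in enumerate(share(value, n_parties)):
            partial[party] = (partial[party] + s) % PRIME
    return reconstruct(partial)


def secure_count(flags: list[bool], n_parties: int) -> int:
    """Counting is summation of 0/1 indicators, so it is equally cheap."""
    return secure_sum([1 if f else 0 for f in flags], n_parties)


def naive_product_of_shares(shares_a: list[int], shares_b: list[int]) -> int:
    """Multiply share-by-share and reconstruct; shows this does NOT yield a*b.

    Multiplication is not linear in the shares, so a real MPC protocol needs an
    extra interactive step (for example preprocessed multiplication triples),
    which is where the compute and communication cost comes from.
    """
    return reconstruct([(x * y) % PRIME for x, y in zip(shares_a, shares_b)])


if __name__ == "__main__":
    # Constructed sample: ages from three records, each from a different data subject.
    ages = [34, 51, 29]
    print("secure sum of ages:", secure_sum(ages, n_parties=3))  # 114
    print("secure count of flagged records:", secure_count([True, False, True], 3))  # 2
    # Constructed fixed shares of a = 3 (2 + 1) and b = 5 (4 + 1) between two parties.
    print("share-wise product:", naive_product_of_shares([2, 1], [4, 1]))  # 9, not 15
```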
Slide 176 (Module 5: Other laws that apply to AI): EDPB opinion on AI models: GDPR principles supporting responsible AI
Three-part focus: when and how AI models can be considered anonymous; whether and how legitimate interest can be used as a legal basis for developing or using AI models; what happens if an AI model is developed using personal data that was processed unlawfully
GDPR PRINCIPLES SUPPORTING RESPONSIBLE AI
2024 opinion published by the European Data Protection Board (EDPB)
The Irish Data Protection Authority sought an opinion on the processing of personal data and AI
models in an attempt to harmonize European regulation.
Opinion comprised of three parts in relation to the development and deployment of AI models:
1. When and how can an AI model be considered anonymous? An AI model’s anonymity
should be assessed on a case-by-case basis. To be considered anonymous:
• Personal data related to the training data cannot be extracted out of the model
• Any output produced when querying the model does not relate to the data subjects whose
personal data was used to train the model
2. How can controllers demonstrate the appropriateness of legitimate interest as a legal basis
in the development and deployment phases? To help assess the determination of legitimate
interest as an appropriate legal basis, apply a three-step process:
1) Is there lawful and legitimate interest by the controller or a third party?
2) Is the processing really necessary for the legitimate interest?
3) Balancing test: are the interests and rights of individuals overridden by legitimate interest?
• Opinion also includes criteria to determine if individuals may reasonably expect certain uses of their
personal data:
• Whether or not the personal data is publicly available
• Nature of the relationship between the controller and the individual
• Nature of the service
• Context in which the personal data was collected and from what source
• Potential further uses of the model
• Whether individuals are aware their personal data is online
3. What are the consequences of unlawful processing of personal data in the development
phase of an AI model on the subsequent processing or operation of the AI model? The third
part of the Opinion deals with circumstances where an AI model is developed using personal data
that was processed unlawfully.
• The opinion addresses three scenarios, all unified by a common theme: each requires case-
by-case analysis.
Resource
“EDPB opinion on AI models: GDPR principles support responsible AI.” European Data Protection Board.
December 18, 2024
Slide 177 (Module 5: Other laws that apply to AI): Obligations on data controllers: application to AI
Diagram labels: Data processing principles; Data protection by design and default; Data protection impact assessments; Third-party processors; Cross-border data transfers
OBLIGATIONS ON DATA CONTROLLERS
AI application: Data controllers, those who determine what and how personal data is processed, must
ensure compliance with the GDPR. However, using AI that includes personal data can create issues for
controllers, notably with data integrity, transparency and data subject access.
Some considerations and examples of issues include:
Data processing principles
• Ensure that the processing of personal data is lawful, fair and transparent.
• Apply data minimization, purpose limitation, storage limitation, data accuracy and data integrity
principles.
Data protection by design and default
• Implement technical and organizational measures to meet data processing principles (particularly
data minimization), meet GDPR requirements and protect data subjects’ rights.
Data protection impact assessments
• Have notice and consent requirements been met?
• Will personal data be used to train the AI model?
• Where is the personal data being collected from?
• Is the processing of personal data likely to change?
• What personal data is being utilized by the system and in what way?
• What impact is processing personal data through AI likely to have on individuals?
• Be certain that the processing requirements of the GDPR are met or exceeded.
Use of third-party processors
• Verify that any AI systems used by processors comply with GDPR requirements.
• Determine if personal data can lawfully be used if processors obtain it from other sources. Ensure
data you control is not shared with others by the processors’ AI systems without consent.
Cross-border data transfers
• Exchanging data across national borders to develop, train and deploy AI systems is a cross-border
data transfer under the GDPR.
• Ensure appropriate data processing agreements (DPAs) are in place and you have not agreed to data
localization with the client.
• Is your AI system accessing data from the EU? Or for EU companies, sharing data to a country
outside of the EU?
Continued on next slide
Slide 178 (Module 5: Other laws that apply to AI): Obligations on data controllers: application to AI (cont.)
Diagram labels: Data processing principles; Data protection by design and default; Data protection impact assessments; Third-party processors; Cross-border data transfers; Data subject rights; Automated decision-making; Incident management; Breach notification; Record-keeping
OBLIGATIONS ON DATA CONTROLLERS (CONT.)
Data subject rights
• Legal rights individuals have regarding the use of their personal data to train or operate AI systems
• Rights to access, rectify, erase or restrict processing of their data
• Includes right to understand how AI decisions are made based on their data
• Right to request human intervention
Automated decision-making
• Where automated decision-making produces legal effects or similarly affects the data subject, the
data subject has the right not to be subject to a decision based solely on automated processing,
including profiling
• This restriction does not apply if the decision is necessary for entering into or performance of a
contract between the data subject and data controller, is authorized by Union or Member States
law, or is based on the data subject’s explicit consent
• An example includes automated recruitment practices, which is categorized as high-risk AI under
the EU AI Act and requires human oversight
Incident management
AI can be a “black box” when trying to identify what data is being processed, making it difficult to
determine the extent of an incident and provide accurate information to supervisory authorities.
• Accurate records and regular testing of the AI system can help mitigate this risk
• If procuring the AI from another party, include provisions in the agreement requiring appropriate
assistance with incident management
Breach notification
Similarly, knowing who to notify about a breach can be difficult without accurate documentation and
regular testing.
• If procuring the AI from another party, be certain you get clear answers from them about how they
will help you respect data subject rights
Record-keeping
• AI requires a great deal of data for training, making it difficult to track what personal data has been
collected and how it is used
• Keep accurate records on how the AI system is intended to operate and regularly test to ensure it
operates as expected
• Where required, establish and maintain a record of processing activities containing at least the
minimum information required
Intersection between data privacy laws and AI
Sensitive or special categories of data
• Racial or ethnic origin
• Political views
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for identification purposes
• Health data
• Data about an individual’s sex life or sexual orientation
Module 5: Other laws that apply to AI
SENSITIVE OR SPECIAL CATEGORIES OF DATA
Special categories of data refers to personal information that requires more protection, special
handling and restrictions because it is sensitive.
Privacy regulations such as the GDPR and the LGPD (Brazil’s general data protection law) define
sensitive personal data as personal information that falls into specific categories, including:
• Racial or ethnic origin
• Political views; religious or philosophical beliefs; trade union membership
• Genetic data or biometric data for identification purposes
• Health data or data about an individual’s sex life or sexual orientation
The GDPR has strict requirements for processing sensitive personal data. Processing is only allowed if
one of the following conditions is met:
• Consent: Explicit consent from data subject
• Publicly made information: Personal data was manifestly made public by the individual
• Legal requirements: Processing is necessary to comply with a legal obligation under employment,
social security or social protection law
• Vital interests: Processing is vital to the interests of the individual and the controller demonstrates
that it is not possible to obtain consent (e.g., emergency situations)
• Legal claims: Processing is necessary for the controller to establish, exercise or defend legal claims
• Public interest: Processing for substantial public interest, such as protecting public health (to be
balanced with the data subject’s rights)
• Research and archiving: Processing may be permitted for scientific and historical research, and
statistical or archiving purposes
• Not-for-profit organizations: Processing by a not-for-profit for its members or people in regular
contact with the organization
Resource
GDPR Art 9: Processing of special categories of personal data, April 27, 2016.
Intersection between data privacy laws and AI
Working with sensitive or special categories of data
How to respect data minimization principles yet acquire sensitive information necessary for bias
testing?
• Collect data directly
• Generate intentional proxies
• Buy data
• Ask customers/users for data
Module 5: Other laws that apply to AI
WORKING WITH SENSITIVE OR SPECIAL CATEGORIES OF DATA
In the interests of data minimization, organizations often limit or avoid the collection of sensitive data.
However, without the collection of this type of data, organizations are less able to engage in adequate
bias testing of AI systems.
• Conflict between the need to train and test AI systems for bias and limiting the collection of sensitive
or special categories of data when there is often no other business need for such data
• As audit requirements grow, both as a best practice and as a legal requirement, companies will
experience increasing pressure to collect sensitive data to adequately evaluate their AI systems
What can organizations do?
1. Collect data directly: Intentionally include the collection, handling and protection of sensitive data
starting in the design phase
• Sensitive data shouldn’t be included in the training model, but having it available makes
subsequent testing and oversight more feasible and accurate
2. Generate intentional proxies: Models can unintentionally learn racial biases from strong
correlations in existing data, even without direct racial information
• Operators can intentionally derive demographic insights from less sensitive data, allowing
for an efficient inference of demographic information
• The most prominent method for this type of inference is known as Bayesian Improved Surname
Geocoding
3. Buy data: A way to address missing demographic data; look to data brokers, public data or other
data sets to which your organization may have access
• Raises parallel concerns to ensure that data source, sharing and purpose limitation
considerations align with privacy policies
4. Ask customers/users for data: In many instances, consent is a valid option for collection and use
of sensitive data
• Depending on size/scope of dataset, having even partial information for sensitive categories
may be sufficient for representative testing
• Consider asking a select set of users and explain why the sensitive information is needed
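The following is an added example, not part of the IAPP guide, showing what options 1 and 4 above look like in practice: the sensitive attribute is kept out of the model's features but held in a separate, testing-only lookup (with only partial coverage, as when a subset of applicants volunteers it), and a bias audit joins the two to compute per-group selection rates. The applicant records, the score-threshold screening rule standing in for the hiring tool, and the 0.8 adverse-impact threshold (the "four-fifths" convention from the US Uniform Guidelines on Employee Selection Procedures) are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Applicant:
    """One applicant record. `group` is the self-reported sensitive attribute
    (constructed values "A"/"B"); None means the applicant did not provide it."""
    applicant_id: str
    years_experience: float
    test_score: float
    group: Optional[str]


# Constructed sample input (not real data): 10 applicants, 8 with a known group.
APPLICANTS: List[Applicant] = [
    Applicant("a1", 5.0, 82.0, "A"),
    Applicant("a2", 2.0, 74.0, "A"),
    Applicant("a3", 7.0, 68.0, "A"),
    Applicant("a4", 3.0, 91.0, "A"),
    Applicant("a5", 4.0, 66.0, "B"),
    Applicant("a6", 6.0, 71.0, "B"),
    Applicant("a7", 1.0, 58.0, "B"),
    Applicant("a8", 8.0, 64.0, "B"),
    Applicant("a9", 3.0, 77.0, None),
    Applicant("a10", 2.0, 60.0, None),
]

# Fields that must never reach the model; the audit checks this explicitly.
SENSITIVE_FIELDS = frozenset({"group"})

# Assumed threshold: the "four-fifths" convention from the US Uniform Guidelines
# on Employee Selection Procedures; an organization's policy may set its own.
ADVERSE_IMPACT_THRESHOLD = 0.8


def training_features(a: Applicant) -> Dict[str, float]:
    """Features the screening model is allowed to see (sensitive attribute omitted)."""
    return {"years_experience": a.years_experience, "test_score": a.test_score}


def features_are_clean(applicants: List[Applicant]) -> bool:
    """Guard: no sensitive field leaks into the feature set of any record."""
    return all(SENSITIVE_FIELDS.isdisjoint(training_features(a)) for a in applicants)


def screening_model(features: Dict[str, float]) -> bool:
    """Hypothetical stand-in for the hiring tool: advance when test_score >= 70."""
    return features["test_score"] >= 70.0


def run_model(applicants: List[Applicant]) -> Dict[str, bool]:
    """Model decisions keyed by applicant_id, computed from clean features only."""
    return {a.applicant_id: screening_model(training_features(a)) for a in applicants}


def sensitive_lookup(applicants: List[Applicant]) -> Dict[str, str]:
    """Testing-only store mapping applicant_id -> group, for records that supplied it.
    Kept apart from the training pipeline (in practice: under separate access control)."""
    return {a.applicant_id: a.group for a in applicants if a.group is not None}


def selection_rates(decisions: Dict[str, bool], lookup: Dict[str, str]) -> Dict[str, float]:
    """Share of applicants advanced, per group, over records with a known group."""
    selected: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for app_id, group in lookup.items():
        if app_id not in decisions:
            continue
        total[group] = total.get(group, 0) + 1
        selected[group] = selected.get(group, 0) + int(decisions[app_id])
    return {g: selected[g] / total[g] for g in total}


def adverse_impact_ratio(rates: Dict[str, float]) -> Optional[float]:
    """Lowest group selection rate divided by the highest; None when undefined."""
    if len(rates) < 2 or max(rates.values()) == 0.0:
        return None
    return min(rates.values()) / max(rates.values())


def bias_audit(applicants: List[Applicant], threshold: float = ADVERSE_IMPACT_THRESHOLD) -> dict:
    """Join model decisions with the separately held sensitive attribute and report
    coverage (how partial the sensitive data is), per-group rates, the ratio and a flag."""
    if not features_are_clean(applicants):
        raise ValueError("sensitive field present in training features")
    decisions = run_model(applicants)
    lookup = sensitive_lookup(applicants)
    rates = selection_rates(decisions, lookup)
    ratio = adverse_impact_ratio(rates)
    return {
        "coverage": len(lookup) / len(applicants) if applicants else 0.0,
        "rates": rates,
        "ratio": ratio,
        "flag": ratio is not None and ratio < threshold,
    }


if __name__ == "__main__":
    # On the constructed sample: coverage 0.8, rates A=0.75 / B=0.25, ratio 0.33, flagged.
    print(bias_audit(APPLICANTS))
```

The coverage figure is what tells the reviewer how much of the sample the audit actually speaks for, which is the caveat behind "partial information may be sufficient" above.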
Resource
Burt, Andrew and Brenda Leong. “AI vs. privacy: How to reconcile the need for sensitive data with the
principle of minimization.” IAPP, August 16, 2023.
CASE STUDY
Axentis Health Solutions
Managing sensitive data in AI systems
Module 5: Other laws that apply to AI
CASE STUDY: MANAGING SENSITIVE DATA IN AI SYSTEMS
Axentis Health Solutions, a global leader in AI-driven healthcare technologies, faced significant
challenges when integrating biometric data into their patient monitoring systems. The organization
recognized that handling sensitive data, such as facial recognition and fingerprint scans, required strict
adherence to privacy laws like the GDPR and HIPAA. To address these challenges, Axentis implemented
a multi-layered governance framework that included rigorous vendor screening processes, ensuring
third-party AI models met safety and compliance standards. They also conducted regular risk
assessments to identify vulnerabilities in data handling and storage practices.
By collaborating with legal experts and data scientists, Axentis developed tailored policies to manage
sensitive data responsibly, including encryption protocols and access controls. These measures not
only ensured compliance but also strengthened patient trust in their innovative AI solutions.
DISCUSSION QUESTION
What are the benefits of incorporating encryption protocols and access controls in managing sensitive
data within AI technologies?
POSSIBLE ANSWERS:
The benefits are manifold:
Compliance with legal obligations
• Security of personal data is a key principle to ensure data protection compliance and a requirement
under the EU AI Act and various codes, best practices and governance frameworks
• Personal data must be appropriately secured to protect it against unauthorized or unlawful processing
and against loss, destruction or damage
Decreased possibility of security incidents and data breaches
• By implementing a robust governance framework, Axentis is minimizing the possibility of security
incidents and data breaches, thereby reducing the possibility of an infringement of legal and contractual
obligations
Resource saving
• This will save Axentis resources (time and money) it might otherwise have had to devote to such security
incidents or data breaches, including fines or claims
Trust
• Axentis is also protecting its brand and reputation and building stakeholder trust
Audits and/or regulatory or stakeholder queries
• Axentis will be best placed to respond to any internal or external auditors or queries from regulators or
other stakeholders, including client and potential client assessments
Module 5: Other laws that apply to AI
REVIEW QUESTION
A company is developing an AI system to analyze customer data for personalized marketing. During the
design phase, the team discusses how to ensure compliance with data privacy laws. They decide to
limit the data collected to only what is necessary for the marketing purpose and to inform customers
about how their data will be used. Which principles are they applying?
A. Data minimization and collection limitation
B. Purpose limitation and transparency
C. Notice and data collection
D. Consent and data subject rights
Answer: B
The correct answer is purpose limitation and transparency, which focus on limiting data use to specific
purposes and informing customers about data usage.
MODULE 5: Other laws that apply to AI
LESSON 2: INTELLECTUAL PROPERTY LAWS AND AI
The topics in this lesson align to the following performance indicator on the AIGP body of knowledge:
• Understand how intellectual property laws apply to AI (e.g., prohibiting or limiting use of data for AI
training) (II.B)
Intellectual property laws and AI
Key concerns
• Authorship and ownership of AI-generated works
• Copyright challenges
• Patent law and inventive AI
• Trademark and branding risks
• Training data and licensing
• Global legal uncertainty
Module 5: Other laws that apply to AI
INTELLECTUAL PROPERTY LAWS AND AI
Intellectual property refers to the creations of the human mind utilized in commerce (e.g., inventions,
literary and artistic works, designs, symbols, names and images).
• IP is protected in law by instruments such as patents, copyright and trademarks, which allow
individuals to gain recognition or financial benefits from their inventions or creations by granting
them rights to control the use of these goods and services for a limited time
• Historically, all forms of IP have been human-created; the advent of GenAI introduces new complexities
Traditional IP legal frameworks are being stretched and redefined by the rise of AI. This is a
challenging and rapidly evolving space, marked by numerous legal cases progressing through courts
worldwide, leading to more questions than answers. Different jurisdictions are not necessarily adopting
a consistent approach to these issues, compounding complexities.
Key concerns regarding IP and AI:
• Authorship & ownership of AI-generated works: The current question is whether IP laws should
apply to the creations of AI systems, in the same way that they apply to works created by humans. If
so, then who owns the IP rights?
• Copyright challenges: The concern is understanding what data can be used to train AI models. A
recent U.S. case, Bartz v. Anthropic PBC (2025), is a significant ruling on whether AI model developers
can use copyright-protected works to train their models. While detailed reading of the case and
decision is recommended, the court drew a distinction between lawfully obtained material
(purchased) and the use of collected pirated copies of material.
• Anthropic offered to pay at least $1.5 billion to settle a class-action lawsuit from authors and
publishers who accused it of using pirated books to train its Claude chatbot
• Patent law and inventive AI:
• A number of unsuccessful attempts have been made to the European Patent Office, U.S.
Patent Office and UK Patent Office to have an AI system designated as an inventor.
• South Africa has recognized AI as an inventor, while Australia initially allowed it but later
reversed the decision, requiring inventors to be human.
• Trademark and branding risks: While AI might make it easier to create a new logo, design, etc., it’s
important to remember that existing trademark legislation must be complied with.
• Training data and licensing: The demand for data has never been bigger. It’s important to review
the license agreement and/or contract for permitted use.
• Global legal uncertainty: Uncertainty persists as organizations navigate a landscape of change that
will likely take time to stabilize. This situation is further complicated by the diverse approaches
adopted across jurisdictions, making it critical to stay informed about new legislation and case law.
IP legislation and AI
Questions regarding legislation as AI evolves
Module 5: Other laws that apply to AI
IP LEGISLATION AND AI
AI evolves far faster than legislation and raises new questions as laws develop.
IP considerations:
• How do the principles and protections of copyright laws apply to AI?
• The data scraping and collection practices leveraged to train generative AI systems have
already put pressure on the understanding and expectations around intellectual property
protections
• Can the output of an AI be considered original and therefore warrant copyright protection?
• A recent federal court decision determined AIs cannot be listed as "inventors" for the purposes
of obtaining a patent
• If AIs cannot be inventors and develop patentable inventions, how much human
intervention/participation is necessary to meet the threshold? Where is the line and how is it
measured?
• These are just some questions that courts, government agencies and legislators will have to
resolve as AI becomes more prevalent
• Are there laws prohibiting or limiting the use of copyrighted data for AI training?
• AI systems need lots of data — much of which is copyrighted — and there is a grey area about
whether using this data without permission violates IP laws
• For example, the EU allows some data use for research under certain conditions but requires
licenses for commercial use, while in the U.S., fair use provisions may apply in certain cases,
though courts are still figuring that out. In China, there’s a focus on ensuring AI systems respect
copyright and data protection rules, but no blanket bans exist. These varying regulations show
the challenge of balancing AI innovation with protecting creators' rights.
Rely on your legal department to determine how IP laws affect your use of AI. Laws may apply or may
be challenged as to whether they apply to your AI use. Examples: generating content that may include
protected material; using protected material from your organization in AI applications.
Awareness of legal issues
What are some challenges surrounding AI models and data licensing?
Module 5: Other laws that apply to AI
CHALLENGES SURROUNDING AI MODELS AND DATA LICENSING
A key challenge for AI models and data licensing is determining who owns the data. Protecting IP rights
will be critical and must be included when creating an AI model, especially if using third-party AI
programs and processes.
• Data licenses for AI models must account for a licensor's ownership and permitted use of the data.
• In the U.S., some AI providers rely on "fair use" as a copyright infringement defense. Fair use is a
legal doctrine promoting freedom of expression by allowing unlicensed use of copyright-protected
works in certain circumstances (like criticism, news reporting and research) without permission from
or payment to a copyright holder.
Data licensing terms can regulate the following concerns between parties:
• Designating certain model components as trade secrets.
• Protecting model components by limiting the right to use them, designating them as confidential
information in the terms and conditions, and restricting the use of confidential information.
• Determining the license and use rights between provider and user for each model component.
• Establishing rights in the terms and conditions.
• Liability and indemnification.
Key aspects licensees should seek:
• Performance metrics to ensure the model is adequately accurate, reliable and robust.
• Contractual warranties and indemnities to mitigate the risk of underperformance.
• Thorough testing and validation, in advance of the license and on an ongoing basis.
Generative AI systems and IP
• Copyrights for outputs generated by AI systems: If an AI system generates a work, who owns the
copyright of that work: the developer of the AI system or the user?
• AI systems may scrape or extract data from publicly available sources, leading to potential misuse of
IP. Does the organization’s jurisdiction consider that the use of such material violates IP law?
• The U.S. Court of Appeals for the Federal Circuit determined that ONLY humans can be named as
inventors on a patent. Thaler v. Vidal, 43 F.4th 1207, 1210 (Fed. Cir. 2022), cert. denied, No. 22-919
(U.S. 24 April 2023). This development has significant implications for any company seeking to
protect AI-generated innovations.
• In 2020, the European Patent Office published reasoned decisions on the refusal of two patent
applications designating AI as an inventor.
• The use of AI systems can make it more difficult to detect and enforce violations of IP rights. For
example, to identify instances of copyright or trademark infringements when an AI system creates
works that are like existing works but not identical.
Resources
Eisner, Rebecca S., “Artificial Intelligence Licensing.” Mayer Brown LLP, 2020.
“Licensing and AI: Understanding the Challenges of Licensing AI Models.” Vinson & Elkins, Feb. 24, 2023.
CASE STUDY
Designova
Navigating AI ownership challenges
Module 5: Other laws that apply to AI
CASE STUDY: NAVIGATING AI OWNERSHIP CHALLENGES
A global technology company, Designova, faced significant challenges in determining authorship and
ownership of outputs generated by its AI systems. Designova had developed an AI tool capable of
creating innovative product designs, but questions arose regarding who held the intellectual property
rights to these outputs. Traditional intellectual property laws, which emphasize human creativity, did
not provide clear guidance for AI-generated content. This ambiguity created legal and operational risks,
particularly when the AI tool was integrated into client-facing projects.
To address these complexities, Designova implemented a comprehensive governance framework.
• This framework included policies that explicitly defined ownership attribution for AI-generated
outputs and required vendor agreements to specify intellectual property rights.
• Additionally, Designova conducted regular risk assessments to ensure compliance with intellectual
property laws and mitigate potential conflicts.
By taking these proactive measures, Designova successfully aligned its AI governance strategy with
existing legal frameworks, reducing risks and fostering innovation in its operations.
DISCUSSION QUESTION: What are the potential risks of not clearly defining ownership attribution for
AI-generated outputs in vendor agreements?
POSSIBLE ANSWERS:
If Designova had not clearly defined ownership in the vendor agreements, it could have been left exposed in
several ways:
• Other parties not aligning with Designova’s views on ownership
• Other parties asserting ownership in conflict with Designova’s
• The above could lead to protracted claims and disputes taking up valuable resources and deflecting
attention and energy from Designova’s business
• It is important that Designova stays up to date with the changing legal landscape
Module 5: Other laws that apply to AI
REVIEW QUESTION 1
A company is developing an AI model and plans to use large datasets, some of which may include
copyrighted material. What is a key challenge they might face regarding intellectual property laws?
A. Ensuring AI systems meet minimum performance metrics
B. Determining whether AI-generated outputs can be patented
C. Balancing the use of copyrighted data with creators' rights
D. Establishing ownership of AI-generated trademarks
Answer: C
Balancing the use of copyrighted data with creators’ rights is a key challenge as AI systems often require large
amounts of data, much of which may be copyrighted, raising questions about fair use and permissions.
Option A is a concern for AI system deployment, not directly related to intellectual property laws and training
data. Options B and D are challenges related to AI-generated outputs, not specifically about training data.
MODULE 5: Other laws that apply to AI
LESSON 3: NONDISCRIMINATION LAWS AND AI
The topics in this lesson align to the following performance indicator on the AIGP body of knowledge:
• Understand how nondiscrimination laws apply to AI (e.g., in the employment, credit, lending,
housing and insurance contexts). (II.B)
Nondiscrimination laws and AI
Navigating nondiscrimination laws and guidelines presents challenges in relation
to AI:
• Obtaining bias-free data
• Subjective nature of determining discriminatory impact
• Acquiring relevant and current data
Module 5: Other laws that apply to AI
NONDISCRIMINATION LAWS AND AI
Navigating nondiscrimination laws and guidelines presents challenges in relation to AI.
• It is often difficult to find training data that is free from bias.
• Determining discriminatory impact is subjective, so data scientists may interpret what constitutes
prejudicial impact differently.
• There are challenges in acquiring useful data and ensuring it remains up to date.
• Privacy and data protection laws may restrict movement of this useful information, adding
complexities.
Generative AI systems, which typically involve multiple processes or many steps to produce a final
result, increase complexities with various inputs and outputs involved at each step.
• Managing these numerous variables makes it more challenging to regulate the AI system, ensure
fairness and comply with laws.
How nondiscrimination laws apply to AI in different contexts:
Health care
As the health care industry increasingly uses AI tools for clinical care and administrative duties,
concerns over discrimination have given rise to new requirements.
• U.S. Department of Health and Human Services Office of Civil Rights final rule (Section 1557)
• Prevents discrimination based on race, color, national origin, sex, age or disability in health
care settings.
• Requires covered entities to proactively identify and address potential discriminatory
impacts of AI tools, taking corrective actions if discriminatory treatment is found.
• 21st Century Cures Act (U.S.):
• Is not AI specific, but promotes the use of advanced technologies, including AI.
• Aims to enhance accessibility and transparency of health data to prevent discrimination.
Resource
Adams, Katie. “Navigating AI in Health Care: HHS’s Nondiscrimination Final Rule is in Effect.” Bipartisan
Policy Center, July 19, 2024.
Continued on next slide
Nondiscrimination laws and AI
• Insurance
• Hiring and employment
• Credit and lending
• Housing
Module 5: Other laws that apply to AI
NONDISCRIMINATION LAWS AND AI (CONT.)
How nondiscrimination laws apply to AI in different contexts:
Insurance
• State regulated (U.S.)
• Some discrimination is inherent, e.g., younger drivers being charged more for auto insurance, or
people with specific health conditions paying higher health insurance premiums
• NAIC Model Law (2020)
• Guidelines for regulating AI to ensure algorithms (among other things) do not perpetuate
unlawful or unethical discrimination
• New York state has AI-specific guidance for all insurers authorized to provide insurance in that state
Hiring and employment
Anti-discrimination laws regarding hiring are well-defined and well-developed
• EEOC Guidance on AI and Hiring (2021): AI and algorithms used in hiring must comply with existing
federal nondiscrimination laws; AI tools must not disproportionately disadvantage people based on
protected characteristics
• New York City local law mandates a specific AI audit for automated employment decisions for NYC
employees
Credit and lending
• FCRA is the foundational law for anti-discrimination requirements in financial services, but no
specific AI guidance
• Consumer Financial Protection Bureau issued a request for information and comments on how AI is
used in credit decision-making in 2021
• Additional guidance from the Federal Reserve, Office of the Comptroller of the Currency and other
agencies around how AI can be responsibly included in these practices
Housing
• Fair Housing Act (1968): still the foundational law governing housing discrimination
• Must be able to demonstrate compliance with anti-discrimination rules even when ranked or scored
by an AI system
• U.S. Dept of Housing and Urban Development (2020): guidance focused on automated decision-
making in housing and how algorithms used in rental or mortgage lending decisions must adhere to
FHA nondiscriminatory practices
CASE STUDY
InnovateMart
Addressing bias in training data
Module 5: Other laws that apply to AI
CASE STUDY: ADDRESSING BIAS IN TRAINING DATA
A global retail company, InnovateMart, faced challenges in ensuring its AI-driven hiring tool complied
with nondiscrimination laws. The tool, designed to streamline candidate selection, inadvertently
favored certain demographics due to biased training data. This raised concerns about potential
violations of equal employment opportunity regulations.
To address the issue, InnovateMart conducted a comprehensive audit of the AI system, identifying and
removing biased data points. They collaborated with data scientists and legal experts to refine the
algorithm, ensuring it aligned with legal standards and ethical hiring practices. Additionally,
InnovateMart implemented regular bias testing and established a governance framework to monitor
the tool's performance over time. They also provided training for HR teams to understand AI limitations
and ensure human oversight in decision-making processes.
By taking these proactive measures, InnovateMart not only mitigated legal risks but also reinforced its
commitment to fair and inclusive hiring practices.
DISCUSSION QUESTION: How can audits prevent bias?
POSSIBLE ANSWERS:
Audits can be a powerful method to assist with detecting, preventing and reducing bias, for the following
reasons:
• Spotlight: Having an audit process in place that focuses on bias detection shines and maintains a
spotlight on the importance of the issue.
• Expectations: Audits establish clear expectations for those developing and using the AI tool and its
output
• Accountability: Audits ensure accountability
• Process improvement: Where issues are found, they can be fixed
• Guardrails: Audits ensure the guardrails put in place at the start of the process are maintained
REVIEW QUESTION 1
A large organization is planning to implement an AI-driven tool to streamline its hiring process, aiming
to reduce time spent on candidate screening and improve efficiency. However, the company has found
indications of bias in the algorithm, favoring certain demographic groups. What should the company do
to ensure compliance with nondiscrimination laws?
A. Conduct a comprehensive audit to identify and address biased data points in the algorithm.
B. Continue using the algorithm as it is to maintain efficiency in the hiring process.
C. Modify the algorithm to favor underrepresented groups to counteract the bias.
D. Remove all human oversight from the hiring process to ensure objectivity.
Answer: A
Conducting an audit helps identify and mitigate biases in the algorithm, ensuring compliance with
nondiscrimination laws and promoting fairness.
-- 197 of 320 --
LESSON 4: CONSUMER PROTECTION AND PRODUCT LIABILITY
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Understand how consumer protection laws apply to AI (e.g., prohibiting unfair and deceptive acts or
practices). (II.B)
• Understand how product liability laws apply to AI (e.g., prohibiting design or manufacturing defects).
(II.B)
-- 198 of 320 --
Module 5: Other laws that apply to AI
CONSUMER PROTECTION LAWS AND AI
U.S. Federal Trade Commission
• Broad authority over general commercial operations to prevent unfair or deceptive practices
• Applies to privacy and security concerns related to programs and algorithms (will continue to apply
to AI)
• AI-specific interpretations of these standards will likely be developed and applied over time
The FTC and other U.S. agencies have confirmed existing regulatory frameworks will apply to AI
technologies:
• "Existing legal authorities apply to the use of automated systems and innovative new
technologies just as they apply to other practices. The Consumer Financial Protection
Bureau, the Department of Justice’s Civil Rights Division, the Equal Employment Opportunity
Commission, and the Federal Trade Commission are among the federal agencies responsible for
enforcing civil rights, nondiscrimination, fair competition, consumer protection and other vitally
important legal protections."
The following U.S. laws require interpretation to determine how and when they apply to AI
technologies:
• Employment: Title VII and EEOC regulations
• Consumer finance: Equal Credit Opportunity Act, the Fair Credit Reporting Act
• SR 11-7: A regulatory standard set out by the U.S. Federal Reserve Bank that gives guidance on
model risk management
• OSHA’s guidelines for robotics safety and "hazard analysis"
• The Food and Drug Administration’s (FDA) systemic approval processes for software as a medical
device
-- 199 of 320 --
LEGISLATION AND AI: EU DIGITAL SERVICES ACT AND PRODUCT SAFETY LAWS
While the focus here is largely U.S. laws and standards, the principles apply to other jurisdictions, such
as the EU Digital Services Act (DSA), local intellectual property and competition laws, and AI regulations
like the EU AI Act.
EU DSA:
• Aims to create a safe, transparent and accountable digital environment, preserving innovation and
fundamental rights
• Overlaps the EU’s General Data Protection Regulation (GDPR) regarding transparency.
• Increases overall transparency related to online platforms; for instance:
• Recommender systems (AI that makes recommendations to users, such as products):
Online platforms should inform users on how these systems impact the way information is
displayed.
• Online advertising: On the interface where an advertisement is presented, users should be
able to access information such as parameters that determined that the advertisement
would be presented (e.g., logic used and if it was based on profiling).
In addition, be aware of product safety laws:
• EU AI Act includes existing product safety laws.
• U.S. Consumer Product Safety Commission is working to develop standards.
• Many existing product safety laws are being expanded to include AI processes and programs.
• There are differences across jurisdictions as to whether existing product safety laws apply to AI (i.e., whether AI is considered a product under existing law).
-- 200 of 320 --
LIABILITY REFORM
Product liability law
• Economic actors who make and sell products (retailers, distributors, manufacturers) are held
responsible for the harm their products may cause
• Fault liability regimes
• Must be proven that some action or inaction by the product maker caused the harm (e.g.,
noncompliance with a relevant product safety law; negligence resulting from failure to
exercise due care)
• Strict liability regimes
• Sometimes referred to as no-fault liability regimes
• Victims don't need to prove intentional wrongdoing or fault on the part of the product
maker, only that the product was defective, and that defect caused the harm
Product liability laws and AI
• Who should be held responsible for harm when it is caused by AI?
• Not developed with AI in mind; uncertainty as to how legal frameworks should apply to AI
• Challenges to proving liability and compensating for AI-induced harm in these cases:
• Difficult to attribute harm due to the autonomous, constantly evolving and changing
nature of AI systems
• Machine learning models independently learn how to identify patterns in training
data, then apply what they have learned to patterns in new datasets; this happens
autonomously and increases in efficiency over time
• If the output is generated autonomously by the AI system and leads to some form of
harm, it is difficult to attribute responsibility
• AI systems are highly complex and technical in nature
• AI systems, especially more advanced systems that utilize deep learning and neural
network technologies, can be opaque
• It can be difficult for those who built and designed AI systems to understand,
interpret and explain why a system generates the outputs it does, and it may be
even more difficult for courts and other actors to do so
-- 201 of 320 --
LIABILITY REFORM: U.S.
U.S. product liability laws are determined at state levels
• Three types of liability claims apply relatively widely:
1. Strict liability: Victims must prove they were harmed by a defective product
2. Negligence: Product maker has failed to exercise due care, which leads to harm
3. Breach of warranty: Promises about products were not met and harm has been caused
• U.S. courts are beginning to apply these principles to liability cases
• Minimal guidance on how the U.S. legal framework for product liability applies to harm caused by AI
products
• Undetermined if AI systems and services will be defined and classified as products under U.S.
product liability law
• Examples:
• Rodgers vs. Christie (2020), U.S. District Court, New Jersey: ruled an AI system did not
qualify as a product according to the New Jersey Products Liability Act
• Connecticut Fair Housing Association vs. CoreLogic Rental Property Solutions
(ongoing): plaintiff argues the AI model breaches fair housing requirements
• The White House Office of Science and Technology Policy published a blueprint for an AI Bill of
Rights, taking guidance from the Federal Trade Commission (FTC) and the Food and Drug
Administration (FDA), and incorporated the NIST Risk Management Framework
• The FTC has warned that unsubstantiated claims about the accuracy or efficacy of biometric
information tools (e.g., facial recognition software or collection of biometric data) may violate the
FTC Act
• As laws develop, organizations will be exposed to risk of litigation, having to compensate victims and
disclosing sensitive information about systems and practices
• AI products, research and development teams must be educated about potential liabilities and
potential harms AI systems could cause
Organizations must prepare for a future in which they may be held liable for a wide range of harms
that AI systems cause. This responsibility extends to third-party vendors, as well as organizations that
develop, utilize and deploy AI independently, including distributors and importers within the AI supply
chain.
-- 202 of 320 --
LIABILITY REFORM: EU
EU liability reform
As of September 2025, the Revised Product Liability Directive (Directive 2024/2853) has been adopted;
Member States must transpose it into national law by December 2026, when it takes effect. Its goal is to
make it easier for victims to prove liability and receive compensation when AI causes harm.
Revised Product Liability Directive:
Expanded scope to digital and AI-enabled products
• Includes standalone software, digital manufacturing files (e.g., digital instructions for automatic
control of machinery or manufacture of a product), AI-enabled systems, and other digital elements
in its definition of “products,” ensuring that liability rules apply to modern technology; also includes
cloud-based AI services and digital platforms distributing AI systems
• Covers updates and modifications: liability extends to software updates, patches and modifications
that later render a product defective
Burden of proof and causal link between defects and harm
• Introduces rebuttable presumptions of defectiveness of the product to ease the burden of proof for
claimants in cases where AI’s complexity makes it difficult to prove a direct causal link between the
defect and the harm suffered
• Allows courts to infer causality when a defect is highly probable, shifting the burden of proof to the
manufacturer to disprove liability
• Allows claimants to request the disclosure of technical documentation to support their claims
• Judges, however, must balance disclosure with confidentiality protections including trade secrets
Harmonized strict liability across the EU
• Harmonizes liability laws across EU Member States, ensuring victims of AI-related harm have
consistent rights, regardless of where the damage occurs
• Retains a strict liability regime, meaning victims do not need to prove negligence — only that the
product was defective and caused harm
• Liability will apply to defects from updates, upgrades or continuous learning in the AI systems
• Ensures broader accountability: manufacturers, importers, authorized representatives, fulfillment
service providers, online platform providers (in certain cases, e.g., if they represent that the
products are their own or do not identify a liable party), software developers and AI providers can
be held liable for defects
Continued on next slide
-- 203 of 320 --
LIABILITY REFORM: EU (CONT.)
Revised Product Liability Directive:
Types of damage covered
• Covered damages include, in addition to injury, death and property damage, psychological harm
caused by defective AI systems; financial losses from security vulnerabilities or incorrect AI-driven
decisions; and data loss or corruption, recognizing the value of digital assets as compensable
damage
Liability chain: Who can be held responsible?
• Includes manufacturers; software developers and AI providers; importers and distributors; third-
party AI integrators
Implications for AI developers and compliance requirements
• Requires AI developers to ensure robust testing, validation and risk assessment throughout the life
cycle of an AI product, including incorporating cybersecurity updates
• Increases requirements around documentation and explainability to prove that AI-driven decisions
do not introduce product defects
• Requires alignment of liability considerations with the EU AI Act, ensuring their AI models adhere to
predefined safety and ethical standards
-- 204 of 320 --
CASE STUDY: ENSURING AI PRODUCT SAFETY
SyntraHome, a leading manufacturer of smart home devices, faced significant challenges when
integrating AI-driven features into their product line. After launching an AI-powered thermostat, the
company encountered reports of overheating issues that posed safety risks to consumers.
Investigations revealed that the defect stemmed from a third-party AI model used to optimize energy
efficiency. This incident highlighted the importance of conducting comprehensive risk assessments and
establishing clear liability terms with vendors to address potential design and manufacturing defects.
To mitigate future risks, SyntraHome implemented a robust governance framework that included
rigorous testing protocols and vendor screening processes. It required third-party providers to supply
detailed safety documentation and conducted independent evaluations to ensure compliance with
product liability standards. Additionally, SyntraHome updated its internal policies to define
accountability for AI-related failures, ensuring consumer protection remained a top priority. By taking
these proactive measures, the company not only resolved the immediate issue but also strengthened
its approach to AI governance, fostering trust and innovation in its product offerings.
DISCUSSION QUESTION
What steps can companies take to ensure third-party AI models meet safety and reliability standards
before integration into their products?
POSSIBLE ANSWERS:
• Conduct rigorous vendor screening/assessments
• Obtain a copy of certification(s) and ensure they are up to date
• Verify compliance with relevant industry standards and regulations
• Examine safety testing reports, performance benchmarks and technical specifications
• Review the vendor’s incident response procedures
• Conduct a security audit
• Start with limited pilot deployments to test integration in controlled environments
-- 205 of 320 --
REVIEW QUESTION 1
A company uses an AI-powered chatbot to handle customer inquiries. However, the chatbot provides
misleading information about the company’s refund policy, causing confusion among customers. Based
on consumer protection laws, what is the company’s responsibility in this situation?
A. Ensure the chatbot is programmed to provide accurate and transparent information.
B. Replace the chatbot with a human customer service representative.
C. Limit the chatbot’s use to non-customer-facing tasks.
D. Disclose to customers that the chatbot may provide inaccurate information.
Answer: A
Consumer protection laws require companies to avoid deceptive practices, including ensuring their AI
systems provide accurate information.
-- 206 of 320 --
REVIEW QUESTION 2
A company develops an AI-powered medical diagnostic tool that provides inaccurate results, leading to
harm for several patients. What is a key legal challenge in holding the company accountable under
product liability laws?
A. Proving that the company intentionally caused harm.
B. Determining whether the AI system qualifies as a product under the law.
C. Establishing that the patients were aware of the AI system's limitations.
D. Demonstrating that the AI system was developed using outdated technology.
Answer: B
One of the key challenges is the uncertainty around whether AI systems are classified as products under
existing product liability laws.
-- 207 of 320 --
Module 6
Governing AI development
MODULE 6: GOVERNING AI DEVELOPMENT
Introduction
The development of AI projects follows a life cycle similar to the one used for software development, but
AI development also focuses on data and requires continuous monitoring and maintenance. In all phases,
policies, procedures, best practices and ethical considerations should be applied in governing the AI
project.
Defining the business context and AI use case is a crucial first step. This involves understanding the
specific needs and objectives the AI model aims to address within the organization. Additionally,
performing or reviewing an impact assessment on the AI system helps identify potential risks and
benefits, ensuring that the system aligns with business goals and ethical standards.
This module will also discuss governing data collection and use in AI design and development. An
organization may have legal requirements for data governance; the module also discusses best
practices. As the AI is planned, designed and developed, the organization must identify and manage
internal and external risks and contributing factors that relate to designing and building the system.
Training and testing of the AI must be performed, as well as documented.
-- 208 of 320 --
LESSON 1: GOVERNING THE PLANNING, DESIGNING AND BUILDING OF THE AI MODEL
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Define the business context and use case of the AI system (III.A)
• Perform or review an impact assessment on the selected AI system (III.A)
• Apply the policies, procedures, best practices and ethical considerations to designing and building
the AI system (e.g., purpose of AI, requirements gathering, architecture and model selection, human
oversight, data analysis, metric and threshold evaluation, stakeholder engagement and feedback,
and operational controls) (III.A)
• Identify and manage the internal and external risks and contributing factors related to designing
and building the AI model and system (e.g., using probability/severity harms matrix, using a risk
mitigation hierarchy, stakeholder mapping, use case evaluation, benchmarking, pre-deployment
pilots and testing) (III.A)
• Document the designing and building process (e.g., to establish compliance and manage risks) (III.A)
-- 209 of 320 --
Key stages in the AI system development life cycle (slide figure: planning and design; data collection and
preparation; model development; model testing and evaluation; deployment; monitoring and
maintenance; shown as an iterative process)
RECALL: THE AI SYSTEM DEVELOPMENT LIFE CYCLE
Key stages:
• Planning and design
• Data collection and preparation
• Model development, including selection and training
• Model testing and evaluation
• Deployment
• Monitoring and maintenance
• Decommissioning
Note: TEVV is continuous – testing/evaluation/verification/validation occurs across the life cycle; a pre-
deployment pilot is a late-stage validation activity under realistic conditions.
-- 210 of 320 --
DEFINING THE BUSINESS PROBLEM
• Review the business objectives and requirements and define the business problem
• Consider alternatives to using AI to solve the business problem, including current systems and other
options
• Perfection is not the standard of success for an AI solution. Ensure that you contrast AI
options with available alternatives, as opposed to an "ideal" solution.
Several different types of business problems exist, but three are common to most organizations:
1. Classification: A problem that requires using an AI system to classify data into different types —
type A, type B, and potentially more
2. Regression: A problem that requires using an AI system to predict what an organization should do
in the future based on past data
3. Recommendation: A problem that requires using an AI system to make a recommendation; e.g.,
viewer recommendations and product recommendations
While these are the traditional categories of AI use, a fourth category has emerged — generative AI
used to create content (code, text, images, etc.).
-- 211 of 320 --
USE CASES FOR THE ORGANIZATION
• Next, identify AI use cases; focus on the organizational mission.
• What is the mission of your organization?
• What does the organization do?
• What's important to the organization and what are its main goals?
• Then, identify gaps: Where is the organization not meeting its goals?
• Use as input for use cases
-- 212 of 320 --
DETERMINING THE SCOPE
• To determine the scope of the project, first prioritize the business problems you want to solve. This
will help you determine which use cases to undertake first.
• Focus on three qualities:
• Impact of use of an AI system for the particular problem
• How big of an impact will it have?
• Will it solve a bigger problem or a smaller problem?
• What is it going to take to do that?
• Effort
• What types of resources do you need available to implement the AI system?
• How long is it going to take?
• Fit to prioritize the use case and business case
• How well does the use of an AI system fit with the goals of the organization and the
identified business problem?
• You will also need to identify what laws may apply, and how, as part of the planning and design
process.
• It is important to look ahead to compliance requirements, because they can impact choices
you make in this phase.
-- 213 of 320 --
EVALUATING DATA AVAILABILITY
Data is the foundation of any AI system, making it essential to evaluate the availability and quality of
data.
• Identify the types of data accessible to your organization and assess their accuracy, sufficiency, and
relevance to the identified use cases
• Explore additional data sources if necessary to ensure alignment with the requirements of the AI
system
Proper data evaluation minimizes risks and enhances the performance of the AI model and system
during development and implementation.
-- 214 of 320 --
ESTABLISHING A GOVERNANCE STRUCTURE
Establishing a robust governance structure is crucial for the planning phase.
• Determine whether an AI governance framework exists within your organization and identify the
individuals responsible for maintaining and implementing it
• Includes defining roles for policy creation, system development and testing oversight
• Appointing an executive champion for AI initiatives can enhance support and drive organizational
alignment
Proper governance ensures accountability, compliance and the successful execution of the AI
development process.
-- 215 of 320 --
STAKEHOLDER ENGAGEMENT AND FEEDBACK ON AI DEVELOPMENT
Stakeholders who contributed to the development of general AI governance policies must also provide
their insights on the specific AI systems currently being developed. Their input is essential for ensuring
that the new AI initiatives align with established governance frameworks and meet organizational
objectives.
Different teams and roles will have distinct questions about the project.
For example:
• Legal/compliance teams
• What specific requirements will impact the use of this model?
• What liability might this model create?
• Marketing/procurement/sales personnel
• What opportunities will this create?
• What competitive advantage should be prioritized?
• Leadership
• Is the AI being developed consistent with our overall values and business model
(human rights, environmental impacts, etc.)?
-- 216 of 320 --
OPERATIONAL CONTROLS
As part of creating and updating operational controls, the organization must determine who will:
• Have real-time operational responsibility
• Conduct intermittent or routine audits and reviews
• Establish and respond to feedback and appeal mechanisms
• Elevate issues when there are emergent (or emergency) situations of concern
• Own the “kill switch” for the AI
-- 217 of 320 --
PERFORMING IMPACT ASSESSMENTS
In the AI model design phase, it is important to perform or review an impact assessment on the AI
model. An impact assessment is a risk management tool used to assess an AI system's benefits, risks
and limitations throughout its life cycle.
An algorithmic impact assessment should cover the data issues and document decisions your
stakeholder group makes. This may include risk identification and mitigation or identifying who
approves and accepts risk on behalf of your organization.
• Utilize existing resources and processes
  • Where possible, build off existing data protection impact assessments (DPIAs) or privacy impact assessments (PIAs)
    • A DPIA is a means to identify risks coming out of the processing of personal data and minimize these risks as much as possible
    • A PIA is an analysis of how personally identifiable information (PII) is handled, used to help ensure handling conforms to applicable requirements regarding privacy
  • One drawback of using only a PIA or DPIA is that they are not AI-specific
  • Ensure you identify gaps between existing processes and what you need for an algorithmic impact assessment
• Consider performing a PIA on underlying training data
  • A PIA may not cover everything you need to have in an AI governance document, so you may also want to do a DPIA
  • You can also tailor your organization’s existing PIAs and DPIAs to ensure they are relevant and effective for your current AI projects
Resources
"Algorithmic Impact Assessment tool." Government of Canada, updated April 25, 2023.
Example of what an AI impact assessment should include: “Microsoft Responsible AI Impact Assessment Template.” Microsoft, June 2022.
Risk assessment strategies
• Use case evaluation
• Stakeholder mapping
• Probability/severity harms matrix
• Risk mitigation hierarchy
RISK ASSESSMENT STRATEGIES
Risk assessment strategies serve as essential components for evaluating potential risks. To effectively
assess risk, implement the following strategies in the specified order to identify, evaluate, treat and
mitigate risks throughout the AI life cycle.
1. Use case evaluation – planning and design stages:
  • Recommended for all types of AI models.
  • Determines if the organizational need warrants AI use and informs the type of AI model suitable for the organizational need.
  • Methodically evaluate AI use cases on multiple areas, such as ease of implementation, strategic alignment and required expertise. Flag relevant risks as part of the assessment.
2. Stakeholder mapping – planning and design stages:
  • Recommended for all types of AI models.
  • Project management step which ensures the correct parties are part of the decision-making process.
  • Map stakeholder interests and maintain open lines of communication to identify risks early on, align with stakeholder objectives and make informed decisions.
3. Probability/severity harms matrix – design and development stages:
  • Recommended for all types of AI models.
  • Basic risk assessment which rates a risk on the severity of the harm and its probability of occurring, then multiplies the severity score by the probability score.
4. Risk mitigation hierarchy – design, development and implementation stages:
  • Recommended for all types of AI models.
  • Basic risk assessment strategy critical during AI development and implementation.
  • Used in tandem with the harms matrix – this is the “now what” portion of identifying risks. Risks are identified and managed according to their impact.
  • Involves avoiding a risk, minimizing a risk, and remediating and/or offsetting a risk’s impact.
Risk assessment strategies
• Benchmarking
• Pre-deployment pilots
RISK ASSESSMENT STRATEGIES
5. Benchmarking – planned in late-design* stage; executed once a candidate model exists (often during early development/testing):
  • Recommended especially for machine learning models, neural networks and reinforcement learning.
  • Particularly useful when dealing with AI models that are less transparent (e.g., “black box” models).
  • Using standardized tests to evaluate and compare the performance of different AI systems on elements like accuracy, speed and how they handle complex tasks.
  • Can be a broader benchmarking tool or one that evaluates specific aspects of models, such as certain aspects of the language understanding of an LLM.
6. Pre-deployment pilots – planned in late-design* stage; executed during deployment readiness, immediately before “go-live”:
  • Recommended for all types of AI models.
  • A trial phase that happens before deploying the AI.
  • Ideally, the pilot settings and conditions will match that of production as closely as possible.
  • Pilots are intended to determine whether the AI works as expected and provide a chance to make updates before deployment.
Your stakeholder group should work together to measure risks in your algorithm and AI system. Use a
repeatable process and choose methodologies to use routinely.
*Late design (in this course): the end of planning and design when objectives, constraints, controls and
acceptance criteria are stable enough for evaluation evidence to shape final decisions.
REVIEW QUESTION 1
Why is it important to evaluate data availability during the planning phase of an AI system?
A. To ensure the data aligns with the requirements of the AI system
B. To identify the stakeholders responsible for data governance
C. To determine the key performance indicators (KPIs) for success
D. To establish a governance structure for the AI system
Answer: A
Evaluating data availability ensures that the data is accurate, sufficient, and relevant to the AI system's
requirements, which is critical for its success.
MODULE 6, LESSON 2
Governing data collection and use in AI design and development
LESSON 2: GOVERNING DATA COLLECTION AND USE IN AI DESIGN AND DEVELOPMENT
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Establish and follow the requirements for data governance (e.g., assess and document lawful rights to collect and use data, and assess data quality, quantity, integrity and fit-for-purpose) (III.B)
• Establish and document data lineage and provenance (III.B)
Governance across the AI data life cycle
Data life cycle (slide figure): Collection: gathering data about an individual. Use: sharing data for any purpose. Disclosure: sharing or providing access to personal data. Retention: saving the data until destruction. Destruction: making personal data unrecoverable.
GOVERNANCE ACROSS THE AI DATA LIFE CYCLE
AI data governance does not stop at collection. It must span the entire life cycle, from ingestion to
decommission.
In addition, AI data governance involves cross-functional data stewardship, where responsibilities
are assigned across privacy, risk, ML, legal and governance teams for ongoing oversight of data across
all phases.
Key areas of oversight:
• Training data governance
  • Validate lawful basis, data minimization, accuracy, and diversity during the training phase.
  • Assess bias risks.
  • Maintain reproducibility logs.
• Evaluation and testing
  • Govern the use of validation/test sets, including fairness metrics, drift testing and edge case analysis.
  • Embed explainability obligations early.
• Deployment
  • Implement data governance policies for real-time data inputs, human-in-the-loop models and retraining triggers.
  • Enforce access controls and logging.
• Monitoring and drift detection
  • Continuously audit input/output data for data drift, concept drift and changes in quality or representativeness.
  • Flag anomalies for governance review.
• Decommissioning
  • Secure deletion or archiving of datasets, training artifacts and output logs in accordance with regulatory retention policies.
  • Document rationales and impacts.
More info on decommissioning later in this lesson.
Data: questions to ask
• WHAT data is required?
• HOW MUCH data is needed?
• HOW is data collected?
• WHERE is data stored?
DATA: QUESTIONS TO ASK
AI systems are all about data. If you don’t have the right data, enough data, or accurate data, it will not
be usable or the AI system will not perform well.
Questions to ask in relation to data for your AI model:
• What data is required?
• How much data is needed?
• How is data collected?
• Where is data stored?
Further considerations:
• Do you have the right data to make your AI system usable?
• What type of data is accessible to you and usable?
• Do you need to look for new data?
• Are there jurisdictional data requirements to anticipate?
  • Examples:
    • Privacy requirements
    • Data localization laws
    • Regulatory disclosures (for example, KYC standards. KYC stands for “Know Your Customer,” and is a process by which financial institutions verify information on customers and assess if funding sources for their activities are legitimate.)
  • More detailed information on legal compliance is covered later in this training; however, it is important to note that at this stage the organization should investigate what the compliance obligations may be and build this into the development process.
Data lineage and provenance
DATA LINEAGE AND PROVENANCE
Data lineage and provenance are two related but distinct concepts critical for effective data
governance.
• Chart data lineage and provenance
  • Data lineage tracks the flow of data over time, providing a record of data throughout its life cycle: where it originated, how it changed and its destination.
    • It is commonly used to gain context about historical processes and trace issues back to a root cause.
    • It is an audit trail for data at a very granular level. These details are helpful for debugging data errors.
  • Data provenance is similar to data lineage but refers specifically to the first instance of the data or its source. It tracks and logs the history and origin of data, covering its life cycle from creation and collection to transformation. It includes details about sources, processes, actors and methods.
    • It helps ensure data integrity and quality.
    • It determines which laws, regulations or directives apply as it ties to origins of the data.
• Document data lineage and provenance
  • Dataset documentation should include information on data lineage and provenance to the extent that it is available.
  • Tools like data sheets or the templates included with model inventories can be used to document this.
Data gathering considerations: data quality
Bad data going into a system … means bad results coming out.
DATA GATHERING CONSIDERATIONS: DATA QUALITY
Data gathering refers to the process of collecting and preparing data for analysis and use in AI systems.
• Involves identifying the necessary data sources, determining the methods of collection and ensuring
that the gathered data is relevant and of high quality
• Effective data gathering is fundamental to the success of AI projects, as it sets the foundation for
accurate modeling and decision-making
Data quality
• Assess data for training the algorithm
  • Accurate?
  • Representative of data to be used?
  • Nonbiased?
  • Statistical sampling can help identify data gaps
• Information systems development, in general, is concerned with data quality
  • "Garbage in, garbage out": If you have bad data going into a system, you will end up with bad results coming out
• Examine the quality of the data going into the AI design and the overall system and model
Data gathering considerations: data formats
• Structured or unstructured?
• Static or streaming?
DATA GATHERING CONSIDERATIONS: DATA FORMATS
• Structured vs. unstructured
  • Structured: organized and formatted for databases. Typically resides in fixed fields, such as rows and columns in a spreadsheet.
    • Examples: customer names and addresses in a database, transaction dates in a ledger
  • Unstructured: lacks a specific structure and does not fit neatly into typical database fields. Includes a variety of data formats including text, dates, numbers and facts.
    • Examples: social media posts; media such as videos, audio recordings and images
  • The main differences between structured and unstructured data formats are organization, storage, processing requirements and tools that manage and analyze them. Structured data is easier to analyze and supports business intelligence and quantitative uses, while unstructured data is better for predictive analytics and qualitative insights.
  • Unstructured data is now being used in new ways, including in generative AI. Most data produced is unstructured.
  • Semi-structured: does not adhere to a rigid structure like structured data but has properties making it easier to process and analyze than unstructured data. It uses tags, elements or other markers to provide information about content.
    • Key characteristics include having a flexible schema and using a hierarchy
    • Examples: XML files; email with a standard format also containing free-form text
    • Useful in scenarios where data sources are diverse or evolving
• Static vs. streaming
  • Static: data that does not change
    • Example: Historical data, such as records of past sales
  • Streaming: data that changes
    • Example: Data about customer visits to a website that changes every visit
Wrangling/preparing data: the five V’s
• Most time-consuming step in the development life cycle
• Involves converting raw data to valuable information
• Five V’s of data preparation: volume, velocity, variety, veracity, value
WRANGLING/PREPARING DATA: THE FIVE V’S
• The most time-consuming step in the development life cycle (about 80% of the entire life cycle)
• It is important to do this properly, so the system has good input and output
• Involves taking raw data and converting it to valuable information
• Most raw data is not usable; it must be reformatted in a certain way to use in the system
• The five V's of data preparation:
  1. Volume
    • How much data do you have?
    • How large is the data set or data sets that you're going to be using? This is necessary to understand how much preparation you're going to need to do.
  2. Velocity
    • How often does it get updated?
    • Does it regularly change?
  3. Variety
    • What type of data is it?
    • Is it structured, unstructured or another type of data?
  4. Veracity
    • How accurate is it?
    • How trustworthy is it?
    • Did you get it from a source that you know is reliable, so you don't have to worry that the data might not be correct?
  5. Value
    • What is the outcome that you want from the use of the AI system?
    • Will the data get you there?
    • Is it the right data to use?
Wrangling/preparing data: considerations
• Cleansing
• Labeling
• Anonymization
• Data minimization
• Privacy-enhancing technologies (PETs)
WRANGLING/PREPARING DATA: CONSIDERATIONS
• Cleansing
  • Removing erroneous and irrelevant data from the data sets
  • Ensures proper AI system performance and reliability
• Labeling
  • Tagging or annotating the data to identify what kind it is
  • Makes data understandable for machine learning models
• Anonymization
  • A method to protect privacy that involves removing items from the data that could identify individuals, like name, Social Security number, phone number and address
  • Completely anonymizing data is difficult because individuals can be identified in many ways and combining data sets can potentially reidentify them
• Purpose specification and data minimization
  • Data should not be involved as input or training for a model if the data is not necessary for a specific application
  • Minimizing the use of personal data helps to protect individuals’ privacy
• Privacy-enhancing technologies (PETs)
  • Differential privacy
    • Blurs data using an algorithm that keeps it meaningful but makes it nonspecific
    • Individuals are unidentifiable but the data is still usable
  • Federated learning
    • A machine learning method for training models that does not require sharing sensitive data among different locations
    • The global model is in a central location such as "the cloud." Different locations download the global model and train it on their local data.
    • Only updates of the local model, not the training data itself, are sent to the central location, where they are aggregated into the global model
    • The process is iterated until the global model is fully trained
    • Can help solve problems, such as diagnosing an illness using data from different locations where symptoms may be seen
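The two PETs described above, differential privacy and federated learning, as added example code (not from the course): a Laplace-noised count that stays meaningful but no longer pins down any one record, and federated averaging of a small linear model where only fitted parameters, never the readings, leave each site. The patient records, sites, model and learning rate are constructed for the demonstration.

```python
import math
import random

# ---- Differential privacy: a Laplace-noised count --------------------------

def laplace_noise(rng, scale):
    """One draw from Laplace(0, scale) via the inverse CDF of a uniform."""
    u = max(rng.random(), 1e-12) - 0.5      # guard against log(0)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records, predicate, epsilon, rng):
    """Count the records matching `predicate` and blur the result.

    Adding or removing one individual changes a count by at most 1
    (sensitivity 1), so Laplace noise with scale 1/epsilon makes the
    released value epsilon-differentially private: close to the true
    count, but no longer revealing whether any single record is present."""
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(rng, 1.0 / epsilon)


# ---- Federated learning: federated averaging of a linear model -------------

def local_train(global_model, data, lr, epochs):
    """Client side. Start from the downloaded global model (w, b), run
    full-batch gradient descent on the local (x, y) pairs, and return only
    the updated parameters plus the sample count; the data never leaves."""
    w, b = global_model
    n = len(data)
    for _ in range(epochs):
        # gradient of the half mean-squared error of y_hat = w*x + b
        gw = sum((w * x + b - y) * x for x, y in data) / n
        gb = sum((w * x + b - y) for x, y in data) / n
        w -= lr * gw
        b -= lr * gb
    return (w, b), n


def federated_average(updates):
    """Server side. Aggregate client parameters weighted by sample count."""
    total = sum(n for _, n in updates)
    w = sum(m[0] * n for m, n in updates) / total
    b = sum(m[1] * n for m, n in updates) / total
    return (w, b)


def train_federated(clients, rounds=40, lr=0.4, epochs=5):
    """Iterate: download global model -> local training -> upload parameters -> aggregate."""
    global_model = (0.0, 0.0)
    for _ in range(rounds):
        updates = [local_train(global_model, data, lr, epochs) for data in clients]
        global_model = federated_average(updates)
    return global_model


# ---- Constructed sample data (not real patients or sites) ------------------
PATIENTS = [
    {"site": "A", "age": 34, "positive": True},
    {"site": "A", "age": 41, "positive": False},
    {"site": "B", "age": 29, "positive": True},
    {"site": "B", "age": 52, "positive": True},
    {"site": "B", "age": 47, "positive": False},
]
# Two sites hold readings that follow the same rule y = 2x + 1 (constructed);
# neither site's readings are sent to the server, only its fitted (w, b).
SITE_A = [(-1.0, -1.0), (-0.5, 0.0), (0.0, 1.0)]
SITE_B = [(0.5, 2.0), (1.0, 3.0), (1.5, 4.0)]


def true_positive_count(records):
    return sum(1 for r in records if r["positive"])


if __name__ == "__main__":
    rng = random.Random(7)
    for eps in (0.1, 1.0, 10.0):
        noisy = dp_count(PATIENTS, lambda r: r["positive"], eps, rng)
        print("epsilon", eps, "noisy positives:", round(noisy, 2),
              "(true", true_positive_count(PATIENTS), ")")
    w, b = train_federated([SITE_A, SITE_B])
    print("federated model: w=%.3f b=%.3f (expected 2, 1)" % (w, b))
```

Smaller epsilon means more noise and stronger privacy; the federated result converges to the shared rule although no site ever saw the other's data.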
Model features
• Work with subject matter experts
• Use the same features for training and testing
• Avoid unnecessary features
MODEL FEATURES
• Work with subject matter experts to select the features
  • A feature is a specific measurable aspect or characteristic, such as height, color or substance
  • Feature engineering involves identifying the set of features most important for the analysis being done
    • Example: in calculating a credit score, it is not important to know a person’s height, but it may be important to know their age
• Use the same features for training and testing the model to avoid inconsistencies between the two
• Avoid any unnecessary features that you do not need
  • Makes testing more difficult
  • Waste of money and resources to develop
Consider using feature flags to make it easier to address areas like the need to roll back features if an issue occurs or when deploying to multiple jurisdictions with differing requirements.
• The use of feature flags is a deployment technique that allows you to turn some functionality of an application off without needing to deploy new code.
• You can deploy new features into a production environment but restrict their availability to particular users or groups at run time.
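An added example (not course code) of the feature-flag pattern just described: flags are loaded from configuration, evaluated per user at run time against jurisdiction, group and rollout percentage, and a kill switch turns a feature off without a redeploy. The flag names, configuration shape and user fields are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class FeatureFlag:
    name: str
    enabled: bool = True                               # master switch: False turns it off everywhere
    jurisdictions: set = field(default_factory=set)    # empty = available in every jurisdiction
    groups: set = field(default_factory=set)           # empty = available to every user group
    percentage: int = 100                              # gradual rollout: share of eligible users


def load_flags(config_text):
    """Flags live in configuration, not code, so changing one needs no deploy."""
    flags = {}
    for item in json.loads(config_text):
        flags[item["name"]] = FeatureFlag(
            name=item["name"],
            enabled=item.get("enabled", True),
            jurisdictions=set(item.get("jurisdictions", [])),
            groups=set(item.get("groups", [])),
            percentage=int(item.get("percentage", 100)),
        )
    return flags


def rollout_bucket(flag_name, user_id):
    """Stable 0-99 bucket per (flag, user). SHA-256 is used instead of Python's
    hash(), which is randomised per process and would move users between
    buckets on every restart."""
    digest = hashlib.sha256(f"{flag_name}:{user_id}".encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % 100


def is_enabled(flag, user):
    """Evaluate a flag for one user at run time.

    `user` is a dict with "id", "jurisdiction" and "groups" (a constructed
    shape, not a schema from the course)."""
    if not flag.enabled:
        return False
    if flag.jurisdictions and user["jurisdiction"] not in flag.jurisdictions:
        return False
    if flag.groups and not (set(user.get("groups", ())) & flag.groups):
        return False
    return rollout_bucket(flag.name, user["id"]) < flag.percentage


def disable(flags, name):
    """Kill switch / rollback: switch the feature off for everyone, no redeploy."""
    flags[name].enabled = False
    return flags[name]


# Constructed configuration: a new scoring model limited to EU users in the
# beta group, and an explanation panel rolled out to half of all users.
FLAG_CONFIG = """
[
  {"name": "new_scoring_model", "jurisdictions": ["EU"], "groups": ["beta"]},
  {"name": "explanation_panel", "percentage": 50}
]
"""

if __name__ == "__main__":
    flags = load_flags(FLAG_CONFIG)
    eu_beta = {"id": "u-1001", "jurisdiction": "EU", "groups": ["beta"]}
    us_beta = {"id": "u-1002", "jurisdiction": "US", "groups": ["beta"]}
    print(is_enabled(flags["new_scoring_model"], eu_beta))   # True
    print(is_enabled(flags["new_scoring_model"], us_beta))   # False: jurisdiction not allowed
    disable(flags, "new_scoring_model")
    print(is_enabled(flags["new_scoring_model"], eu_beta))   # False: kill switch thrown
```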
Feature engineering
• Improves model performance
• Reduces computational costs
• Boosts model explainability
FEATURE ENGINEERING
Feature engineering is transforming data into useful representations (features). It includes:
• Reducing feature information overlap
• Feature optimization
• Removal of certain features to narrow scope
• Regeneration of the entire feature set
Purposes of effective feature engineering:
1. Improving model performance: Improving AI model or pipeline performance is the most important purpose
  • Data scientists attempt to derive and structure datasets so a model can optimally learn the relationships of a feature to targets
  • Goal: curating and creating a subset of features providing the greatest predictive power for an AI model
2. Reducing computational costs
  • Decreasing computational and storage costs of models and improving latency for training models and making predictions. Reduced cost is due to fewer computational requirements.
  • Computational effectiveness is improved through:
    • Reducing the number of features, and thus the amount of data, to process and store for training
    • Reducing the number of features and data in an API call
    • Ensuring the data is valuable and provides predictive power for a model, which increases its usefulness to users and value for the business
    • Write once, serve twice: well-written feature definitions that are versioned and tested can be mirrored for both training and production usage
    • Snapshotting a model’s business logic and definitions for future users and developers
3. Boosting model explainability
  • Model explainability/interpretability: degree to which someone can consistently predict a model’s result; highly valuable and required in many AI use cases
  • Essential to help ensure fairness, privacy, reliability, robustness, causality and trust. In other words, it affects situations where models can significantly impact users and the larger society, directly or indirectly.
Decommissioning AI systems: data risks, requirements and governance
Key concerns and governance considerations: residual risk management; data disposal and retention; model archiving; documentation obligations; communications; knowledge retention; security risks; downstream dependencies; third-party AI; governance checklist.
DECOMMISSIONING AI SYSTEMS: DATA RISKS, REQUIREMENTS AND GOVERNANCE
At the end of its life cycle, the AI system must be decommissioned. This phase of the project occurs
when the use case is no longer needed, the system no longer delivers value or it is replaced with more
advanced technology.
• Residual risk management
  • Use formal shutdown procedures that address ongoing exposure, as decommissioned AI systems may still pose risks due to archived models or retained training data.
• Data disposal and retention
  • Securely dispose of or anonymize training, validation and inference data in compliance with applicable laws.
  • Ensure no data retention beyond purpose.
• Model archiving
  • For retained models (e.g., for audit or legal defense), ensure encryption, access control and a justification for retention.
  • Apply privacy-preserving archiving techniques wherever possible.
• Documentation obligations
  • Maintain records of decommissioning activities, including justifications, stakeholders, residual risks and audit logs, in alignment with ISO 42001 (AI Management Systems).
• Communications
  • Notify stakeholders of model retirement, especially if models impact services or decisions.
  • For high-risk or regulated use cases, consider issuing external notifications.
• Knowledge retention
  • Capture lessons learned, performance issues and governance challenges.
• Security risks
  • Ensure endpoints, APIs and model artifacts are securely taken offline and validated as non-exploitable, as decommissioned models can still be vulnerable.
• Downstream dependencies
  • Map and monitor applications or services that rely on models that will be decommissioned.
  • Implement failovers or redirect logic where necessary.
• Third-party AI
  • When decommissioning third-party models, ensure the contract exit clauses cover data return/deletion, liability waivers and post-deployment audits.
• Governance checklist
  • Use an AI Decommission Checklist that includes data, models, infrastructure, documentation, risk sign-off and post-mortem review.
REVIEW QUESTION 1
What is a technique that protects information about training data from being revealed by "blurring"
data points using an algorithm to generate values that remain meaningful yet nonspecific?
A. Minimization
B. Differential privacy
C. Anonymization
D. Federated learning
Answer: B. Differential privacy
The use of differential privacy blurs the data using an algorithm that keeps the data meaningful but makes it nonspecific (e.g., individuals are not identifiable).
REVIEW QUESTION 2
Which of the following is a key consideration during the data wrangling process to ensure data quality
and privacy?
A. Implementing federated learning for distributed model training
B. Data cleansing to remove erroneous or irrelevant data
C. Data labeling to annotate datasets with relevant tags
D. Using feature flags to manage model features
Answer: B. Data cleansing to remove erroneous or irrelevant data
Data cleansing is a critical step in data wrangling as it ensures data quality by removing errors and irrelevant
information, which also helps address privacy concerns.
Federated learning is a technique for training models while preserving data privacy, but it is not a direct
consideration during the data wrangling process.
While data labeling is important for machine learning, it is not a direct consideration for ensuring data
quality and privacy during data wrangling.
Feature flags are used to manage features in models, not directly related to ensuring data quality and
privacy during data wrangling.
MODULE 6, LESSON 3
Governing the development of the AI system
LESSON 3: GOVERNING THE DEVELOPMENT OF THE AI SYSTEM
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Apply the policies, procedures, best practices and ethical considerations to designing and building
the AI system (e.g., purpose of AI, requirements gathering, architecture and model selection, human
oversight, data analysis, metric and threshold evaluation, stakeholder engagement and feedback
and operational controls) (III.A)
• Plan and perform training and testing of the AI model and system (e.g., unit, integration, validation,
performance, security, bias and interpretability) (III.B)
• Identify and manage issues and risks during training and testing of the AI model and system (III.B)
• Document the training and testing process (e.g., to validate results, establish compliance and
manage risks) (III.B)
• Document the designing and building process (e.g., to establish compliance and manage risks) (III.A)
Developing the AI system
Building and refining the model to meet specific objectives
DEVELOPING THE AI SYSTEM
The development phase of an AI system involves building and refining the model to meet specific
objectives.
• Begins with defining the features of the model and ensuring consistency between training and
testing datasets
• Collaboration with subject matter experts is crucial for selecting relevant features and performing
feature engineering
• Transforming raw data into meaningful inputs for the model is essential
Model training is an iterative process where different models are trained, tested and fine-tuned to
achieve optimal performance.
• Evaluation metrics guide the testing phase to ensure the model meets system requirements and
business goals
• Testing on new data, beyond the training dataset, is essential for confirming the model's ability to
generalize effectively
• Reliable outcomes in real-world scenarios depend on thorough testing and validation
Human oversight of AI development: three lines of defense model
• 1st line: management and process owners
• 2nd line: teams responsible for emerging risks
• 3rd line: internal staff (e.g., internal audit team)
HUMAN OVERSIGHT OF AI DEVELOPMENT: 3LOD MODEL
• A best practice, and sometimes a legal requirement
• How much oversight is needed may be determined by data type and sensitivity, application of the
automated tool and jurisdiction
One effective approach is the three lines of defense (3LOD) model, a governance model for optimizing risk management that can be applied to AI development.
1. The first line of defense is management and process owners, who are responsible for
implementing risk management policies and procedures
2. The second line of defense is teams responsible for identifying and addressing emerging
risks in daily operations by way of compliance and oversight
3. The third line of defense is internal staff, such as an internal audit team, who perform
independent audits on the effectiveness of the organization’s risk management efforts and report
results
The 3LOD model can be used with a principle known as the “effective challenge principle”
• Asserts that individuals with the proper expertise should have an opportunity to challenge a risk
management model to help identify its limitations and ultimately create a more effective model
Determining the system architecture: selecting a model
Choose an algorithm according to the desired level of accuracy and interpretability of the data.
• What do you want to learn from the data?
• How will it help solve the business problem?
• What are the other requirements and constraints?
DETERMINING THE SYSTEM ARCHITECTURE
• When selecting the model, choose an algorithm according to the desired level of accuracy and interpretability of the data.
  • What do you want to learn from the data?
  • How will it help solve the business problem?
  • What are the other requirements and constraints?
    • Examples:
      • Do you have a time constraint for completing the model? How does that impact the available training time?
      • Are additional efforts needed to ensure the data is completely accurate?
Training, testing and validation
Training
• Train, test, evaluate and retrain different models
• Identify the best model and settings
• Iterative
Testing
• Test models on relevant evaluation metrics for consistent
and expected performance
• Use new data, not the training data
Validation
• Validate models against use cases and expected outcomes
• Document results and observed behavior
TRAINING, TESTING AND VALIDATION
For training, testing and validation, use representational subsets of your original dataset:
• Training data
• Used to train the machine learning model
• Test data
• Used to test the performance of the machine learning model
• Both should include all types of data used in the original dataset or to be used in the final
product
• Training
• Train, test, evaluate and retrain different models to determine what the best model is to use
• Determine the best settings to achieve the desired outcome for your AI system
• Iterative: fine tuning different models to help ensure the best possible outcome for
your needs
• Testing
• Test your models on relevant evaluation metrics for consistent and expected performance
within identified metrics
• Based on previously developed metrics determined as soon as you know your
system requirements
• Develop metrics to determine how to evaluate that requirements were met
• Test on new data
• Helps to ensure your models generalize well and meet your business goals
overall
• Validation
• Validate your models against real-world use cases and expected outcomes to confirm
alignment with system requirements
• Document the validation results, including test conditions, model version, data set used for
that model and observed behavior
• Allows for challenger models to be accurately created
• Allows for transparency with regulatory agencies and consumers
Training the AI model: core concepts
• Data is fundamental: training data shapes the model’s behavior and must be representative, fair
and compliant
• Model objectives: understand what the model is optimizing for (e.g., accuracy, fairness, efficiency)
• Training vs. fine-tuning: the initial training phase establishes the model, while fine-tuning tailors it
to specific tasks or domains
TRAINING THE AI MODEL
Model training is the “process of ‘teaching’ a machine learning model to optimize performance on a
training dataset of sample tasks relevant to the model’s eventual use cases.” – IBM
• AI governance professionals do not need to be expert model builders, but understanding how
training an AI model works helps ensure sound oversight
• Data is fundamental: Training data shapes the behavior of the model. Governance must ensure
that the data is:
• Representative (encompasses diverse scenarios)
• Fair (free from harmful biases)
• Compliant (adheres to privacy and legal standards)
• Model objectives: It is crucial to understand what the model is optimizing for (e.g., accuracy,
fairness, efficiency)
• This understanding directly impacts risk management and accountability
• Training vs. fine-tuning: The initial training phase establishes the model, while fine-tuning tailors it
to specific tasks or domains
• Governance must diligently track both processes
Resources
“Topic: What is model training?” IBM.
Test and validate the AI system: types of testing
Accuracy, robustness, reliability, privacy, interpretability, safety, bias
TEST AND VALIDATE THE AI SYSTEM: TYPES OF TESTING
It is important to continuously validate and test your algorithm, to ensure integrity and performance of
the AI
• Your risks should inform testing
• The purpose, algorithm type, whether you integrate with third-party tools and specific
regulations for your organization’s sector will determine what kind of testing is required
• Types of testing can include:
• Accuracy
• Robustness
• Reliability
• Privacy
• Interpretability
• Safety
• Bias
• One way to address privacy in AI is to use PETs applied to training and testing data along with
other privacy protective measures. Some common PETs include homomorphic encryption,
differential privacy, deidentification/obfuscation techniques and federated learning.
Metric and threshold evaluation
• Establish what measures or metrics will be applied
• Establish technical or legal thresholds
• Create baseline or benchmarks for performance
• Monitor performance over time against thresholds
System audits are among the most common mechanisms used to provide assurance on specific AI
performance functions: performance, reliability and safety.
METRIC AND THRESHOLD EVALUATION
Metric and threshold evaluation is a best practice for evaluating performance when designing and
building the AI model. System audits, described below, are among the most common mechanisms
used to provide assurance on specific AI performance functions.
• Establish what measures or metrics will be applied
• Example: using the Adverse Impact Ratio (AIR) to evaluate model outputs will assess the system
for bias, that is, it will demonstrate whether a system operates fairly across subsets of users
based on minority characteristics
• Establish the technical or legal thresholds for those measurements
• Ensure thresholds align with industry standards and regulatory requirements
• Create baseline or benchmarks for AI system performance
• Performance is compared to a predetermined threshold value and is deemed over, at, or under
the threshold. For the legal standard for bias, the operator may choose to apply U.S.
employment law benchmarks such as the “4/5s rule” for unacceptable levels of disparate
impact.
• Monitor performance measurements over time against identified thresholds
• Use automated tools to track deviations and generate alerts for significant changes
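As an added example (not code from the IAPP guide), the following Python computes each group’s selection rate and Adverse Impact Ratio, checks it against the four-fifths threshold described above, and produces alerts when a monitoring period falls under it; the applicant records, the group names and the 30-record minimum group size are constructed assumptions.

```python
"""Adverse Impact Ratio (AIR) computation, threshold check and period-over-period
monitoring. Added example, not code from the IAPP guide; all data is constructed."""
from collections import Counter
from typing import Iterable

# Threshold from the U.S. "4/5s rule": a group whose selection rate is under
# 80% of the highest group's rate is flagged for potential disparate impact.
FOUR_FIFTHS = 0.8

# Assumption: groups with fewer records than this are reported as "too few
# records" rather than scored, because a ratio from a handful of cases is noise.
MIN_GROUP_SIZE = 30


def selection_rates(records: Iterable[tuple[str, bool]]) -> dict[str, float]:
    """Map each group to its selection rate from (group, selected) records."""
    total: Counter[str] = Counter()
    selected: Counter[str] = Counter()
    for group, was_selected in records:
        total[group] += 1
        if was_selected:
            selected[group] += 1
    return {g: selected[g] / total[g] for g in total}


def adverse_impact_ratios(rates: dict[str, float]) -> dict[str, float]:
    """AIR of each group = its rate / the highest group's rate (reference group)."""
    if not rates:
        return {}
    reference = max(rates.values())
    if reference == 0.0:
        # Nobody was selected in any group: no disparity can be measured.
        return {g: 1.0 for g in rates}
    return {g: r / reference for g, r in rates.items()}


def groups_below_threshold(ratios: dict[str, float],
                           threshold: float = FOUR_FIFTHS) -> dict[str, float]:
    """Groups whose AIR is under the threshold (the ones needing review)."""
    return {g: air for g, air in ratios.items() if air < threshold}


def evaluate_period(records, threshold=FOUR_FIFTHS, min_group_size=MIN_GROUP_SIZE):
    """Score one monitoring period. Returns (ratios, flagged, too_small)."""
    records = list(records)
    counts = Counter(g for g, _ in records)
    too_small = sorted(g for g, n in counts.items() if n < min_group_size)
    scored = [(g, s) for g, s in records if g not in too_small]
    ratios = adverse_impact_ratios(selection_rates(scored))
    return ratios, groups_below_threshold(ratios, threshold), too_small


def monitor(periods: dict[str, list[tuple[str, bool]]],
            threshold: float = FOUR_FIFTHS) -> list[str]:
    """Check every period against the threshold; return alert strings, oldest first."""
    alerts = []
    for period, records in periods.items():
        _, flagged, too_small = evaluate_period(records, threshold)
        for g in sorted(flagged):
            alerts.append(f"{period}: group {g} AIR {flagged[g]:.2f} is below {threshold:.2f}")
        for g in too_small:
            alerts.append(f"{period}: group {g} has too few records to score")
    return alerts


def make_records(group: str, selected: int, rejected: int) -> list[tuple[str, bool]]:
    """Constructed helper: expand counts into individual (group, selected) rows."""
    return [(group, True)] * selected + [(group, False)] * rejected


# Constructed sample: two quarters of loan-approval decisions (not real data).
PERIODS = {
    "2025-Q1": make_records("A", 50, 50) + make_records("B", 45, 55),
    "2025-Q2": make_records("A", 50, 50) + make_records("B", 35, 65)
               + make_records("C", 2, 3),
}


def run_monitor() -> list[str]:
    """Run the constructed sample through the monitor."""
    return monitor(PERIODS)


if __name__ == "__main__":
    for line in run_monitor():
        print(line)
```

Group B passes in Q1 (AIR 0.90) but drops to 0.70 in Q2, which is the kind of deviation the monitoring step should surface as an alert rather than leave to a periodic audit.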
System audits
“Audit” can mean assessing the computational performance of the AI model, as described above, or can
mean a comprehensive assessment of the whole AI governance framework that includes the review of
policy and technical controls to ensure responsible operations and oversight of AI systems in
operation.
• Audits aim to reduce risk, build trust, improve performance and ensure compliance
• Governments are beginning to require accountability mechanisms, including AI model audits and
system assessments, aligned with use case and risk level
• Audits of AI systems assess contextual performance, reliability and safety
• Performance assessments evaluate how effectively the AI system achieves its intended goals
(i.e., does it work?)
• Reliability assessments focus on the system’s consistency and robustness (i.e., does it work in
real world conditions, over time?)
• Safety assessments aim to prevent harm and ensure ethical operation (i.e., does it work
without causing undue harm and how do its operational context/methods impact safety?)
Resources:
Shirkhanloo, Anjella. “Beyond compliance: The case for adaptive AI governance.” IAPP, Feb. 19, 2025.
Kumarasamy, Jey and Brenda Leong. “Practical considerations for bias audits under NYC Local Law
144.” IAPP, June 28, 2023.
What should audits include?
METRIC AND THRESHOLD EVALUATION (CONT.)
Internal AI governance policies should call for audits that include:
• Algorithmic impact assessments
• Bias and fairness testing
• Explainability and interpretability evaluations
• Data governance and quality review
• Verification of compliance with regulations
• Confirmation of accountability and human oversight
Auditors may be internal or external, and for the near term will be challenged with how to perform
model and system audits successfully when there are not yet any widely adopted precedents for
handling AI use cases.
• One potential solution is adapting existing auditing frameworks and codes of ethics from other
contexts such as security or financial systems
Resources:
Shirkhanloo, Anjella. “Beyond compliance: The case for adaptive AI governance.” IAPP, Feb. 19, 2025.
Kumarasamy, Jey and Brenda Leong. “Practical considerations for bias audits under NYC Local Law
144.” IAPP, June 28, 2023.
Test and validate the AI system
• Align testing to use case
• Conduct repeatability assessments, adversarial testing,
threat modeling
• Establish multiple layers of mitigation
• Awareness of attributes unique to AI
• Review previous incidents
TEST AND VALIDATE THE AI SYSTEM
• Align the testing data and processes to the use case
• Use cases may need differing amounts of detail. Some may also require more security or
privacy, depending on the algorithm’s purpose.
• Include cases the AI has not previously seen; i.e., "edge" cases
• Include "unseen" data (data not part of the training data set)
• Include potentially malicious data in the test
• You may need to do a more intense search of bias issues and mitigations
• Conduct repeatability assessments to ensure the AI consistently produces similar outcomes
• Understand how serious it is if the AI does not consistently perform as intended, particularly in
areas such as safety regulation
• In determining assessments to use, ensure you understand the risks stakeholders identified
• Conduct adversarial testing and threat modeling to identify security threats
• How does the AI/ML program behave with malicious or inadvertently harmful input?
• What are the security threats to the system?
• Establish multiple layers of mitigation to stop failures at different system levels or modules
• Evaluating AI system performance should consider attributes unique to these systems, such as
brittleness, hallucinations, embedded bias, uncertainty and false positives.
• Brittleness: performing successfully in one instance yet failing in another instance
• Hallucinations: instances where a gen AI model creates content that contradicts the source
or creates factually incorrect output under the appearance of fact
• Reviewing previous incidents can help you identify areas of risk
• Review databases of known AI incidents to understand the breadth of potential issues
• Review the organization’s documented analyses of data, training, and any previous incidents.
Future testing and analysis can be tailored to regulatory and industry requirements and the
AI system’s purpose.
Resource
AI Incident Database
Test and validate the AI system: resources
Understand your resources and where best to put them to address risks and mitigations
TEST AND VALIDATE THE AI SYSTEM
Resources
• Not every organization has the resources to evaluate every system
• Understand your resources and where best to put them to address risks and mitigations
• Higher-risk areas (e.g., AI used in aviation) should have higher resources put toward mitigation
• Lower-risk areas (e.g., an algorithm that predicts which pictures of a cat will get more clicks) will have
lower testing, validation and security requirements
• Within an organization, this may mean dedicating more resources to HR’s use of AI than marketing’s
use of AI to send emails
• There are many resources available to help you find the right tools and metrics to evaluate your AI
• One example is the OECD’s Catalogue of Metrics and Tools for Trustworthy AI
Manage and monitor AI systems: how to monitor and maintain
• Understand documented purposes and risks from stakeholder group
• Inventory all AI systems
• Attach a risk score to each system
• Understand the organization’s security protocols
• What industry-specific standards apply?
MANAGE AND MONITOR AI SYSTEMS AFTER DEPLOYMENT: HOW TO MONITOR AND MAINTAIN
Monitoring your system involves understanding the documented purposes and risks from your
stakeholder group.
• One way to do this is to inventory all your AI systems and attach a risk score to each system.
• This risk score will help you allocate appropriate resources to that system.
• It will also highlight the frequency with which you need to review the algorithm to evaluate
whether it still meets its purpose. You should also evaluate if there has been drift or changes
in the algorithm, as well as how to allocate auditing resources.
• Continuously improve the system by retraining with new data as needed and with human input and
feedback.
• Ensure there is a procedure in place to deactivate a system or localize it as needed.
• Legal requirements
• Performance issues
• Create a "challenger model" (a new model) to test and compare against the existing model
("champion model") to test for drift, unexpected results, etc.
It is important to also understand what your organization's security protocols are and what
industry-specific standards apply.
• One example is referring to the NIST Risk Management Framework (RMF) both from a privacy and
data security standpoint, as well as from an AI standpoint.
• Meeting those basic security requirements is critical not just for the system itself, but also for that
algorithm.
• One drawback of just using existing security protocols is that they often are not AI-specific.
• Some AI-specific risks that your organization might need to consider include model
inversion, extraction, poisoning and evasion.
Documentation
• Document planning, design and development steps and stakeholder group decisions
• Use standard documents and templates
• Document the training and testing processes
DOCUMENTATION
It is critical for the organization to document model planning, design and development steps
• All decisions the group makes should be documented, whether the decisions address
regulatory requirements or not
• Documentation should also include:
• Model cards or fact sheets
• Provide standardized information about the model and its function/output
• Counterfactual explanations
• Details on what new or different input may affect the output of the AI
process
• How adverse impacts may be remediated
• Determine what level of impact requires remediation
• Appoint appropriate individuals or teams to address
• Method of deployment
• What platform will you use (cloud, onsite, hybrid)?
• Will your infrastructure support deployment?
• One way the stakeholder group can create and maintain effective documentation is to use
standard documents for your organization and templates that can guide how to evaluate
and document decisions as you go
It is crucial to document processes for training and testing (including outcomes and anything you
changed based on testing), as compliance may require audits
• Document all decisions and updates — these will be critical for informing future audits
• If your organization is small or under-resourced, many companies and resources are
available to help with AI auditing and documentation
CREATE A COMMUNICATION PLAN
Communication channels can include FAQs, online or internal documentation, model or system cards and
UI copy.
Regulators:
• Compliance and disclosure obligations
• Explainability
• Document risks and mitigation processes
• Data and risk classifications
Consumers:
• Transparency as to the functionality of AI
• What data will be used and how
REVIEW QUESTION 1
True or false? An AI governance team should document all decisions they make during the
development life cycle of an algorithm, whether the decisions address regulatory requirements or not.
A. True
B. False
Answer:
A. True
REVIEW QUESTION 2
Your organization is developing an AI system for automating loan approvals. What is a critical step to
ensure the system aligns with governance best practices?
A. Skipping documentation to speed up development
B. Conducting thorough testing and validation of the AI system
C. Relying solely on the training dataset for evaluation
D. Avoiding stakeholder feedback during development
Answer:
B. Conducting thorough testing and validation of the AI system
Testing and validation are essential to ensure the AI system operates reliably, securely and aligns with
governance best practices.
Module 7
Governing AI deployment
MODULE 7: GOVERNING AI DEPLOYMENT
Introduction
Whatever the details of the AI’s development, potential for customization, and intended use are, all
organizations deploy AI as a final step before it can be used. Best practices exist for preparing for and
executing deployment, as well as post-implementation activities, to be discussed in this module.
It is important to understand the different ways AI can be deployed, and the advantages and
disadvantages to each. Continuous monitoring, maintenance and retraining of AI models are crucial for
ensuring their reliability and safety over time. This is not a one-time effort but a continuous
commitment.
Organizations face unique issues when deploying proprietary AI systems. There can be some increased
liability and potential risks; ways to manage these are discussed in this module. Implementing policies
to manage third-party risks and evaluating key terms in vendor or licensing agreements are crucial
steps in mitigating risks.
LESSON 1: KEY CONSIDERATIONS IN PLANNING FOR AI DEPLOYMENT
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Evaluate and update existing policies (e.g., data privacy, security, data governance, intellectual
property) for AI (I.C)
• Understand the differences in AI deployment options (e.g., cloud vs on-premise vs edge, and using
the AI model as-is or with fine-tuning, retrieval augmented generation, agentic architectures, or
other techniques to improve performance and fit) (IV.A)
• Perform or review an impact assessment on the selected AI system (IV.B)
• Identify and understand risks and opportunities that are unique to a company deploying its own
proprietary AI model (e.g., increased obligations and higher potential liability) (IV.B)
• Create, update and implement policies, assessments and contracts to manage third-party risk (e.g.,
procurement, supply chain, human resources and acceptable use) (I.C)
• Identify and evaluate key terms and risks in the vendor or licensing agreement (IV.B)
Deploying the AI
Whatever the details of development, customization and intended use, AI is deployed before use. Best
practices exist to prepare for and execute deployment, and for post-implementation.
DEPLOYING THE AI
Deploying or implementing the AI is the final step in the AI life cycle.
Who developed it?
• An organization may be deploying AI they developed or AI they acquired from a vendor
Is it customized/customizable?
• The AI system may be customized for the organization’s use, or completely off-the-shelf with no
option for fine-tuning
Who will use it?
• The organization may be deploying the AI for customer or external-facing use, or only for employees
to use internally
Whatever the answers are to the above questions, all organizations deploy or implement AI as a final
step before it can be used.
Evaluate and update existing policies
• Take a risk-centric approach
• Do you need to be on the cutting edge?
• Consider processes/policies holistically
• Include AI procured from others
EVALUATE AND UPDATE EXISTING POLICIES
Organizations should first review their existing policy framework to determine any gaps regarding AI
governance requirements. This may include tailoring existing policies to address AI, or may require the
addition of new policies altogether.
Organizations that have a solid data governance framework can leverage this as a starting point and
update their existing data governance policies to include requirements for AI development.
Additional policies that should be reviewed for gaps, or considered for addition could include:
• Data privacy policies: should ensure compliance with regulations while safeguarding sensitive
information processed by AI systems
• Security policies: update to account for AI-specific risks, such as adversarial attacks or
vulnerabilities in machine learning models
• Intellectual property policies: address ownership and usage rights for AI-generated outputs and
proprietary algorithms
• Engineering/model ops policies: address the development life cycle and best practices for AI
engineering
• Open source and platform policies: address the organization’s position on using open-source
models and platforms such as AWS or Google’s Model Garden
Considerations
1. Adopt a risk-centric approach: Organizations often operate with limited resources. Therefore, it
is important to concentrate efforts on the most significant areas, particularly those that present the
highest risks.
2. Evaluate cutting-edge intent: Assess the organization's commitment to being at the forefront of
AI technology. Determine whether security and privacy policies can be adjusted accordingly,
incorporating risk acceptance into the organization's practices. Be aware of legal requirements that
may apply to specific areas, such as automated decision-making and the deployment of frontier
models, which represent the most advanced capabilities of AI.
3. Integrate policies holistically: Consider how AI governance aligns with existing processes and
policies. Organizations should strive to create policies that are flexible and can apply to different
laws, industries and technologies whenever feasible.
4. Address procurement of AI models: If the organization will procure AI models from external
sources, this must be explicitly addressed within the governance policies.
Understanding deployment requirements
• Requirements vary by factors like model type and use case
• Deploying the AI requires:
• Choosing a deployment environment
• Packaging the model into a format that allows it to be
deployed
• Making the model accessible for real-world use
UNDERSTANDING DEPLOYMENT REQUIREMENTS
• Deployment requirements can vary due to many factors, including the type of AI model and
proposed use case
• Governance professionals should understand what AI deployment requires:
• Choosing a deployment environment (the model’s infrastructure/platform – where and
how it runs)
Most popular environments:
1. Cloud-based: a third-party cloud provider hosts the model and handles
infrastructure
• Easy to scale and reduced investment in hardware; however, there may be
latency and security risks due to a third party handling the data
2. On-premise: hosting the model on your organization’s servers and hardware
• Greater control over deployment infrastructure (especially important if you
handle sensitive data or are in a regulated sector); however, may require a
greater upfront hardware investment
3. Edge: hosting the model on edge devices like smartphones
• May decrease latency and increase privacy; however, the model may be
limited by edge device hardware, which can limit computational power
• Packaging the model into a format that allows it to be deployed. A common option is
containerization, or packaging the model and dependencies (i.e., everything the model
needs to run) into a self-contained unit. Containers reduce compatibility issues and make it
easier to deploy the model in different environments.
• Making the model accessible for real-world use (also called exposing the model); allows
systems or applications to interact with the model. Options for this include using REST APIs
and embedding into an application.
• Specific to gen AI: understanding the following:
• Whether the AI model is being used as-is, or was fine-tuned
• Whether retrieval-augmented generation was used: a process that optimizes LLM
output by referencing a knowledge base beyond training data sources
• What vector and/or graph databases are used?
• Are agentic architectures an appropriate option? (see next slide)
Deployment options: agentic architectures
“Agentic AI amplifies all the risks that apply to traditional AI, predictive AI and generative AI because
greater agency means more autonomy and therefore less human interaction. These risks must be
addressed through both technological means and through human accountability for testing and
outcomes. A robust operational framework for governance and lifecycle management is required.”
– IBM
DEPLOYMENT OPTIONS: AGENTIC ARCHITECTURES
Agentic AI systems function as active participants within digital environments; they do not exist
passively. Rather, they engage with, interact with, and influence the environment, requiring distinct
infrastructure, risk models and governance frameworks.
• Infrastructure: must support autonomy, long-term memory and multi-step actions
• Risk models: requires dynamic decision-making risk modeling, real-time monitoring, audit trails,
explainability, human-in-the-loop and override mechanisms; must account for emergent behaviors.
Organizations are adopting behavioral simulations, scenario-based risk modeling and multi-agent
risk frameworks (e.g., MAESTRO) to manage agentic AI risks.
• Governance frameworks: must be dynamic, multi-layered and proactive. To guide adoption while
managing risks, organizations can use a three-tiered framework of guardrails to enable governance
of agentic AI that scales with use case risk and potential impact: tier 1: foundational guardrails;
tier 2: risk-based guardrails; and tier 3: societal guardrails
Best practices for safety when deploying agentic AI include:
• Human evaluation of suitability of agent tasks
• Constraining the action space and requiring human approval
• Making default behaviors the least disruptive
• Providing explainability of agent actions
• Automated monitoring by other AI systems
• Providing reliable attribution of agent actions
• Providing interruptibility (graceful shutdown capabilities)
Examples of agentic AI deployment:
• Customer support agents
• Personal AI assistants
• AI research assistants
• Workflow automation bots
Resources
Boinodiris, Phaedra and Jon Parker. “The evolving ethics and governance landscape of agentic AI.” IBM.
Huang, Ken. “Agentic AI Threat Modeling Framework: MAESTRO.” Cloud Security Alliance, June 2, 2025.
“AI agents: Opportunities, risks, and mitigations.” IBM AI Ethics Board, March 2025.
Domin, Heather. “AI governance in the agentic era.” IAPP, July 2025.
Other considerations
• Determine applicable laws and policies
• Consider available system options
• Document appropriate uses of your AI
• Assess the organization’s risk tolerance
• Perform or review a risk assessment
• Identify and evaluate key terms and risks in licensing agreements
• Use sufficient test, evaluation, verification and validation cycles
OTHER CONSIDERATIONS
• Determine the laws and policies that apply
• Includes laws that are AI-specific, sector-specific laws, pertaining to privacy, etc.
• For example, in the U.S., HIPAA may cover underlying training data in the health care field
• Consider available system options, including redress
• Document appropriate uses of your AI to prevent use for a different purpose not intended in the
creation of the AI
• An AI system that was appropriate for its intended purpose cannot be assumed to be appropriate
for a new purpose
• Documentation and communication are critical
• Assess the organization’s risk tolerance
• Perform or review a risk assessment on the AI system
• Identify and evaluate key terms and risks in the vendor or licensing agreement
• Build timeline to include sufficient test, evaluation, verification and validation cycles
In many scenarios, there will not be one perfect answer for developing AI when you have competing
values.
• For example, there may be a requirement to have more accuracy than privacy
• Understand which of these areas your organization is going to prioritize, with consensus from the
stakeholder group, and document that decision
Scenario 2
A U.S. furniture company, Jason Home Furnishings, deployed a virtual agent for customer
questions. It can answer inquiries about product status and deliveries and replaced roughly
80 percent of customer interactions previously done by a human. The virtual agent was trained
on the organization’s inventory database and historical customer data to help ensure it can
answer any questions from current or future customers. Customers do not know whether
they are communicating with a human or virtual agent.
A customer, sensing that the virtual agent was not a human, decided to test its limits. Through
the chat feature, the customer asked the agent if it could swear and say distasteful things
about Jason Home Furnishings, and it complied.
Module 7: Governing AI deployment
SCENARIO 2
A U.S. furniture company, Jason Home Furnishings, deployed a virtual agent for customer questions. It
can answer inquiries about product status and deliveries and replaced roughly 80 percent of customer
interactions previously done by a human. The virtual agent was trained on the organization’s inventory
database and historical customer data to help ensure it can answer any questions from current or
future customers. Customers do not know whether they are communicating with a human or virtual
agent.
A customer, sensing that the virtual agent was not a human, decided to test its limits. Through the chat
feature, the customer asked the agent if it could swear and say distasteful things about Jason Home
Furnishings, and it complied.
Scenario 2
How do the following OECD AI Principles relate to the Jason Home Furnishings incident?
How could operationalizing them differently have improved outcomes with the virtual
assistant?
1. Inclusive growth, sustainable development and well-being
2. Human-centered values and fairness
3. Transparency and explainability
4. Robustness, security and safety
5. Accountability
How do the following OECD AI Principles relate to Jason Home Furnishings’ incident? How could
operationalizing them differently have improved outcomes?
Possible answers:
1. Inclusive growth, sustainable development and well-being
• Conducting an impact assessment could help ensure the use of a virtual agent provides a
beneficial outcome for the business and customers.
2. Human-centered values and fairness
• Keep AI systems in check to ensure that they are not harming a particular person or group of
individuals either by design or inadvertently.
• Appropriate governance includes checking that data is fit for use, accurate, high-quality and
privacy-preserving. Inappropriate training data may have contributed to the incident.
3. Transparency and explainability
• It was not made clear that the customer was interacting with a virtual agent. Being transparent
about automated processes is an important aspect of strong AI governance.
• Understanding how an AI system works helps in creating alerts if it behaves unexpectedly. Full
explainability is not always possible, as there may be trade-offs with system accuracy or
efficiency; however, being able to interpret a system’s logic leads to better resolutions. This is
particularly important if the developer and the deployer are not the same.
4. Robustness, security and safety
• Establish a clear process to alert the team of incidents so they can take corrective action, which
may include suspending the system or changing features.
• There could have been a more significant impact if the customer had malicious intentions. For
example, could the virtual agent be tricked into providing personal data?
5. Accountability
• Having a governance process throughout an AI system’s life cycle is vital. At each phase there
are important guardrails for mitigating harms.
• It can be helpful to establish an internal or external governance review board with subject
matter experts knowledgeable in all aspects of AI development and implementation.
• Before deploying a system, establish clear accountability for who makes decisions, how
decisions are made and what happens if something goes wrong.
Risks and opportunities for an organization deploying its
own proprietary AI model
• The nature of the data may create transparency issues
• Data sources: copyrighted data, ownership
• Ownership of output
• Limiting the potential for the model to be used for a risky purpose
• Potential for different or increased requirements on proprietary models, such as
with data breaches
• Additional liabilities being both provider and deployer
RISKS AND OPPORTUNITIES FOR AN ORGANIZATION DEPLOYING ITS OWN PROPRIETARY AI
MODEL
Proprietary AI can present several unique challenges.
• One challenge can be the nature of the data used
• For example, if a proprietary dataset is used, or a proprietary AI model is built on a proprietary dataset, there may be transparency issues
• The organization may not be able to be as open with documentation for procurers, oversight
entities or the public.
• In this case, work with the AI governance team and legal team to find ways the
organization can be as transparent as possible
• There can also be challenges with ascribing ownership
• If a user employs the proprietary model to create a new work, who owns the new work?
• The organization should have clear guidelines about ownership in any acquisitions
frameworks, contracts, terms of service and agreements
• If the algorithm could be used for a risky purpose, consider how to limit the potential for this
• Review user agreement or contractual terms and consider what regulations apply that
dictate steps for helping to prevent a risky use from occurring
• There may be different or increased requirements on proprietary models because their
development may be more secretive
• For example, there may be different requirements if a data breach occurs with a proprietary
model vs. one that is not proprietary
• Additional liabilities are incurred by being both the provider and the deployer.
Opportunities related to proprietary AI:
• Ability to source the data used to train the model and as such, gain a better understanding of the
data and its origin, leading to better transparency
• Ability to better fulfill governance reporting and regulatory requirements given model ownership
and build
• The organization is less susceptible to security issues and other potential problems with open-source and third-party models
• Better opportunity for purpose fit, where proprietary models can be built with the exact need in mind as opposed to retraining and tailoring open-source or third-party models
Third-party products and risks
Usually one of two contexts:
1. Integration into business operations
2. A tool for internal employee use
THIRD-PARTY PRODUCTS AND RISKS
Deploying third-party AI products can accelerate innovation, but it also introduces risks. Third-party
products most often fall into one of two contexts – an externally provided program/system/model
that will be:
1. Integrated into business operations, either internally, or externally/consumer facing
Examples
Resume screening, targeted advertising, generating scores for credit offers, and chatbots or other
customer service features
Considerations
• Need AI-specific, comprehensive risk assessments and ongoing monitoring for
performance/outputs, etc. (for example, the NIST AI Risk Management Framework)
• Should fall under general AI governance processes for security, upgrades and other management
functions
2. Cleared as a tool for employees to use for their own activities
Examples
ChatGPT and other LLMs, image generators, text assistants like Grammarly and various CoPilot
features/applications
Considerations
• Need at least an initial review and documentation of any performance measures the
vendor/supplier provides
• Need a use policy and oversight for compliance to monitor for changing risks over time as new
applications and business use cases emerge
• They are usually lower risk than the first category, but not always
There are risks introduced with the use of third-party models, regardless of which of the two contexts is in use. These might include:
• Data lineage and traceability issues, when there is ambiguity regarding the origin and nature of the
original training data used
• Downstream issues that may require the model to be taken offline (e.g., copyright lawsuits
regarding the original training data used for training the model)
• Model output ownership and control depending on the licensing agreement
• Data handling and security risks depending on the development environment
• Quality and model performance may not be a good fit for the task
Managing third-party risk
Deployers and users of third-party AI systems may not have full visibility or control over that system.
MANAGING THIRD-PARTY RISK
Managing third-party risk is a particular challenge since a third-party AI system’s user or deployer
may not have full visibility or control over that system. Organizations should create and regularly
update policies, assessments and contracts to manage third-party risk.
• Policies must ensure compliance with legal and ethical standards while mitigating risks associated
with AI deployment
• Should be adaptable to evolving technologies and regulatory landscapes
• Need to establish risk level associated with third-party AI systems
• Can adapt existing procurement processes and vendor screening tools to address AI aspects
of the products or services
• Based on risk, establish internal policies around use that complement the third party's acceptable use policy; ensure employees understand the limitations
• Collaborate with the engineering team to ensure:
• Best practices are maintained around testing for performance fit and governance requirements, e.g., accuracy, transparency and fairness
• Contingency plans are in place in case of issues with the model or vendor
• Most importantly, organizations should have clear AI-specific procurement and inventory
management policies and functions that document and address requirements
Be sure to screen vendor agreements thoroughly.
• Review vendor agreements to ensure compliance with internal requirements, focusing on data
security, acceptable use and liability limitations.
Evaluating key terms and risks in a vendor or licensing agreement
• Data considerations
• Security/safety
• Bias metrics
• Type of product
• Technical specs
• Model performance results
• How the model will be monitored/maintained
• Terms of use
EVALUATING KEY TERMS AND RISKS IN A VENDOR OR LICENSING AGREEMENT
There are many areas to evaluate when procuring AI from a third party. Some key items to look for and
assess in an agreement include:
• Data considerations
• Do they have legal rights to the data used?
• Was personal data minimized during collection and de-identified before being used for
training or testing?
• If they will collect data your organization uses with the model, how will they use it?
• Security/safety
• What are the model’s identified risks?
• What is the potential for the model to fail, be misused, be attacked and be used for a high-risk activity?
• Are incident response plans in place for AI-related risks?
• Bias metrics
• What steps have been taken to minimize bias?
• Have they established that the AI function does not lead to statistical inaccuracies, bias or
discrimination in results that apply to people?
• Type of product (for instance: Is it meant for the organization’s internal use, or external-facing? Does
it generate content?)
• Technical specs (e.g., the model types the AI function provides; type of datasets used to train)
• Model performance results
• What has been done to ensure model stability and prevent inaccurate outputs?
• How will the model be monitored/maintained?
• Terms of use; for example:
• Is the organization allowed to fine-tune the model?
• If the model generates content, what is specified regarding intellectual property and model
outputs?
REVIEW QUESTION 1
What is a key factor to consider when selecting an AI deployment environment?
A. The number of employees in the organization
B. The organization's marketing strategy
C. The organization's budget and computational needs
D. The availability of open-source AI models
Answer: C
Budget and computational needs are critical factors in determining the most suitable deployment
environment, as they directly impact the feasibility and performance of the AI system.
REVIEW QUESTION 2
What is one unique challenge organizations face when deploying a proprietary AI model they
developed?
A. Evaluating vendor agreements for intellectual property rights
B. Ensuring compatibility with third-party vendor systems
C. Managing increased obligations and potential liability
D. Minimizing latency in cloud-based environments
Answer: C. Managing increased obligations and potential liability.
Organizations deploying their own proprietary AI models face unique challenges, including increased
obligations and higher potential liability.
Evaluating vendor agreements for intellectual property rights (option A) is specific to deploying third-party AI
systems, not proprietary models developed by the organization.
Ensuring compatibility with third-party vendor systems (option B) is more relevant to organizations
deploying third-party AI systems rather than proprietary models they developed.
Minimizing latency in cloud-based environments (option D) can be a challenge, but is more specific to
deployment environments like cloud-based systems rather than a unique challenge of proprietary AI models.
LESSON 2: GOVERNING THE RELEASE, MONITORING AND MAINTENANCE OF THE AI SYSTEM
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Assess readiness and prepare for release into production (e.g., creating the model card and satisfying conformity requirements) (III.C)
• Conduct continuous monitoring of the AI model and system and establish a regular schedule for maintenance, updates and retraining (III.C)
• Conduct periodic activities to assess the AI system’s performance, reliability and safety (e.g., audits, red teaming, threat modeling and security testing) (III.C)
• Make public disclosures to meet transparency obligations (e.g., technical documentation, instructions for use to deployers, and post-market monitoring plans) (III.C)
LESSON 2: GOVERNING THE RELEASE, MONITORING AND MAINTENANCE OF THE AI SYSTEM
(CONT.)
The topics in this lesson align to the following performance indicators on the AIGP body of knowledge:
• Forecast and reduce risks of secondary or unintended uses and downstream harms (IV.C)
• Manage and document incidents, issues and risks (III.C)
• Create and implement a policy and controls to deactivate or localize an AI system as necessary (e.g., due to regulatory requirements or performance issues) (IV.C)
• Apply the policies, procedures, best practices and ethical considerations to the deployment of an AI system (e.g., data governance, risk management, issue management, user training) (IV.C)
• Collaborate with cross-functional stakeholders to understand why incidents arise from AI systems (e.g., brittleness, lack of robustness, lack of quality data, insufficient testing, and model or data drift) (III.C)
CHAT
Let’s talk about…
A readiness assessment should be used to determine whether an AI system is ready to release
into production. What questions should a readiness assessment answer?
Answers
• Does the AI system do what you want it to do?
• Did all the testing turn out well?
• Has it been verified that the AI satisfies requirements for conformity, such as for specific regulations?
• Are there any issues with the quality of the data?
• Has the model card been created?
Periodic assessment of the AI system
Key areas to assess:
• Performance
• Reliability
• Safety: Audits | Red teaming | Threat modeling | Security testing
PERIODIC ASSESSMENT OF THE AI SYSTEM
The AI development team should conduct periodic activities to assess the AI model. AI governance
professionals can work collaboratively with the technologists to ensure governance requirements are
maintained, for example, ensuring that bias and fairness principles are considered when assessing the
model’s performance over time.
Key areas to assess include the system’s:
• Performance. How to assess? Audits, red teaming, challenger models, performance metrics, user
feedback, statistical methods to analyze output consistency
• Reliability. How to assess? Audits, stress tests, analyzing historical data, user feedback, establishing
benchmarks for system performance
• Safety. How to assess? Audits, red teaming, threat modeling, security testing
Definitions:
• Red teaming tests the security of an AI system by simulating adversarial attacks to evaluate its
performance against benchmarks and expose vulnerabilities. This process reveals security risks,
model flaws, biases, and misinformation. The findings are shared with developers for remediation,
helping to secure the product before public release.
• A challenger model is a new/alternative AI model tested against an existing, production-proven
model (the “champion”) to determine if it can improve performance or achieve better results based
on the same set of data.
• Stress tests simulate extreme scenarios and are essential for evaluating the performance and
stability of AI systems under various conditions. They help identify vulnerabilities and ensure that
the system can handle unexpected loads or inputs.
• Threat modeling is an analytical process of identifying, understanding, addressing and
communicating security risks. Various models and tools may be used, including structured testing
methodologies and visual diagrams, to map out potential vulnerabilities and threats.
Testing the system: questions to ask
• Were the goals achieved?
• As the system is in use, are there secondary or unintended outputs?
• Do these result in additional risks or harms that need to be addressed?
• Can these or others be predicted by using a challenger model?
• Because of automation bias, the process should not rely too heavily on the output
• Human interpretation and oversight must be included in evaluating the output and
determining whether the system is not only working correctly but also is working better
than what it replaced or the existing viable alternatives
Manage and monitor data quality: Assessing performance
• Are there deviations in accuracy?
• Is the model making irregular decisions?
• Are there data drifts that could affect performance?
MANAGE AND MONITOR DATA QUALITY
By this stage the organization has already determined and documented the system's details. Now it must continue to monitor AI performance during and after deployment and follow existing protocols and industry standards.
• Continuously monitor how the model is performing; for example, look for:
• Deviations in accuracy
• Irregular decisions made by the model
• Drifts in data that might affect the performance of the model
Manage and monitor AI systems: Risks and mitigations
• Use current best practices
• Conduct red teaming exercises
• Consider bug bashing/bug bounties
• Document using model cards and the standard documentation
• Snapshot the algorithm and its outputs
• Monitor risks from third parties
MANAGE AND MONITOR AI SYSTEMS: RISKS AND MITIGATIONS
Best practices evolve constantly, so it is important to use current best practices when continuously
managing and monitoring internal and external risks.
• Determine and prioritize the level of the risks and the appropriate responses.
• Conduct internal or external red teaming exercises for AI systems. These should also be done pre-
deployment.
• Consider bug bashing/bug bounties to generate user engagement and extensive feedback.
• Some risks are more predictable
• For example, AI being used for a purpose it was not originally modeled for.
• Another predictable risk is introducing new data into an algorithm.
• “New data” is intended to mean not just new content of the same type (such as a
new year’s worth of customer data), but also data of a different nature — for
example, if prospect data started to be combined with customer data.
• If there is new data because the model will now be used for a different purpose,
different datasets could be brought in and make it challenging to assess if the model
still works as intended
Documentation can help mitigate risk. There are different ways to document risk, including:
• Using model cards to document original purpose and new purposes
• A form of documentation that organizations can use to record critical information
about a model, such as key features, data used, number of versions, bias or
explainability reports, explanations about intended use, performance metrics and
benchmarked evaluation in various conditions, such as across different cultures,
demographics or race
• Using your organization’s standard documentation
Another mitigation option is keeping snapshots of an algorithm and its outputs
• If there is an issue, you can refer to a previous iteration and identify what changed in the
newer iteration
You should also monitor risks from third parties
• Authorized third parties with whom you are purposely interacting
• Malicious third parties who actively work to corrupt your system
Changes to the model
• The model can change if the data changes
• Monitor and maintain to avoid model drift
• Define a baseline to measure future iterations
CHANGES TO THE MODEL
AI systems potentially require more attention than other types of systems. Effective management of
data and model changes is integral to responsible AI governance because it helps ensure models
continue to remain effective, compliant and aligned with business objectives.
• Over time, the model can change due to input data changes
• Monitor and maintain the model to prevent model drift due to the complex implementation
environment and potential data changes during the model's usage
• Model drift occurs when the relationship between input data and output predictions
changes over time. This means the conditions under which the model was trained no longer
apply, causing a decline in model performance.
• Example: a spam detection model that fails to recognize new types of spam when the nature
of spam evolves
• Create a challenger model to test and compare against the existing model
• Continue to iterate the model to improve performance as the data changes. In addition, you can
keep models up to date by retraining them with fresh data that reflects the most current trends and
patterns.
• Define a baseline to measure future iterations of the model
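As an added illustration of the monitoring described in this section and in "Manage and monitor data quality" (not IAPP course material), the script below snapshots a baseline at release and then checks each later monitoring window for an accuracy drop, an irregular decision rate and input-feature drift, flagging any finding as an incident. It assumes a binary classifier whose production predictions are later joined with ground-truth labels, one numeric input feature to watch, and the Population Stability Index as the drift measure; all data is constructed for the demo.

```python
"""Baseline-vs-window drift monitor (added example, not IAPP material)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Baseline:
    """Snapshot taken at release: the reference point for later iterations."""
    accuracy: float
    positive_rate: float           # share of rows the model decided "1"
    bins: Sequence[float]          # bin edges for the monitored feature
    feature_dist: Sequence[float]  # share of baseline rows in each bin


def histogram(values: Sequence[float], bins: Sequence[float]) -> List[float]:
    """Share of values in each [lo, hi) bin; the last bin also includes hi."""
    counts = [0] * (len(bins) - 1)
    for v in values:
        for i in range(len(bins) - 1):
            last = i == len(bins) - 2
            if bins[i] <= v < bins[i + 1] or (last and v == bins[i + 1]):
                counts[i] += 1
                break
    n = max(len(values), 1)
    return [c / n for c in counts]


def accuracy(preds: Sequence[int], labels: Sequence[int]) -> float:
    return sum(p == y for p, y in zip(preds, labels)) / max(len(labels), 1)


def psi(expected: Sequence[float], actual: Sequence[float], eps: float = 1e-4) -> float:
    """Population Stability Index between two binned distributions.
    Common rule of thumb: < 0.1 stable, 0.1-0.2 watch, > 0.2 significant shift."""
    total = 0.0
    for e, a in zip(expected, actual):
        e, a = max(e, eps), max(a, eps)   # avoid log(0) on empty bins
        total += (a - e) * math.log(a / e)
    return total


def build_baseline(features, preds, labels, bins) -> Baseline:
    return Baseline(accuracy=accuracy(preds, labels),
                    positive_rate=sum(preds) / max(len(preds), 1),
                    bins=tuple(bins),
                    feature_dist=tuple(histogram(features, bins)))


def evaluate_window(baseline: Baseline, features, preds, labels,
                    max_accuracy_drop: float = 0.05,
                    max_rate_change: float = 0.10,
                    max_psi: float = 0.20) -> Dict[str, object]:
    """Compare one monitoring window to the baseline. Any finding means the
    window is treated as an incident and routed to the incident response plan."""
    acc = accuracy(preds, labels)
    rate = sum(preds) / max(len(preds), 1)
    shift = psi(baseline.feature_dist, histogram(features, baseline.bins))
    findings = []
    if baseline.accuracy - acc > max_accuracy_drop:
        findings.append(f"accuracy dropped {baseline.accuracy:.2f} -> {acc:.2f}")
    if abs(rate - baseline.positive_rate) > max_rate_change:
        findings.append(f"decision rate moved {baseline.positive_rate:.2f} -> {rate:.2f}")
    if shift > max_psi:
        findings.append(f"input feature drift, PSI={shift:.2f}")
    return {"accuracy": acc, "positive_rate": rate, "psi": shift,
            "findings": findings, "incident": bool(findings)}


# --- constructed sample data (hypothetical, not real customer data) --------
BINS = [0, 25, 50, 75, 100]
LABELS = [i % 2 for i in range(40)]


def _preds_with_errors(n_wrong: int) -> List[int]:
    """Ground truth with the first n_wrong predictions flipped."""
    return [1 - y if i < n_wrong else y for i, y in enumerate(LABELS)]


def _features(per_bin: Sequence[int]) -> List[float]:
    """per_bin[b] evenly spaced feature values inside bin b."""
    return [b * 25 + j * (25 / k) for b, k in enumerate(per_bin) for j in range(k)]


# Release-time snapshot: uniform feature distribution, 90% accuracy.
BASELINE = build_baseline(_features([10, 10, 10, 10]), _preds_with_errors(4), LABELS, BINS)
# Later window with the same inputs and 87.5% accuracy: within tolerance.
HEALTHY = evaluate_window(BASELINE, _features([10, 10, 10, 10]), _preds_with_errors(5), LABELS)
# Later window where inputs skew high and accuracy falls to 75%: incident.
DRIFTED = evaluate_window(BASELINE, _features([2, 6, 12, 20]), _preds_with_errors(10), LABELS)

if __name__ == "__main__":
    for name, result in (("healthy window", HEALTHY), ("drifted window", DRIFTED)):
        print(name, "->", "INCIDENT" if result["incident"] else "ok", result["findings"])
```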
Manage and monitor AI systems after deployment
What to do when the AI system is not performing as it should
• Use your incident response plan
• Identify the issue and understand to whom it needs to be reported
• Understand risks based on third-party integration and third-party tools the AI integrates with
• Have the ability for a human to shut down an algorithm, remotely or without direct access
MANAGE AND MONITOR AI SYSTEMS AFTER DEPLOYMENT
What to do when the AI system is not performing as it should
• Consider it an incident and use your incident response plan
• This is the best mitigation your organization can have
• Identify the issue and understand to whom it needs to be reported, both within and outside of
your organization
• Document the mitigation and how you have communicated about the event
It is important to understand what risks there are based on a third-party integration
• Understand what third-party tools your AI is integrating with
• If there is an incident, you may need to notify groups using these third-party tools, whether
they are partners or are inside your organization, because an incident’s impact may not just
affect the tool you are working on
There should be the ability for a human to shut down an algorithm remotely or without direct
access if it is not performing properly, especially if it has privacy impacts or the risks of using the
algorithm are so great that there cannot be any room for error.
Manage and monitor AI systems: Assessing potential consequences and communicating updates
Potential negative downstream consequences include:
• Resentment with poorly-implemented projects
• False sense of safety and privacy
• Unintended consequences
MANAGE AND MONITOR AI SYSTEMS: ASSESSING POTENTIAL CONSEQUENCES AND
COMMUNICATING UPDATES
AI professionals should be aware of potential downstream consequences, which include:
• Resentment with poorly-implemented interventions, such as:
• A lack of transparency and clarity about decisions, which can result in a perception of
unfairness, arbitrariness or ideological influence.
• Superficial policies or guardrails meeting the letter of the law but not the spirit of it.
• False sense of safety and privacy
• Researchers and reviewers may believe all possible risks are addressed but overlook
something significant. This could be dangerous, especially if there are incentives to mask or
reframe some risks.
• One-time evaluation of risk vs. continuous monitoring of changing AI risks over time.
• Unintended consequences
• Example: If researchers or developers are required to reflect on potential misuses of their
work, an unintended consequence could be a "roadmap" for malicious actors.
Guidelines to address potential negative consequences and maintain open communication with
intended users/data subjects:
1. Review potential downstream consequences early in research and development.
2. Categorize AI research and downstream consequences by risk level.
3. Normalize discussions about downstream consequences of AI research and development.
4. Be fully transparent and proactive in identifying negative downstream consequences.
5. Develop common protocols for responsible product development, deployment and
continuous improvement.
• Information on updates to AI capabilities should be freely available and use clear
language. It should address potential downstream consequences, including use
guidance, and optimization and mitigation strategies.
Disclosures and transparency obligations
• Under most laws, organizations must disclose any AI being used
• Example: EU AI Act’s requirements for providers and deployers
• Some use cases or contexts require disclosure
• Disclosure may be required so users can exercise rights or legal protections
DISCLOSURES AND TRANSPARENCY OBLIGATIONS
• Different contexts require different types of notice; no single type of notice fills the AI
requirement in all cases.
• Under most laws, organizations must disclose any AI being used.
• The FTC (U.S.) has been clear that disclosure is required for almost any engagement.
• The EU AI Act has rules for AI providers and deployers:
• Providers must provide specific notices and information to enterprise customers
and end users.
• Deployers have disclosure requirements in both directions: to users about the
system and to the provider about incidents that occur with the system.
• Both providers and deployers must document the required ongoing monitoring and provide it to those in their workstream, and sometimes to regulators or the public.
• Disclosures can be required based on use case or context
• Areas like financial services, health information and education may have additional
disclosure requirements, such as an obligation to disclose when a process is using AI.
• There can be requirements to disclose information beyond the fact that AI is in place (for
example, if bias testing was done or the user has an opportunity to opt out of using AI).
• The financial services industry uses adverse action notices when AI is used and a user is
turned down for something, like a loan.
• There are other aspects of using an AI system that may require that AI be identified so users know
how to exercise their rights or legal protections. For example, they may have appeal or redress
options when an outcome is not in their favor and AI was used.
• As AI becomes more integrated, and in ways less obvious than before, its use may be seen as the
usual way to do business, making transparency requirements grow in importance.
Incidents, issues and risks
Manage and document all incidents, issues and risks
• Create an incident response plan
• Collaborate with stakeholders to understand the causes
INCIDENTS, ISSUES AND RISKS
AI systems can have issues and incidents. Organizations must have a response plan for these, in the same way
they should have a response plan for data privacy incidents.
Organizations must effectively manage and document any incidents, issues and risks associated with
their AI systems. A critical component of this process is establishing and implementing an incident
response plan. Treat every occurrence as an incident and use the incident response plan as the
organization's primary mitigation strategy.
• Identify the issue and understand to whom it needs to be reported, both within and outside of the
organization (for example, to the provider or to a regulator).
• Record information about incidents and issues in the AI register (the inventory of the organization's
AI systems).
• Document the mitigation and the communication about the event.
If incidents arise from the AI model, collaborate with stakeholders to understand why. Reasons that
incidents may occur include:
• brittleness
• lack of robustness
• lack of quality data
• insufficient testing
• model or data drift
Understand which third-party tools the AI system integrates with. If there is an incident, it may be necessary
to notify the groups using those third-party tools, whether they are partners or inside the organization,
because an incident's impact may not be confined to one tool.
-- 276 of 320 --
Module 7: Governing AI deployment
Awareness of AI auditing and accountability issues
• Assessments and audits are common mechanisms for accountability
• Consider data protection rules for automated decision-making
• Automation in AI governance can help organizations stay competitive and
meet regulations
AWARENESS OF AI AUDITING AND ACCOUNTABILITY
There are cases where enhanced accountability and/or audits are required.
• The appropriate goal and method to advance AI accountability likely depends on risk level, sector,
use case and legal/regulatory requirements.
• Assessments and audits are among the most common mechanisms used to provide
assurance on AI system characteristics.
• Processing personal data: data protection rules for automated decision-making may apply.
• Governments and organizations are developing AI governance tools with accountability
mechanisms, helping to foster responsible development and deployment.
Automated checks for AI governance and associated ethical issues
• AI governance automation is crucial to stay competitive and meet regulations. Manual validation
may require expertise in each algorithm type, which can be slow, costly and prone to human error.
Delays can cause an organization to fall behind competitors or miss audit deadlines.
• Automation makes documenting and validating AI governance more efficient. It also enables
enterprises to institutionalize processes and policies to continuously collect evidence.
Examples of automation tools:
• AI Verify, launched by the Singapore government, is an AI governance testing framework and toolkit
to help systems meet performance benchmarks. It validates AI system performance against 11
ethics principles.
• The Model Card Regulatory Check app automates regulatory compliance of AI systems based on
accepted AI documentation tools like model cards.
Resources
“Singapore launches world’s first AI testing framework and toolkit to promote transparency,” Infocomm
Media Development Authority, May 25, 2022.
Model Card Regulatory Check. OECD.AI, uploaded April 13, 2023.
-- 277 of 320 --
Module 7: Governing AI deployment
REVIEW QUESTION 1
Recommended practices for monitoring AI systems for risk after deployment include which of the
following? Select all that apply.
A. Conduct red teaming exercises
B. Document using model cards and the organization’s standard documentation
C. Keep snapshots of an algorithm and its outputs
D. Monitor risks from third parties
Answers: All answers are correct.
-- 278 of 320 --
Module 7: Governing AI deployment
REVIEW QUESTION 2
Why is it important to monitor an AI model for data drift after deployment?
A. To avoid the need for retraining the model
B. To reduce the frequency of audits
C. To eliminate the need for human oversight
D. To ensure the model continues to meet its intended purpose
Answer:
D. Monitoring for drift helps identify changes in the distribution of the input data the model sees (data
drift) and changes in the relationship between inputs and outcomes (concept drift), either of which can
degrade performance silently. Detecting drift early keeps the model effective and aligned with its original
purpose; it does not remove the need for retraining or for human oversight.
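Drift, listed earlier in this module among the reasons incidents occur and explained in this review question, is something a deployer can measure rather than only describe. The following is an added example and is not part of the IAPP course materials: it applies the Population Stability Index (PSI), a standard check for input drift, over constructed windows of one numeric feature from a hypothetical loan model, plus an output-side check on the approval rate. The feature name 'income_zscore', the stand-in decision rule, the sample data and the PSI thresholds are assumptions, not from the page.

```python
import bisect
import math
import random

# Rule-of-thumb PSI thresholds used in credit-risk model monitoring
# (assumed here; the monitoring plan should set the organization's own).
PSI_STABLE = 0.10
PSI_SIGNIFICANT = 0.25


def psi(baseline, current, bins=10, eps=1e-4):
    """Population Stability Index between a baseline sample (e.g. the
    validation data a model was accepted on) and a current production
    window of one numeric feature. Bin edges are baseline deciles, so
    each bin holds roughly an equal share of baseline points; PSI then
    measures how far the current window's bin shares have moved."""
    if not baseline or not current:
        raise ValueError("both samples must be non-empty")
    ordered = sorted(baseline)
    n = len(ordered)
    edges = [ordered[i * n // bins] for i in range(1, bins)]

    def shares(values):
        counts = [0] * bins
        for v in values:
            counts[bisect.bisect_right(edges, v)] += 1
        # eps keeps an empty bin from producing log(0) or division by zero
        return [max(c / len(values), eps) for c in counts]

    b, c = shares(baseline), shares(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def verdict(value):
    """Map a PSI value to a monitoring action."""
    if value < PSI_STABLE:
        return "stable"
    if value < PSI_SIGNIFICANT:
        return "moderate drift: investigate"
    return "significant drift: escalate as an AI incident"


def positive_rate_shift(baseline_preds, current_preds):
    """Absolute change in the share of positive (1) predictions. This is an
    output-side signal that the model's behaviour has moved, usable before
    ground-truth outcomes are available to measure accuracy directly."""
    base = sum(baseline_preds) / len(baseline_preds)
    cur = sum(current_preds) / len(current_preds)
    return abs(cur - base)


def drift_report(baseline_features, current_features, bins=10):
    """Per-feature PSI and verdict for dicts of feature name -> values."""
    report = {}
    for name, base_values in baseline_features.items():
        value = psi(base_values, current_features[name], bins)
        report[name] = (round(value, 4), verdict(value))
    return report


def constructed_windows(seed=7, n=2000):
    """Constructed sample, not real data: a baseline window and two later
    production windows of a hypothetical loan model's 'income_zscore'
    input, plus approve (1) / deny (0) outputs from a stand-in decision
    rule. The third window simulates the applicant pool changing."""
    rng = random.Random(seed)
    baseline = [rng.gauss(0.0, 1.0) for _ in range(n)]
    stable = [rng.gauss(0.0, 1.0) for _ in range(n)]
    shifted = [rng.gauss(1.5, 1.0) for _ in range(n)]

    def decide(x):  # stand-in for the deployed model's decision
        return 1 if x > 0.5 else 0

    return {
        "baseline": baseline,
        "stable": stable,
        "shifted": shifted,
        "baseline_preds": [decide(x) for x in baseline],
        "shifted_preds": [decide(x) for x in shifted],
    }


if __name__ == "__main__":
    w = constructed_windows()
    for label in ("stable", "shifted"):
        print(label, drift_report({"income_zscore": w["baseline"]},
                                  {"income_zscore": w[label]}))
    print("approval rate shift:",
          round(positive_rate_shift(w["baseline_preds"], w["shifted_preds"]), 3))
```

A PSI above the significant threshold on a feature the model relies on would trigger the incident process described in this module: record it in the AI register, notify the provider and affected stakeholders, and decide whether retraining is warranted. PSI on inputs cannot see concept drift, where the inputs look the same but the right answer has changed; that requires comparing predictions with outcomes once they arrive.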
-- 279 of 320 --
Conclusion
Join us at one of the 2026 AI Governance Global conferences to learn about all the latest
developments, laws, regulations, technologies and best practices in the ever-changing world of AI
governance.
AI Governance Global Europe
AIGP training dates: 1–2 June 2026
Workshops: 2 June 2026
Conference dates: 3–4 June 2026
DUBLIN
AI Governance Global North America
AIGP training dates: 6–7 October 2026
Workshops: 7 October 2026
Conference dates: 8–9 October 2026
SEATTLE
-- 280 of 320 --
Conclusion
THANK YOU!
Next steps
Verify your knowledge and skills in AI governance by taking our AIGP certification exam, based on the
same body of knowledge as our AIGP training. IAPP certifications are respected around the world as a
gold standard.
• Train and study your resources for a minimum of 30 hours.
• Review:
• The Resources list PDF.
• The IAPP’s AIGP body of knowledge and AIGP Candidate Handbook.
• The "Key Terms for AI Governance" glossary.
• Explore content, resources and networking in the IAPP’s online AI Governance Center.
• Subscribe to the IAPP’s AI Governance Dashboard newsletter via the Subscription Center.
• Review tips on how to prepare for certification.
• Visit the IAPP website to find ways to engage with peers through KnowledgeNets and LinkedIn live
broadcasts.
• For those interested, purchase a practice exam to experience the complexity and difficulty of the
real exam without the pressure.
-- 281 of 320 --
-- 282 of 320 --
Appendix
-- 283 of 320 --
1
©2026 IAPP. Not for reproduction, distribution or republication.
ARTIFICIAL INTELLIGENCE
GOVERNANCE PROFESSIONAL TRAINING
ANSWER KEY
Correct answers are bolded.
MODULE 1: FOUNDATIONS OF ARTIFICIAL INTELLIGENCE
LESSON 1
Review question
According to the OECD, which of the following are included in the five dimensions that should be used to classify AI
systems? Select all that apply.
A. Data and input
B. AI model
C. Tasks and output
D. Economic context
E. People and planet
The OECD helps organizations to classify AI systems and examine risks to those systems. The OECD’s five dimensions to
classify AI systems are people and planet, economic context, data and input, AI model and tasks and output.
LESSON 2
Review question 1
An AI system studies a large set of unlabeled data and tries to detect hidden patterns within it. What type of
machine learning is being used in this example?
A. Forecasting
B. Supervised learning
C. Unsupervised learning
D. Reinforcement learning
Unsupervised learning models do not rely on labeled datasets and are able to identify differences, similarities and
other patterns without human supervision.
Review question 2
True or false? AI and machine learning mean the same thing and can be used interchangeably.
A. True
-- 284 of 320 --
B. False
AI and machine learning are related but are not the same thing. Machine learning is a technique for achieving AI. It
uses algorithms to review data, learn from it, then make predictions or decisions, rather than being explicitly
programmed to perform a task. AI refers to machines that perform tasks ordinarily requiring human intelligence.
In simple terms, AI can be thought of as the result (machines exhibiting intelligence), and machine learning as a
process by which that result can be achieved (teaching the machine).
Review question 3
Which of the following models would be most appropriate for an analysis of relationships between two variables?
A. Linear/statistical model
B. Computer vision
C. Reinforcement learning
D. Decision tree model
Linear/statistical models use a linear equation to model the relationship between two variables, such as sales and
pricing, or time of day and volume of road traffic.
MODULE 2: AI IMPACTS AND RESPONSIBLE PRINCIPLES
LESSON 1
Review question 1
Which of the following are examples of types of privacy concerns regarding the use of AI? Select all that apply.
A. De-identifying personal data
B. Business reputation
C. Lack of transparency of use
D. Appropriation of personal data for model training
Privacy concerns with the use of AI mentioned in this lesson include de-identifying personal data (removing identifiers
such as name or address; however, it is possible to reidentify an individual if data is aggregated or combined with
other data), lack of transparency of use (individuals should know when AI is being used) and appropriation of personal
data for model training (individuals may consent for one particular use of their data, but not for training an AI
system).
Review question 2
True or false? Using AI-driven tools for job marketing and hiring could result in a negative economic impact by
failing to reach key demographic groups.
A. True
B. False
Job opportunities may not reach people of all demographic groups if an AI model used for marketing or job
recruitment has bias in favor of specific subgroups.
LESSON 2
Review question 1
-- 285 of 320 --
Which of the following best describes how the OECD guidelines influence AI governance?
A. They focus solely on data privacy and security in AI systems
B. They provide a framework for ensuring AI systems are human-centric and transparent
C. They are legally binding regulations for all organizations using AI
D. They mandate specific technologies to be used in AI systems
The OECD guidelines are not legally binding regulations but serve as a set of recommended practices for ethical AI
governance. While data privacy and security are important, the OECD guidelines also address broader principles like
fairness, accountability and transparency.
Review question 2
Which of the following is a foundational control to mitigate ethical risks posed by AI?
A. Avoiding the use of external audits for AI systems
B. Implementing a diverse and cross-functional team for AI evaluation
C. Relying solely on automated systems to monitor AI behavior
D. Focusing only on technical performance metrics
A diverse and cross-functional team helps identify and address potential ethical risks by bringing varied perspectives
and expertise to AI evaluation.
MODULE 3: AI GOVERNANCE AND RISK MANAGEMENT
LESSON 1
Review question 1
Which connections can be drawn between the size of a company or organization and its approach to AI governance?
Select all that apply.
A. The size is likely related to the number of AI systems involved.
B. The size may affect the likelihood of new positions being created for AI responsibilities.
C. A smaller company is more likely to create new AI-specific offices.
D. Larger companies will likely have a lower risk tolerance than smaller companies.
A and B were both included in this lesson as ways company/organization size may impact the AI governance
approach. A larger, not smaller, company is more likely to create new AI-specific offices. Finally, no relationship was
discussed between a company’s size and its risk tolerance.
LESSON 2
Review question 1
What are ways in which a practitioner can engage and attain buy-in for a responsible AI program from
organizational leadership? Select all that apply.
A. Identify early adopters or proponents among leadership
B. Describe how responsible AI is a competitive differentiator
-- 286 of 320 --
C. Show how existing programs are sufficient to mitigate AI risk
D. Show how the organization can anticipate and mitigate regulatory concerns and demonstrate a
commitment to trustworthy products
Ways to engage leadership and buy-in for a responsible AI governance program include:
1) Identifying early adopters or proponents - those in leadership already using AI who would support improved
governance.
2) Informing leadership how responsible AI can be a competitive differentiator.
3) Explaining applicable regulatory concerns for using AI, and how a strong governance program helps with
mitigation.
Review question 2
What is the most important aspect of establishing a practical and responsible AI governance program?
A. Identifying engineering teams building AI capabilities
B. Understanding organizational structure and culture
C. Understanding the competitor’s capabilities and governance programs
D. Building a strongly hierarchical governance program for the organization
A practical and responsible AI governance program should always tailor AI governance to the context of the
organization. Those establishing the program should have a thorough understanding of the organization's structure
and culture.
LESSON 3
Review question 1
Given that organizations have finite resources, including those dedicated to risk management, how should they
prioritize those resources to adequately govern AI systems?
A. Allocate resources equally across all risk levels
B. Focus the majority of resources on high-risk areas
C. Distribute resources based on stakeholder preferences
D. Prioritize resources based on the cost of implementation
Organizations must develop policies and processes to assess risk levels and then allocate their resources accordingly,
i.e., by focusing resources on AI rated high or medium risk. Focusing on high-risk areas ensures that the most
critical risks are addressed first, aligning with best practices in risk management.
Review question 2
The NIST AI Risk Management Framework notes that "organizations can establish board committees for AI risk
management and oversight functions and integrate those functions within the organization’s broader enterprise
risk management approaches." What are examples of how organizational management can demonstrate this?
Possible answers:
• Support AI risk management roles at all levels of the organization
• Ensure appropriate authority and resources to perform risk management are allocated throughout the
organization
• Determine and document roles, responsibilities and delegation of authorities to personnel involved in the
design, development, deployment, assessment and monitoring of the AI
-- 287 of 320 --
• Ensure AI solutions provide sufficient information to assist in making informed decisions and document
accordingly
• Allocate roles, responsibilities and authority to relevant stakeholders
MODULE 4: AI REGULATION
LESSON 1
Review question 1
Which of the following statements best describes the consistent approach found in global AI-specific legislation?
A. Transparency requirements are optional in most AI-specific regulations
B. Providers and deployers share identical responsibilities under all AI-specific laws
C. A risk-based approach is commonly used, with higher-risk systems facing stricter obligations
D. AI systems are regulated uniformly across all jurisdictions to ensure global consistency
Global AI-specific legislation consistently employs a risk-based approach, where higher-risk systems are subject to
stricter obligations.
LESSON 2
Review question 1
Which of the following best describes the purpose of a risk-based AI regulation framework?
A. To ban all AI systems that pose any level of risk.
B. To ensure all AI systems are subject to the same regulations.
C. To classify AI systems based on their risk levels and apply appropriate rules and obligations.
D. To promote the use of AI systems without any regulatory oversight.
Risk-based AI regulation frameworks aim to classify AI systems into categories like prohibited, high, limited, or minimal
risk, and apply rules accordingly.
An AI conformity assessment is required depending on the AI system or the technology’s risk to health, safety and
fundamental rights of individuals. The requirement is not just for cases where personal data is processed.
LESSON 3
Review question 1
A company is developing a high-risk AI system for public use. To comply with major AI laws, what must they ensure
regarding data governance?
A. The data used is relevant, representative and regularly checked for errors or bias
B. The data is sourced exclusively from public databases
C. The data is anonymized before any processing
D. The data is stored indefinitely for future audits
Major AI laws require that training, validation, and test data for high-risk AI systems meet these criteria to ensure
fairness and accuracy.
-- 288 of 320 --
LESSON 4
Review question 1
A company is deploying a general-purpose AI model in a high-risk health care application. What is a critical step they
must take to ensure compliance with transparency requirements?
A. Publish a detailed summary of the training data used for the model
B. Ensure the model is only used in low-risk applications
C. Keep the training data confidential
D. Ensure the model is only used by internal teams
Publishing a detailed summary of the training data is a key transparency requirement, ensuring users and regulators
understand the model's development process.
MODULE 5: OTHER LAWS THAT APPLY TO AI
LESSON 1
CASE STUDY: Managing sensitive data in AI systems
Axentis Health Solutions, a global leader in AI-driven healthcare technologies, faced significant challenges when
integrating biometric data into their patient monitoring systems. The organization recognized that handling
sensitive data, such as facial recognition and fingerprint scans, required strict adherence to privacy laws like the
GDPR and HIPAA. To address these challenges, Axentis implemented a multi-layered governance framework that
included rigorous vendor screening processes, ensuring third-party AI models met safety and compliance
standards. They also conducted regular risk assessments to identify vulnerabilities in data handling and storage
practices.
By collaborating with legal experts and data scientists, Axentis developed tailored policies to manage sensitive data
responsibly, including encryption protocols and access controls. These measures not only ensured compliance but
also strengthened patient trust in their innovative AI solutions.
DISCUSSION QUESTION
What are the benefits of incorporating encryption protocols and access controls in managing sensitive data within
AI technologies?
POSSIBLE ANSWERS:
The benefits are multifold:
Compliance with legal obligations
• Security of personal data is a key principle to ensure data protection compliance and a requirement under the EU
AI Act and various codes, best practices and governance frameworks
• Personal data must be appropriately secured to protect it against unauthorized or unlawful processing and
against loss, destruction or damage
Decrease possibility of security incidents and data breaches
• By having implemented a robust governance framework, Axentis is minimizing the possibility of security incidents
and data breaches, thereby reducing the possibility of an infringement of legal and contractual obligations
-- 289 of 320 --
Resource saving
• This will save Axentis resources (time and money) they may have had to devote to such security incidents or data
breaches, including fines or claims
Trust
• Axentis is also protecting its brand and reputation and building stakeholder trust
Audits and/or regulatory or stakeholder queries
• Axentis will be best placed to respond to any internal or external auditors or queries from regulators or other
stakeholders, including client and potential client assessments
Review question 1
A company is developing an AI system to analyze customer data for personalized marketing. During the design
phase, the team discusses how to ensure compliance with data privacy laws. They decide to limit the data collected
to only what is necessary for the marketing purpose and to inform customers about how their data will be used.
Which principles are they applying?
A. Data minimization and collection limitation
B. Purpose limitation and transparency
C. Notice and data collection
D. Consent and data subject rights
The correct answer is purpose limitation and transparency, which focus on limiting data use to specific purposes and
informing customers about data usage.
LESSON 2
CASE STUDY: Navigating AI ownership challenges
A global technology company, Designova, faced significant challenges in determining authorship and ownership of
outputs generated by its AI systems. Designova had developed an AI tool capable of creating innovative product
designs, but questions arose regarding who held the intellectual property rights to these outputs. Traditional
intellectual property laws, which emphasize human creativity, did not provide clear guidance for AI-generated
content. This ambiguity created legal and operational risks, particularly when the AI tool was integrated into client-
facing projects.
To address these complexities, Designova implemented a comprehensive governance framework.
• This framework included policies that explicitly defined ownership attribution for AI-generated outputs and
required vendor agreements to specify intellectual property rights.
• Additionally, Designova conducted regular risk assessments to ensure compliance with intellectual property
laws and mitigate potential conflicts.
By taking these proactive measures, Designova successfully aligned its AI governance strategy with existing legal
frameworks, reducing risks and fostering innovation in its operations.
DISCUSSION QUESTION: What are the potential risks of not clearly defining ownership attribution for AI-generated
outputs in vendor agreements?
POSSIBLE ANSWERS:
-- 290 of 320 --
If Designova had not clearly defined ownership in the vendor agreements, it could be left exposed in several
ways:
• Other parties not aligning with Designova’s views on ownership.
• Other parties asserting ownership in conflict with Designova’s.
• The above could lead to protracted claims and disputes, taking up valuable resources and deflecting attention
and energy from Designova’s business.
It is important that Designova stays up to date with the changing legal landscape.
Review question 1
A company is developing an AI model and plans to use large datasets, some of which may include copyrighted
material. What is a key challenge they might face regarding intellectual property laws?
A. Ensuring AI systems meet minimum performance metrics
B. Determining whether AI-generated outputs can be patented
C. Balancing the use of copyrighted data with creators' rights
D. Establishing ownership of AI-generated trademarks
Balancing the use of copyrighted data with creators’ rights is a key challenge as AI systems often require large
amounts of data, much of which may be copyrighted, raising questions about fair use and permissions. Option A is a
concern for AI system deployment, not directly related to intellectual property laws and training data. Options B and D
are challenges related to AI-generated outputs, not specifically about training data.
LESSON 3
CASE STUDY: Addressing bias in training data
A global retail company, InnovateMart, faced challenges in ensuring its AI-driven hiring tool complied with
nondiscrimination laws. The tool, designed to streamline candidate selection, inadvertently favored certain
demographics due to biased training data. This raised concerns about potential violations of equal employment
opportunity regulations.
To address the issue, InnovateMart conducted a comprehensive audit of the AI system, identifying and removing
biased data points. They collaborated with data scientists and legal experts to refine the algorithm, ensuring it
aligned with legal standards and ethical hiring practices. Additionally, InnovateMart implemented regular bias
testing and established a governance framework to monitor the tool's performance over time. They also provided
training for HR teams to understand AI limitations and ensure human oversight in decision-making processes.
By taking these proactive measures, InnovateMart not only mitigated legal risks but also reinforced its commitment
to fair and inclusive hiring practices.
DISCUSSION QUESTION: How can audits prevent bias?
POSSIBLE ANSWERS:
Audits can be a powerful method to assist with detecting, preventing and reducing bias, for the following reasons:
• Spotlight: Having an audit process in place that focuses on bias detection shines and maintains a spotlight on the
importance of the issue.
• Expectations: Audits establish clear expectations for those developing and using the AI tool and its output.
• Accountability: Audits ensure accountability.
-- 291 of 320 --
• Process improvement: Where issues are found, they can be fixed.
• Guardrails: Audits ensure the guardrails put in place at the start of the process are maintained.
Review question 1
A large organization is planning to implement an AI-driven tool to streamline its hiring process, aiming to reduce
time spent on candidate screening and improve efficiency. However, the company has found indications of bias in
the algorithm, favoring certain demographic groups. What should the company do to ensure compliance with
nondiscrimination laws?
A. Conduct a comprehensive audit to identify and address biased data points in the algorithm.
B. Continue using the algorithm as it is to maintain efficiency in the hiring process.
C. Modify the algorithm to favor underrepresented groups to counteract the bias.
D. Remove all human oversight from the hiring process to ensure objectivity.
Conducting an audit helps identify and mitigate biases in the algorithm, ensuring compliance with nondiscrimination
laws and promoting fairness.
LESSON 4
CASE STUDY: Ensuring AI product safety
SyntraHome, a leading manufacturer of smart home devices, faced significant challenges when integrating AI-driven
features into their product line. After launching an AI-powered thermostat, the company encountered reports of
overheating issues that posed safety risks to consumers. Investigations revealed that the defect stemmed from a
third-party AI model used to optimize energy efficiency. This incident highlighted the importance of conducting
comprehensive risk assessments and establishing clear liability terms with vendors to address potential design and
manufacturing defects.
To mitigate future risks, SyntraHome implemented a robust governance framework that included rigorous testing
protocols and vendor screening processes. It required third-party providers to supply detailed safety
documentation and conducted independent evaluations to ensure compliance with product liability standards.
Additionally, SyntraHome updated its internal policies to define accountability for AI-related failures, ensuring
consumer protection remained a top priority. By taking these proactive measures, the company not only resolved
the immediate issue but also strengthened its approach to AI governance, fostering trust and innovation in its
product offerings.
DISCUSSION QUESTION
What steps can companies take to ensure third-party AI models meet safety and reliability standards before
integration into their products?
POSSIBLE ANSWERS:
• Conduct rigorous vendor screening/assessments
• Obtain a copy of certification(s) and ensure they are up to date
• Verify compliance with relevant industry standards and regulations
• Examine safety testing reports, performance benchmarks and technical specifications
• Review the vendor’s incident response procedure
• Conduct a security audit
• Start with limited pilot deployments to test integration in controlled environments
-- 292 of 320 --
Review question 1
A company uses an AI-powered chatbot to handle customer inquiries. However, the chatbot provides misleading
information about the company’s refund policy, causing confusion among customers. Based on consumer
protection laws, what is the company’s responsibility in this situation?
A. Ensure the chatbot is programmed to provide accurate and transparent information.
B. Replace the chatbot with a human customer service representative.
C. Limit the chatbot’s use to non-customer-facing tasks.
D. Disclose to customers that the chatbot may provide inaccurate information.
Consumer protection laws require companies to avoid deceptive practices, including ensuring their AI systems provide
accurate information.
Review question 2
A company develops an AI-powered medical diagnostic tool that provides inaccurate results, leading to harm for
several patients. What is a key legal challenge in holding the company accountable under product liability laws?
A. Proving that the company intentionally caused harm.
B. Determining whether the AI system qualifies as a product under the law.
C. Establishing that the patients were aware of the AI system's limitations.
D. Demonstrating that the AI system was developed using outdated technology.
One of the key challenges is the uncertainty around whether AI systems are classified as products under existing
product liability laws.
MODULE 6: GOVERNING AI DEVELOPMENT
LESSON 1
Review question 1
Why is it important to evaluate data availability during the planning phase of an AI system?
A. To ensure the data aligns with the requirements of the AI system
B. To identify the stakeholders responsible for data governance
C. To determine the key performance indicators (KPIs) for success
D. To establish a governance structure for the AI system
Evaluating data availability ensures that the data is accurate, sufficient, and relevant to the AI system's requirements,
which is critical for its success.
LESSON 2
Review question 1
What is a technique that protects information about training data from being revealed by "blurring" data points
using an algorithm to generate values that remain meaningful yet nonspecific?
A. Minimization
B. Differential privacy
-- 293 of 320 --
C. Anonymization
D. Federated learning
The use of differential privacy blurs the data using an algorithm that keeps the data meaningful but makes it
nonspecific (e.g., individuals are not identifiable).
Review question 2
Which of the following is a key consideration during the data wrangling process to ensure data quality and privacy?
A. Implementing federated learning for distributed model training
B. Data cleansing to remove erroneous or irrelevant data
C. Data labeling to annotate datasets with relevant tags
D. Using feature flags to manage model features
Data cleansing is a critical step in data wrangling as it ensures data quality by removing errors and irrelevant
information, which also helps address privacy concerns.
Federated learning is a technique for training models while preserving data privacy, but it is not a direct consideration
during the data wrangling process.
While data labeling is important for machine learning, it is not a direct consideration for ensuring data quality and
privacy during data wrangling.
Feature flags are used to manage features in models, not directly related to ensuring data quality and privacy during
data wrangling.
LESSON 3
Review question 1
True or false? An AI governance team should document all decisions they make during the development life cycle of
an algorithm, whether the decisions address regulatory requirements or not.
A. True
B. False
Review question 2
Your organization is developing an AI system for automating loan approvals. What is a critical step to ensure the
system aligns with governance best practices?
A. Skipping documentation to speed up development
B. Conducting thorough testing and validation of the AI system
C. Relying solely on the training dataset for evaluation
D. Avoiding stakeholder feedback during development
Testing and validation are essential to ensure the AI system operates reliably and securely and aligns with governance best
practices.
MODULE 7: GOVERNING AI DEPLOYMENT
LESSON 1
Review question 1
What is a key factor to consider when selecting an AI deployment environment?
A. The number of employees in the organization
B. The organization's marketing strategy
C. The organization's budget and computational needs
D. The availability of open-source AI models
Budget and computational needs are critical factors in determining the most suitable deployment environment, as
they directly impact the feasibility and performance of the AI system.
Review question 2
What is one unique challenge organizations face when deploying a proprietary AI model they developed?
A. Evaluating vendor agreements for intellectual property rights
B. Ensuring compatibility with third-party vendor systems
C. Managing increased obligations and potential liability
D. Minimizing latency in cloud-based environments
Organizations deploying their own proprietary AI models face unique challenges, including increased obligations and
higher potential liability.
Evaluating vendor agreements for intellectual property rights (option A) is specific to deploying third-party AI systems,
not proprietary models developed by the organization.
Ensuring compatibility with third-party vendor systems (option B) is more relevant to organizations deploying third-
party AI systems rather than proprietary models they developed.
Minimizing latency in cloud-based environments (option D) can be a challenge, but is more specific to deployment
environments like cloud-based systems rather than a unique challenge of proprietary AI models.
LESSON 2
Review question 1
Recommended practices for monitoring AI systems for risk after deployment include which of the following? Select
all that apply.
A. Conduct red teaming exercises
B. Document using model cards and the organization’s standard documentation
C. Keep snapshots of an algorithm and its outputs
D. Monitor risks from third parties
All answers are correct.
Review question 2
Why is it important to monitor an AI model for data drift after deployment?
A. To avoid the need for retraining the model
B. To reduce the frequency of audits
C. To eliminate the need for human oversight
D. To ensure the model continues to meet its intended purpose
Monitoring for data drift helps identify changes in the relationship between input data and predictions, ensuring the
model remains effective and aligned with its original purpose.
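As an added illustration (not part of the IAPP course material) of what a post-deployment drift monitor actually computes, the block below uses the Population Stability Index, a common way to compare the distribution of a feature, or of a model's output scores, at deployment time against what the model currently sees. The feature name ("annual income, thousands"), the bin edges, the logistic scoring function standing in for a deployed loan model, the alert thresholds (0.1 and 0.25 are a widely used rule of thumb, not a standard) and both sample datasets are constructed assumptions for the example.

```python
import math
from bisect import bisect_right

# Constructed bin edges for a hypothetical feature "annual income, thousands":
# bins are (-inf,40), [40,60), [60,80), [80,100), [100,inf).
BIN_EDGES = [40, 60, 80, 100]
# Constructed bin edges for model output scores in [0, 1].
SCORE_EDGES = [0.2, 0.4, 0.6, 0.8]


def histogram(values, edges=BIN_EDGES):
    """Count values per bin; bisect_right puts a value equal to an edge in the upper bin."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect_right(edges, v)] += 1
    return counts


def proportions(counts, floor=1e-4):
    """Bin shares, floored so an empty bin cannot produce log(0)."""
    total = sum(counts)
    return [max(c / total, floor) for c in counts]


def psi(baseline, current, edges=BIN_EDGES):
    """Population Stability Index between a baseline sample and a current sample.
    PSI = sum over bins of (cur% - base%) * ln(cur% / base%); 0 means identical."""
    b = proportions(histogram(baseline, edges))
    c = proportions(histogram(current, edges))
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def drift_status(value, watch=0.1, alert=0.25):
    """Rule-of-thumb thresholds (assumption): <0.1 stable, <0.25 monitor, else drift."""
    if value < watch:
        return "stable"
    if value < alert:
        return "monitor"
    return "drift"


def hypothetical_model_score(income):
    """Stand-in for a deployed approval model: logistic in income, centred at 70."""
    return 1.0 / (1.0 + math.exp(-(income - 70.0) / 15.0))


def drift_report(baseline_incomes, current_incomes):
    """Check both the input feature and the model's output distribution, since a
    shift in either can mean the model no longer serves its intended purpose."""
    feature_psi = psi(baseline_incomes, current_incomes, BIN_EDGES)
    score_psi = psi(
        [hypothetical_model_score(x) for x in baseline_incomes],
        [hypothetical_model_score(x) for x in current_incomes],
        SCORE_EDGES,
    )
    return {
        "feature_psi": feature_psi,
        "feature_status": drift_status(feature_psi),
        "score_psi": score_psi,
        "score_status": drift_status(score_psi),
    }


# Constructed samples: applicants at deployment time versus a later period in
# which the applicant population has shifted toward higher incomes.
BASELINE = list(range(20, 100))
CURRENT = list(range(60, 140))

if __name__ == "__main__":
    for name, value in drift_report(BASELINE, CURRENT).items():
        print(f"{name}: {value}")
```

Running the block shows the feature and the score distribution both flagged as drift, which is the signal to investigate whether the model still meets its intended purpose and whether retraining or a change in thresholds is warranted.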
ARTIFICIAL INTELLIGENCE GOVERNANCE
PROFESSIONAL TRAINING
RESOURCES
GENERAL
AI Governance Dashboard newsletter, via the IAPP Subscription Center: https://iapp.org/news/subscriptions.
AI Governance Profession Report. IAPP and Credo AI. April 2025. https://iapp.org/resources/article/ai-governance-profession-report/.
“Global AI Legislation Tracker.” IAPP, September 2023. https://iapp.org/resources/article/global-ai-legislation-tracker.
IAPP AI Governance Center (https://iapp.org/about/ai-governance) and Artificial Intelligence topic page (https://master.dzlm3qdfgauh1.amplifyapp.com/resources/search?all_resource_dates_desc%5BrefinementList%5D%5Bresource_tags.subject.subject%5D%5B0%5D=AI%20and%20machine%20learning): content, resources and networking opportunities.
IAPP AIGP body of knowledge and exam blueprint v2.1. https://iapp.org/certify/aigp/
IAPP conferences: European conference: https://iapp.org/conference/iapp-ai-governance-global-europe. North American conference: https://iapp.org/conference/iapp-psr.
IAPP “How to prepare” page. https://iapp.org/certify/how-to-prepare/
“Key Terms for AI Governance.” IAPP. Updated July 2025. https://iapp.org/resources/ai-governance-glossary
MODULE 1: FOUNDATIONS OF ARTIFICIAL INTELLIGENCE
Lesson 1
AI – general
Artificial Intelligence. OECD. https://www.oecd.org/digital/artificial-intelligence.
OECD Framework for the Classification of AI Systems: a tool for effective AI policies. https://oecd.ai/en/classification.
“The Spectrum of Artificial Intelligence.” Future of Privacy Forum. https://fpf.org/wp-content/uploads/2021/01/FPF_AIEcosystem_illo_03.pdf
UN AI Advisory Body. “Governing AI for Humanity.” September 2024. https://www.un.org/sites/un2.un.org/files/governing_ai_for_humanity_final_report_en.pdf
AI governance
“AI ethics & governance.” Accenture. https://www.accenture.com/us-en/services/applied-intelligence/ai-ethics-governance.
AI Risk Management Framework. NIST. https://www.nist.gov/itl/ai-risk-management-framework.
Baruch, Tang, Jain, Gong, Murchison, Adams and Harrington. “Our Responsible AI Principles in Practice.” LinkedIn Engineering blog, April 13, 2023. https://www.linkedin.com/blog/engineering/responsible-ai/our-responsible-ai-principles-in-practice.
Casovan, Jones and Chaudhry. “AI Governance in Practice Report 2024.” IAPP and FTI Consulting, June 2024. https://iapp.org/resources/article/ai-governance-in-practice-report.
“Empowering responsible AI practices.” Microsoft. https://www.microsoft.com/en-us/ai/responsible-ai.
“The Ethical Norms for the New Generation Artificial Intelligence, China.” International Research Center for AI Ethics and Governance, September 27, 2021. https://ai-ethics-and-governance.institute/2021/09/27/the-ethical-norms-for-the-new-generation-artificial-intelligence-china.
“Ethics of Artificial Intelligence.” UNESCO. https://www.unesco.org/en/artificial-intelligence/recommendation-ethics.
IEEE Standard Model Process for Addressing Ethical Concerns during System Design. https://xplorestaging.ieee.org/document/9536679.
ISO/IEC TR 24028:2020 Information technology/Artificial intelligence/Overview of trustworthiness in artificial intelligence. ISO. May 2020. https://www.iso.org/standard/77608.html.
OECD AI Principles overview. OECD, updated May 2024. https://oecd.ai/en/ai-principles.
“Privacy and AI Governance Report.” IAPP and FTI Consulting, January 2023. https://iapp.org/resources/article/ai-governance-report-summary.
Recommendation of the Council on Artificial Intelligence. OECD Legal Instruments, Updated November 7, 2023. https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449.
“Responsible AI from principles to practice.” Recorded January 31, 2022. Brookings. https://www.brookings.edu/events/responsible-ai-from-principles-to-practice.
Responsible AI Practices. Google. https://ai.google/responsibility/principles/#our-ai-principles-in-action.
Tools for trustworthy AI. OECD, June 28, 2021. https://www.oecd.org/science/tools-for-trustworthy-ai-008232ec-en.htm.
Cloud computing
“Artificial Intelligence in Cloud Computing.” Datacenters.com Cloud, May 25, 2023. https://www.datacenters.com/news/artificial-intelligence-in-cloud-computing.
Mohmad, Parvin. “Top 5 Ways Artificial Intelligence Impacts Cloud Computing.” Analytics Insight, February 26, 2023. https://www.analyticsinsight.net/top-5-ways-artificial-intelligence-impacts-cloud-computing/.
MODULE 1: Lesson 2
AI language models. OECD, April 13, 2023. https://www.oecd-ilibrary.org/science-and-technology/ai-language-models_13d38f92-en.
Berkeley Artificial Intelligence Research. https://bair.berkeley.edu/blog.
“Human-AI Interfaces and Robotics.” The Alan Turing Institute. https://www.turing.ac.uk/research/research-programmes/artificial-intelligence-ai/robotics.
“LLMs vs. SLMs: The Differences in Large & Small Language Models.” Splunk. Feb. 17, 2025. https://www.splunk.com/en_us/blog/learn/language-models-slm-vs-llm.html
“Machine Learning vs Deep Learning vs LLMs vs GenAI: Explained and How are they Different from Each Other?” Cloud 4C. May 3, 2024. https://www.cloud4c.com/blogs/genai-vs-machine-learning-vs-deep-learning-vs-llms.
Rouse, Margaret. "ChatGPT." Techopedia, updated March 14, 2024. https://www.techopedia.com/definition/34933/chatgpt.
“The Battle of the Brains: Large Language Models vs. Small Language Models.” Iovox. https://www.iovox.com/blog/ai-llm-vs-slm
“The Privacy Expert’s Guide to AI and Machine Learning.” Future of Privacy Forum, Oct. 2018. https://fpf.org/wp-content/uploads/2018/10/FPF_Artificial-Intelligence_Digital.pdf
“Topic: What is an AI model?” IBM. https://www.ibm.com/think/topics/ai-model
"Topic: What is deep learning?" IBM. https://www.ibm.com/topics/deep-learning.
"Topic: What is generative AI?" IBM. https://research.ibm.com/blog/what-is-generative-AI.
"Topic: What is machine learning?" IBM. https://www.ibm.com/topics/machine-learning.
"Topic: What is Natural Language Processing (NLP)?" AWS. https://aws.amazon.com/what-is/nlp.
MODULE 1: Lesson 3
“Understanding and managing the AI lifecycle.” U.S. General Services Administration. https://coe.gsa.gov/coe/ai-guide-for-government/understanding-managing-ai-lifecycle/.
Patel, Rakesh. “AI development life cycle: A comprehensive guide.” Space Technologies. Oct. 18, 2025. https://www.spaceo.ai/blog/ai-development-life-cycle/
Weller, Suzanne. “Streamline AI Governance with Informatica.” Informatica, May 27, 2025. https://www.informatica.com/blogs/streamline-ai-governance-with-informatica.html#
MODULE 2: AI IMPACTS AND RESPONSIBLE PRINCIPLES
Lesson 1
Acemoglu, Daron. “Harms of AI.” MIT, August 2021. https://economics.mit.edu/sites/default/files/publications/Harms%20of%20AI.pdf.
Akselrod, Olga. “How Artificial Intelligence Can Deepen Racial and Economic Inequities.” ACLU, July 13, 2021. https://www.aclu.org/news/privacy-technology/how-artificial-intelligence-can-deepen-racial-and-economic-inequities.
AI Risk Repository. MIT. https://airisk.mit.edu. (Database of over 700 AI risks categorized by cause and risk domain)
“Artificial Intelligence: Threats and Opportunities.” European Parliament, updated June 20, 2023. https://www.europarl.europa.eu/news/en/headlines/society/20200918STO87404/artificial-intelligence-threats-and-opportunities.
Calo, M. Ryan. (2011). "The Boundaries of Privacy Harm," Indiana Law Journal: Vol. 86: Iss. 3, Article 8. https://www.repository.law.indiana.edu/ilj/vol86/iss3/8.
Citron, Danielle Keats and Solove, Daniel J. Privacy Harms. February 9, 2021. GWU Legal Studies Research Paper No. 2021-11, GWU Law School Public Law Research Paper No. 2021-11, 102 Boston University Law Review 793 (2022). https://ssrn.com/abstract=3782222.
CSET AI Harm Taxonomy for AIID. Accessed December 4, 2024. https://incidentdatabase.ai/taxonomy/csetv1. (Note: CSET is the Center for Security and Emerging Technology at Georgetown University; AIID is the AI Incident Database).
“EPIC publishes report on generative AI harms.” Daily Dashboard. IAPP, May 23, 2023. https://epic.org/new-epic-report-sheds-light-on-generative-a-i-harms/.
“FTC Report Cautions Against Using AI to Combat Online Harms.” Daily Dashboard. IAPP, June 17, 2022. https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-report-warns-about-using-artificial-intelligence-combat-online-problems?utm_source=govdelivery.
ForHumanity Center, founded by Ryan Carrier. https://forhumanity.center.
Hamilton, Isobel Asher. “Amazon built an AI tool to hire people but had to shut it down because it was discriminating against women.” Insider, Oct. 10, 2018. https://www.businessinsider.com/amazon-built-ai-to-hire-people-discriminated-against-women-2018-10.
Jones, Elsabet and Baylee Easterday. “Artificial Intelligence’s Environmental Costs and Promise.” Council on Foreign Relations, June 28, 2022. https://www.cfr.org/blog/artificial-intelligences-environmental-costs-and-promise.
Kennedy, Brian, Eileen Yam, Emma Kikuchi, Isabelle Pula and Javier Fuentes. “How Americans View AI and Its Impact on People and Society.” Pew Research Center. Sept. 17, 2025. https://www.pewresearch.org/science/2025/09/17/how-americans-view-ai-and-its-impact-on-people-and-society/
Koerner, Katharina and Brandon Lalonde. “Federated learning: Supporting data minimization in AI.” The Privacy Advisor. IAPP, Feb. 28, 2023. https://iapp.org/news/a/federated-learning-supporting-data-minimization-in-ai.
NIST AI Risk Management Framework. https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf.
PANOPTIC Privacy Threat Model. https://ptmworkshop.gitlab.io/#/panoptic.
Schwartz, Gabrielle, Joe Jones, Uzma Chaudhry. “The Intersection of Privacy and AI Governance.” IAPP Resource Center, May 2024. https://iapp.org/resources/article/the-intersection-of-privacy-and-ai-governance.
Smuha, Nathalie A. “Beyond the individual: governing AI’s societal harm.” Internet Policy Review. 10(3), Sept. 30, 2021. https://policyreview.info/articles/analysis/beyond-individual-governing-ais-societal-harm.
Shelby, Renee, Shalaleh Rismani, Kathryn Henne, A Jung Moon, Negar Rostamzadeh, Paul Nicholas, N’Mah Yilla-Akbari, et al. “Sociotechnical Harms of Algorithmic Systems: Scoping a Taxonomy for Harm Reduction.” July 19, 2023. https://arxiv.org/pdf/2210.05791
“Unfairness by Algorithm: Distilling the Harms of Automated Decision-Making.” Future of Privacy Forum, Dec. 2017. https://fpf.org/wp-content/uploads/2017/12/FPF-Automated-Decision-Making-Harms-and-Mitigation-Charts.pdf
MODULE 2: Lesson 2
Altman, Sam. “Teen safety, freedom, and privacy.” OpenAI, Sept. 16, 2025. https://openai.com/index/teen-safety-freedom-and-privacy/
De Laat, Paul B. “Companies Committed to Responsible AI: From Principles towards Implementation and Regulation?” 2021. https://link.springer.com/article/10.1007/s13347-021-00474-3
“How to Make AI More Ethical, Transparent, and Useful for Everyone.” U.S. Chamber of Commerce. Interview with IBM’s Chief Privacy Officer, 2022. https://www.uschamber.com/technology/how-to-make-ai-more-ethical-transparent-and-useful-for-everyone.
"Impact: AI Ethics." IBM. https://www.ibm.com/impact/ai-ethics.
Long, Ryan E. “Artificial Intelligence Liability: The Rules are Changing.” Center for Internet and Society, Stanford University Law School, March 17, 2023. https://cyberlaw.stanford.edu/blog/2023/03/artificial-intelligence-liability-rules-are-changing-1.
“Microsoft Unveils Framework for Responsible AI.” Daily Dashboard. IAPP, June 22, 2022. https://iapp.org/news/b/microsoft-unveils-framework-for-responsible-ai.
“OECD AI Principles.” https://oecd.ai/en/ai-principles.
Relationship to Existing Law and Policy: Blueprint for an AI Bill of Rights. U.S. Government. https://www.whitehouse.gov/ostp/ai-bill-of-rights/relationship-to-existing-law-and-policy.
Responsible AI Management. IAPP and Ohio State University. June 2024. https://iapp.org/resources/article/ohio-state-report-responsible-ai-management/
Social Principles of Human-Centric AI. Council for Social Principles of Human-centric AI, March 2019. https://ai.bsa.org/wp-content/uploads/2019/09/humancentricai.pdf.
Stanford University, SQ7. How Should Governments Act to Ensure AI is Developed and used Responsibly | One Hundred Year Study on Artificial Intelligence (AI100), 2021. https://ai100.stanford.edu/gathering-strength-gathering-storms-one-hundred-year-study-artificial-intelligence-ai100-2021-1/sq7#LAWS.
"What is explainable AI?" IBM. https://www.ibm.com/topics/explainable-ai.
MODULE 3: AI GOVERNANCE AND RISK MANAGEMENT
Lessons 1 and 2
“Building Data and Artificial Intelligence Ethics Committees.” Northeastern University Ethics Institute and Accenture, 2019. https://www.accenture.com/us-en/services/applied-intelligence/ai-ethics-governance.
Chiancone, Chris. LinkedIn: “How Upskilling and Reskilling Can Empower Your Workforce for the AI Revolution.” https://www.linkedin.com/pulse/how-upskilling-reskilling-can-empower-your-workforce-ai-chiancone.
“HUDERIA Methodology.” Nov. 28, 2024. https://rm.coe.int/cai-2024-16rev2-methodology-for-the-risk-and-impact-assessment-of-arti/1680b2a09f.
ISO/IEC 22989:2022: Artificial intelligence concepts and terminology. https://www.iso.org/standard/74296.html
ISO/IEC 42001:2023: Artificial intelligence management system. https://www.iso.org/standard/42001
Koerner, Katharina and Jake Frazier. “Report on Responsible AI and Privacy Governance – Discussion of Findings.” Recorded May 3, 2023. IAPP: Portsmouth, NH. Web conference. https://iapp.org/resources/article/web-conference-report-on-responsible-ai-and-privacy-governance-discussion-of-findings.
Pouget, Hadrien. “What will the role of standards be in AI governance?” Ada Lovelace Institute, April 5, 2023. https://www.adalovelaceinstitute.org/blog/role-of-standards-in-ai-governance.
Schuett, Jonas, Anka Reuel and Alexis Carlier. “How to Design an AI Ethics Board.” https://arxiv.org/pdf/2304.07249.pdf.
Mahay, Monica, Nils Müller and Erica Werneman Root. “Understanding AI literacy.” IAPP. Jan. 15, 2025. https://iapp.org/news/a/understanding-ai-literacy.
MODULE 3: Lesson 3
Buehler, Dooley, Grennan and Singla. “Getting to know—and manage—your biggest AI risks.” McKinsey & Company, May 3, 2021. https://www.mckinsey.com/capabilities/quantumblack/our-insights/getting-to-know-and-manage-your-biggest-ai-risks.
ISO/IEC 42005:2025: AI system impact assessment. 2025. https://www.iso.org/standard/42005.
“Levels of a Risk Matrix.” Vector Solutions, June 25, 2019. https://www.vectorsolutions.com/resources/blogs/levels-of-a-risk-matrix.
National Association of Insurance Commissioners (NAIC) Principles on Artificial Intelligence (AI), August 2020. https://content.naic.org/sites/default/files/inline-files/AI%20principles%20as%20Adopted%20by%20the%20TF_0807.pdf
NIST AI RMF Playbook. https://www.nist.gov/itl/ai-risk-management-framework/.
NIST ARIA: https://ai-challenges.nist.gov/aria.
NIST Generative AI Profile. https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf.
“Risk-based approaches to AI governance, Part 1.” Hertie School Centre for Digital Governance, August 2, 2021. https://www.hertie-school.org/en/digital-governance/research/blog/detail/content/risk-based-approaches-to-ai-governance-part-1.
“Risk-based approaches to AI governance, Part 2.” Hertie School Centre for Digital Governance, August 16, 2021. https://www.hertie-school.org/en/digital-governance/research/blog/detail/content/risk-based-approaches-to-ai-governance-part-2.
Simbeck, Katharina. “They shall be fair, transparent, and robust: auditing learning analytics systems.” AI Ethics, May 1, 2023. https://link.springer.com/article/10.1007/s43681-023-00292-7.
MODULE 4: AI REGULATION
“AI Guide for Government: A Living and Evolving Guide to the Application of Artificial Intelligence for the U.S. Federal Government.” U.S. General Services Administration (GSA) Center of Excellence. https://coe.gsa.gov/coe/ai-guide-for-government/introduction/index.html.
Choi, Kyoungjin. “Analyzing South Korea’s Framework Act on the Development of AI.” IAPP, Jan. 23, 2025. https://iapp.org/news/a/analyzing-south-korea-s-framework-act-on-the-development-of-ai.
Andrews, Caitlin. “Japan passes innovation-focused AI governance bill.” IAPP, June 4, 2025. https://iapp.org/news/a/japan-passes-innovation-focused-ai-governance-bill.
Andrews, Caitlin. “With SB 53, California puts AI disclosure requirements on the map.” IAPP, Oct. 1, 2025. https://iapp.org/news/a/with-sb-53-california-puts-ai-disclosure-requirements-on-the-map.
The Artificial Intelligence and Data Act. Government of Canada, accessed Nov. 2024. https://ised-isde.canada.ca/site/innovation-better-canada/en/artificial-intelligence-and-data-act.
The Artificial Intelligence and Data Act — Companion Document. Government of Canada, accessed July 2023. https://ised-isde.canada.ca/site/innovation-better-canada/en/artificial-intelligence-and-data-act-aida-companion-document.
Casovan, Ashley. “Notes from the AI Governance Center: What the EU's proposed Digital Omnibus means for AI governance professionals.” IAPP, 17 December 2025. https://iapp.org/news/a/notes-from-the-ai-governance-center-what-the-eu-s-proposed-digital-omnibus-means-for-ai-governance-professionals.
Chng, Darren Grayson and Joe Jones. “Global AI Governance Law and Policy: Singapore.” IAPP, Feb. 2024. https://iapp.org/resources/article/global-ai-governance-singapore.
Council of Europe. METHODOLOGY FOR THE RISK AND IMPACT ASSESSMENT OF ARTIFICIAL INTELLIGENCE SYSTEMS FROM THE POINT OF VIEW OF HUMAN RIGHTS, DEMOCRACY AND THE RULE OF LAW (HUDERIA METHODOLOGY). Rev2, Nov. 28, 2024. https://rm.coe.int/cai-2024-16rev2-methodology-for-the-risk-and-impact-assessment-of-arti/1680b2a09f.
Creemers, Rogier, Graham Webster and Helen Toner. “Translation: Internet Information Service Algorithmic Recommendation Management Provisions – Effective March 1, 2022.” DigiChina, Stanford University. Jan. 10, 2022. https://digichina.stanford.edu/work/translation-internet-information-service-algorithmic-recommendation-management-provisions-effective-march-1-2022/.
D'Souza, Arjun Adrian. “India's foray into regulating AI.” IAPP, April 24, 2024. https://iapp.org/news/a/indias-foray-into-regulating-ai.
Duball, Joe. “U.S. President Trump signs state AI executive order, legal questions remain.” IAPP, 12 December 2025. https://iapp.org/news/a/as-us-president-trump-signs-state-ai-executive-order-legal-questions-remain.
“EU AI Act: 101.” IAPP, March 2024. https://iapp.org/resources/article/eu-ai-act-101.
“The EU AI Act: Guide for In-House Lawyers.” Hunton, Feb. 2025. ai-act-guide.pdf
“EU AI Act: Next Steps for Implementation.” IAPP, Feb. 2024. https://iapp.org/resources/article/eu-ai-act-timeline/
“EU AI Act: Where to Start.” IAPP, March 2024. https://iapp.org/l/eu-ai-act-where-to-start.
European Approach to Artificial Intelligence. European Commission. https://digital-strategy.ec.europa.eu/en/policies/european-approach-artificial-intelligence.
Executive Order on Removing Barriers to American Leadership in Artificial Intelligence. Jan. 2025. https://www.whitehouse.gov/presidential-actions/2025/01/removing-barriers-to-american-leadership-in-artificial-intelligence/.
Fazlioglu, Müge. “EU AI Act Compliance Matrix.” IAPP, updated May 2024. https://iapp.org/resources/article/eu-ai-act-compliance-matrix/
Fazlioglu, Müge and Joe Jones, “EU Digital Omnibus: Analysis of Key Changes,” IAPP, 9 December 2025. https://iapp.org/news/a/eu-digital-omnibus-analysis-of-key-changes.
“Global AI Law and Policy Tracker.” IAPP, updated May 2025. https://iapp.org/resources/article/global-ai-legislation-tracker/.
“Governor Newsom signs SB 53, advancing California’s world-leading artificial intelligence industry.” Office of Governor Gavin Newsom. Sept. 29, 2025. https://www.gov.ca.gov/2025/09/29/governor-newsom-signs-sb-53-advancing-californias-world-leading-artificial-intelligence-industry/.
IAPP. “Unpacking the EU Digital Package: What It Means for Compliance.” LinkedIn Live, 4 December 2025. https://www.linkedin.com/events/7399152740578381824/.
“Interim Measures for the Management of Generative Artificial Intelligence Services.” China Law Translate. July 13, 2023. https://www.chinalawtranslate.com/en/generative-ai-interim/.
ISO 22989:2022: Information technology/Artificial intelligence/Artificial intelligence concepts and terminology. ISO. July 2022. https://www.iso.org/standard/74296.html.
ISO/IEC 42001:2023 Information technology/Artificial intelligence/Management system. ISO/IEC, Dec. 2023. https://www.iso.org/standard/81230.html.
“Living Repository to Foster Learning and Exchange on AI Literacy.” European Commission, Feb. 4, 2025. https://digital-strategy.ec.Europa.eu/en/library/living-repository-foster-learning-and-exchange-ai-literacy.
Patel, Oliver. “EU AI Act Cheat Sheet.” IAPP, Dec. 2023. https://iapp.org/resources/article/eu-ai-act-cheat-sheet.
“People come first in Australia's new AI Safety Standard.” Australian Department of Industry, Science and Resources. Sept. 5, 2024. https://www.industry.gov.au/news/people-come-first-australias-new-ai-safety-standard.
“Privacy Commissioner’s Office Publishes ‘Artificial Intelligence: Model Personal Data Protection Framework’”. Office of the Privacy Commissioner for Personal Data, Hong Kong. June 11, 2024. https://www.pcpd.org.hk/english/news_events/media_statements/press_20240611.html.
Roccia, Isabelle. “A view from Brussels: How, when will the Omnibus yield results?” IAPP, 8 January 2026. https://iapp.org/news/a/a-view-from-brussels-how-when-will-the-omnibus-yield-results- .
Roccia, Isabelle. “A view from Brussels: Will the EU pause the AI Act?” IAPP, 3 July 2025. https://iapp.org/news/a/a-view-from-brussels-will-the-eu-pause-the-ai-act.
Andrews, Caitlin. “South Korea’s AI Basic Act Puts Another AI Governance Regulation on the Map.” IAPP, Jan. 16, 2025. https://iapp.org/news/a/south-korea-s-ai-basic-act-puts-another-ai-governance-regulation-on-the-map.
"U.S. State AI Governance Legislation Tracker." IAPP, Oct. 2025. https://iapp.org/resources/article/us-state-ai-governance-legislation-tracker.
"Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems." Government of Canada, Sept. 2023. https://ised-isde.canada.ca/site/ised/en/voluntary-code-conduct-responsible-development-and-management-advanced-generative-ai-systems.
Zhang, Laney. “China: Generative AI Measures Finalized.” Law Library of Congress, July 18, 2023. https://www.loc.gov/item/global-legal-monitor/2023-07-18/china-generative-ai-measures-finalized.
Zheng, Sarah and Jane Zhang. “China Wants to Regulate Its Artificial Intelligence Sector Without Crushing It.” Bloomberg. August 14, 2023. https://time.com/6304831/china-ai-regulations/.
Zheng, Sarah, Zheping Huang and Jane Zhang. “China Takes Friendlier Approach to AI in Finalized Guidelines.” Bloomberg. July 13, 2023. https://www.bloomberg.com/news/articles/2023-07-13/china-unveils-final-version-of-generative-ai-rules.
MODULE 5: OTHER LAWS THAT APPLY TO AI
Lesson 1
Burt, Andrew and Brenda Leong. “AI vs. privacy: How to reconcile the need for sensitive data with the principle of minimization.” IAPP, August 16, 2023. https://iapp.org/news/a/ai-vs-privacy-how-to-reconcile-the-need-for-sensitive-data-with-the-principle-of-minimization.
Church, Peter. “AI & the GDPR: Regulating the minds of machines.” Linklaters. https://www.linklaters.com/en/insights/blogs/digilinks/ai-and-the-gdpr-regulating-the-minds-of-machines.
“Copyright Office Releases Part 2 of Artificial Intelligence Report,” Jan. 29, 2025. https://www.copyright.gov/newsnet/2025/1060.html#:~:text=The%20Office%20confirms%20that%20the.
“EDPB opinion on AI models: GDPR principles support responsible AI.” European Data Protection Board. December 18, 2024. https://www.edpb.europa.eu/news/news/2024/edpb-opinion-ai-models-gdpr-principles-support-responsible-ai_en.
Fazlioglu, Müge. “How privacy and data protection laws apply to AI: Guidance from global DPAs.” IAPP, May 29, 2024. https://iapp.org/news/a/how-privacy-and-data-protection-laws-apply-to-ai-guidance-from-global-dpas.
Fazlioglu, Müge. “Refresher: The GDPR's Six Legal Bases for Data Processing.” IAPP Resource Center, Jan. 2023. https://iapp.org/resources/article/refresher-the-gdprs-six-legal-bases-for-data-processing.
GDPR Art 9: Processing of special categories of personal data, April 27, 2016. https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng#art_9.
Hengesbaugh, Brian. “How existing data privacy laws may already regulate data-related aspects of AI.” Privacy Perspectives. IAPP. June 7, 2023. https://iapp.org/news/a/how-existing-data-privacy-laws-may-already-regulate-data-related-aspects-of-ai.
Leong, Brenda and Andrew Burt. “AI vs. privacy: How to reconcile the need for sensitive data with the principle of minimization.” IAPP, August 16, 2023. https://iapp.org/news/a/ai-vs-privacy-how-to-reconcile-the-need-for-sensitive-data-with-the-principle-of-minimization.
Leveraging privacy governance for the responsible use of AI. IAPP LinkedIn Live, broadcast on Feb. 15, 2023. https://iapp.org/resources/article/leveraging-privacy-governance-for-the-responsible-use-of-ai.
Sartor, Giovanni, et al. "The impact of the General Data Protection Regulation (GDPR) on artificial intelligence." Think Tank, European Parliament, June 25, 2020. https://www.europarl.europa.eu/thinktank/en/document/EPRS_STU(2020)641530.
MODULE 5: Lesson 2
Chuks-Okeke, Ekene, Natalie Linero and Brenda Leong. “Generative AI and intellectual property: Copyright implications for AI inputs, outputs.” IAPP, August 7, 2024. https://iapp.org/news/a/generative-ai-and-intellectual-property-copyright-implications-for-ai-inputs-outputs.
Chuks-Okeke, Ekene, Natalie Linero and Brenda Leong. “Generative AI and intellectual property: The evolving copyright landscape.” IAPP, July 31, 2024. https://iapp.org/news/a/generative-ai-and-intellectual-property-the-evolving-copyright-landscape.
“Licensing and AI: Understanding the Challenges of Licensing AI Models.” Vinson & Elkins, Feb. 24, 2023. https://www.velaw.com/insights/licensing-and-ai-understanding-the-challenges-of-licensing-ai-models.
Myers, Andrew. “Reexamining ‘Fair Use’ in the Age of AI”. Stanford University Human-Centered Artificial Intelligence, June 5, 2023. https://hai.stanford.edu/news/reexamining-fair-use-age-ai.
Eisner, Rebecca S., “Artificial Intelligence Licensing.” Mayer Brown LLP, 2020. https://www.mayerbrown.com/-/media/files/perspectives events/publications/2020/09/tb_fall20_ofnoteipt.pdf.
MODULE 5: Lesson 3
Adams, Katie. “Navigating AI in Health Care: HHS’s Nondiscrimination Final Rule is in Effect.” Bipartisan Policy Center.
July 19, 2024. https://bipartisanpolicy.org/blog/navigating-ai-in-health-care-hhss-nondiscrimination-final-rule-is-
in-effect.
“EEOC Releases New Resource on Artificial Intelligence and Title VII.” U.S. Equal Employment Opportunity
Commission, May 18, 2023. https://www.eeoc.gov/newsroom/eeoc-releases-new-resource-artificial-intelligence-
and-title-vii.
Francis, Simone R.D. and Zachary V. Zagger. “New York City Adopts Final Rules on Automated Decision-making
Tools, AI in Hiring.” Ogletree Deakins, April 7, 2023. https://ogletree.com/insights/new-york-city-adopts-final-
rules-on-automated-decision-making-tools-ai-in-hiring.
MODULE 5: Lesson 4
Artificial intelligence liability directive briefing. European Parliament, February 2023. https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/739342/EPRS_BRI(2023)739342_EN.pdf.
Artificial Intelligence topic page. U.S. Federal Trade Commission. https://www.ftc.gov/industry/technology/artificial-intelligence.
Atleson, Michael. “Keep your AI claims in check.” FTC Business Blog, Feb. 27, 2023. https://www.ftc.gov/business-guidance/blog/2023/02/keep-your-ai-claims-check.
The Digital Services Act package. European Commission. https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package.
Kirk, Deborah J., et al. “European Commission Proposes Reform on Liability Rules for Artificial Intelligence.” Latham & Watkins LLP, Dec. 22, 2022. https://latham.london/2022/12/european-commission-proposes-reform-on-liability-rules-for-artificial-intelligence.
Long, Ryan E. “Artificial intelligence liability: The rules are changing.” The Center for Internet and Society at Stanford Law School, March 17, 2023. https://cyberlaw.stanford.edu/blog/2023/03/artificial-intelligence-liability-rules-are-changing-1.
Maliha, George, Sara Gerke, Ravi B. Parikh, and I. Glenn Cohen. “To Spur Growth in AI, We Need a New Approach to Legal Liability.” Harvard Business Review, July 13, 2021. https://hbr.org/2021/07/to-spur-growth-in-ai-we-need-a-new-approach-to-legal-liability.
MODULE 6: GOVERNING AI DEVELOPMENT
AI Incident Database. https://incidentdatabase.ai.
“Algorithmic Impact Assessment tool.” Government of Canada, updated April 25, 2023. https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/responsible-use-ai/algorithmic-impact-assessment.html.
“A Step by Step Guide to AI Model Development.” Attri, Dec. 15, 2023. https://attri.ai/blog/ai-model-development-life-cycle.
“A Step by Step Guide to AI Model Development.” Data Science Central, Sept. 7, 2021. https://www.datasciencecentral.com/a-step-by-step-guide-to-ai-model-development.
Catalogue of Tools & Metrics for Trustworthy AI. OECD. https://oecd.ai/en/catalogue/tools.
Golbin, Ilana. “Algorithmic Impact Assessments: What Are They and Why Do You Need Them?” PwC, Oct. 28, 2021. https://www.pwc.com/us/en/tech-effect/ai-analytics/algorithmic-impact-assessments.html.
Kumarasamy, Jey and Brenda Leong. “Practical considerations for bias audits under NYC Local Law 144.” IAPP, June 28, 2023. https://iapp.org/news/a/practical-considerations-for-bias-audits-under-nyc-local-law-144/.
“Microsoft AI: Tools and practices.” Microsoft. https://www.microsoft.com/en-us/ai/tools-practices.
“Microsoft Responsible AI Impact Assessment Template.” Microsoft, June 2022. https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2022/06/Microsoft-RAI-Impact-Assessment-Template.pdf.
Shirkhanloo, Anjella. “Beyond compliance: The case for adaptive AI governance.” IAPP, Feb. 19, 2025. https://iapp.org/news/a/beyond-compliance-the-case-for-adaptive-ai-governance.
“Topic: What is model training?” IBM. https://www.ibm.com/think/topics/model-training.
MODULE 7: GOVERNING AI DEPLOYMENT
AI Incident Database. https://incidentdatabase.ai.
Boinodiris, Phaedra and Jon Parker. “The evolving ethics and governance landscape of agentic AI.” IBM. https://www.ibm.com/think/insights/ethics-governance-agentic-ai.
Domin, Heather. “AI governance in the agentic era.” IAPP, July 2025. https://iapp.org/resources/article/ai-governance-in-the-agentic-era/.
Huang, Ken. “Agentic AI Threat Modeling Framework: MAESTRO.” Cloud Security Alliance, June 2, 2025. https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro.
“AI agents: Opportunities, risks, and mitigations.” IBM AI Ethics Board, March 2025. https://www.ibm.com/downloads/documents/us-en/1227c12efb38b2b3.
Model Card Regulatory Check. OECD.AI, uploaded April 13, 2023. https://oecd.ai/en/catalogue/tools/model-card-regulatory-check.
Stalla-Bourdillon, Leong, Hall and Burt. “Warning Signs: The Future of Privacy and Security in an Age of Machine Learning.” Future of Privacy Forum, Sept. 2019. https://fpf.org/wp-content/uploads/2019/09/WarningSigns.pdf.
“Singapore launches world’s first AI testing framework and toolkit to promote transparency.” Infocomm Media Development Authority, May 25, 2022. https://www.imda.gov.sg/resources/press-releases-factsheets-and-speeches/press-releases/2022/sg-launches-worlds-first-ai-testing-framework-and-toolkit-to-promote-transparency.
ARTIFICIAL INTELLIGENCE GOVERNANCE
PROFESSIONAL TRAINING
Body of Knowledge Mapping (v2.1.0)
DOMAIN I: UNDERSTANDING THE FOUNDATIONS OF AI GOVERNANCE (Min 16 / Max 20)
Domain I — Understanding the foundations of AI governance focuses on what AI governance is, including the common principles and pillars to build an AI governance program. This domain covers best practices regardless of industry, sector or size.

Competencies, their performance indicators, and the module(s) in which each indicator is covered:

I.A (Min 4 / Max 6): Understand what AI is and why it needs governance.
• Know the generally accepted definitions and types of AI. (Module 1)
• Identify the types of risks and harms posed by AI to individuals, groups, organizations and society (e.g., misalignment with objectives, ethics and bias risk, and complexity and scalability). (Module 2)
• Identify the unique characteristics of AI that require a comprehensive approach to governance (e.g., complexity, opacity, autonomy, speed and scale, potential for harm or misuse, data dependency, and probabilistic versus deterministic outputs). (Module 1)
• Identify and apply the common principles of responsible AI (e.g., fairness, safety and reliability, privacy and security, transparency and explainability, accountability and human-centricity). (Module 2)

I.B (Min 5 / Max 7): Establish and communicate organizational expectations for AI governance.
• Define roles and responsibilities for AI governance stakeholders. (Module 3)
• Establish cross-functional collaboration in the AI governance program (e.g., for efficacy and diversity of expertise and perspective). (Module 3)
• Create and deliver a training and awareness program to all stakeholders on AI terminology, strategy and governance. (Module 3)
• Differentiate approaches to AI governance based upon company size, maturity, industry, products and services, objectives and risk tolerance. (Module 3)
• Identify differences among AI developers, providers, deployers and users from a governance perspective (e.g., with respect to responsibilities, opportunities and needs). (Module 3)

I.C (Min 6 / Max 8): Establish policies and procedures to apply throughout the AI life cycle.
• Create and implement policies to ensure oversight and accountability across all AI life cycle stages (e.g., use case assessment, risk management, ethics by design, data acquisition and use, model and system development, training and testing, deployment and monitoring, documentation and reporting and incident management). (Modules 2, 3, 6, 7)
• Evaluate and update existing policies (e.g., data privacy, security, data governance, intellectual property) for AI. (Module 7)
• Create, update and implement policies, assessments and contracts to manage third-party risk (e.g., procurement, supply chain, human resources and acceptable use). (Modules 3, 7)

DOMAIN II: UNDERSTANDING HOW LAWS, STANDARDS AND FRAMEWORKS APPLY TO AI (Min 19 / Max 23)
Domain II — Understanding how laws, standards and frameworks apply to AI focuses on existing laws that apply to AI, as well as AI-specific laws, standards and frameworks. For the AI governance professional, this means an understanding of the major elements of current AI laws (e.g., the EU AI Act, the South Korean AI Basic Law, US federal and state AI laws that apply to private-sector organizations).

II.A (Min 4 / Max 6): Understand how existing data privacy laws apply to AI.
• Understand how transparency, choice, lawful basis and purpose limitation requirements apply to AI. (Module 5)
• Understand how data minimization and privacy-by-design requirements apply to AI. (Module 5)
• Understand how obligations on data controllers apply to AI (e.g., regarding privacy impact assessments, use of third-party processors, cross-border data transfers, data subject rights, automated decision-making, incident management, breach notification and record keeping). (Module 5)
• Understand the requirements that apply to sensitive or special categories of data (e.g., biometrics). (Module 5)

II.B (Min 4 / Max 6): Understand how other types of existing laws apply to AI.
• Understand how intellectual property laws apply to AI (e.g., prohibiting or limiting use of data for AI training). (Module 5)
• Understand how non-discrimination laws apply to AI (e.g., in the employment, credit, lending, housing and insurance contexts). (Module 5)
• Understand how consumer protection laws apply to AI (e.g., prohibiting unfair and deceptive acts or practices). (Module 5)
• Understand how product liability laws apply to AI (e.g., prohibiting design or manufacturing defects). (Module 5)

II.C (Min 5 / Max 7): Understand the main elements of AI-specific laws.
• Understand the risk classification framework for AI (e.g., prohibited/high/limited/minimal risk) and what systems/uses fall into each category. (Module 4)
• Understand the key requirements around risk management, data governance, technical documentation, conformity/impact assessments and record keeping. (Module 4)
• Understand the key requirements around human oversight, transparency and notification, and quality management. (Module 4)
• Understand the distinct requirements for general-purpose AI models. (Module 4)
• Understand the enforcement framework and penalties for noncompliance. (Module 4)
• Understand the differences in requirements based on organizational context (e.g., providers, deployers, importers, and distributors). (Module 4)

II.D (Min 4 / Max 6): Understand the main industry standards and tools that apply to AI.
• Understand the Organisation for Economic Co-operation and Development (OECD) principles, framework, policies and recommended practices for trustworthy AI. (Module 2)
• Understand the NIST AI Risk Management Framework and Playbook (e.g., the core functions, categories and subcategories). (Module 3)
• Understand the core ISO AI standards (i.e., 22989, 42001 and 42005). (Module 3)

DOMAIN III: UNDERSTANDING HOW TO GOVERN AI DEVELOPMENT (Min 21 / Max 25)
Domain III — Understanding how to govern AI development focuses on the responsibilities of AI governance professionals with respect to designing, building, training, testing and maintaining AI systems.

III.A (Min 6 / Max 8): Govern the designing and building of the AI system.
• Define the business context and use case of the AI system. (Module 6)
• Perform or review an impact assessment on the AI system. (Module 6)
• Apply the policies, procedures, best practices and ethical considerations to designing and building the AI system (e.g., purpose of AI, requirements gathering, architecture and model selection, human oversight, data analysis, metric and threshold evaluation, stakeholder engagement and feedback and operational controls). (Module 6)
• Identify and manage the internal and external risks and contributing factors related to designing and building the AI model and system (e.g., using probability/severity harms matrix, using a risk mitigation hierarchy, stakeholder mapping, use case evaluation, benchmarking, pre-deployment pilots and testing). (Modules 3, 6)
• Document the designing and building process (e.g., to establish compliance and manage risks). (Module 6)

III.B (Min 6 / Max 8): Govern the collection and use of data in training and testing the AI model and system.
• Establish and follow the requirements for data governance (e.g., assess and document lawful rights to collect and use data, and to assess data quality, quantity, integrity and fit-for-purpose). (Module 6)
• Establish and document data lineage and provenance. (Module 6)
• Plan and perform training and testing of the AI model and system (e.g., unit, integration, validation, performance, security, bias and interpretability). (Module 6)
• Identify and manage issues and risks during training and testing of the AI model and system. (Module 6)
• Document the training and testing process (e.g., to validate results, establish compliance and manage risks). (Module 6)

III.C (Min 8 / Max 10): Govern the release, monitoring and maintenance of the AI system.
• Assess readiness and prepare for release into production (e.g., creating the model card and satisfying conformity requirements). (Module 7)
• Conduct continuous monitoring of the AI system and establish a regular schedule for maintenance, updates and retraining. (Module 7)
• Conduct periodic activities to assess the AI system’s performance, reliability and safety (e.g., audits, red teaming, threat modeling and security testing). (Module 7)
• Manage and document incidents, issues and risks. (Module 7)
• Collaborate with cross-functional stakeholders to understand why incidents arise from AI systems (e.g., brittleness, lack of robustness, lack of quality data, insufficient testing, and model or data drift). (Module 7)
• Make public disclosures to meet transparency obligations (e.g., technical documentation, instructions for use to deployers, and post-market monitoring plans). (Module 7)

DOMAIN IV: UNDERSTANDING HOW TO GOVERN AI DEPLOYMENT AND USE (Min 21 / Max 25)
Domain IV — Understanding how to govern AI deployment and use focuses on the responsibilities of AI governance professionals with respect to selecting an AI model, then deploying and using it responsibly through ongoing monitoring, maintenance, and other key obligations. This domain applies in any deployment context, such as a company deploying its own proprietary model or one from a third party.

IV.A (Min 6 / Max 8): Evaluate key factors and risks relevant to the decision to deploy the AI system.
• Understand the context of the AI use case (e.g., business objectives, performance requirements, data availability, ethical considerations and workforce readiness). (Module 6)
• Understand the differences in AI model types (e.g., classic vs generative, proprietary vs open source, small vs large, and language vs multimodal capabilities). (Module 1)
• Understand the differences in AI deployment options (e.g., cloud vs on-premise vs edge, and using the AI model as-is or with fine-tuning, retrieval augmented generation, agentic architectures or other techniques to improve performance and fit). (Module 7)

IV.B (Min 5 / Max 7): Perform key activities to assess the AI system.
• Perform or review an impact assessment on the selected AI system. (Module 7)
• Identify and evaluate key terms and risks in the vendor or licensing agreement. (Module 7)
• Identify and understand the risks and opportunities that are unique to a company deploying its own proprietary AI model (e.g., increased obligations and higher potential liability). (Module 7)

IV.C (Min 9 / Max 11): Govern the deployment and use of the AI system.
• Apply the policies, procedures, best practices and ethical considerations to the deployment of an AI system (e.g., data governance, risk management, issue management, user training). (Module 7)
• Conduct continuous monitoring of the AI model and system and establish a regular schedule for maintenance, updates and retraining. (Module 7)
• Conduct periodic activities to assess the AI system's performance, reliability and safety (e.g., audits, red teaming, threat modeling and security testing). (Module 7)
• Document incidents, issues, risks and post-market monitoring plans. (Modules 6, 7)
• Forecast and reduce risks of secondary or unintended uses and downstream harms. (Module 7)
• Establish external communication plans. (Modules 6, 7)
• Create and implement a policy and controls to deactivate or localize an AI system as necessary (e.g., due to regulatory requirements or performance issues). (Module 7)
Ready to get certified?
Leave the stress and pass the test
IAPP certification is a valuable way to demonstrate expertise in privacy
or artificial intelligence governance. Here’s a breakdown of the key
details and strategies you need to prepare effectively:
Exam Details:
• Registration: Exams are available year-round. You must schedule
and complete your test within one year of purchase. You can
purchase your exam through the IAPP store:
https://store.iapp.org/certification
• Cost: The exam fee is USD649 for IAPP members, USD799 for
nonmembers, and USD625 for retakes.
• Structure: The exam includes 100 multiple-choice questions, some
of which are scenario-based, with one or more correct answers.
The time limit is two hours and 45 minutes.
• Scoring: The exam is pass/fail. If you do not pass, you will receive a
scoring breakdown to help you focus on areas for improvement. A
seven-day waiting period is required before retaking the exam.
Preparation resources:
• Body of knowledge and exam blueprint: This resource provides
an outline of exam topics and their weight, helping you focus your
study efforts. Visit each designation page for exam prep tools:
https://iapp.org/certify
• Practice exams: Official practice exams, available for purchase,
replicate the format and length of the actual test, offering valuable
preparation insights: https://store.iapp.org/exam-prep
• Certification Candidate Handbook: This guide provides detailed
information about the certification process and exam expectations:
https://iapp.org/certify/candidate-handbook
Study Strategies:
• Prepare: Providing you with respected credentials requires a
rigorous certification process that includes demanding exams. IAPP
certification exams are rigorous assessments. We strongly
recommend careful preparation, even for degreed professionals
who have passed other certification tests. We suggest you train and
study for a minimum of 30 hours.
• Self-assessment: Use the body of knowledge and practice exams
to evaluate your readiness and identify areas for improvement.
• Active engagement: Create flashcards and chapter summaries to
reinforce your understanding.
• Study groups: Collaborate with peers to gain new perspectives and
deepen your comprehension of complex topics.
• Time management: Use the exam blueprint to allocate study time
effectively, focusing on topics with a higher number of questions.
• Real-world context: Explore IAPP publications and resources to
see how privacy concepts apply in practical scenarios.
By following these strategies and using the recommended resources,
you can approach your exam with confidence.
Find this information, with hyperlinks to the relevant resources mentioned
above, on the IAPP website: https://iapp.org/certify/how-to-prepare
IAPP member benefits at-a-glance
Join over 90,000 members in 150-plus countries and gain access to the
ultimate in resources for digital responsibility professionals with an IAPP
membership.
• Discounts on events, products and programs, including study materials for our globally respected certifications, accredited by the ANSI National Accreditation Board.
• E-publications delivering top privacy news to your inbox.
• Access to members-only tools, research, articles, and more in our online Resource Center.
• Myriad networking opportunities, including free KnowledgeNet chapter meetings to help you connect locally.
• Free web conferences on critical issues in digital responsibility.
• Publications like our annual “Salary and Jobs Report.”
• IAPP Career Central, the best place to advertise for the digital responsibility talent you need.
• Cooperative programs — your “in” — with other national and international enterprises.
• Includes your certification maintenance fee to keep IAPP certifications current.
• My IAPP — your personal, membership hub.
• A 200-person-strong IAPP staff to help you achieve your professional goals.
News: You are busy. We make it easy to stay on top of the headlines.
Certify: IAPP certification is what employers want. We can help you advance your career and increase your earning potential.
Learn: Free web conferences give you instant access to the latest and greatest in privacy, AI governance and cybersecurity law.
Connect: It is all about who you know. Targeted online and face-to-face networking opportunities give you access to the people you want to meet.
Resources: Our Resource Center is a one-stop-shop for practical tools and research to help you tackle your biggest challenges.
Talk to us. +1 603.427.9200 / membership@iapp.org
Certificate of Attendance
Presented to:
For: AI Governance Professional Instructor-Led Training
Number of:
Date Attended:
J. Trevor Hughes, IAPP President & CEO