Dynamic AI governance: A recipe for crafting trustworthy AI

AI governance personas and approaches

Exemplifying a persona, government agencies typically follow one of three approaches to AI governance.⁸ Success often comes from fusing these three AI governance personas or approaches.

Guides focus on establishing clear policies and guidelines to promote safe, secure, and transparent outcomes. Guards focus on establishing standardized checklists and stage gate reviews during the AI product life cycle to facilitate quality assurance. Gadgeteers focus on embedding tools in the AI product life cycle to help evaluate the trustworthiness of model outputs. Although agencies may consider all three approaches, they often frontload effort in one area. Consider taking a dynamic approach to AI governance that integrates all three approaches and adapts over time to help achieve trustworthy AI goals.

Guides

Guides focus on establishing enterprise policies to document point-in-time standards with the expectation that others in the organization will follow suit. This approach typically involves policy-setting at different levels of governance, such as the federal, state, or enterprise levels. Examples include:

• Federal and executive office direction: Federal agencies and executive offices set national standards around AI adoption, responsibilities, and future alignment. For example, the White House released a Blueprint for an AI Bill of Rights (2022), which highlights a broad set of policies to guide AI adoption.⁹ The National Institute for Standards and Technology subsequently released an AI Risk Management Framework Playbook (2023), which provides suggested actions to mitigate AI risk in design, development, deployment, and use.¹⁰ Most recently, OMB released memorandum M-24-10 to strengthen governance of AI products that impact the rights and safety of the public. The memorandum includes detailed guidance and requirements, such as designating a chief AI officer, developing an AI strategy, and inventorying AI use cases.¹¹
• Internal policies for relevant stakeholders: Government agencies often use national standards to develop policies tailored to the needs of their organization and partners. For example, following the boom of gen AI, Governor Newsom of California issued an executive order in September 2023 that directed state agencies to develop guidelines for gen AI adoption.¹²

Guides can lay an important foundation but may set policies that are resource-intensive and can potentially cause ineffective operational processes. On their own and without supplementary activities, Guide-driven approaches may fall short because:

1. The pace of AI evolution quickly outdates policy: The fast pace of AI growth, as with the democratization and rapid expansion of gen AI, demonstrates how sudden AI advancements can outdate existing policies. As a result, static policies may limit or delay the adoption of innovative AI technologies that could drive better solutions and outcomes.
2. Guides can become a bottleneck for innovation and effective implementation: Overemphasizing policy-writing can create a resource trap for talent that could deliver more value through effective implementation. Cumbersome policies can also be a barrier to innovation and experimentation that organizations want to move forward.
3. Inflexible policy can create standards gaps that can create additional risk: Organizations often tailor overly prescriptive policies to fit their own needs, which can create inconsistent standards and additional risks. On the other hand, it can be difficult to measure compliance if policy is too broad. Contractors and other third-party entities may have a different set of organizational policies that could affect project compliance. Policy compliance may also create a false sense of security when other risks not covered by policies are still present in the AI product.

Guards

Guards focus on managing AI risks through quality assurance checkpoints during the AI product life cycle. Similar to the Federal Information Security Modernization Act requirements for information systems, Guards aim to establish an approach typically involving two components for AI development, operations, and maintenance:

• Standardized AI product requirements: Guards often establish detailed requirements that AI products must meet prior to the next phase of development, such as specific evaluation metrics and thresholds. For example, OMB memorandum M-24-10 establishes minimum risk management requirements for rights- and safety-impacting AI prior to deployment, such as completing an AI impact assessment and testing performance in a real-world context.¹³ These checklist-style stage gates aim to enhance quality assurance during each phase of the AI product life cycle.
• Standardized procurement requirements: Guards often focus on codifying requirements in solicitation language and contract clauses to ensure third-party vendors comply with the same quality assurance standards. For example, a recently proposed bill—the Federal Artificial Intelligence Risk Management Act of 2023—would require the Federal Acquisition Regulatory (FAR) Council to establish risk-based compliance requirements for the acquisition of AI products.¹⁴ Executive Order 14110 similarly directs the FAR Council to consider amending the Federal Acquisition Regulation as appropriate.¹⁵

Standardized checkpoints and templatized procurement requirements can improve consistency in AI governance by holding both internal and external parties accountable to baseline expectations. Taken on its own, however, the Guards’ approach often faces three primary challenges:

1. Standardized checkpoints may not account for differences in AI products: The use case and technical components of AI products require different methods for evaluating trustworthiness. Safe and rights-respecting AI is particularly important for use cases that directly impact individuals.¹⁶ For example, an AI product that recommends eligibility determinations for human services programs like income assistance may require more rigorous quality assurance checkpoints than an AI product that performs a back-office administrative task like automated trends analysis in expense reports. These nuances in AI products require product-specific metrics and checkpoints.
2. Standardized checkpoints may not account for end users of AI products: While checkpoints can help build quality assurance into the AI product life cycle, they rarely address the legal and reputational risks associated with end users of AI. For example, users may apply AI outputs in unethical ways, such as using inaccurate outputs to spread misinformation. These user-based risks require additional layers of AI governance beyond predefined checkpoints.
3. Standardized checkpoints may not account for changes in AI over time: Like enterprise policies, checkpoints are point-in-time reviews that may miss significant AI risks that develop over time. For example, a model may pass a deployment checkpoint but later suffer from model drift, which refers to a decrease in performance due to environmental changes. These evolutions in AI models require more continuous monitoring than checkpoints alone can provide.

Gadgeteers

Gadgeteers focus on governing AI with platforms and tools that automate governance and management of AI products. This approach typically involves the following components:

• Tools to enhance performance: Gadgeteers often implement tools that improve the quality of AI model outputs. For example, Gadgeteers may use bias detection tools to identify and mitigate sources of inequity in AI products or monitoring tools to detect model drift following deployment.
• Tools to strengthen security: Gadgeteers often employ tools to improve the privacy and security of AI models and their data. For example, red-teaming tools, which simulate real-world adversarial attacks on an AI product, are a common strategy to test the security of machine learning pipelines.
• Tools to promote accountability: Gadgeteers may use tools to help improve accountability and transparency in AI, such as watermarking tools that can enable end users to track AI-generated content or auditing tools that enable agencies to assess compliance with legal and ethical requirements.

Tools can be an effective method for tracking and improving model performance, but the Gadgeteer-focused approach can experience two challenges when implemented without other activities:

1. Tools cannot evaluate the trustworthiness of an AI use case: Prior to development, AI product managers should consider if the intended use of the AI product is a responsible one. To do so, AI product managers should understand the organization’s mission and consider any unintended consequences on the organization’s staff, partners, and beneficiaries.
2. Tools cannot evaluate compliance with all AI policies: Tools can only test and evaluate AI models and their outputs. AI product managers should consider other applicable policies, such as data privacy policies, to confirm that model inputs and uses are also compliant.

Dynamic AI governance

Consider the important aspects of AI governance

Guides, Guards, and Gadgeteers address important aspects of AI governance, but none on their own are sufficient to achieve trustworthy AI goals. Imagine you are embarking on a backpacking expedition. A Guide may help you set a path but may not help you re-route if weather affects your course. A Guard may provide checklists to help you pack, set up a campsite, and complete other milestones on your journey but may not help you face unforeseen obstacles along the way. A Gadgeteer may help you choose durable tents, hiking boots, and other gear, but may not help you evaluate the expedition itself.

To achieve trustworthy AI goals, agencies should integrate all three approaches and incorporate mechanisms for short-term and long-term adaptations in AI governance. Together, the five key features of dynamic AI governance can help form a well-rounded and adaptable governance strategy. 

1. A clear framework for trustworthy AI to inform governance activities: A dynamic approach to AI governance can start by adopting the Guide mindset and outlining a set of principles that defines trustworthy AI in the context of an agency’s mission and goals.¹⁷ To do so, organizations should consider what needs to be true about their AI products to maintain the trust of staff, partners, and the public. Organizations may choose to adapt principles outlined by the Executive Office of the President or other government agencies. For example, the Blueprint for an AI Bill of Rights includes principles like safe and effective systems and data privacy, while OMB Memorandum M-21-06 includes principles like flexibility and interagency coordination.¹⁸ An effective framework should address both technical considerations (for example, the need for reliable, secure AI model outputs) and functional considerations (for example, the ability for end users to interpret AI model outputs). This type of framework can provide members of an agency with a shared understanding of what trustworthy AI means for their organization and a reference point for future governance decisions.
2. Measurable outcomes to track progress and protect against quality issues: A dynamic approach can incorporate the Guards’ mindset by establishing a clear list of expected outcomes for AI governance tied to the agency’s mission, vision, and trustworthy AI principles. By outlining requirements, enablers, and barriers to success, these outcomes help agencies identify and prioritize AI governance activities that can have the greatest impact on AI trustworthiness. For example, if non-discrimination is a core component of the agency’s trustworthy AI framework, the agency may include a percentage increase in model fairness in its list of expected outcomes and use metrics like equalized odds to measure progress.¹⁹ When establishing measurable outcomes for AI governance, agencies should consider trade-offs between different goals. For example, AI models that are easier to interpret may have less predictive accuracy.²⁰
3. Tools and feedback mechanisms to support continuous improvement: A dynamic approach incorporates the Gadgeteer mindset by building in tools to accelerate AI governance processes like performance monitoring. In particular, a dynamic approach creates avenues by which staff, partners, and end users can consistently share feedback on AI products in a timely fashion. Government agencies may consider traditional avenues for public input, such as the White House’s public listening sessions, panel discussions, and formal request for information to inform the Blueprint for the AI Bill of Rights.²¹ Government agencies may also consider nontraditional avenues to gather live input, such as public red-teaming competitions like those conducted at the 2023 DEF CON convention in partnership with the White House Office of Science and Technology Policy.²² For more frequent feedback, agencies can also turn to automatic feedback mechanisms, such as gathering citizen feedback directly from websites, as frequent feedback mechanisms provide critical information about AI risks and opportunities, helping agencies to improve AI products over time.
4. Continuous adaptations to stay abreast of new challenges: A dynamic approach is inherently one that adapts to changes in AI technology, such as recent advancements in gen AI. ChatGPT became the fastest-growing consumer application in history when it reached 100 million monthly active users two months after launch.²³ Moreover, 31% of the 2,835 business and technology leaders who participated in Deloitte’s State of Generative AI in the Enterprise Survey expect gen AI to substantially transform their organization and industry in less than one year.²⁴ To keep pace with these and other evolutions in AI, government agencies should regularly revisit and enhance policies, checklists, and tools to ensure they continue to meet the agency’s trustworthy AI goals.
5. Humans in the loop to tailor AI governance to mission needs: A dynamic approach should rely on maintaining a minimum number of individuals at the enterprise, business unit, and product level to design AI governance to meet the specific, nuanced risks of AI products and the environments in which they operate. While some AI products may not require human oversight for all model actions and outputs, humans in the loop provide an important layer of governance for higher-risk AI products that impact the safety and rights of the public.²⁵ Teams with a combined focus on AI technology, the agency’s mission, and the individuals and communities the agency serves are often well-equipped to play the human-in-the-loop role.

What next?

As AI adoption spreads and AI technology grows in sophistication, the need for effective governance is expected to increase, and in turn, so would a need for those who can oversee the integration of dynamic AI governance. Agencies with the greatest success will likely require individuals with the instincts of Guides, the sensibilities of Guards, and the savviness of Gadgeteers to drive dynamic AI governance. To do so, agencies should bring together individuals who understand the potential benefits of AI technology, can identify current and future challenges with AI governance, and are intimately familiar with the agency’s mission. These cross-functional teams can strategically link AI governance activities to the agency’s mission, vision, and desired outcomes.

In the coming years, there will likely continue to be an increasingly systematic focus on building and maintaining responsible and effective AI solutions. Just as safety features in cars work together and evolve over time to effectively protect drivers and passengers, government agencies should integrate and continuously adapt AI governance approaches to proactively instill trustworthy AI principles across the enterprise. By leaving room for future changes, this dynamic approach to AI governance can set the foundation for truly trustworthy AI practices.