TECHNOLOGY
Unpacking the NIST Framework for AI Risk Management
The NACD (National Association of Corporate Directors) Pop-Up Panel on “Governing Artificial Intelligence (AI): Unpacking the National Institute of Standards & Technology (NIST) Framework for AI Risk Management” took place Friday May 5. The discussion was relevant and timely, with 75 people participating.
The program was sponsored by Protiviti and NACD and was put together in real-time to discuss the implications of AI on governance and risk management. The NIST AI Risk Management Framework was discussed, and the panel offered insights on how it can be used by organizations and boards to navigate the AI revolution while mitigating risks. I was honored to join the panel discussion with Jeffery Perry, Ahmed Abbasi, Robert Allen, and Gregory Hedges. The conversation was interactive, with polling questions and chat Q&A, and ended with each panelist providing a final key takeaway.
Many participants reached out to me after the panel and expressed interests to have more in depth conversations. Here is a recap on this topic as a baseline for our future discussions.
Jeff Perry, NACD Chicago Chapter board director moderated the event.
Kathy Hendrickson, Executive Director of NACD Chicago Chapter asked the audience to participate in a poll to gauge their level of understanding of AI and its risk and upside implications. The first poll showed 70% of participants were behind the curve in their understanding of AI, highlighting the need for further education and discussion on this topic. Overall, the discussion provided valuable insights into the current state of AI and its potential for transforming industries, while also emphasizing the importance of responsible and ethical use of this technology.
Greg Hedges, Managing Director at Protiviti explained the basics of AI and its current state of evolution, highlighting the NIST AI risk management framework. Greg explained that AI works as a text predictor engine using machine learning models like ChatGPT4, which creates models using data and parameters to generate new and realistic content. Greg also talked about the various industries where AI is being used, such as finance, healthcare, and manufacturing, and why AI is exploding now, citing reasons such as advancement in computational power and significant investments in AI by corporations. Greg outlined six categories that capture the key concerns for governing AI, including transparency, privacy and data security, fairness, accountability, ethical considerations, and continuous monitoring and improvement. He emphasized the need to embed ethical principles in the development of AI and to use ethical frameworks for big data.
During the discussion on AI risk management, I provided a walk-through of the NIST AI Risk Management Framework, and how organizations and boards can effectively use it. The NIST AI RMF is a guide for managing the risks associated with AI systems, and it was developed in collaboration with the private and public sectors to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems. The framework consists of two parts. Part 1 discusses how organizations can frame the risks related to AI and describes the intended audience, while Part 2 comprises the Core of the framework, which describes four specific functions to help organizations address the risks of AI in practice. These functions are Govern, Map, Measure, and Manage, and they can be applied to AI system-specific contexts and at specific stages of the AI lifecycle.
To effectively use the NIST AI RMF, organizations and boards can follow a structured approach to manage AI-related risks, which includes five components: Risk Governance, Risk Assessment, Risk Mitigation, Risk Communication, and Monitoring and Review. This involves establishing policies, procedures, and structures for managing AI-related risks, defining roles and responsibilities for risk management, identifying and analyzing AI-related risks, selecting and implementing controls to reduce the likelihood or impact of AI-related risks, communicating information about AI-related risks and risk management activities to stakeholders, and continuously monitoring AI-related risks and risk management activities, and reviewing the effectiveness of controls and risk management processes.
To implement the framework effectively, organizations and boards can assess the current state of AI use and risk management, establish a cross-functional team, provide training to employees to familiarize them with the framework, and establish clear, measurable goals. By following this approach, organizations and boards can effectively manage the risks associated with AI systems and ensure that they are used in a responsible and ethical manner. Overall, the NIST AI RMF and its resources are a valuable contribution to the development and implementation of trustworthy and responsible AI systems and will help board members and senior executives manage AI-related risks in a transparent and accountable manner.
We discussed the challenges of measuring and managing responsible AI. The panelists note that while measuring responsible AI can be complex, managing it can be even more difficult, given the multiple dimensions of bias that need to be considered, and the natural tension between fairness and privacy. We also discussed how we engage with the board on this topic, with Robert noting that they have had healthy discussions and debates on this emerging risk during their recent board audit committee and risk committee meetings.
The second poll conducted during the conversation showed that all of the above and measures were key areas of challenge for implementing responsible AI across organizations.
Ahmad’s super sports fan example is used to illustrate the complexity of measuring fairness in machine learning models. He explained that machine learning models that predict sports outcomes are biased against Chicago sports teams, which is a well-known fact. This bias is experienced across multiple dimensions by Chicago sports fans who follow basketball, football, and baseball. Ahmad argued that this is just one example of the complexity of measuring something as simple as fairness, where we want our models to be fair across different users. He further explained that if we take five demographic diminutions like age, gender, education, income, and so forth, we have to account for 25 combinations of bias for a single machine learning model, and those are not all correlated. Therefore, it is essential to consider all the responsible AI tenants and manage the natural tensions that arise among them.
We also discussed the challenges of deploying AI at global scale. In my opinion, having someone with practical understanding and experience with AI on the Board is crucial. I pointed out that the NIST AI RMF Playbook is 48 pages long, reading it without legal background can be challenging. Having deployed AI at a global financial institution for over five years and has been serving on the boards for AI companies, I believe that educating employees, developers, contractors on the risk implications of collecting data and developing responsible AI is essential. In addition, integrating AI into existing systems can be complex and require resources with certain skill-sets to maintain. Organizations need to also think about the psychological impact of AI on employees, customers and contractors and maintain the trust and credibility that was previously established.
Greg added the different ways that AI can be used in manufacturing to improve efficiency, accuracy, and safety of manufacturing processes, such as quality control, process optimization, and predictive maintenance. Greg believed that boards should explore all the different ways that AI can be used in manufacturing. He also emphasizes the need to consider both the promise and threat of AI.
The third poll question was raised about the level at which the AI risk management framework has the potential for the greatest impact. The options presented were at the company level, sector level, government, or geographic level, or all of the above. The poll result showed that 70% people believe AI risk management framework has the greatest impact at the Company level. This result could be biased due to the majority of the attendees being from corporations.
We discussed the potential implications of a company taking responsible AI actions using the new framework, while competitors in the industry or other geographics do not?
Ahmad suggested that without regulations, companies have to choose their own adventure in AI governance, and there may be trade-offs to consider. They drew parallel to privacy and the GDPR in Europe, where the precautionary principle and innovation have sometimes been at odds. However, I noted that investing in ethical AI practices and building a positive brand reputation for being socially responsible can enhance customer trust, leading to increased sales and customer and employee loyalty in the long-term. Overall, the panelists agreed that the AI risk management framework has the potential to create a source of competitive advantage for companies, but investing in ethical AI practices requires a long-term commitment.
The panelists highlighted the use of AI in companies and the impact it has on leadership, risk management, and privacy. We discussed how companies are navigating the use of AI to maintain control over their outputs and intellectual property. I shared thoughts on how board committees are adding areas of oversight to their charters to address AI, with technology and cyber often sitting on the audit committee if the risk committee does not exist. Robert emphasized the importance of validating data, managing sensitive information, and having private ring-fenced internal programs to protect critical IP.
Jeff asked each panelist to provide their final key takeaway at the end.
-
Ahmad emphasized the potential economic benefits of AI and data monetization, but also highlighted the need for solid governance and responsibility to address concerns around fairness and privacy.
-
Robert discussed the importance of cross-functional collaboration within organizations to effectively manage the risks and opportunities presented by AI. He suggested that boards should inquire about how AI is being managed internally and what groups are involved.
-
Greg recommended that board members should actively seek out insights and questions abound by AI during board meetings, potentially using tools like ChatGPT to help generate new ideas and perspectives.
-
Jeff encouraged board members to be proactive in their oversight of AI and to help organizations navigate the responsible use of AI. He noted that directors can play a key role in ensuring that AI is used in a responsible and effective manner.
-
I shared my ABCs of AI risk management:
-
Alignment with business objectives: The outcome of AI can only be as good as the quality of its data input. AI deployment should be aligned with business objective and measurable impact. Organization needs to be mindful about risks associated with AI disinformation, discrimination, and bias.
-
Balancing trade-offs: A comprehensive approach to risk management calls for balancing tradeoffs among the trustworthiness characteristics. It is crucial to Assess the trustworthiness characteristics and the relative risks, impacts, costs, benefits and your risk tolerance by a wide range of stakeholders.
-
Collective responsibility: Successful risk management depends upon a sense of collective responsibility among AI actors. That’s why the Board and risk management function benefits from diverse perspectives, disciplines, professions, and experiences.
I walked away from the panel impressed with the wealth of knowledge of the panelists and active participation from the attendees. I hope these insights give you some inspiration and practical guidance on navigating the AI revolution while mitigating risks.
A special shout out to Kathy Hendrickson, Kathleen Horn Clevenger, Jeffery Perry, and Gregory Hedges for their efforts behind the scenes to make this Pop-Up program seamless.
Tune in for the upcoming fireside chat with Christie Hefner, Ken Chenault, and Andrea Hegelgans, a provocative conversation on “The Role of the Board in Societal Issues” on May 23.
TECHNOLOGY
Next-gen chips, Amazon Q, and speedy S3
AWS re:Invent, which has been taking place from November 27 and runs to December 1, has had its usual plethora of announcements: a total of 21 at time of print.
Perhaps not surprisingly, given the huge potential impact of generative AI – ChatGPT officially turns one year old today – a lot of focus has been on the AI side for AWS’ announcements, including a major partnership inked with NVIDIA across infrastructure, software, and services.
Yet there has been plenty more announced at the Las Vegas jamboree besides. Here, CloudTech rounds up the best of the rest:
Next-generation chips
This was the other major AI-focused announcement at re:Invent: the launch of two new chips, AWS Graviton4 and AWS Trainium2, for training and running AI and machine learning (ML) models, among other customer workloads. Graviton4 shapes up against its predecessor with 30% better compute performance, 50% more cores and 75% more memory bandwidth, while Trainium2 delivers up to four times faster training than before and will be able to be deployed in EC2 UltraClusters of up to 100,000 chips.
The EC2 UltraClusters are designed to ‘deliver the highest performance, most energy efficient AI model training infrastructure in the cloud’, as AWS puts it. With it, customers will be able to train large language models in ‘a fraction of the time’, as well as double energy efficiency.
As ever, AWS offers customers who are already utilising these tools. Databricks, Epic and SAP are among the companies cited as using the new AWS-designed chips.
Zero-ETL integrations
AWS announced new Amazon Aurora PostgreSQL, Amazon DynamoDB, and Amazon Relational Database Services (Amazon RDS) for MySQL integrations with Amazon Redshift, AWS’ cloud data warehouse. The zero-ETL integrations – eliminating the need to build ETL (extract, transform, load) data pipelines – make it easier to connect and analyse transactional data across various relational and non-relational databases in Amazon Redshift.
A simple example of how zero-ETL functions can be seen is in a hypothetical company which stores transactional data – time of transaction, items bought, where the transaction occurred – in a relational database, but use another analytics tool to analyse data in a non-relational database. To connect it all up, companies would previously have to construct ETL data pipelines which are a time and money sink.
The latest integrations “build on AWS’s zero-ETL foundation… so customers can quickly and easily connect all of their data, no matter where it lives,” the company said.
Amazon S3 Express One Zone
AWS announced the general availability of Amazon S3 Express One Zone, a new storage class purpose-built for customers’ most frequently-accessed data. Data access speed is up to 10 times faster and request costs up to 50% lower than standard S3. Companies can also opt to collocate their Amazon S3 Express One Zone data in the same availability zone as their compute resources.
Companies and partners who are using Amazon S3 Express One Zone include ChaosSearch, Cloudera, and Pinterest.
Amazon Q
A new product, and an interesting pivot, again with generative AI at its core. Amazon Q was announced as a ‘new type of generative AI-powered assistant’ which can be tailored to a customer’s business. “Customers can get fast, relevant answers to pressing questions, generate content, and take actions – all informed by a customer’s information repositories, code, and enterprise systems,” AWS added. The service also can assist companies building on AWS, as well as companies using AWS applications for business intelligence, contact centres, and supply chain management.
Customers cited as early adopters include Accenture, BMW and Wunderkind.
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. Explore other upcoming enterprise technology events and webinars powered by TechForge here.
TECHNOLOGY
HCLTech and Cisco create collaborative hybrid workplaces
Digital comms specialist Cisco and global tech firm HCLTech have teamed up to launch Meeting-Rooms-as-a-Service (MRaaS).
Available on a subscription model, this solution modernises legacy meeting rooms and enables users to join meetings from any meeting solution provider using Webex devices.
The MRaaS solution helps enterprises simplify the design, implementation and maintenance of integrated meeting rooms, enabling seamless collaboration for their globally distributed hybrid workforces.
Rakshit Ghura, senior VP and Global head of digital workplace services, HCLTech, said: “MRaaS combines our consulting and managed services expertise with Cisco’s proficiency in Webex devices to change the way employees conceptualise, organise and interact in a collaborative environment for a modern hybrid work model.
“The common vision of our partnership is to elevate the collaboration experience at work and drive productivity through modern meeting rooms.”
Alexandra Zagury, VP of partner managed and as-a-Service Sales at Cisco, said: “Our partnership with HCLTech helps our clients transform their offices through cost-effective managed services that support the ongoing evolution of workspaces.
“As we reimagine the modern office, we are making it easier to support collaboration and productivity among workers, whether they are in the office or elsewhere.”
Cisco’s Webex collaboration devices harness the power of artificial intelligence to offer intuitive, seamless collaboration experiences, enabling meeting rooms with smart features such as meeting zones, intelligent people framing, optimised attendee audio and background noise removal, among others.
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. Explore other upcoming enterprise technology events and webinars powered by TechForge here.
TECHNOLOGY
Canonical releases low-touch private cloud MicroCloud
Canonical has announced the general availability of MicroCloud, a low-touch, open source cloud solution. MicroCloud is part of Canonical’s growing cloud infrastructure portfolio.
It is purpose-built for scalable clusters and edge deployments for all types of enterprises. It is designed with simplicity, security and automation in mind, minimising the time and effort to both deploy and maintain it. Conveniently, enterprise support for MicroCloud is offered as part of Canonical’s Ubuntu Pro subscription, with several support tiers available, and priced per node.
MicroClouds are optimised for repeatable and reliable remote deployments. A single command initiates the orchestration and clustering of various components with minimal involvement by the user, resulting in a fully functional cloud within minutes. This simplified deployment process significantly reduces the barrier to entry, putting a production-grade cloud at everyone’s fingertips.
Juan Manuel Ventura, head of architectures & technologies at Spindox, said: “Cloud computing is not only about technology, it’s the beating heart of any modern industrial transformation, driving agility and innovation. Our mission is to provide our customers with the most effective ways to innovate and bring value; having a complexity-free cloud infrastructure is one important piece of that puzzle. With MicroCloud, the focus shifts away from struggling with cloud operations to solving real business challenges” says
In addition to seamless deployment, MicroCloud prioritises security and ease of maintenance. All MicroCloud components are built with strict confinement for increased security, with over-the-air transactional updates that preserve data and roll back on errors automatically. Upgrades to newer versions are handled automatically and without downtime, with the mechanisms to hold or schedule them as needed.
With this approach, MicroCloud caters to both on-premise clouds but also edge deployments at remote locations, allowing organisations to use the same infrastructure primitives and services wherever they are needed. It is suitable for business-in-branch office locations or industrial use inside a factory, as well as distributed locations where the focus is on replicability and unattended operations.
Cedric Gegout, VP of product at Canonical, said: “As data becomes more distributed, the infrastructure has to follow. Cloud computing is now distributed, spanning across data centres, far and near edge computing appliances. MicroCloud is our answer to that.
“By packaging known infrastructure primitives in a portable and unattended way, we are delivering a simpler, more prescriptive cloud experience that makes zero-ops a reality for many Industries.“
MicroCloud’s lightweight architecture makes it usable on both commodity and high-end hardware, with several ways to further reduce its footprint depending on your workload needs. In addition to the standard Ubuntu Server or Desktop, MicroClouds can be run on Ubuntu Core – a lightweight OS optimised for the edge. With Ubuntu Core, MicroClouds are a perfect solution for far-edge locations with limited computing capabilities. Users can choose to run their workloads using Kubernetes or via system containers. System containers based on LXD behave similarly to traditional VMs but consume fewer resources while providing bare-metal performance.
Coupled with Canonical’s Ubuntu Pro + Support subscription, MicroCloud users can benefit from an enterprise-grade open source cloud solution that is fully supported and with better economics. An Ubuntu Pro subscription offers security maintenance for the broadest collection of open-source software available from a single vendor today. It covers over 30k packages with a consistent security maintenance commitment, and additional features such as kernel livepatch, systems management at scale, certified compliance and hardening profiles enabling easy adoption for enterprises. With per-node pricing and no hidden fees, customers can rest assured that their environment is secure and supported without the expensive price tag typically associated with cloud solutions.
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. Explore other upcoming enterprise technology events and webinars powered by TechForge here.
-
SEARCHENGINES7 days ago
Daily Search Forum Recap: October 3, 2024
-
WORDPRESS7 days ago
WP Engine sues WordPress co-creator Mullenweg and Automattic, alleging abuse of power
-
SEARCHENGINES6 days ago
Google Ranking Volatility Record, Forbes Advisor Slapped, Bing Generative Search Experience & More
-
WORDPRESS6 days ago
Automattic demanded web host pay $32M annually for using WordPress trademark
-
SEO4 days ago
Google’s AI Overviews Avoid Political Content, New Data Shows
-
SEO7 days ago
YouTube Extends Shorts To 3 Minutes, Adds New Features
-
SEO6 days ago
8% Of Automattic Employees Choose To Resign
-
SEARCHENGINES4 days ago
Google Shopping Researched with AI