CHATTANOOGA, TENNESSEE - Much discussion swirls about ethics in artificial intelligence (AI), but the process of developing and deploying AI models also deserves attention. When considering best practices, compliance, and risk mitigation with any emerging technology such as AI, understanding how similar challenges have been solved historically is helpful. Sarbanes Oxley (Sarbox or SOX) information technology (IT) controls have been used successfully for nearly 20 years to mitigate risks and may be deployed to improve AI model development and deployment processes.
SOX is United States federal legislation governing financial reporting for publicly traded companies. While financial compliance is core to the legislation, it also holds significant provisions for assessing IT risks and controls. The objective of SOX is to safeguard companies from risk associated with rogue software code, manipulation of data, security, and other IT risks that may affect financial performance and reporting. While IT SOX controls are also helpful for developing controls to meet Health Insurance Portability and Accountability Act (HIPAA) compliance, this article will focus on applying software development lifecycle controls and access controls for software code and databases in the deployment of AI models.
The software development lifecycle is the process of developing software from design to release into production. When new code is written, it is first deployed to a development environment and then to a testing environment where it is tested prior to release in production. AI model development follows similar processes and hence similar controls might be applied.
The first step to developing IT controls for AI model deployment is for a management team to design the controls. Controls are a set of formal, written rules and procedures. They must incorporate the risks of each model, how and who will be involved in deve
The content herein is subject to copyright by The Yuan. All rights reserved. The content of the services is owned or licensed to The Yuan. Such content from The Yuan may be shared and reprinted but must clearly identify The Yuan as its original source. Content from a third-party copyright holder identified in the copyright notice contained in such third party’s content appearing in The Yuan must likewise be clearly labeled as such.