CHATTANOOGA, TENNESSEE - Much discussion swirls about ethics in artificial intelligence (AI), but the process of developing and deploying AI models also deserves attention. When considering best practices, compliance, and risk mitigation with any emerging technology such as AI, understanding how similar challenges have been solved historically is helpful. Sarbanes Oxley (Sarbox or SOX) information technology (IT) controls have been used successfully for nearly 20 years to mitigate risks and may be deployed to improve AI model development and deployment processes.   

SOX is United States federal legislation governing financial reporting for publicly traded companies. While financial compliance is core to the legislation, it also holds significant provisions for assessing IT risks and controls. The objective of SOX is to safeguard companies from risk associated with rogue software code, manipulation of data, security, and other IT risks that may affect financial performance and reporting. While IT SOX controls are also helpful for developing controls to meet Health Insurance Portability and Accountability Act (HIPAA) compliance, this article will focus on applying software development lifecycle controls and access controls for software code and databases in the deployment of AI models. 

The software development lifecycle is the process of developing software from design to release into production. When new code is written, it is first deployed to a development environment and then to a testing environment where it is tested prior to release in production. AI model development follows similar processes and hence similar controls might be applied. 

The first step to developing IT controls for AI model deployment is for a management team to design the controls. Controls are a set of formal, written rules and procedures. They must incorporate the risks of each model, how and who will be involved in deve