Guardrails for Companies to Avoid GAI Liability

Business AI can be reflected in pubic advertising in any media or form, targeted email sent to selected individuals, telephone solicitations seeking customers with interactive AI conversations, images used to represent actual events or products?

A previous post (“AI and Company Boards” dated May 18) advises what the Board ought to ask of management.  What does management do, nuts and bolts and on the ground, to fulfill the Board mandate to obey the law and just “don’t mess up”?

What specific steps can help prevent errors which mislead the customer, overstate their product capabilities, avoid unfair trade practices, and avoid the accusation that you have slandered a person or a competitor?  The answers are derivative of prior posts identifying risk: attend to the nature of he AI you use and design and monitor internal systems that police the generation and content of your AI-assisted or created output.

First, recognize the issues and allocate resources, money and people, to undertake a preventative program. Like any important risk management function, it needs to be owned by someone in management with authority to demand attention and adherence.  Like any important risk, it needs to be on the ERM (enterprise risk management) checklist for each department or function that involves GAI.  It needs to have a direct report up the line to someone who understands the task.

The legal department needs to generate checklists in two directions: upstream as to what GAI is being used, and downstream as to the content generated by that GAI.  Minimum items on checklist:

*Criteria for selection of AI used– screened for internal bias; claims asserted against users; compliance with State and Federal laws confirmed; can it be programmed to collect and store only such data is is central to the business of the company and to exclude the harvesting of information  that is ancillary.

*Handling of use of AI internally–are people working on use of AI properly trained as to risks; are they carefully limiting what data in fact is being harvested; are they trained not to put into the system either company-proprietary information of personal information; have experts addressed non-hacking protection of the AI operation; has management reported with granularity to the board committee responsible for ERM as to company effort in this regard; has inside our outside counsel been kept current so that counsel can in turn advise the company of relevant new law, regulations a court decisions; installation of system to analyze film and photos for AI alteration or generation;  has HR been alerted as to lay-offs, company morale, retraining, job satisfaction, etc.

*Output: who reviews how often output, whatever its form (ads, text, website, product/service literature, press releases, text of verbal programs); prompt reporting of problems, errors etc to legal; avoidance procedure re violation of copyright, trade name, copyright laws.

I suspect that as regulation increases and as GAI issues become fully recognized and fully utilized, outside service entities will arise offering specific and / or comprehensive assistance with respect to the foregoing; this triggers the usual business question: is it cost effective for our company to build this in -house or hire it in?  In turn, the question arises as to the quality of, and contractual obligations and exclusions of, any outside firm

 

Comments are closed.