AI Compliance Audit: Does My Company Need One?

Since the public launch of ChatGPT in late 2022, the availability of artificial intelligence (AI) tools has skyrocketed. AI technologies have been integrated into a wide range of existing consumer and enterprise products. New products featuring AI capabilities have been launched and gained widespread traction.

For businesses of any size, these developments raise important questions. How is the enterprise using AI tools? Is that usage consistent with applicable regulatory requirements and/or the company’s governance framework?

An AI compliance audit, whether internal or external, can uncover the answers to those questions. For legal advice on conducting an effective audit, contact a science and technology lawyer.

Legal Context for AI Compliance Audits

In the United States, there is no single federal law directly addressing how businesses should use artificial intelligence.

Some states have started to adopt laws specific to AI, such as the Colorado Artificial Intelligence Act, which requires protection of private data and safeguards against algorithmic discrimination.

In addition, companies that do business overseas must take care to comply with local laws in the countries where they operate. Notably, in Europe, the EU Artificial Intelligence Act classifies AI systems according to their levels of risk and imposes certain obligations on both the developers and users of these systems.

Companies must also ensure that their AI usage complies with existing sector-specific laws and regulations. In the United States, these include:

• The Health Insurance Portability and Accountability Act (HIPAA) in the healthcare field
• The Federal Reserve’s Guidance on Model Risk Management in the banking field

Outside of the U.S., many countries have comprehensive data protection laws, such as the European Union’s General Data Protection Regulation (GDPR).

Get Help With Technology Law Matters

Technology law is changing and catching up. For legal help with tech law and regulation, use the Super Lawyers directory to find a technology lawyer near you.

Find a lawyer today

Frameworks for Carrying Out Artificial Intelligence Audits

A number of voluntary frameworks exist to help companies and other institutions shape their AI governance models.

For example, the National Institute of Standards and Technology (NIST) issued an AI Risk Management Framework in 2023 in collaboration with the public and private sectors. Many institutions have adopted this framework.

Internationally, Singapore’s Infocomm Media Development Authority (IMDA) and Personal Data Protection Commission (PDPC) have developed a Model Artificial Intelligence Governance Framework. This framework aims to foster trusted generative AI development. Many private sector companies across different jurisdictions use this framework.

Steps in the AI Audit Process

The AI audit process will typically look into:

1. What datasets do AI systems have access to for training and processing?
2. Which machine learning or other AI models is the company using?
3. How are employees using AI their workflows?

Findings from these inquiries give business leaders insight into how their enterprise is using AI, where they may need to put new controls in place, and how they can pursue AI-driven growth consistently with broader business priorities.

Governance and Risk Management Considerations

Employees and managers who use AI tools must align their decision-making with business priorities and risk management. An AI audit addresses these and other important questions, including:

• Is the company using customer and user data in ways those customers and users would expect or consent to? Does the use of AI introduce data privacy concerns?
• Does the company’s use of AI tools expose it to possible security breaches? Does it need new cybersecurity measures to address those risks?
• As the business incorporates third-party AI systems and tools into its processes, can the enterprise absorb the likelihood of future cost increases?
• If the business expects AI to drive cost savings through automation of manual work, are the systems reliable at achieving the desired outcomes?
• Could the company’s use of artificial intelligence in publicly visible ways cause reputational harm among some constituencies?
• Does the business have a responsible AI policy incorporating ethical, environmental, and other considerations? If so, is everyone within the company held accountable to it?

While some of these questions may implicate specific technology laws and regulations, they also boil down to whether management has visibility into how the company is being run.

The rapid growth and change associated with AI may require new governance and risk management measures to ensure that these questions can be answered with a “yes.”

Who Can Carry Out an AI Compliance Audit

Large businesses, especially in regulated industries, typically already have robust internal compliance teams and audit functions. Outside consultants may be able to assist internal stakeholders with standing up AI legal and regulatory compliance programs.

For smaller businesses without dedicated internal audit resources, it may be more necessary to bring in outside help.

While AI governance is a new and evolving area, consultants and law firms that specialize in artificial intelligence may be able to help a small business audit their compliance with AI laws, regulations, and ethical considerations. For businesses that choose to bank heavily on AI-driven transformation, bringing on dedicated audit resources becomes more important.

Find Legal Help

For legal guidance on AI use and compliance requirements, reach out to a local science and technology law attorney.