Answer yes if any client data is used to train your AI model, or any external AI model used to provide supplier services. Please describe which client data may be used to train AI models and how this is communicated to those clients.
What is the control?
It’s important to clearly communicate how data provided to AI models and services is used, particularly for the case where a third-party AI model is embedded into a service and the full scope of processing may be unclear.
Why should I have it?
Service maintenance and feature development may require AI model tuning and improvement. One aspect of that improvement is moderating and assessing outputs for usability and accuracy against the intent of the prompt that was provided. One strategy to achieve this is to incrementally or continuously re-train your model with new information provided by service users.
It’s important to consider risks related to the nature of data and information disclosed by your client to an AI-supported service and any controls that you need to apply to mitigate risks related to confidential or sensitive data being stored and re-used.
Your change process should dictate an approval process for any new or changed AI model or service.
This approval process should include a security risk assessment covering the full scope of the proposed AI processing. It should also provide assurance that any training data provided to models is restricted (as far as practicable) to limit what data is stored and re-used. AI model service contracts should be reviewed to determine whether service-user data may be repurposed to improve your models. The nature of the data processing should be explicitly defined in the contract terms of service.
The change process should also inform other processes and actions, such as the reconfiguration of data loss prevention policies and technical measures where risks exceed tolerance.
The change process should also include the criteria needed to ensure proposed material changes are communicated to existing clients.
There is a growing number of consultancies and individual consultants who can assist in designing a data processing workflow that meets your business and technical requirements.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.