AI is already being used to inform decisions on whether someone should get a job. Whether they should be granted credit or qualify for housing. It’s having major, life-altering impacts, making it critically important that we handle AI responsibly.
That responsible management, however, is more easily said than done. And Christina Montgomery, Chief Privacy and Trust Officer at IBM, is someone who focuses on keeping AI a positive force for change.
“Within IBM, we created an AI Ethics Board—that I currently co-chair—to take on this challenge,” notes Montgomery. “We’ve articulated principles around AI—that it should be transparent and explainable. That it should be privacy preserving, secure, inclusive and fair. And while the board has helped build these principles into our culture, we need more than faith to ensure that we’re holding ourselves accountable to them as a company.”
Fortunately, IBM had accommodated a large influx of regulations like this before.
“Our GDPR [General Data Protection Regulation] compliance is probably the closest analog to what we’ve had to deal with for AI,” adds Lee Cox, Vice President of Integrated Governance, Services, and Research within the IBM Office of Privacy and Responsible Technology. “Prior to that, how we handled data protection-related compliance challenges was more local—many of our programs were regionalized. They got the job done, but we would have needed to put a fair amount of work in to scale them to meet new demands.”
He continues: “But with GDPR and other privacy regulations, we needed to start coordinating on a global level. We needed to adapt quickly as we faced more standards, more obligations, more complexity, more sensitivity about, ‘What’s happening to my data and how is it being consumed?’”
To handle this global oversight, IBM created an enterprise-wide Privacy and AI Management System (PIMS). And based on its successes, Montgomery and her team felt that IBM could augment this tool to better document and track compliance across its AI operations as well.
Much like with privacy, AI had witnessed an avalanche of new regulations—both at a national and regional level—over the previous few years. Similarly, various global alliances and associations had also developed guidelines intended to help keep AI behaving ethically and responsibly. But meeting this growing list of expectations can be hard to achieve at scale.
“We’re a big company,” adds Montgomery. “We operate in 170-plus countries around the world. We consist of over 400 distinct legal entities that do business with 13,000 suppliers and 150,000 business partners. At this size, it can be difficult from a governance perspective to get all of our more than 250,000 employees on the same page.”
In late 2022, the office upgraded PIMS, now powered by IBM® OpenPages® and IBM Knowledge Catalog technology. The solution, which also features innovative systems from the IBM Data and AI portfolio (outlined below), offers a centralized, company-wide platform able to capture, integrate and make transparent the metadata related to data privacy and the entire AI lifecycle, from design to deployment to everyday use.
“With PIMS, our overarching drivers were to standardize, simplify and scale significantly,” recalls Cox. “And now we take a more continuous compliance approach that can help identify the gaps between what we’re doing today and new regulations as they come out.”
“It’s critical that we build trust across the entire ecosystem—our employees, our clients, governments and policymakers,” adds Montgomery. “Which is why we’re very strong proponents of being transparent in terms of our involvement with AI, and that’s essentially what PIMS is helping to provide.”
“Bias is particularly important to consider,” notes Cox. “If you take the flaws of humans and amplify that at scale through AI, those flaws are replicated across multiple systems, making the impact on society much more significant.”
IBM OpenPages serves as the heart of PIMS, providing an automated, centralized workflow to previously siloed governance, risk and compliance (GRC) functions. And IBM Knowledge Catalog delivers the corresponding data catalog to monitor and curate this GRC information along with relevant knowledge assets and relationships.
As part of the IBM AI governance strategy, PIMS also takes advantage of the IBM AI Factsheets feature of IBM Cloud Pak® for Data. This tool tracks the lifecycle of machine learning models from training to production, capturing real-world data that can be used to monitor risks and model drift.
PIMS registers new instances of AI that are put into production by IBM and instances of other algorithmic systems. PIMS adds them to a centralized, company-wide workflow and assess them for potential risks. And once the model is live, the solution provides ongoing monitoring for fairness, quality and drift.
At the same time, as new regulations are passed, PIMS can be used to import these requirements, updating governance models and overall risk assessment efforts.
“There is a plethora of new AI regulations being proposed every year,” notes Cox. “It seems like every US state is in the process of building their own rules. There’s a major signature law coming out of Europe in 2024.”
With this evolving AI regulatory landscape and a continuing responsibility to maintain compliance in data privacy and data governance, IBM created an Integrated Governance Program (IGP). This IGP initiative offers a unified strategy for addressing privacy, AI or algorithmic systems, tech ethics use cases, and data clearance requests—all in the same overarching governance program, which includes PIMS.
The IGP helps IBM manage its compliance program at scale, and this will include the European Union Artificial Intelligence Act—the world’s first comprehensive AI law—which will be adopted in 2024. With IGP, AI can be aligned with the Act’s requirements, which focus on risk, trust, security and transparency, and are expected to drive new levels of human oversight and regulatory compliance for AI both within the EU and across the globe.
In turn, PIMS and associated integrated governance workflows provide increased traceability and reporting capabilities, enabling data clearance reviews to be completed before the data is used for model pretraining, development or fine-tuning. The tool also helps to maintain accurate documentation and records of processing (RoPs), associated training, testing metrics and current predictions—regarding AI and other algorithmic systems. Similarly, IBM staff can use this document trail to verify that remediations are actually completed.
IBM plans for future versions of PIMS to reflect IBM’s latest watsonx™ product suite, including watsonx.governance™. This move is intended to provide IBM with enhanced model lifecycle governance capabilities, key metrics and broader performance benchmarking reports.
Presently, PIMS is tracking and managing over 5,500 enterprise applications and business processes across global IBM operations—all from a single, unified platform. And the automation features delivered by the tool feed relevant key performance indicators (KPIs) to governance dashboards, designed to help simplify management, cut overhead, lower remediation workloads and accelerate speed to compliance.
“Rather than having every asset, every individual, every application, every business process monitored by the process owner—and forcing them to work out what laws need to be complied with—we mask that complexity,” explains Cox. “With PIMS, now they only have to focus on the automatically generated remediation tasks. That translates to thousands of hours of effort saved across all of IBM.”
And as new regulations roll out, IBM can identify and accommodate their requirements much more quickly.
“Our last big project—GDPR—took about 12 months of effort to put in a governance model and tracking solution,” notes Cox. “With PIMS, we can now launch an enterprise-wide regulatory compliance program in greatly reduced times, sometimes as short as six weeks. The information’s already there, which makes it faster and easier to identify gaps and build the campaign. After launch, PIMS can then feed the relevant tracking and remediation data automatically into our dashboards.”
And this speed is critical when accommodating new rules. As Montgomery explains: “When a major regulation is enacted, it’s often unlikely that we’re going to be given a ramp-up time of two to three years. It could be more like four to five months. And if our partners or clients don’t have PIMS or something similar to rely on—tools that deliver always-on inventory management and a robust understanding of what data is used throughout the enterprise—then they are going to struggle with compliance.”
“But when they work with IBM,” she continues, “we can offer a level of transparency that can help our partners and clients build the confidence, the trust that project by project they can adopt this AI technology while managing—keeping an eye on—risk.”
The IBM Office of Privacy and Responsible Technology oversees the creation and administration of global IBM policies regarding the protection and confidentiality of individual and business data. And working in conjunction with the IBM AI Ethics Board, the office guides the governance and relevant decision-making processes for AI ethics policies and practices, building a culture of responsibility and trust throughout IBM.
Legal
© Copyright IBM Corporation 2024. IBM Corporation, IBM Consulting, New Orchard Road, Armonk, NY 10504
Produced in the United States of America, March 2024.
IBM, the IBM logo, ibm.com, IBM Cloud Pak, OpenPages, watsonx, and watsonx.governance are trademarks or registered trademarks of International Business Machines Corporation, in the United States and/or other countries. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on ibm.com/legal/copyright-trademark.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
All client examples cited or described are presented as illustrations of the manner in which some clients have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions. Generally expected results cannot be provided as each client’s results will depend entirely on the client’s systems and services ordered. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
The client is responsible for ensuring compliance with all applicable laws and regulations. IBM does not provide legal advice nor represent or warrant that its services or products will ensure that the client is compliant with any law or regulation.