Cyber & IT Supervisory Forum - Additional Resources

GOVERN 3.2 Policies and procedures are in place to define and differentiate roles and responsibilities for human-AI configurations and oversight of AI systems. About Identifying and managing AI risks and impacts are enhanced when a broad set of perspectives and actors across the AI lifecycle, including technical, legal, compliance, social science, and human factors expertise is engaged. AI actors include those who operate, use, or interact with AI systems for downstream tasks, or monitor AI system performance. Effective risk management efforts include: clear definitions and differentiation of the various human roles and responsibilities for AI system oversight and governance recognizing and clarifying differences between AI system overseers and those using or interacting with AI systems. Suggested Actions Establish policies and procedures that define and differentiate the various human roles and responsibilities when using, interacting with, or monitoring AI systems. Establish procedures for capturing and tracking risk information related to human-AI configurations and associated outcomes. Establish policies for the development of proficiency standards for AI actors carrying out system operation tasks and system oversight tasks. Establish specified risk management training protocols for AI actors carrying out system operation tasks and system oversight tasks. Establish policies and procedures regarding AI actor roles, and responsibilities for human oversight of deployed systems. Establish policies and procedures defining human-AI configurations (configurations where AI systems are explicitly designated and treated

as team members in primarily human teams) in relation to organizational risk tolerances, and associated documentation.

28