As organisations increasingly adopt AI, robust governance is essential. These 10 questions highlight key areas organisations should consider to guide their AI adoption.
Artificial intelligence (AI) can provide many opportunities and benefits for organisations. However, it can also introduce or exacerbate risks. Responsible AI adoption requires having the right governance in place to both seize the opportunities and manage the risks of adoption.
The following high-level questions aim to help organisations at the beginning of their AI governance journeys to assess whether they have the right top-level measures in place to direct and control their use of AI. They will also help in laying the foundations for future independent AI assurance.
These considerations do not replace formal governance or assurance but are intended to be a prompt to start understanding areas of importance.
Six questions to assess top-level measures
1. Have you defined an AI strategy for your organisation?
An AI strategy helps ensure that AI adoption is considered, targeted and aligned in relation to the organisation’s business strategy and wider organisational goals. Having a strategy also helps an organisation to determine its resourcing needs and to focus available resources on the most relevant and impactful areas.
2. Have you defined and communicated an AI policy, along with the relevant processes and procedures?
An AI policy is critical to helping an organisation’s key stakeholders, including employees and suppliers, understand ownership, accountabilities, roles and responsibilities, and the organisation’s expectations for development, implementation and use of AI.
Clear ownership prevents ambiguity about accountability and responsibilities for AI model and system performance, compliance, risk management and ethical use.
An AI policy can provide employees with the confidence to develop, implement and use AI responsibly, by clarifying the “rules of the road”, including opportunities and guardrails to manage risks. It can also promote consistency, allowing management to effectively govern and oversee AI adoption. AI policies should be reviewed, updated and communicated regularly, to reflect both technological developments and organisational changes.
Policies are supported by procedures, which help employees translate policy requirements into day-to-day activities by further defining responsibilities, and providing step-by-step guidance on how tasks should be performed to comply with the AI policy.
Relevant questions to explore include whether the policies and procedures define:
- who is accountable overall for AI governance and risk management within the organisation;
- who is responsible for bringing together the various capabilities required to govern AI effectively; and
- roles, responsibilities and accountabilities across the entire AI system life cycle.
3. Have you implemented proportionate risk management that aligns to your organisation’s strategy and risk appetite?
AI governance is not ‘one size fits all’; the level of governance and controls required is determined by the level of risk. Risk assessments should consider not only broader high-level risks such as security, but also the inherent risk of each specific use case. This includes impact assessments of ethical elements covering fairness, autonomy and harm. They should also evaluate societal implications and principles beyond technical compliance and consider the risk of non-compliance with relevant laws and regulations.
An organisation-wide risk taxonomy defining types of risks and how they are measured is key to ensuring consistency in the assessment and communication of risk.
The organisation’s management (first line) should set risk tolerances, and the board should review and approve risk levels and set the organisation’s overall risk appetite.
Once risks have been assessed, mitigation measures should be implemented in line with the level of risk and the organisation’s risk appetite and tolerance.
Most organisations will rely on third parties, such as model providers, hosted AI services and system integrators, for the development and implementation of AI. Risk assessments should cover the risks these third parties introduce, including their security, data handling and change-management practices, and the contractual and monitoring arrangements needed to keep those risks within appetite.
4. Have you defined the interaction between AI and humans, including when, where and how humans will be involved?
Human intervention points should be defined, commensurate with the level of risk. Any activities such as overrides should be logged, reviewed and used to improve the system, ensuring accountability and continuous improvement.
5. Have you implemented a process to monitor and oversee your AI systems?
Most AI models do not change once deployed, but the data they receive does. When the statistical properties of the inputs, or the relationship between inputs and the outcomes being predicted, move away from what the model was trained on, its performance can deteriorate silently. This is known as model drift (often split into data drift and concept drift). Organisations should have drift detection measures in place, for example comparing the distribution of live inputs and outputs against a training-time baseline and tracking performance against actual outcomes where these are available, together with retraining protocols. Where a system does learn from feedback or is retrained on an ongoing basis, controls over which data is allowed to influence it are also needed.
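The following is an added example of the input-distribution check described above, not code from the original article. It computes the Population Stability Index (PSI) per feature between a training-time baseline and a later production window. The feature names, sample data and the 0.1 / 0.25 alert bands are all assumptions: the data is generated here for illustration, and the bands are a widely used rule of thumb rather than a standard.

```python
"""Added example: detecting data drift with the Population Stability Index.

Not part of the original article. Feature names and sample data are
constructed; the 0.10 / 0.25 bands are an assumed rule of thumb.
"""
import bisect
import math
import random
from typing import Dict, List, Sequence


def psi(reference: Sequence[float], current: Sequence[float],
        bins: int = 10, eps: float = 1e-6) -> float:
    """Population Stability Index of `current` against `reference`.

    Bin edges are reference quantiles, so each bin holds roughly 1/bins of
    the reference sample; the same edges are applied to the current sample.
    PSI = sum_i (cur_i - ref_i) * ln(cur_i / ref_i) over the bin fractions.
    """
    if not reference or not current:
        raise ValueError("both samples must be non-empty")
    ref_sorted = sorted(reference)
    n = len(ref_sorted)
    edges = [ref_sorted[n * i // bins] for i in range(1, bins)]

    def fractions(values: Sequence[float]) -> List[float]:
        counts = [0] * bins
        for v in values:
            # bisect_right gives the number of edges <= v, i.e. the bin index
            counts[bisect.bisect_right(edges, v)] += 1
        return [c / len(values) for c in counts]

    total = 0.0
    for r, c in zip(fractions(reference), fractions(current)):
        r, c = max(r, eps), max(c, eps)  # guard against log(0) on empty bins
        total += (c - r) * math.log(c / r)
    return total


def classify(value: float) -> str:
    """Assumed rule-of-thumb bands for PSI; tune to the use case's risk level."""
    if value < 0.10:
        return "stable"
    if value < 0.25:
        return "moderate drift - investigate"
    return "significant drift - retrain/review"


def drift_report(reference: Dict[str, Sequence[float]],
                 current: Dict[str, Sequence[float]]) -> Dict[str, dict]:
    """Per-feature PSI with a status band; a feature absent from the live
    window is itself flagged, since a silently dropped input is a failure."""
    report: Dict[str, dict] = {}
    for name, ref_values in reference.items():
        if name not in current:
            report[name] = {"psi": None, "status": "feature missing in current window"}
            continue
        value = psi(ref_values, current[name])
        report[name] = {"psi": round(value, 4), "status": classify(value)}
    return report


def _sample(mean: float, n: int, seed: int) -> List[float]:
    """Constructed data: normally distributed values with a fixed seed."""
    rng = random.Random(seed)
    return [rng.gauss(mean, 1.0) for _ in range(n)]


# Constructed baseline (training time) and two later production windows.
# In WINDOW_SHIFTED the "loan_to_income" input has moved by 0.8 standard
# deviations; the model's own scores are unchanged.
REFERENCE = {"loan_to_income": _sample(0.0, 5000, 1), "model_score": _sample(0.0, 5000, 2)}
WINDOW_STABLE = {"loan_to_income": _sample(0.0, 5000, 3), "model_score": _sample(0.0, 5000, 4)}
WINDOW_SHIFTED = {"loan_to_income": _sample(0.8, 5000, 5), "model_score": _sample(0.0, 5000, 6)}

if __name__ == "__main__":
    for label, window in (("stable", WINDOW_STABLE), ("shifted", WINDOW_SHIFTED)):
        print(label, drift_report(REFERENCE, window))
```

PSI only sees the inputs and outputs, so it catches data drift but not concept drift, where the inputs look the same but the right answers have changed; that needs the model's predictions compared against real outcomes over the same windows. A drift alert should feed the retraining protocol and the human review points described above rather than trigger automatic retraining on unvetted data.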
6. Have you implemented measures to ensure that staff are skilled and empowered to adopt AI?
People are crucial to an organisation’s ability to adopt and scale AI. Employees should be taken along on the AI journey with clear communication of the purpose for adopting AI, benefits to be achieved, and how they will be impacted. Training needs should be identified as part of the change programme, and plans put in place to upskill employees in relevant areas including technical skills, human skills (for example, critical thinking and judgement), and the organisation’s own AI policies and procedures. Training should be an ongoing process as the organisation’s implementation and use of AI evolves.
Four additional considerations for higher-risk systems
1. Can you explain to relevant internal and external stakeholders how the AI system reaches its decisions in business terms?
If decisions cannot be explained, they cannot be understood or justified. Organisations should require interpretable outputs and documented logic. The type and quantity of information provided depends on the stakeholder and the level of risk.
2. Is relevant input data complete, accurate, tested for bias and traceable to its source, owner and validation date?
Faulty or unverified data creates systemic risk. Data lineage, which tracks the flow of data from origin to final destination, and consent records are essential for compliance and trustworthiness.
3. Have appropriate controls been implemented to mitigate cyber security risks?
Cyber security risks in relation to AI can exist in the AI models themselves (including their training data and model artefacts) as well as in their integration and interaction with the wider systems, data and tools they are connected to. Developments such as agentic AI, where models are given permissions and tools to act on an organisation's behalf, further raise the importance of cyber security. Organisations should implement measures to manage risks including information leakage (of training data, prompts or connected data), the introduction of malicious data into a model's training data (data poisoning), inappropriate access to models, data and connected systems, and insecure code generated by AI assistants.
4. Do you have policies and procedures to provide clear guidance for reporting and handling significant AI failures or harmful outputs?
Organisations need clear feedback, escalation and remediation plans for operational resilience and regulatory defence. This includes having the right contractual clauses to define liability, as well as defining crisis management and communication procedures for incident management, considering relevant topics such as cyber security alongside AI risks. Processes should consider both internal elements such as whistleblowing, reporting and complaints, as well as external engagement and communication, including with the organisation’s lawyers.
Additional guidance on AI governance controls and activities is available from various sources, including:
- standards like ISO/IEC 42001, which specifies an AI management system (AIMS);
- regulations like the EU AI Act; and
- frameworks like the National Institute of Standards and Technology (NIST) AI Risk Management Framework.
Accounting Intelligence
ICAEW has created a suite of resources to support members in building their understanding of AI, including opportunities and challenges.