AI Tool Risk Assessment and Approval Procedure (SEC-PROC-007)

1. Purpose

To define the formal process by which an employee submits a new AI tool for consideration and by which the AI Governance Committee performs a risk assessment, so that the tool's use aligns with company policies and risk appetite.

2. Scope

This procedure applies to all employees and contractors who wish to use a new Artificial Intelligence (AI) tool for business purposes, especially those that may process sensitive or confidential company or customer data.

3. Overview

This procedure outlines the workflow for the review and approval of new AI tools. It details the submission process for an employee, the required information for the request, and the steps the AI Governance Committee takes to conduct a thorough risk assessment before formally approving or denying its use.

4. Procedure

Step | Who | What
1 | Employee/Requestor | Submits an “AI Tool Risk Assessment and Approval Form” to the AI Governance Committee.
2 | Employee/Requestor | Provides all required information, including the tool’s purpose, data sensitivity, privacy impact, and vendor documentation.
3 | AI Governance Committee | Reviews the submission and conducts a risk assessment, considering factors such as data security, privacy, compliance, and operational impact.
4 | AI Governance Committee | Formally approves or denies the request in writing, documenting the rationale for the decision and any conditions for use.
5 | AI Governance Committee | Maintains a register of all approved and denied AI tools.

5. Standards Compliance

Procedure Step(s) | Standard/Framework | Control Reference
1-5 | SOC 2 | CC2.1
1-5 | NIST AI Risk Management Framework | Entire Framework

6. Artifact(s)

A completed AI Risk Assessment and Approval Form.

7. Definitions

AI: Artificial Intelligence.

8. Responsibilities

Role | Responsibility
Employee/Requestor | Initiates the review process and provides complete and accurate information about the proposed AI tool.
AI Governance Committee | Conducts the risk assessment, makes the final approval decision, and maintains records of all assessments.