ISO 42001 and HUDERIA
Two frameworks with very different DNA → ISO/IEC 42001:2023 is a management system standard that any organisation, of any size or industry, can certify against, while HUDERIA is the Council of Europe's human rights impact assessment methodology: risk-based, driven by the proportionality principle and anchored in eight principles.
- ISO/IEC 42001:2023 (AI management system) → requirements and guidance for using AI responsibly and effectively across applications · an integrated approach to managing AI projects, from risk assessment through to the treatment of the identified risks · applies to organisations of any size and industry that develop, provide or use AI · the standard embeds the AI management system into the organisation's existing processes and overall management structure (objectives, interested parties and policy · risks and opportunities · processes that address trustworthiness concerns · management of suppliers, partners and other third parties).
- HUDERIA (Council of Europe) → Human Rights, Democracy and the Rule of Law Impact Assessment for AI systems → derives its basis from existing human rights law rather than inventing new obligations · risk-based approach anchored in specific principles · the methodology follows the proportionality principle (the depth of assessment scales with the risk) · a method for assessing and grading the likelihood and severity of risks · process → identify the rights that are impacted → assess the impact → assess the governance mechanisms in place (mitigation, stakeholder involvement, effective remedy, accountability, transparency) → monitor and evaluate continuously, since the risk profile changes as the system, its data and its context change.
HUDERIA's eight principles → human dignity · human freedom and autonomy · prevention of harm · fairness, nondiscrimination, equality, diversity and inclusiveness · data protection and the right to privacy · democracy · rule of law · social and economic rights.
Choosing your framework → what to weigh: principles (the foundation, capture all values, restrictive vs permissive stance) · risk tolerance (may vary within the organisation, industry or jurisdiction prohibitions) · jurisdiction (multiple regimes? can you comply with all?) · industry requirements · AI's relationship to business strategy (creating vs using provided systems, vendor vetting and compliance) · AI purpose and use case (org-wide vs one department changes the risk level) · size and ability to implement (monetary, technical and staff resources). Then review systems already in use against principles, jurisdictional requirements and risk levels.
Module 3's seven takeaways → 1) Clarify roles for developers, providers, deployers and users · 2) Engage leadership early, with champions and honesty about the organisation's maturity · 3) Customise governance via the six differentiators, choosing a centralised, decentralised or hybrid model · 4) Implement policies across the nine oversight areas, starting with the use case assessment · 5) Train everyone on terminology, strategy and governance (EU AI Act Article 4 obliges providers and deployers to ensure sufficient AI literacy among their staff) · 6) Conduct assessments (use case assessments before implementation and continuously afterwards; AI system impact assessments (AIIAs) gauge severity, following ISO/IEC 42005) · 7) Integrate risk management, aligning AI risk strategies with the NIST AI RMF, ISO/IEC 42001 and HUDERIA → a gap between frameworks is a gap an attacker or a regulator will find first. Mnemonic bank → Governors Map, Measure, Manage (the four NIST AI RMF Core functions: Govern, Map, Measure, Manage) · Very Safe Systems Explain Privacy Fairly & Accountably (the seven trustworthiness characteristics: valid and reliable, safe, secure and resilient, explainable and interpretable, privacy-enhanced, fair with harmful bias managed, accountable and transparent) · TEVV (test, evaluate, verify, validate).