[Idea]: Example use cases for AI Governance Framework

[vicenteherrera]

Contact Details

vicente.herrera@control-plane.io

What is the idea

I write this issue in behalf of those commenting on the need to have more information on the AI Governance Framework content about example use cases, reference architecture, reference implementation, etc.

There is an existing FINOS project for Common Cloud Controls (CCC) for AI that are already actively working on putting together a reference architecture, employing the building blocks that CCC is already defined. We can collaborate and have sinergy with that group.

What we are advocating here are more abstract examples, in a similar manner for the diagram that was incorporated at the beginning of working on the framework. It was retired because it didn't match many use cases and was misleading people into that the framework was only useful for a system exactly like that.

But on recent conversations, it has surfaced that having several example architectures where people can better map where the risks, mitigations and detective controls are location simplify understanding and prioritizing using the framework.

This could be accompanied by a day-to-day description on how it may look like implementing the framework in specific examples for those architectures, so it's more clear the roadmap that AI teams should follow to make their own projects more secure.

But as mentioned, we do not see a) we should build ourselves a working running examples, as there is already another project working on that or b) describing perfectly the AI system the Governance Framework applies to, as each would be different in several ways. We think on generics that are more a teaching material for people's understanding.

Why is it a good idea

It has already been asked in meetings to bring back the original diagram, as well as providing more guidance on how to apply the framework.

How does it work?

We should discuss in this issue and on working sessions if this is something people are interested in. We should exchange reference information that can better inform us about this, like other architectures described in AI security. We should draft some information about how these examples/use cases could look like. Then we decide how to publish it alongside the framework, then we iterate and finalize.

primer

artificial intelligence

Any other key information

Code of Conduct

• I agree to follow the FINOS Code of Conduct

[lucaborella89]

@robmoffat , @karlmoll and I facilitated a CC4AI workshop the day after OSFF London in which participants started working on such topics. See for example this PR finos/common-cloud-controls#789

For more context on the CC4AI initiative, see the press release here https://www.finos.org/press/global-financial-institutions-and-technology-leaders-collaborate-under-finos-to-launch-open-source-common-controls-for-ai-services

[chamindra]

+1 Agreed @vicenteherrera. We need architecture associated to use-cases to serve as some baseline for threat modelling.

[eddie-knight]

+1 — This fits with the ongoing conversations on recent AIGF calls

[ColinEberhardt]

+1 - I really like the idea of having a number of example use cases, where the primary goal is to help people understand how to apply the framework. These could be visual and potentially interactive.

[pmerrison]

+1 - we have a number of people on the calls from FS firms; perhaps a good first step would be to poll them to discover what AI use cases are actually seeing deployment in firms at the moment and which are on their radar as upcoming?

[awaiken]

+1 - with the caveat that we focus on practicality and implementability