This is the second part of our AI Governance Series which will focus on how we operationalize the Unique AI Governance Framework. We have already published the first part of this series which focuses on “What is AI Governance about?”. Add link
This paper explores Unique’s own AI Governance Framework, how it came to be and how it is being operationalized within the company and product.
Please stay tuned for more updates on this series where the third part will deep-dive into “What do industry professionals say about Unique’s AI Governance Framework."
The Unique AI Governance Framewor
Background and review of existing frameworks
The rise of GenAI solutions like ChatGPT introduces new risks and responsibilities, particularly in highly regulated industries like banking and insurance. AI Governance has been touted to be an essential pillar in ensuring risk management while creating value. Interest in AI Governance has grown significantly over the last few years, with numerous frameworks emerging since 2016. Key examples include the OECD AI Principles, UNESCO Recommendations on AI Ethics, the EU AI Act, and the US AI Bill of Rights. Efforts to establish AI Governance involve international organizations, governments, and private sector initiatives, with ongoing work to tailor these frameworks to specific industries, including the Financial Services Industry.
For our Unique FinanceGPT, we focused on building on already existing frameworks that represent the current state of the art whilst also accounting for the specialties of a highly regulated industry like financial services. We combined our deep industry understanding with leading AI Governance frameworks published by renowned agencies like FINMA, the National Institute of Standards and Technology (NIST) and several others.
A global report from 2016 covering over 80 AI frameworks from various organizations showed emerging convergence around the principles transparency, justice and fairness, non-maleficence, responsibility and privacy. On a European level, the EU AI Act also acts as a guiding tool for AI Governance. It includes many important principles like Security, Robustness, Transparency, Data Quality/Fairness, Responsibility. Finally, on the Swiss level many organizations are also trying to navigate the AI Governance field. Vischer, a leading law firm, has published a guidance with 11 Principles to help organizations navigate AI. These include responsibility, transparency, fairness, reliability, information security, explainability and human oversight, amongst others. Specifically for the Swiss Financial Services Sector (FSI), FINMA has set out their supervisory expectations, which are built on the four principles of robustness & reliability, non-discrimination, governance & responsibility and transparency & explainability.
Pillars
Our five pillars consist of two that build the foundation of any stable AI Governance initiative: trust and safety & security.
Trust is essential for ensuring that the other pillars can be upheld as it helps to ensure the use of the technology by our customers but also boosts internal trust in the initiative which further improves the outcomes thereof.
Safety & security play into this as well. This ensures that financial services are within the legal guardrails set by regulators and further amplifies the trust in Unique FinanceGPT and specifically in our AI Governance Framework. Building on these two foundational principles are three further essential principles, namely: Accountability, Reliability & Robustness and Explainability & Transparency.
Accountability is essential for ensuring that each user has their rights and their obligations and allows for a more traceable trail of responsibilities. This strengthens each individuals’ sense of responsibility to the upholding of proper AI Governance and further strengthens the other principles and includes for example roles & responsibility definitions or definition of access rights.
Reliability & Robustness encompasses the ability to review how well models are performing (comparing same use cases with different underlying LLMs as well as comparing across different use cases) and delivering the desired outputs. This allows for systematic reviews of and subsequent corrective measures for these models.
Finally, Explainability & Transparency means allowing for users to understand how the model reaches its outputs and ensuring that the model remains human-centered.
Operationalisation
Within Unique and in close co-development with our clients, each of these pillars has been operationalized to ensure that they are not just principles on paper but that they are fully integrated into the entire product. It is important to note that for all AI Governance principles a Shared Responsibility Model is applied meaning that the client and Unique share responsibility with a varying degree regarding different operationalization strategies.
Trust
Within the Unique AI Governance Framework, trust is built by ensuring that Unique’s Responsible AI Policy and Governance is consistently being improved, well documented and easily understandable. Further, we ensure that these policies are thoroughly understood and integrated into Unique’s company culture by investing in AI literacy and training for all our employees, including senior management. Finally, Unique encourages third-party oversight by setting up AI Governance committees and by making Unique’s inventory of GenAI use cases publicly available.
We follow a proactive approach to compliance which enables us to reduce any potential misuse of credentials, securely store and manage client data, adhere to highest privileged access standards, and respond swiftly to emerging threats. Unique FinanceGPT is designed to provide exceptional resistance to data exfiltration, and we recognize that security has to be integrated across the company within the development life cycle, IT operations, and business processes. Collectively, we refer to these measures and processes as the Unique Compliance Layer.
Read the full whitepaper on our compliance layer here.
Safety & Security
At Unique, we aim to meet the highest standards of compliance by going beyond just staying within the law. We have officially received ISO 27001 and ISO 9001 certifications, which regulate business quality, security and risks and recently also became SOC 2 compliant which demonstrates our commitment to data security and privacy, building trust with our customers, and meeting regulatory requirements. Further, Unique is a Microsoft partner and all data is stored on Microsoft Azure Cloud hosted in Switzerland (or any other location chosen by the clients). Unique servers are located within Unique’s own private cloud, and we manage our APIs carefully to not allow any untrusted external connections. Finally, we work closely with our customers to ensure Data Leakage Prevention (DLP) when integrating Unique’s products into an organizations existing ecosystem (e.g., disclaimer information, terms of use, training, Technical and Organizational Measures (TOMs), opt-out from training, and prompt checking for Microsoft Azure OpenAI Services, etc.).
Find out more here.
Accountability
Unique FinanceGPT allows for accountability through measures which can be deployed by Unique, the client or within a shared responsibility framework. Our product has the option to define different workspaces which allows for different settings in different spaces for defined users. A workspace means that you can chose the type of users, the ingested documents, define access rights and pre-define prompts, if required. Using workspaces makes sure that users and space managers are only allowed to see content for which they have access rights for. Further, Unique FinanceGPT has a clearly defined role concept which lays out how access to rights can be defined within our product. The access role concept has four layers: Zitadel Roles, Unique Roles, Space Access and Scope Access. This allows for differing levels of access and clear accountability for different assigned roles. Finally, we give clients the ability to establish a clear governance of data owners within the Unique FinanceGPT
Reliability & Robustness
Due to the rise of new LLMs (Large Language Models) and tendency of clients for using different LLMs for various uses cases (e.g. GPT-4 for a summarization use case, Mistral self-trained model for directives search), Unique has made it possible to cross-check the results for different models. Thanks to our built-in FSI Benchmarking capabilities, models can be routinely checked by benchmarking outputs in different spaces to expected answers. Our user-friendly dashboard allows you to easily track which models and question sets are working well and which need improvement. Further, based on the benchmarking set, administrators can also manually review answers and help to improve the reliability of future outputs ensuring a human-in-the-loop approach.
In addition, Unique offers a “hallucination checker” which provides information to the end user of the potential level of hallucination.
Explainability & Transparency
One of the largest challenges when working with GenAI is the potential hallucination of Large Language Models. For FSI clients, it is of greatest importance to ensure unbiased, factually correct answers to the end users. Using Retrieval Augmented Generation (RAG), Unique FinanceGPT makes it possible to retrieve information from client-specific data sources (e.g. Sharepoint, internal Wiki, Excel documents, etc.). By employing RAG, the LLM is supplemented with information specific to the client while still leveraging the capabilities of an LLM. Using RAG means that client-specific data can be used to generate answers but no data is shared with the LLM or LLM provider (e.g. Microsoft).The model can therefore retrieve the relevant information from the external source, augment the retrieved information with the user’s prompt and then send it all to the LLM to generate a response that can easily be retraced by the user. Unique FinanceGPT displays the internal data sources used and an end user can easily click on them and fact check.
In Summary
With the growing importance of AI Governance, particularly in regulated industries such as financial services, Unique FinanceGPT offers a one stop shop with build-in of the latest industry standards for compliance, security, and responsible AI practices. Unique’s approach to AI Governance for FinanceGPT builds on existing frameworks, emphasizing transparency, fairness, responsibility, and industry-specific considerations, including FINMA’s principles for the Swiss financial sector. The framework’s operational pillars are trust, safety & security, accountability, reliability & robustness, and explainability & transparency. These pillars ensure compliance, data security, and a robust AI model review process, promoting responsible AI use. Unique employs a shared responsibility model with clients to enforce these principles, ensuring AI governance is integral to product development and operations.