4 March 2025

When it comes to artificial intelligence, one thing is absolutely certain - the landscape is evolving at an incredibly fast pace, both in terms of the technical advancements of AI models and systems, and also the overall regulatory and guidance landscape. 

If we take a moment, step back, and reflect on things, it is possible to reduce the noise a little and think things through. For most companies, the research, development and use of AI is something that is either meant to be (i) a net positive to society - benefit to the world, (ii) a revenue generating venture, or (iii) a way to create more efficiency in workflows. 

The question then becomes: at what cost do we want to use AI? And while the legal and regulatory obligations are clarified, and should be considered in detail when appropriate, an effective starting point is to think about the intended end-result behind an AI-related initiative, and then work backwards from there. Maybe it's a more efficient contract management system, or a 24/7 customer service offering. But the very last thing should be to implement an AI product or service without properly appreciating that it's the correct action to take. Once the end-result has been established, and you understand the why behind the AI, then it's a matter of proceeding in line with legal and ethical requirements, as well as your risk appetite.

While it is not a complete and final source for AI governance, the National Cyber Security Centre’s Guidelines for secure AI system development are a wonderful place to start. The document is reasonably simple to navigate, isn’t dense or overly technical, and for a non-technical person, it is very useful indeed. 

It is not a complete 'framework' document and should not be the only reading on the matter of AI governance. It does not contain any complicated workflows, fancy visuals, or colourful charts. What is does do is set out the technical and non-technical basics in a very grounded way. It provides practical and actionable guidance for developing and deploying AI systems, and is a must-read for AI legal and governance pros, as well as other executives and product managers.

The NCSC’s guidelines echo this and push for AI development in a responsible, secure, and ethical manner. It notes 4 key areas of focus. These are considered to be the critical aspects of AI governance and development:

1. Secure design: It starts with awareness, training and understanding risks. Think about performance and functionality. Spend time on due diligence.

2. Secure development: Review the supply chain appropriately. Engage in solid data and information governance.

3. Secure deployment: Security and continuous monitoring of infrastructure. Incident response plans. Making it easy to do the right thing.

4. Secure operation and maintenance: Ensure the system is working in line with expectations. Handle information in a lawful way. Make sure compliance operations are fit for purpose.

In terms of key takeaways: (i) the document is helpful because it touches on the overarching risk-based approach which should be the default setting for all companies; (ii) it also provides practical guidance and questions that developers and executives can and should be asking, and doesn't just provide a list of abstract concepts; and (iii) it is endorsed by numerous national agencies, all of whom grouped together to promote the importance of ethics and trustworthiness across the entire AI lifecycle.

So if we think about the whole point of AI regulation in general, the broad consensus globally is to protect people from harm. This could be harm in the form of inaccuracy of information, bias exercised against the person, breach of privacy or intellectual property rights. This is not an exhaustive list! In a world buzzing with AI regulations, white papers, and discussions from every direction, the NCSC guidelines might not be new or flashy, but they help to push the reset button in a meaningful way. If you want to reduce all the noise and get a good foundation for AI governance, then dive into these guidelines. They are an invaluable resource for anyone working with or thinking about AI.

Check out more posts to learn more about AI governance!