Artificial intelligence is becoming increasingly involved in everyday decision-making, often in ways that are not immediately visible. As AI systems become more influential, organisations need to understand not only what these systems can do, but also how they should be governed.
In this session, Greg Hutchins explores the growing importance of AI governance, trust, risk, assurance, and the rules of engagement for autonomous decision-making. Drawing on first-hand stories of AI risk-based decision-making, this presentation offers a practical look at how organisations can better manage AI systems and prepare for the future of AI assurance.
Professor Kahyaoglu is an Associate Professor of Finance at the Accounting and Finance Department of Izmir Bakircay University as well as the Edior and Chief of the ACG Journal. Her professional and academic interests include financial markets and instruments, applied econometrics, energy markets, corporate governance, risk management, fraud accounting, sustainable finance, ethics, and auditing.
Greg Hutchins is an author and risk management expert whose work focuses on AI governance, AI risk, ISO-based management systems, auditing, and assurance. He is the author of several books on AI governance, AI risk management, ISO 42001, enterprise risk management, and value-added auditing.
The strategic landscape of organizational oversight is undergoing a seismic shift as we move from predictable IT environments to the era of autonomous decision-making. The transition from causal data relationships to “black box” AI necessitates a radical departure from traditional governance.
Unlike previous technological shifts, modern AI represents a move from Informational systems—where a user can choose to accept or reject data—to Decisional systems, which are increasingly baked into the very fabric of national and corporate infrastructure.
This loss of the traditional audit trail demands a multifaceted governance approach categorized into four strategic levels:
The Essential Ingredients of Trust
Decision-Making Systems: A Strategic Comparison
Feature | Traditional Causal Systems | Generative AI Black Boxes |
|---|---|---|
Data Relationship | Highly Causal / Correlative | Unknown / Hallucinatory |
Audit Trail | Verifiable connection (Input to Output) | Opaque; the “Logic Gap” |
System Nature | Informational (User-vetted) | Decisional (Infrastructure-integrated) |
Output Integrity | Predictable and verifiable | Capable of lying, cheating, blackmailing, or resisting shutdowns |
To manage this new uncertainty, organizations must adopt the AI Assurance Stack, a bespoke framework designed to answer three key questions:
The AI Risk Management Spectrum
The Human-Centric Control Hierarchy
Critical Action Items for Auditors
Term | Definition |
|---|---|
AI Agency | The degree of autonomy, freedom, and purpose an individual maintains when interacting with AI systems and surveillance. |
AI Sovereignty | The level of governance regarding who controls the historical narrative, cultural messaging, and legal context of a nation through AI. |
AIMS | Artificial Intelligence Management System; a structured framework (like ISO 42001) for organizational AI oversight. |
Black Box | A system where the internal workings are unknown or opaque, making it impossible to see how inputs are transformed into outputs. |
Conformity Assessment | A process, often involving third-party auditing, to verify that an AI system meets specific regulatory or safety standards (e.g., the CE mark). |
Human in the Loop | A control state where a human acts as an intermediary or facilitator in every transaction between the machine and the outcome. |
Human on the Loop | A control state where a human acts as an architect or designer, overseeing the process and interpreting the machine’s diagnostics. |
Human over the Loop | A high-level control state where humans maintain absolute command and oversight, preventing machines from accessing critical functions. |
ISO 42001 | The international auditable standard for AI management systems, used to establish trust through certification. |
NIST AI RMF | The National Institute of Standards and Technology’s Artificial Intelligence Risk Management Framework; a comprehensive U.S. guide for managing AI risks. |
RAG (Retrieval-Augmented Generation) | A technical mechanism used to ensure data inputted into an AI system is known and controllable, helping to verify the fidelity of outputs. |
Techno-Colonialism | A phenomenon where dominant technical powers exert control over other nations through the dependency on their AI software and infrastructure. |
Link to the policy: GGA Privacy Policy 2021
The Good Governance Academy (“GGA”) strives for transparency and trust when it comes to protecting your privacy and we aim to clearly explain how we collect and process your information.
It’s important to us that you should enjoy using our products, services and website(s) without compromising your privacy in any way. The policy outlines how we collect and use different types of personal and behavioural information, and the reasons for doing so. You have the right to access, change or delete your personal information at any time and you can find out more about this and your rights by contacting the GGA, clicking on the “CONTACT” menu item or using the details at the bottom of the page.
The policy applies to “users” (or “you”) of the GGA website(s) or any GGA product or service; that is anyone attending, registering or interacting with any product or service from the GGA. This includes event attendees, participants, registrants, website users, app users and the like.
Our policies are updated from time-to-time. Please refer back regularly to keep yourself updated.