Model Auditing Guidelines for Data Teams

Internal Audit’s Essential AI Role In a recent presentation for the ISACA and IIA Nigeria I said – boldly no doubt! – that the most important thing that an auditor can do in the AI era is to provide assurance that the AI systems being used are explainable. After the session I received a message asking me how would someone audit an AI system for explainability – or what is more often referred to in the AI ecosystem as “interpretability” being the ability to understand the decision-making process of a model and how it arrives at its predictions. As I set out to write this evening a response I saw the below tweet from a person that I consider to be one of the leading rational voices on AI (and if you are not following him you are missing out) – being Ethan Mollick Associate Professor at Wharton where he studies the effects of AI on work, entrepreneurship, and education. With his equal confusion in mind that not even the AI companies can properly explain what they have made, I wondered how in the world would an audit team go about auditing interpretability. Here is my take based on ... guess what ... basic audit principles! ~ What’s the AI Model Actually Doing? ~ 1 - What decision is the AI helping make? Understand the business process it’s influencing. 2 - Who uses the output? Know which roles rely on the model to take action. 3 - Why was it built? Clarify the goal it was designed to achieve. 4 - Does it replace human judgment or support it? Know if AI is making or informing decisions. 5 - How often is it used? Frequent use increases the risk of unnoticed problems. ~ What Data Feeds the Model? ~ 6 - Do you know the data's origin and is it clean and recent? Outdated or messy data means unreliable results. 7 - Who owns the data? Check who’s responsible for its accuracy. 8 - Was the data tested for bias? Biased data can lead to unfair outcomes. 9 - What happens if the data is wrong? Assess the impact of bad inputs. ~ How Does the Model Actually Work? ~ 10 - Can someone explain the model in plain language? If not, that's a red flag. 11 - Are the most important factors clear? Know which inputs matter most. 12 - Can the outputs be challenged? Decisions shouldn’t be taken as final without review. ~ Who’s Involved in the Model Lifecycle? ~ 13 - Who built the model? Know the developer’s qualifications and intent. 14 - Who checks if it’s working properly? Ongoing monitoring is essential. 15 - Are the users trained? Users need to know how to interpret outputs. ~ Are There Proper Controls? ~ 16 - Is there documentation? Models should have clear instructions and records. 17 - Who can change the model? Restrict editing to approved people. ~ Can We Test It ? ~ 18 - Can you recreate a result? Audit needs repeatability. 19 - Can the Board understand the risk? If leadership can’t grasp it, the model isn’t ready. Have answers to all of these and your system is explainable. If not - keep trying!

Dear AI Auditors, Bias Testing for Machine Learning Models Bias creates risk long before anyone calls it out. Leaders rely on model outputs to make decisions about customers, pricing, hiring, and access. Your audit tests whether fairness exists by design or by assumption. You keep the approach disciplined. You focus on evidence. 📌 Define the decision and affected groups You identify what the model decides or influences. You determine who feels the impact. You confirm that leadership understands potential harm. You avoid testing bias in isolation from context. 📌 Review training data composition You analyze source datasets. You check representation across key attributes. You identify imbalances, gaps, and proxies. You flag historical data that embeds past inequities. 📌 Evaluate feature selection You review features used by the model. You test correlation with protected attributes. You highlight indirect signals that drive biased outcomes. You focus on features that teams rarely question. 📌 Test fairness metrics You confirm that the fairness criteria exist. You review the metrics used. You test results across groups. You flag models with no measurable fairness standards. 📌 Assess model performance by segment You compare accuracy and error rates across populations. You identify disparities hidden by overall performance scores. You show leaders where risk concentrates. 📌 Review bias mitigation controls You evaluate techniques used to reduce bias. You review retraining practices. You confirm controls run regularly. You flag one-time tests treated as permanent fixes. 📌 Validate governance and accountability You review approval processes for bias risk. You confirm ownership for monitoring. You test escalation paths. You flag unclear accountability. 📌 Inspect production monitoring You test whether bias is monitored after deployment. You review alerts and thresholds. You identify models running without oversight. 📌 Close with decision-level reporting You translate bias findings into legal, reputational, and operational risk. You show leaders what changes protect trust and compliance. #AIAudit #ModelBias #CyberVerge #ResponsibleAI #ITAudit #InternalAudit #AICompliance #DataGovernance #RiskManagement #TechLeadership #GRC #MachineLearning

Many AI governance frameworks assume you're building the model. But what if you're not? If your organization deploys, integrates, or operates AI systems built by someone else, you've probably noticed the guidance gap. You're on the hook for responsible use but the playbooks are written for teams with access to training data and model weights you'll never see. ISO/IEC 42001 and ETSI EN 304 223 are different. Both explicitly recognize that AI governance isn't just a developer problem. I wrote up a practical breakdown of how these two standards work together: → ISO 42001 gives you the management system: policies, risk assessments, roles, audit cycles → EN 304 223 gives you the security specifics: threat modeling, access controls, supply chain requirements, secure decommissioning Neither is perfect alone. Together, they get you closer to an AI governance program that's defensible, auditable, and actually implementable. The post covers: ✅ What each standard does (and doesn't do) ✅ Where they complement each other ✅ The gaps you'll still need to fill ✅ Practical steps to get started If you're in legal, compliance, privacy, or security and you're trying to figure out how to govern AI systems you didn't build, this is for you. Link in comments 👇 #AIGovernance #ResponsibleAI #ISO42001 #Compliance #Privacy #AIRisk

If you’re stepping into AI governance and wondering where to begin, this is your first map. 📘 The Artificial Intelligence Auditing Framework by The The Institute of Internal Auditors Inc. is foundational — and that’s exactly why it works. It doesn’t assume expertise. It doesn’t skip steps. It builds a shared understanding of how auditors can engage with AI in a responsible, structured way. 🛠️ Why is it worth your time? It translates AI risks into familiar audit terms — roles, controls, governance, assurance. It offers basic but comprehensive coverage of the most critical areas: Where and how to start mapping AI use in your organization What questions to ask across departments (especially when no formal AI policy exists) How to build a central AI inventory What to include in an acceptable use policy How to integrate AI into enterprise risk management Where the auditor fits in both advisory and assurance roles What the C-suite and Board need to hear — and how to say it 🔍 Inside the framework you'll find: ✅ Part 1 – Overview Covers AI history, adoption levels, and common architectures Explains key concepts like Reactive vs Limited Memory AI, and why they matter to auditors ✅ Part 2 – Getting Started Practical tools for identifying AI use across your organization Prompts for conversations with IT, legal, data teams, and the C-suite Tips on building AI inventories, classifying risks, and using the Three Lines Model ✅ Part 3 – AI Auditing Framework Outlines roles for Governance, Management, and Internal Audit Breaks down strategy, data governance, cybersecurity, vendor risk, and internal controls Links to COBIT, COSO, ISO 42001, and NIST AI RMF Aligns with assurance goals without overwhelming practitioners ✅ Part 4 – Practitioner’s Guide & Checklist A plain-language checklist to scope, assess, and document AI maturity and gaps Includes concrete action items like reviewing audit logs, inventorying use cases, and evaluating explainability === Did you like this post? Connect or Follow 🎯 Jakub Szarmach Want to see all my posts? Ring that 🔔.

𝐌𝐨𝐬𝐭 𝐀𝐈 𝐟𝐚𝐢𝐥𝐮𝐫𝐞𝐬 𝐚𝐫𝐞 𝐧𝐨𝐭 𝐓𝐞𝐜𝐡𝐧𝐢𝐜𝐚𝐥, 𝐓𝐡𝐞𝐲 𝐚𝐫𝐞 𝐀𝐈 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞 𝐅𝐚𝐢𝐥𝐮𝐫𝐞𝐬. Here are the 10 Principles that prevent costly Production Disasters: 𝟏.𝐏𝐑𝐎𝐌𝐏𝐓 𝐚𝐧𝐝 𝐌𝐎𝐃𝐄𝐋 𝐋𝐈𝐍𝐄𝐀𝐆𝐄 & 𝐕𝐄𝐑𝐒𝐈𝐎𝐍𝐈𝐍𝐆 • Version data, prompt code, and models (MLflow, DVC) • Track data sources and transformations • Support rollback and A/B testing 𝟐. 𝐂𝐋𝐄𝐀𝐑 𝐀𝐂𝐂𝐎𝐔𝐍𝐓𝐀𝐁𝐈𝐋𝐈𝐓𝐘 • Define RACI with escalation paths • Log decisions tied to model versions • Add approval gates at deploy and monitor stages 𝟑. 𝐑𝐄𝐀𝐋-𝐓𝐈𝐌𝐄 𝐎𝐁𝐒𝐄𝐑𝐕𝐀𝐁𝐈𝐋𝐈𝐓𝐘 • Monitor data, prediction, and concept drift • Set SLO alerts before performance drops • Maintain feedback loops with full lineage 𝟒. 𝐂𝐑𝐎𝐒𝐒-𝐅𝐔𝐍𝐂𝐓𝐈𝐎𝐍𝐀𝐋 𝐆𝐎𝐕𝐄𝐑𝐍𝐀𝐍𝐂𝐄 • Run regular AI risk and ethics reviews • Use NIST AI RMF for risk assessment • Gate high-risk models before launch 𝟓. 𝐅𝐀𝐈𝐑𝐍𝐄𝐒𝐒 & 𝐁𝐈𝐀𝐒 𝐓𝐄𝐒𝐓𝐈𝐍𝐆 • Audit fairness across protected groups • Monitor subgroup performance drift • Define acceptable parity metrics 𝟔. 𝐒𝐀𝐅𝐄 𝐅𝐀𝐈𝐋𝐔𝐑𝐄 𝐃𝐄𝐒𝐈𝐆𝐍 • Use circuit breakers and rule-based fallbacks • Enable fast rollout and rollback • Keep human workflows for edge cases 𝟕. 𝐒𝐋𝐎𝐬 𝐋𝐈𝐍𝐊𝐄𝐃 𝐓𝐎 𝐁𝐔𝐒𝐈𝐍𝐄𝐒𝐒 𝐊𝐏𝐈𝐬 • Define SLOs for latency, accuracy, and cost • Trigger alerts based on business impact • Automate fixes when limits are breached 𝟖. 𝐃𝐀𝐓𝐀 𝐆𝐎𝐕𝐄𝐑𝐍𝐀𝐍𝐂𝐄 & 𝐐𝐔𝐀𝐋𝐈𝐓𝐘 • Enforce data contracts and quality checks • Validate data before inference • Retrain when drift crosses limits 𝟗. 𝐄𝐗𝐏𝐋𝐀𝐈𝐍𝐀𝐁𝐈𝐋𝐈𝐓𝐘 & 𝐀𝐔𝐃𝐈𝐓𝐀𝐁𝐈𝐋𝐈𝐓𝐘 • Use SHAP/LIME for black-box models • Maintain model cards and datasheets • Log feature attributions for audits 𝟏𝟎. 𝐇𝐔𝐌𝐀𝐍-𝐈𝐍-𝐓𝐇𝐄-𝐋𝐎𝐎𝐏 • Provide ranked outputs with confidence • Capture human corrections • Define SLAs for manual review 𝐖𝐇𝐀𝐓 𝐓𝐄𝐀𝐌𝐒 𝐆𝐄𝐓 𝐖𝐑𝐎𝐍𝐆 They treat Governance as Paperwork, not Infrastructure. 𝐑𝐞𝐬𝐮𝐥𝐭: • Models deployed without lineage tracking • No Accountability when Failures occur • Drift goes undetected for Months • Bias discovered after impact • No rollback capability 𝐌𝐘 𝐑𝐄𝐂𝐎𝐌𝐌𝐄𝐍𝐃𝐀𝐓𝐈𝐎𝐍 Before production, verify: ✓ Lineage tracked? ✓ Accountability defined? ✓ Observability configured? ✓ Cross-functional review complete? ✓ Fairness tested? ✓ Failure modes designed? ✓ SLOs linked to KPIs? ✓ Data governance enforced? ✓ Explainability implemented? ✓ Human review defined? 𝐖𝐡𝐢𝐜𝐡 𝐩𝐫𝐢𝐧𝐜𝐢𝐩𝐥𝐞 𝐚𝐫𝐞 𝐲𝐨𝐮 𝐦𝐢𝐬𝐬𝐢𝐧𝐠? ♻️ Repost this to help your network get started ➕ Follow Anurag(Anu) Karuparti for more PS: If you found this valuable, join my weekly newsletter where I document the real-world journey of AI transformation. ✉️ Free subscription: https://lnkd.in/exc4upeq #GenAI #AIAgents #AIGovernance