AAIA · Question #47
Which of the following is the MOST important course of action for an organization prior to allowing end users to utilize an AI tool?
The correct answer is A. Develop an AI policy with guidelines on appropriate use.. Before end users can safely use an AI tool, an organization must establish a governing AI policy that defines acceptable use, responsibilities, and boundaries. This foundational governance step is required before any operational or technical measures can be meaningfully applied.
Question
Which of the following is the MOST important course of action for an organization prior to allowing end users to utilize an AI tool?
Options
- ADevelop an AI policy with guidelines on appropriate use.
- BDetermine the impact to the disaster recovery plan (DRP).
- CImplement baseline performance metrics.
- DEnsure a cybersecurity insurance clause is in place to include the use of AI.
How the community answered
(69 responses)- A88% (61)
- B3% (2)
- C1% (1)
- D7% (5)
Why each option
Before end users can safely use an AI tool, an organization must establish a governing AI policy that defines acceptable use, responsibilities, and boundaries. This foundational governance step is required before any operational or technical measures can be meaningfully applied.
An AI policy establishes the governance framework that defines how AI tools may and may not be used, who is responsible, what data is permissible to input, and what oversight is required. Without this policy, end users lack guidance on appropriate behavior, and the organization has no enforceable standard against which to assess risk or compliance. Policy creation is the foundational prerequisite that enables all other AI controls to function effectively.
Updating the disaster recovery plan is an important but secondary operational consideration that should follow policy establishment, not precede user access.
Baseline performance metrics are operational controls that are important after deployment but are not the most critical prerequisite before allowing user access.
Cybersecurity insurance is a risk transfer mechanism, not a risk control, and does not substitute for governance policy as a prerequisite for safe AI use.
Concept tested: AI governance policy as prerequisite for deployment
Source: https://www.isaca.org/resources/news-and-trends/industry-news/2023/developing-an-ai-policy-a-practical-guide
Topics
Community Discussion
No community discussion yet for this question.