DOJ Sets its Sights on AI
On September 23rd, 2024, the Department of Justice (DOJ) released updates to its Evaluation of Corporate Compliance Programs guidelines (“guidelines”) with a keen eye on the governance, monitoring, and oversight of Artificial Intelligence (AI) across organizations. Initially published in 2017, the guidelines are intended for federal prosecutors to utilize when assessing the efficacy of a compliance program and its underpinning controls. The DOJ has made several updates to the guidelines which transparently outline what it expects from an effective compliance program; companies should utilize the guidance to inform the design, execution, and evolution of their compliance programs.
Emerging risks, particularly technology and artificial intelligence, were key themes in the 2024 updates. Points to highlight:
Is your risk assessment adequately identifying and integrating emerging risks, including technologies, to ensure capture in the enterprise risk framework?
Does the technology selection process sufficiently assess risks the new technology presents? Does the governance process include identification of mitigants and are the new risks / exposures making their way into the risk framework?
With respect to AI, are use cases understood, are ethical implications identified and deterrents in place to mitigate misuse and insider threat?
What monitoring and oversight are in place with respect to use of AI? What human decision making is integrated into the execution and oversight processes?
The concept of “Proportionate Resource Allocation” with respect to technology assets was introduced; meaning is the funding for technology assets and resources deployed in a balanced manner between the compliance and risk management functions versus the business for commercial purposes? This will be a thorny issue for companies to grapple with as ‘proportionate’ is very subjective and could vary significantly based on internal and external events. As a practical matter, chief risk and compliance officers can ponder the question - Are the businesses operating on Lamborghini-like technology while the control functions get by with the Kia Rio?
Other items not to lose sight of in the updates include reinforcing the usage of ‘lessons learned’ in evolving compliance program design, oversight, training, and policies as well as strengthening the expectations on whistleblower protection and anti-retaliation policies.
Check out RCG Consulting’ July blog on AI for tips on getting your program ready:
