# Week 12: Technology Governance & Ethics II - Regulation & Implementation

## MBA 590 - Advanced AI Strategy: Prompting and Agentic Frameworks

---

## Overview

Building on last week's foundation of ethical frameworks and principles, this week focuses on the practical aspects of implementing governance: understanding regulatory requirements, conducting bias audits, implementing privacy controls, and establishing human oversight mechanisms. We'll examine real-world regulatory landscapes and translate compliance requirements into operational practices.

### Key Topics
- Global AI regulation landscape (EU AI Act, GDPR, US approaches)
- Implementing bias audits and fairness testing
- Transparency reporting and documentation
- Data privacy controls and security protocols
- Human oversight and human-in-the-loop design
- Compliance monitoring and auditing

## Learning Objectives

By the end of this week, you will be able to:

1. Navigate key regulatory requirements for AI systems globally
2. Conduct bias audits and implement fairness testing
3. Design transparency reporting mechanisms
4. Implement data privacy and security controls
5. Establish effective human oversight mechanisms
6. Create compliance monitoring systems
7. Develop incident response protocols for AI systems

## Academic Readings

1. **European Parliament. (2024).** *EU AI Act: First Regulation on Artificial Intelligence.* (Focus on risk categories and business implications)

2. **Rajpurkar, P., Chen, E., Banerjee, O., & Topol, E. J. (2022).** *AI in health and medicine.* Nature Medicine, 28(1), 31-38. (Discusses regulatory and ethical challenges in a specific high-stakes domain)

```python
# Setup
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
import seaborn as sns
from typing import List, Dict, Tuple
import json
from datetime import datetime, timedelta

# Set style for visualizations
plt.style.use('seaborn-v0_8-darkgrid')
sns.set_palette('Set2')

print('Libraries imported successfully')
```

## 1. Global AI Regulation Landscape

### A. European Union: AI Act

**World's first comprehensive AI regulation** (enacted 2024)

**Risk-Based Approach**:

**Unacceptable Risk** (Banned):
- Social scoring by governments
- Subliminal manipulation causing harm
- Exploitation of vulnerable groups
- Real-time biometric identification in public (limited exceptions)

**High Risk** (Strict Requirements):
- Biometric identification
- Critical infrastructure
- Education and employment
- Essential services (credit scoring, insurance)
- Law enforcement
- Migration and border management
- Justice administration

**Requirements for High-Risk Systems**:
- Risk assessment and mitigation
- High-quality training data
- Activity logging and traceability
- Transparency and user information
- Human oversight measures
- Accuracy, robustness, cybersecurity

**Penalties**: Up to €35M or 7% of global revenue

### B. GDPR (Still Applies)

**Key Provisions for AI**:
- Right to explanation for automated decisions
- Data minimization principles
- Purpose limitation
- Consent requirements
- Right to be forgotten
- Data protection impact assessments (DPIA)

### C. United States Approach

**Federal Level**:
- No comprehensive federal AI law (yet)
- Executive Order on Safe, Secure AI (Oct 2023)
- NIST AI RMF (voluntary)
- Sector-specific regulations (finance, healthcare, etc.)

**State Level**:
- California: CCPA/CPRA (privacy)
- Colorado AI Act (enacted 2024)
- New York City: Automated Employment Decision Tools law
- Illinois: Biometric Information Privacy Act

### D. Other Jurisdictions

**China**: 
- Algorithm Recommendation Regulations
- Deep Synthesis Regulations
- Focus on content control and social stability

**Canada**: 
- Artificial Intelligence and Data Act (AIDA) - proposed
- Risk-based approach similar to EU

**UK**: 
- Sector-specific approach
- Focus on existing regulators adapting to AI

```python
# Regulatory landscape comparison

regulations = {
    'Jurisdiction': ['EU', 'EU', 'US Federal', 'US State', 'China', 'Canada', 'UK'],
    'Regulation': [
        'AI Act',
        'GDPR',
        'Executive Order',
        'State Laws (Various)',
        'Algorithm Regulations',
        'AIDA (Proposed)',
        'Sector Approach'
    ],
    'Status': ['Enacted', 'Enacted', 'Active', 'Varies', 'Enacted', 'Proposed', 'Developing'],
    'Scope': ['Comprehensive', 'Data Privacy', 'High-Risk AI', 'Specific Issues', 'Content Control', 'Comprehensive', 'Sector-Specific'],
    'Approach': ['Risk-Based', 'Rights-Based', 'Voluntary+Sector', 'Patchwork', 'Control-Based', 'Risk-Based', 'Adaptive'],
    'Penalties': ['€35M or 7%', '€20M or 4%', 'Varies', 'Varies', 'Severe', 'TBD', 'Sector-dependent'],
    'Business_Impact': ['Very High', 'Very High', 'Medium', 'Medium', 'High', 'High', 'Medium']
}

df_regulations = pd.DataFrame(regulations)

print("GLOBAL AI REGULATION LANDSCAPE")
print("="*80)
print(df_regulations.to_string(index=False))

print("\n" + "="*80)
print("KEY INSIGHTS:")
print("- EU has most comprehensive AI-specific regulation")
print("- US approach is fragmented across federal/state/sector")
print("- GDPR remains critical for data privacy in AI systems")
print("- Global operations require multi-jurisdiction compliance strategy")
```

```python
# Compliance requirement mapping tool

def assess_compliance_requirements(use_case: str,
                                  jurisdictions: List[str],
                                  processes_personal_data: bool,
                                  high_risk_use: bool,
                                  automated_decisions: bool) -> Dict:
    """
    Assess regulatory compliance requirements for an AI system.
    
    Parameters:
    - use_case: Description of the AI system
    - jurisdictions: List of jurisdictions (e.g., ['EU', 'US', 'China'])
    - processes_personal_data: Whether system processes personal data
    - high_risk_use: Whether use case falls into high-risk categories
    - automated_decisions: Whether system makes automated decisions about individuals
    """
    requirements = []
    
    # EU requirements
    if 'EU' in jurisdictions:
        if high_risk_use:
            requirements.extend([
                'EU AI Act: High-risk system requirements',
                'EU AI Act: Conformity assessment',
                'EU AI Act: CE marking',
                'EU AI Act: Registration in EU database'
            ])
        if processes_personal_data:
            requirements.extend([
                'GDPR: Data Protection Impact Assessment',
                'GDPR: Legal basis for processing',
                'GDPR: Data subject rights (access, deletion, etc.)'
            ])
        if automated_decisions:
            requirements.append('GDPR: Right to explanation for automated decisions')
    
    # US requirements
    if 'US' in jurisdictions:
        if processes_personal_data:
            requirements.extend([
                'US: Review state privacy laws (CCPA, CPRA, etc.)',
                'US: Sector-specific regulations (HIPAA, FCRA, etc.)'
            ])
        # Substring match so "employment", "employee", "employer" all trigger the check
        if 'employ' in use_case.lower():
            requirements.append('US: NYC Automated Employment Decision Tools law (if applicable)')
    
    # China requirements
    if 'China' in jurisdictions:
        requirements.extend([
            'China: Algorithm filing requirements',
            'China: Content moderation obligations'
        ])
    
    # Universal requirements
    if high_risk_use or automated_decisions:
        requirements.extend([
            'Best Practice: Bias testing and fairness audits',
            'Best Practice: Model documentation and transparency',
            'Best Practice: Human oversight mechanisms'
        ])
    
    return {
        'use_case': use_case,
        'jurisdictions': jurisdictions,
        'total_requirements': len(requirements),
        'requirements': requirements,
        'compliance_complexity': 'High' if len(requirements) > 8 else 'Medium' if len(requirements) > 4 else 'Low'
    }

# Example assessment
example = assess_compliance_requirements(
    use_case="AI-powered resume screening for employment decisions",
    jurisdictions=['EU', 'US'],
    processes_personal_data=True,
    high_risk_use=True,
    automated_decisions=True
)

print("\nCOMPLIANCE ASSESSMENT EXAMPLE")
print("="*80)
print(f"Use Case: {example['use_case']}")
print(f"Jurisdictions: {', '.join(example['jurisdictions'])}")
print(f"Compliance Complexity: {example['compliance_complexity']}")
print(f"\nTotal Requirements: {example['total_requirements']}")
print("\nDetailed Requirements:")
for i, req in enumerate(example['requirements'], 1):
    print(f"{i}. {req}")
```

## 2. Implementing Bias Audits

### Bias Audit Process

**Step 1: Identify Protected Attributes**
- Race/ethnicity
- Gender
- Age
- Disability status
- Religion
- Other legally protected categories

**Step 2: Define Fairness Metrics**

**Demographic Parity**: Equal positive outcome rates across groups
- P(Ŷ=1|A=0) = P(Ŷ=1|A=1)

**Equal Opportunity**: Equal true positive rates across groups
- P(Ŷ=1|Y=1,A=0) = P(Ŷ=1|Y=1,A=1)

**Equalized Odds**: Equal TPR and FPR across groups
- Equal opportunity + equal false positive rates

**Calibration**: Predictions equally accurate across groups
- P(Y=1|Ŷ=p,A=0) = P(Y=1|Ŷ=p,A=1)

**Step 3: Collect Disaggregated Data**

**Step 4: Calculate Metrics by Group**

**Step 5: Assess Disparities**
- Compare metrics across groups
- Apply thresholds (e.g., 80% rule, <10% difference)

**Step 6: Investigate Root Causes**

**Step 7: Implement Mitigations**
- Pre-processing: Adjust training data
- In-processing: Fairness constraints during training
- Post-processing: Adjust predictions

**Step 8: Document and Monitor**

```python
# Bias audit simulation

# Generate synthetic hiring data for demonstration
np.random.seed(42)
n_samples = 1000

# Simulate biased hiring outcomes
data = {
    'applicant_id': range(1, n_samples + 1),
    'gender': np.random.choice(['Male', 'Female'], n_samples, p=[0.6, 0.4]),
    'ethnicity': np.random.choice(['Group A', 'Group B', 'Group C'], n_samples, p=[0.5, 0.3, 0.2]),
    'qualifications_score': np.random.normal(70, 15, n_samples),
}

df = pd.DataFrame(data)
df['qualifications_score'] = df['qualifications_score'].clip(0, 100)

# Simulate biased predictions (gender bias)
# Males get 5-point boost, some ethnicities get different treatment
df['adjusted_score'] = df['qualifications_score'].copy()
df.loc[df['gender'] == 'Male', 'adjusted_score'] += 5
df.loc[df['ethnicity'] == 'Group C', 'adjusted_score'] -= 3

# Hiring decision based on adjusted score
threshold = 75
df['predicted_hire'] = (df['adjusted_score'] >= threshold).astype(int)
df['actual_hire'] = (df['qualifications_score'] >= 73).astype(int)  # True criterion

print("BIAS AUDIT: HIRING ALGORITHM")
print("="*80)
print(f"Total Applicants: {len(df)}")
print(f"Hiring Threshold: {threshold}")
print(f"\nSample Data:")
print(df.head(10).to_string(index=False))
```

```python
# Calculate fairness metrics by group

def calculate_fairness_metrics(df: pd.DataFrame, protected_attr: str) -> pd.DataFrame:
    """
    Calculate key fairness metrics for each group in a protected attribute.
    """
    metrics = []
    
    for group in df[protected_attr].unique():
        group_data = df[df[protected_attr] == group]
        
        # Selection rate (demographic parity)
        selection_rate = group_data['predicted_hire'].mean()
        
        # True positive rate (equal opportunity): share of actual positives predicted positive
        actual_positives = group_data[group_data['actual_hire'] == 1]
        tpr = actual_positives['predicted_hire'].mean() if len(actual_positives) > 0 else 0
        
        # False positive rate: share of actual negatives predicted positive
        actual_negatives = group_data[group_data['actual_hire'] == 0]
        fpr = actual_negatives['predicted_hire'].mean() if len(actual_negatives) > 0 else 0
        
        # Precision: share of predicted positives that are actual positives
        predicted_positives = group_data[group_data['predicted_hire'] == 1]
        precision = predicted_positives['actual_hire'].mean() if len(predicted_positives) > 0 else 0
        
        metrics.append({
            'Group': group,
            'Count': len(group_data),
            'Selection_Rate': selection_rate,
            'True_Positive_Rate': tpr,
            'False_Positive_Rate': fpr,
            'Precision': precision
        })
    
    return pd.DataFrame(metrics)

# Analyze by gender
gender_metrics = calculate_fairness_metrics(df, 'gender')
print("\n" + "="*80)
print("FAIRNESS METRICS BY GENDER")
print("="*80)
print(gender_metrics.to_string(index=False))

# Calculate disparities
male_selection = gender_metrics[gender_metrics['Group'] == 'Male']['Selection_Rate'].values[0]
female_selection = gender_metrics[gender_metrics['Group'] == 'Female']['Selection_Rate'].values[0]
disparity_ratio = female_selection / male_selection if male_selection > 0 else 0

print("\nDemographic Parity Analysis:")
print(f"  Male Selection Rate: {male_selection:.1%}")
print(f"  Female Selection Rate: {female_selection:.1%}")
print(f"  Disparity Ratio: {disparity_ratio:.2f}")
print(f"  80% Rule: {'PASS' if disparity_ratio >= 0.8 else 'FAIL'}")

# Analyze by ethnicity
ethnicity_metrics = calculate_fairness_metrics(df, 'ethnicity')
print("\n" + "="*80)
print("FAIRNESS METRICS BY ETHNICITY")
print("="*80)
print(ethnicity_metrics.to_string(index=False))
```

```python
# Visualize bias audit results

fig, axes = plt.subplots(1, 2, figsize=(15, 6))

# Gender comparison
metrics_to_plot = ['Selection_Rate', 'True_Positive_Rate', 'Precision']
x = np.arange(len(metrics_to_plot))
width = 0.35

male_values = gender_metrics[gender_metrics['Group'] == 'Male'][metrics_to_plot].values[0]
female_values = gender_metrics[gender_metrics['Group'] == 'Female'][metrics_to_plot].values[0]

axes[0].bar(x - width/2, male_values, width, label='Male', alpha=0.8)
axes[0].bar(x + width/2, female_values, width, label='Female', alpha=0.8)
axes[0].set_ylabel('Rate', fontweight='bold')
axes[0].set_title('Fairness Metrics by Gender', fontweight='bold', fontsize=14)
axes[0].set_xticks(x)
axes[0].set_xticklabels(['Selection\nRate', 'True Positive\nRate', 'Precision'])
axes[0].axhline(y=0.8, color='red', linestyle='--', alpha=0.5, label='80% threshold')
# Build the legend after the threshold line is drawn so its label is included
axes[0].legend()
axes[0].grid(True, alpha=0.3, axis='y')
axes[0].set_ylim(0, 1)

# Ethnicity comparison
ethnicity_metrics.plot(x='Group', y='Selection_Rate', kind='bar', ax=axes[1], legend=False, alpha=0.8)
axes[1].set_ylabel('Selection Rate', fontweight='bold')
axes[1].set_xlabel('Ethnicity Group', fontweight='bold')
axes[1].set_title('Selection Rate by Ethnicity', fontweight='bold', fontsize=14)
axes[1].axhline(y=df['predicted_hire'].mean(), color='red', linestyle='--', alpha=0.5, label='Overall Rate')
axes[1].legend()
axes[1].grid(True, alpha=0.3, axis='y')
axes[1].set_ylim(0, 1)
axes[1].tick_params(axis='x', rotation=0)

plt.tight_layout()
plt.show()

print("\nBIAS AUDIT FINDINGS:")
print("- Gender bias detected: Males have higher selection rate")
print("- Ethnicity bias detected: Group C has lower selection rate")
print("- Recommendation: Implement debiasing techniques and re-audit")
```

## 3. Transparency and Documentation

### Model Cards

Standardized documentation for ML models:

**Required Sections**:
1. **Model Details**: Version, type, architecture, developer
2. **Intended Use**: Primary use cases, out-of-scope uses
3. **Training Data**: Sources, size, preprocessing, limitations
4. **Performance**: Metrics by subgroup, test conditions
5. **Fairness Assessment**: Bias testing results
6. **Limitations**: Known issues, failure modes
7. **Ethical Considerations**: Risks, mitigation strategies
8. **Recommendations**: Deployment guidance, monitoring needs

### Transparency Reporting

**Internal Reporting**:
- Regular bias audits
- Performance monitoring
- Incident tracking
- Compliance attestations

**External Reporting** (as required):
- Public model cards
- Impact assessments
- Algorithmic transparency reports
- Regulatory filings

```python
# Model card template

model_card_template = {
    "model_details": {
        "name": "Resume Screening Model v2.1",
        "version": "2.1.0",
        "date": "2025-11-17",
        "model_type": "Binary Classification (LLM-based)",
        "developer": "HR Technology Team",
        "contact": "ai-ethics@company.com"
    },
    "intended_use": {
        "primary_uses": [
            "Initial screening of job applications",
            "Ranking candidates for human review"
        ],
        "primary_users": ["HR recruiters", "Hiring managers"],
        "out_of_scope": [
            "Final hiring decisions (requires human review)",
            "Performance evaluation of existing employees",
            "Use outside of hiring context"
        ]
    },
    "training_data": {
        "sources": "Historical hiring data 2020-2024",
        "size": "50,000 applications",
        "preprocessing": "PII removal, standardization, deduplication",
        "limitations": "Historical data may reflect past biases"
    },
    "performance": {
        "overall_metrics": {
            "accuracy": 0.82,
            "precision": 0.78,
            "recall": 0.85,
            "f1_score": 0.81
        },
        "performance_by_group": "See fairness assessment section"
    },
    "fairness_assessment": {
        "bias_testing_date": "2025-11-01",
        "protected_attributes_tested": ["gender", "ethnicity", "age"],
        "findings": "Initial bias detected and mitigated. Current system meets 80% rule.",
        "ongoing_monitoring": "Monthly bias audits"
    },
    "limitations": [
        "May not generalize to roles significantly different from training data",
        "Requires periodic retraining to avoid drift",
        "Cannot assess soft skills or cultural fit",
        "English language only"
    ],
    "ethical_considerations": {
        "risks": [
            "Potential for bias amplification",
            "Privacy concerns with applicant data",
            "Over-reliance on automated screening"
        ],
        "mitigations": [
            "Regular bias audits and retraining",
            "Strict data governance and access controls",
            "Mandatory human review for all final decisions",
            "Candidate appeal process"
        ]
    },
    "recommendations": {
        "deployment": "Use as decision support only, not autonomous decision-making",
        "monitoring": "Monthly performance and bias monitoring",
        "human_oversight": "All recommendations reviewed by trained HR staff",
        "retraining": "Quarterly model updates with bias testing"
    }
}

print("MODEL CARD EXAMPLE")
print("="*80)
print(json.dumps(model_card_template, indent=2))
```

## 4. Data Privacy and Security Controls

### Privacy Controls

**1. Data Minimization**
- Collect only necessary data
- Limit retention periods
- Regular data purging

**2. Purpose Limitation**
- Use data only for stated purposes
- Obtain consent for new uses
- Document all use cases

**3. Access Controls**
- Role-based access (RBAC)
- Principle of least privilege
- Access logging and auditing

**4. Anonymization/Pseudonymization**
- Remove direct identifiers
- Aggregate data where possible
- Assess re-identification risks

**5. Encryption**
- Data at rest encryption
- Data in transit encryption
- Key management procedures

**6. Data Subject Rights**
- Access requests
- Correction/deletion
- Portability
- Objection to processing
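
The anonymization/pseudonymization items above (remove direct identifiers, aggregate where possible, assess re-identification risk) can be checked mechanically before a dataset is released for model training. The following is an added example, not part of the original notebook: the `age` and `zip` fields, the demo key, and all applicant records are constructed for illustration, and k-anonymity is used here as one common way to measure re-identification risk.

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo key. In practice the key comes from the organization's
# key-management procedure and is stored apart from the released data.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Quasi-identifiers: harmless alone, identifying in combination.
QUASI_IDENTIFIERS = ("age_band", "zip3", "gender")


def pseudonymize_id(applicant_id, key):
    """Keyed pseudonym (HMAC-SHA256): stable for joins across tables,
    but not recomputable from applicant_id without the key."""
    return hmac.new(key, str(applicant_id).encode(), hashlib.sha256).hexdigest()


def generalize(record, key):
    """Drop direct identifiers (name, email), replace the ID with a pseudonym,
    and coarsen age to a 10-year band and ZIP to its first three digits."""
    decade = (record["age"] // 10) * 10
    return {
        "pid": pseudonymize_id(record["applicant_id"], key),
        "age_band": f"{decade}-{decade + 9}",
        "zip3": record["zip"][:3],
        "gender": record["gender"],
        "qualifications_score": record["qualifications_score"],
    }


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Return (k, class_sizes): k is the size of the smallest group of records
    that share the same quasi-identifier combination."""
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(classes.values()), classes


def risky_classes(records, k_min, quasi=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations shared by fewer than k_min records."""
    _, classes = k_anonymity(records, quasi)
    return sorted(c for c, n in classes.items() if n < k_min)


def constructed_applicants():
    """Constructed sample records (not real people)."""
    rows = [
        (1, "A. Example", "a@example.com", 34, "94110", "Female", 81.0),
        (2, "B. Example", "b@example.com", 37, "94115", "Female", 66.5),
        (3, "C. Example", "c@example.com", 31, "94103", "Female", 74.0),
        (4, "D. Example", "d@example.com", 45, "10001", "Male", 70.2),
        (5, "E. Example", "e@example.com", 42, "10025", "Male", 88.1),
        (6, "F. Example", "f@example.com", 48, "10011", "Male", 59.9),
        (7, "G. Example", "g@example.com", 62, "73301", "Female", 77.3),
    ]
    fields = ("applicant_id", "name", "email", "age", "zip", "gender",
              "qualifications_score")
    return [dict(zip(fields, row)) for row in rows]


if __name__ == "__main__":
    released = [generalize(r, DEMO_KEY) for r in constructed_applicants()]
    k, _ = k_anonymity(released)
    print(f"k-anonymity of release: k={k}")
    for combo in risky_classes(released, k_min=3):
        print("Re-identification risk, suppress or generalize further:", combo)
```

Any combination reported by `risky_classes` identifies a group small enough that a single applicant could be singled out, so those rows need further generalization or suppression before release.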

### Security Controls

**1. Adversarial Robustness**
- Test against adversarial examples
- Input validation and sanitization
- Anomaly detection

**2. Model Security**
- Protect model weights/parameters
- Prevent model extraction
- Monitor for unusual queries

**3. Infrastructure Security**
- Secure deployment environments
- Network segmentation
- Regular security updates

**4. Incident Response**
- Detection and alerting
- Response procedures
- Communication plans
- Post-incident review

```python
# Privacy and security controls checklist

controls_checklist = {
    'Control_Category': [
        'Data Minimization',
        'Purpose Limitation',
        'Access Controls',
        'Anonymization',
        'Encryption',
        'Data Subject Rights',
        'Adversarial Robustness',
        'Model Security',
        'Infrastructure Security',
        'Incident Response'
    ],
    'Priority': ['High', 'Critical', 'Critical', 'High', 'Critical', 'Critical',
                 'Medium', 'High', 'Critical', 'High'],
    'Implementation_Difficulty': ['Low', 'Medium', 'Medium', 'High', 'Low', 'High',
                                   'High', 'Medium', 'Medium', 'Medium'],
    'Regulatory_Requirement': ['GDPR', 'GDPR', 'GDPR+Security', 'GDPR', 'GDPR+Security',
                               'GDPR', 'Best Practice', 'Best Practice', 'Security', 'Security'],
    'Key_Tool_or_Practice': [
        'Data inventory and classification',
        'Consent management system',
        'IAM system with RBAC',
        'De-identification tools',
        'AES-256 encryption',
        'Data subject request portal',
        'Adversarial testing tools',
        'Model versioning and access logs',
        'SIEM, firewalls, patching',
        'Incident response playbook'
    ]
}

df_controls = pd.DataFrame(controls_checklist)

print("\nPRIVACY & SECURITY CONTROLS CHECKLIST")
print("="*80)
print(df_controls.to_string(index=False))

print("\n" + "="*80)
print("CRITICAL PRIORITY CONTROLS:")
critical = df_controls[df_controls['Priority'] == 'Critical']
for idx, row in critical.iterrows():
    print(f"\n{row['Control_Category']}:")
    print(f"  Tool/Practice: {row['Key_Tool_or_Practice']}")
    print(f"  Difficulty: {row['Implementation_Difficulty']}")
```

## 5. Human Oversight Mechanisms

### Human-in-the-Loop (HITL) Design Patterns

**1. Human-in-Command**
- AI provides recommendations
- Human makes final decision
- **Use for**: High-stakes decisions, complex judgment

**2. Human-on-the-Loop**
- AI operates autonomously
- Human monitors and can intervene
- **Use for**: Real-time systems, operational contexts

**3. Human-out-of-the-Loop**
- AI operates fully autonomously
- Human reviews outcomes periodically
- **Use for**: Low-stakes, high-volume decisions

### Designing Effective Oversight

**Key Principles**:

1. **Meaningful Control**: Humans must have genuine ability to influence outcomes
2. **Appropriate Information**: Provide sufficient context without overwhelming
3. **Time to Decide**: Adequate time for human judgment
4. **Skill Match**: Human reviewers with appropriate expertise
5. **Avoid Automation Bias**: Design to prevent rubber-stamping

**Warning Signs of Ineffective Oversight**:
- >95% of AI recommendations accepted without change
- Review time <10 seconds for complex decisions
- Humans can't articulate reasoning for decisions
- No mechanism to provide feedback to improve AI
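
The first three warning signs above can be measured from the review audit log. The following is an added example, not part of the original notebook: the log schema, reviewer names, minimum sample size, and blank-rationale threshold are assumptions, and an empty rationale field stands in as a proxy for "can't articulate reasoning".

```python
from collections import defaultdict
from statistics import median

# Thresholds taken from the warning-signs list above.
MAX_ACCEPT_RATE = 0.95       # more than 95% accepted without change
MIN_COMPLEX_SECONDS = 10.0   # under 10 seconds on complex decisions
# Assumptions (not from the page): minimum sample and blank-rationale share.
MIN_REVIEWS = 20
MAX_BLANK_RATIONALE = 0.50


def audit_reviewers(log, min_reviews=MIN_REVIEWS):
    """Return {reviewer: {"n", "accept_rate", "median_complex_s", "flags"}}."""
    by_reviewer = defaultdict(list)
    for rec in log:
        by_reviewer[rec["reviewer"]].append(rec)

    report = {}
    for reviewer, recs in sorted(by_reviewer.items()):
        n = len(recs)
        accepted = sum(r["human_decision"] == r["ai_recommendation"] for r in recs)
        accept_rate = accepted / n
        complex_times = [r["review_seconds"] for r in recs if r["complex"]]
        median_complex = median(complex_times) if complex_times else None
        blank_share = sum(not r["rationale"].strip() for r in recs) / n

        flags = []
        if n < min_reviews:
            # Too few reviews to call it rubber-stamping: report, do not judge.
            flags.append("insufficient_sample")
        else:
            if accept_rate > MAX_ACCEPT_RATE:
                flags.append("accept_rate_over_95pct")
            if median_complex is not None and median_complex < MIN_COMPLEX_SECONDS:
                flags.append("complex_review_under_10s")
            if blank_share > MAX_BLANK_RATIONALE:
                flags.append("rationale_missing")

        report[reviewer] = {
            "n": n,
            "accept_rate": accept_rate,
            "median_complex_s": median_complex,
            "flags": flags,
        }
    return report


def constructed_log():
    """Constructed review log (not real data): one rubber-stamping reviewer,
    one engaged reviewer, and one with too few reviews to assess."""
    log = []
    for i in range(40):
        rec = "advance" if i % 2 == 0 else "reject"
        opposite = "reject" if rec == "advance" else "advance"
        is_complex = i % 4 == 0
        # r-alice accepts everything in 4 seconds and never writes a rationale.
        log.append({"reviewer": "r-alice", "ai_recommendation": rec,
                    "human_decision": rec, "review_seconds": 4.0,
                    "complex": is_complex, "rationale": ""})
        # r-bob overrides every fifth recommendation and documents each decision.
        log.append({"reviewer": "r-bob", "ai_recommendation": rec,
                    "human_decision": opposite if i % 5 == 0 else rec,
                    "review_seconds": 45.0 if is_complex else 12.0,
                    "complex": is_complex,
                    "rationale": "checked skills against the posting"})
    for _ in range(5):
        log.append({"reviewer": "r-carol", "ai_recommendation": "advance",
                    "human_decision": "advance", "review_seconds": 3.0,
                    "complex": True, "rationale": ""})
    return log


if __name__ == "__main__":
    for reviewer, row in audit_reviewers(constructed_log()).items():
        status = ", ".join(row["flags"]) or "ok"
        print(f"{reviewer}: n={row['n']} accept={row['accept_rate']:.0%} -> {status}")
```

The fourth warning sign (no feedback mechanism) is a process property and is not observable from a log like this one.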

```python
# Human oversight decision framework

def determine_oversight_level(stakes: str, 
                             reversibility: str,
                             volume: str,
                             ai_confidence: str) -> Dict:
    """
    Determine appropriate level of human oversight.
    
    Parameters:
    - stakes: 'Low', 'Medium', 'High', 'Critical'
    - reversibility: 'Easy', 'Moderate', 'Difficult', 'Impossible'
    - volume: 'Low' (<100/day), 'Medium' (100-1000/day), 'High' (>1000/day)
    - ai_confidence: 'Low' (<70%), 'Medium' (70-90%), 'High' (>90%)
    """
    
    # High stakes or irreversible always requires human-in-command
    if stakes in ['High', 'Critical'] or reversibility in ['Difficult', 'Impossible']:
        return {
            'oversight_level': 'Human-in-Command',
            'description': 'AI provides recommendations; human makes all final decisions',
            'review_rate': '100%',
            'automation_allowed': False,
            'rationale': 'High stakes or irreversible decisions require human judgment'
        }
    
    # Low confidence requires more oversight
    if ai_confidence == 'Low':
        return {
            'oversight_level': 'Human-in-Command',
            'description': 'AI provides recommendations; human makes all final decisions',
            'review_rate': '100%',
            'automation_allowed': False,
            'rationale': 'Low AI confidence requires human verification'
        }
    
    # High volume + medium stakes + good AI = human-on-the-loop
    if volume == 'High' and stakes == 'Medium' and ai_confidence == 'High':
        return {
            'oversight_level': 'Human-on-the-Loop',
            'description': 'AI operates autonomously with human monitoring and intervention capability',
            'review_rate': '10-20% sampling',
            'automation_allowed': True,
            'rationale': 'High volume and high confidence enable automation with monitoring'
        }
    
    # Low stakes + easy reversibility = human-out-of-loop possible
    if stakes == 'Low' and reversibility == 'Easy':
        return {
            'oversight_level': 'Human-out-of-the-Loop',
            'description': 'AI operates fully autonomously; human reviews aggregated outcomes',
            'review_rate': 'Weekly aggregate review',
            'automation_allowed': True,
            'rationale': 'Low stakes and easy reversibility allow full automation'
        }
    
    # Default: human-in-command for safety
    return {
        'oversight_level': 'Human-in-Command (Default)',
        'description': 'AI provides recommendations; human makes all final decisions',
        'review_rate': '100%',
        'automation_allowed': False,
        'rationale': 'Conservative default for unclear scenarios'
    }

# Example scenarios
scenarios = [
    {'name': 'Hiring Decision', 'stakes': 'High', 'reversibility': 'Difficult', 'volume': 'Medium', 'ai_confidence': 'High'},
    {'name': 'Spam Filtering', 'stakes': 'Low', 'reversibility': 'Easy', 'volume': 'High', 'ai_confidence': 'High'},
    {'name': 'Loan Approval', 'stakes': 'High', 'reversibility': 'Moderate', 'volume': 'High', 'ai_confidence': 'Medium'},
    {'name': 'Product Recommendation', 'stakes': 'Low', 'reversibility': 'Easy', 'volume': 'High', 'ai_confidence': 'Medium'},
]

print("\nHUMAN OVERSIGHT RECOMMENDATIONS")
print("="*80)

for scenario in scenarios:
    result = determine_oversight_level(
        scenario['stakes'],
        scenario['reversibility'],
        scenario['volume'],
        scenario['ai_confidence']
    )
    print(f"\n{scenario['name'].upper()}:")
    print(f"  Recommended: {result['oversight_level']}")
    print(f"  Description: {result['description']}")
    print(f"  Review Rate: {result['review_rate']}")
    print(f"  Rationale: {result['rationale']}")
```

## 6. Practical Exercise

### Design a Governance Implementation Plan

```python
# YOUR TURN: Create governance implementation plan for your AI system

my_governance_plan = """
AI SYSTEM DESCRIPTION:
Name: [Your AI system]
Use Case: [What does it do?]
Jurisdictions: [Where will it operate?]
User Impact: [Who is affected and how?]

REGULATORY COMPLIANCE:
Applicable Regulations:
1. [Regulation]: [Key requirements]
2. [Regulation]: [Key requirements]
3. [Regulation]: [Key requirements]

Compliance Actions:
- [Action 1]: [Timeline and owner]
- [Action 2]: [Timeline and owner]

BIAS AUDIT PLAN:
Protected Attributes to Test: [List attributes]
Fairness Metrics: [Which metrics?]
Acceptable Thresholds: [Define thresholds]
Audit Frequency: [How often?]
Responsible Party: [Who conducts audits?]

TRANSPARENCY & DOCUMENTATION:
Model Card: [Will you create one? When?]
Internal Reporting: [What and to whom?]
External Reporting: [Any public disclosures?]
Documentation Updates: [How often?]

PRIVACY & SECURITY:
Priority Controls:
1. [Control]: [Implementation approach]
2. [Control]: [Implementation approach]
3. [Control]: [Implementation approach]

Data Protection Measures:
- Data minimization: [How?]
- Encryption: [What type?]
- Access controls: [Who has access?]

HUMAN OVERSIGHT:
Oversight Level: [Human-in-command / on-loop / out-of-loop]
Justification: [Why this level?]
Review Process: [How will humans review?]
Review Rate: [What percentage or frequency?]
Escalation: [When to escalate to humans?]

INCIDENT RESPONSE:
Potential Incidents:
- [Incident type]: [Response procedure]
- [Incident type]: [Response procedure]

Response Team: [Who responds?]
Communication Plan: [Internal and external communication]

MONITORING & CONTINUOUS IMPROVEMENT:
KPIs to Track:
- [KPI 1]: [Target and frequency]
- [KPI 2]: [Target and frequency]

Review Cycles:
- Monthly: [What is reviewed?]
- Quarterly: [What is reviewed?]
- Annually: [What is reviewed?]

IMPLEMENTATION TIMELINE:
Month 1-3: [What will be implemented?]
Month 4-6: [What will be implemented?]
Month 7-12: [What will be implemented?]
"""

print(my_governance_plan)
```

## 7. Discussion Questions

1. **Regulatory Strategy**: How should a global organization balance different regulatory requirements across jurisdictions (EU AI Act vs. US patchwork)?

2. **Bias Metrics**: Different fairness metrics can conflict (demographic parity vs. equal opportunity). How do you choose which metric to prioritize?

3. **Transparency vs. IP**: How do you balance transparency requirements with protecting proprietary technology?

4. **Privacy vs. Performance**: Better AI often requires more data. How do you balance privacy protection with model performance?

5. **Automation Bias**: How do you prevent human reviewers from simply rubber-stamping AI recommendations?

6. **Cost of Compliance**: Comprehensive governance is expensive. How do you justify the investment to leadership?

7. **Evolving Standards**: Regulations and best practices evolve rapidly. How do you build adaptable governance?

8. **High-Stakes Domains**: In domains like healthcare or criminal justice, what additional safeguards beyond standard frameworks are necessary?

### Your Reflections:

[Write your responses here]

## 8. Key Takeaways

1. **Regulation is here** - AI-specific laws are being enacted globally, particularly in the EU

2. **Risk-based approach** - Most frameworks categorize AI systems by risk level with proportionate requirements

3. **Bias audits are essential** - Regular fairness testing is both ethically necessary and increasingly legally required

4. **Documentation matters** - Model cards and transparency reports are becoming standard practice

5. **Privacy is non-negotiable** - GDPR and similar laws apply strict requirements to AI systems processing personal data

6. **Human oversight is critical** - High-stakes decisions require meaningful human control, not just automation

7. **Compliance is ongoing** - Governance is not one-time but requires continuous monitoring and improvement

8. **Proactive beats reactive** - Building governance early is easier and cheaper than retrofitting

## 9. Looking Ahead to Week 13

Next week, we'll shift to **Developing Technology Strategy & Portfolio Management**.

We'll explore:
- Frameworks for technology strategy development
- Aligning initiatives with business goals
- Project prioritization methodologies
- Portfolio management for technology initiatives
- Roadmap development

**Assignment 3 Due This Week**: Tech-Ready Operating Model Design

**Preparation:** Inventory your organization's current and planned AI/technology initiatives. How are they prioritized today?

## Additional Resources

### Regulations:
- EU AI Act full text: [https://artificialintelligenceact.eu/](https://artificialintelligenceact.eu/)
- GDPR compliance resources: [https://gdpr.eu/](https://gdpr.eu/)
- US AI Executive Order: [https://www.whitehouse.gov/ai/](https://www.whitehouse.gov/ai/)

### Bias Auditing:
- Fairlearn (Microsoft): Open-source fairness assessment toolkit
- AI Fairness 360 (IBM): Bias detection and mitigation toolkit
- Google's What-If Tool: Model understanding and fairness

### Documentation:
- Model Cards for Model Reporting (Google)
- Datasheets for Datasets (Microsoft)
- FactSheets (IBM)

### Privacy:
- NIST Privacy Framework
- IAPP (International Association of Privacy Professionals) resources
- Privacy-preserving ML techniques overview

---

*End of Week 12 Notebook*