By now, almost every organisation has considered the potential of Generative AI (GenAI). Adopting GenAI, however, also introduces risks. Deloitte’s State of Generative AI in the Enterprise survey indicates that deepfakes, misinformation, data privacy concerns, and inaccurate results are critical barriers to successful GenAI adoption. An independent assessment or validation can help identify and mitigate these risks. This is why Deloitte has developed the GenAI Safety Check, which enables you to stay in control of your GenAI applications, align GenAI with your strategy, and share this valuable information with your stakeholders.
GenAI applications operate in complex technical and governance environments, integrating with various technologies, processes, and human tasks. To enhance successful adoption of GenAI, our GenAI Safety Check goes beyond an assessment of the technical elements of robustness, safety, and implementation. It validates the purpose and scope of your GenAI application to verify that the application aligns with your business case as part of your wider strategy, and it ensures that the application delivers the promised benefits while adhering to regulatory, security, and ethical standards. All too often, the underlying technologies of GenAI-based applications are not developed in-house, which can give rise to transparency risks. The GenAI Safety Check provides an independent analysis that brings transparency and explainability. It thereby supports organisations in developing and deploying secure, private, transparent, fair, robust, responsible, accountable, and lawful GenAI applications, as measured by Deloitte’s Trustworthy AI Framework.
A GenAI Safety Check can be performed after acquiring or developing a GenAI application, ideally before going live. Organisations that follow a detailed development lifecycle may prefer to spread their validation activities over multiple stages of the GenAI application’s maturity: the proof of concept that establishes the GenAI use case, the minimum viable product tested in a pilot, the complete GenAI application to be deployed, and periodic checks after deployment.
The GenAI Safety Check is tailored to the risks specific to the application’s use case. For a GenAI chatbot, for instance, the Safety Check emphasises the validation of user interaction, transparent communication, security aspects of user input, and data privacy. For a GenAI application that summarises documents, the Safety Check emphasises the validation of correctness metrics, scope restrictions, and user training and literacy to prevent incorrect summaries.
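As an illustration of what a correctness metric for summaries could look like, the sketch below computes a simple token-overlap F1 score between a generated summary and a human-written reference. This is a minimal, self-contained example under our own assumptions; the function name, the example texts, and the metric choice are illustrative, not the actual metrics applied in a Safety Check, which would typically combine several established measures.

```python
from collections import Counter

def token_overlap_f1(candidate: str, reference: str) -> float:
    """Unigram-overlap F1 between a generated summary and a reference.

    A deliberately simple stand-in for metrics such as ROUGE; a real
    validation would use established libraries and multiple metrics.
    """
    cand_tokens = Counter(candidate.lower().split())
    ref_tokens = Counter(reference.lower().split())
    overlap = sum((cand_tokens & ref_tokens).values())
    if overlap == 0:
        return 0.0
    precision = overlap / sum(cand_tokens.values())
    recall = overlap / sum(ref_tokens.values())
    return 2 * precision * recall / (precision + recall)

# Example: flag summaries that fall below an agreed quality threshold.
score = token_overlap_f1(
    "The contract ends in 2025 and renews automatically.",
    "The agreement terminates in 2025 with automatic renewal.",
)
print(f"overlap F1: {score:.2f}")  # low scores warrant human review
```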
A GenAI Safety Check should be conducted independently of the team that designs or deploys the GenAI application, either internally, for instance by a department not involved in the development, or externally. An independent safety check ensures a comprehensive and impartial assessment of Generative AI applications because it leverages the latest in-depth knowledge, specialised expertise in GenAI validation techniques, and industry benchmarks, while maintaining objectivity.
Our GenAI Safety Check produces a comprehensive report that covers the details of the GenAI application and its context, identifies risks, and makes recommendations to resolve these risks, classified by the urgency and effort involved. Recommendations can address both technical dimensions (e.g., data and technology) and non-technical dimensions (e.g., strategy, people, and processes), following Deloitte’s Trustworthy AI framework.
At the end of the GenAI Safety Check, we review the identified risks and recommendations together to ensure the value of the report for your organisation and other stakeholders. Following up on the recommendations will help your organisation use GenAI responsibly. The report can be produced on Deloitte letterhead or your own.
The GenAI Safety Check covers the five dimensions of strategy, people, process, data, and technology. While the exact activities may differ based on the GenAI use case, the organisation’s context, and the application’s maturity stage, the activities outlined below illustrate the approach.
To validate that the GenAI application’s use case is beneficial for your organisation and does not pose strategic risks, we analyse whether the application can fulfil its intended purpose. We also verify that an adequate maintenance plan is in place to support the quality of the application after deployment.
To identify risks arising from human interaction with the GenAI application, we validate the defined roles and responsibilities as well as the GenAI literacy of the people working with the application. Additionally, we may analyse the clarity and best practices of work procedures and instructions for users, and the process and thoroughness with which internal and external stakeholders were consulted and informed.
Process risks usually arise when existing processes have not been adapted to the demands of GenAI. We therefore assess the processes surrounding the development and deployment of the GenAI application, for example by validating internal policies around development, including third-party contracting, and procedures that ensure regulatory compliance, such as documentation and sign-offs. Further, we may validate the plans for operation and monitoring to ensure that mechanisms are in place to support the continued quality of the application and to identify emerging risks.
To assess data risks, we examine the data used by the GenAI application, for example data in a connected database in a retrieval-augmented generation (RAG) architecture, prompt data, and, where available, training data used by the GenAI vendor. Additionally, we assess the data governance in place, with emphasis on data access rights and privileges, data privacy, and anonymisation.
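To make one such data check concrete, the sketch below scans documents destined for a RAG index for personally identifiable information before they are embedded. The regex patterns and function names are illustrative assumptions; production-grade PII detection would rely on dedicated, locale-aware tooling rather than a handful of regular expressions.

```python
import re

# Illustrative patterns only; real PII detection needs dedicated tooling
# and locale-aware rules, not a handful of regexes.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "phone": re.compile(r"\b\+?\d[\d\s()-]{7,}\d\b"),
    "iban":  re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

def scan_for_pii(document: str) -> dict[str, list[str]]:
    """Return suspected PII matches per category for one document."""
    return {
        label: hits
        for label, pattern in PII_PATTERNS.items()
        if (hits := pattern.findall(document))
    }

# Example: hold back documents containing suspected PII from the RAG index.
doc = "Contact jane.doe@example.com or +31 6 1234 5678 for details."
findings = scan_for_pii(doc)
if findings:
    print("Hold back from indexing:", findings)
```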
The activities to assess technology risks differ depending on the architecture of the GenAI application, especially when third-party components are involved. Generally, we verify elements regarding cybersecurity, implementation, architecture, controls, audit logs, and back-ups. More specific elements include validating the accuracy, consistency, and reproducibility of outputs, and checking for biases and hallucinations.
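One way to probe output consistency is to repeat the same prompt several times and measure how much the responses diverge. The sketch below does this with an average pairwise Jaccard similarity over response tokens. The `generate` callable and the toy responses are hypothetical stand-ins for whichever model client the application actually uses; this is a sketch of the idea, not the validation tooling itself.

```python
import random
from itertools import combinations
from typing import Callable

def jaccard(a: str, b: str) -> float:
    """Jaccard similarity between the token sets of two responses."""
    sa, sb = set(a.lower().split()), set(b.lower().split())
    return len(sa & sb) / len(sa | sb) if sa | sb else 1.0

def consistency_score(generate: Callable[[str], str],
                      prompt: str, runs: int = 5) -> float:
    """Average pairwise similarity over repeated runs of one prompt.

    Scores near 1.0 suggest stable behaviour; low scores indicate the
    application answers the same question differently each time and
    warrant closer inspection. Requires runs >= 2.
    """
    responses = [generate(prompt) for _ in range(runs)]
    pairs = list(combinations(responses, 2))
    return sum(jaccard(a, b) for a, b in pairs) / len(pairs)

# Toy stand-in for a real model client, used here only to make the
# sketch executable; in practice `generate` calls the application itself.
def toy_generate(prompt: str) -> str:
    return random.choice([
        "The policy covers water damage up to EUR 5,000.",
        "Water damage is covered up to a limit of EUR 5,000.",
    ])

print(f"consistency: {consistency_score(toy_generate, 'What does the policy cover?'):.2f}")
```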
Depending on your organisation’s needs, our approach can be expanded with external frameworks such as the EU AI Act and ethical guidelines. We always tailor our approach to your organisation’s specific policies, standards, and context, and we leverage our experience and insights on best practices. Depending on the specifics, stage, and scope of the GenAI Safety Check, some themes may be validated more thoroughly than others.
Would you like to know how Deloitte can assist you in assessing your (generative) AI application through our GenAI Safety Check approach, or in setting up an assessment approach in-house? Feel free to contact us to discuss this further.