42.731 Duties of Artificial Intelligence Governance Committee -- Duties of
1,033 words·~5 min read·
/ky/42-731A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Commonwealth Office of Technology regarding artificial intelligence systems -
- Establishment of policies and operating standards on use of artificial
intelligence by state agencies -- Report -- Administrative regulations.
(1)The Commonwealth Office of Technology shall create an Artificial Intelligence
Governance Committee to govern the use of artificial intelligence systems by state
departments, state agencies, and state administrative bodies by:
(a)Developing policy standards and guiding principles to mitigate risks and
protect data and privacy of Kentucky citizens and businesses that adhere to
the latest version of Standard ISO/IEC 42001 of the International
Organization for Standardization;
(b)Establishing technology standards to provide protocols and requirements for
the use of generative artificial intelligence and high-risk artificial intelligence
systems;
(c)Ensuring transparency in the use of artificial intelligence systems;
(d)Maintaining a centralized registry to include current inventory of generative
artificial intelligence systems and high-risk artificial intelligence systems; and
(e)Developing an approval process to include a registry of application, use case,
and decision rationale aimed at mitigation of risks.
(2)The Artificial Intelligence Governance Committee shall develop policies and
procedures to ensure that any department, program, cabinet, agency, or
administrative body that utilizes and accesses the Commonwealth's information
technology and technology infrastructure shall:
(a)Verify the use and development of generative artificial intelligence systems
and high-risk artificial intelligence systems; and
(b)Act in compliance with responsible, ethical, and transparent procedures to
implement the use of artificial intelligence technologies by:
1. Ensuring artificial intelligence models have comprehensive and
complete documentation that is available for review and inspection;
2. Requiring review and intervention by humans dependent on the use case
and potential risk for all outcomes from generative and high-risk
artificial intelligence systems; and
3. Ensuring the use of generative artificial intelligence and high-risk
artificial intelligence systems are resilient, accountable, and explainable.
(3)The Commonwealth Office of Technology shall prioritize personal privacy and the
protection of the data of individuals and businesses as the state develops,
implements, employs, and procures artificial intelligence systems, generative
artificial intelligence systems, and high-risk artificial intelligence systems by
ensuring all departments, agencies, and administrative bodies:
(a)Allow only the use of necessary data in artificial intelligence systems;
(b)Do not allow unrestricted access to personal data controlled by the
Commonwealth; and
(c)Secure all data and implement a timeframe for data retention.
(4)To maintain and secure the technology infrastructure, information technology,
information resources, and personal information, all departments, agencies, and
administrative bodies shall be subject to review of generative artificial intelligence
systems or high-risk artificial intelligence systems.
(5)At a minimum, the executive director of the Commonwealth Office of Technology
shall consider and document:
(a)How the artificial intelligence system will not result in unlawful
discrimination against any individual or group of individuals;
(b)How the use of generative artificial intelligence or other artificial intelligence
capabilities will benefit the citizens of the Commonwealth and serve the
objectives of the department or agency;
(c)To what extent oversight and human interaction of the artificial intelligence
system should be required;
(d)The potential risks, including cybersecurity, data protection and privacy, and
health and safety of individuals and businesses, and a mitigation strategy to
any identified or potential risk; and
(e)The proper control and management for all data possessed by the
Commonwealth to maintain security and data quality.
(a)A department, agency, or administrative body shall disclose to the public,
through a clear and conspicuous disclaimer, when generative artificial
intelligence, artificial intelligence systems, or other artificial intelligence-
related capabilities are used:
1. To render any decision regarding individual citizens or businesses
within the state;
2. In any process, or to produce materials used by the system or humans, to
inform a decision or create an output; or
3. To produce information or outputs accessible by citizens and businesses.
(b)When an artificial intelligence system makes external decisions related to
citizens of the Commonwealth, a department, agency, or administrative body
shall:
1. Disclose how artificial intelligence is used in the decision-making
process;
2. Provide the extent of human involvement in validating and oversight of
any decision made; and
3. Make readily available options for individuals to appeal a consequential
decision that involves artificial intelligence.
(c)Any disclaimer under paragraph
(a)of this subsection shall also provide
information regarding third-party artificial intelligence products or programs,
including but not limited to information as to how the high-risk artificial
intelligence system or generative artificial intelligence system works, such as
system cards or other documented information provided by developers.
(7)The Commonwealth Office of Technology shall establish policies to encompass
legal and ethical frameworks to ensure that any artificial intelligence systems shall
align with existing laws, administrative regulations, and guidelines, which shall be
updated at least annually to maintain compliance as technology and industry best
practices evolve.
(a)Operating standards for utilization of high-risk artificial intelligence systems
shall prohibit the use of a high-risk artificial intelligence system to render a
consequential decision without the design and implementation of a risk
management policy and program for high-risk artificial intelligence systems.
The risk management policy shall:
1. Specify principles, process, and personnel that shall be utilized to
maintain the risk management program; and
2. Identify, mitigate, and document any bias or potential bias that is a
potential consequence of use in making a consequential decision.
(b)Each risk management policy designed and implemented shall at a minimum
adhere to the latest version of Standard ISO/IEC 42001 of the International
Organization for Standardization or another national or internationally
recognized risk management framework for artificial intelligence systems,
and consider the:
1. Size and complexity of the deployer;
2. Nature, scope, and intended use of the high-risk artificial intelligence
system and its deployer; and
3. Sensitivity and volume of data processed.
(9)This section and KRS 42.722 and 42.726 shall not be construed to require the
disclosure of trade secrets, confidential or proprietary information about the design
or use of an artificial intelligence system, or any information which would create a
security risk.
(10)The Commonwealth Office of Technology shall provide education and training of
employees about the benefits and risks of artificial intelligence and allowable use
policies.
(a)The Commonwealth Office of Technology shall transmit reports to the