IRS Artificial Intelligence Governance and Principles

Jan. 3, 2025 /Mpelembe Media/ — This interim guidance memorandum from the IRS Chief Data and Analytics Officer outlines new Internal Revenue Manual (IRM) 10.24.1, establishing AI governance principles and processes. It details requirements for AI use case inventories, approval procedures, and risk management, particularly for safety-impacting or rights-impacting AI. The memorandum stresses compliance with federal mandates like OMB M-24-10 and Executive Orders 13960 and 14110. Responsibilities are assigned to various stakeholders, including the Responsible AI Official (RAIO), DASIB, and the AI Governance PMO. The document also addresses ethical considerations, data sharing, and transparency requirements for AI applications within the IRS.

The IRS ensures responsible AI use through a multi-faceted governance framework that includes establishing principles, assigning roles and responsibilities, implementing a review process, and adhering to ethical standards. This framework is designed to promote trust in AI by ensuring compliance with federal mandates and legislation, while also mitigating risks.

Key aspects of the IRS’s approach to responsible AI use include:

  • Guiding Principles: The IRS’s AI development and use must be lawful, purposeful, accurate, safe, understandable, responsible, traceable, regularly monitored, transparent, and accountable. These principles align with those outlined in Executive Order 13960.
  • Roles and Responsibilities:
    • The Chief Data and Analytics Officer (CDAO) also serves as the Responsible AI Official (RAIO), overseeing AI governance and ensuring compliance with OMB M-24-10 requirements. The RAIO is responsible for the coordination of AI within the IRS, and also supports the Department of Treasury’s Chief Artificial Intelligence Officer (CAIO).
    • Senior executives in each business unit are responsible for managing AI use within their units, adhering to policy, and coordinating AI activity through the AI Governance Project Management Office (PMO).
    • The Data and Analytics Strategic Integration Board (DASIB) is the ultimate decision-making body for AI use within the IRS, providing final approval for safety-impacting or rights-impacting AI.
    • The AI Governance Project Management Office (PMO) facilitates the AI governance process, supporting project teams and ensuring compliance with requirements.
    • The AI Assurance Team, comprised of subject matter experts, validates AI use case compliance with IRS policies, and provides assessments and recommendations to the PMO and DASIB.
    • AI project teams are responsible for preparing governance artifacts and complying with relevant requirements.
  • AI Governance Process:
    • All AI use cases must be documented in an AI use case inventory.
    • The governance process involves several key artifacts, including model cards, datasheets, intake questionnaires, risk of bias assessments, readiness assessment reports, and project summary reports.
    • Before an AI use case is deployed in a production workflow, it must go through a review process involving the AI project team, the PMO, the AI Assurance Team, and DASIB, with DASIB providing final approval for safety-impacting or rights-impacting AI.
    • AI use cases must be reviewed at least annually or when significant modifications are made.
  • Minimum Practices for Safety-Impacting or Rights-Impacting AI: Before using safety-impacting or rights-impacting AI, the IRS must complete an AI impact assessment, conduct real-world performance testing, have independent evaluations, and have procedures in place for ongoing monitoring and risk evaluation. The IRS must also address emerging risk mitigation, provide human training, ensure human oversight of decisions, provide public notice, ensure equity and fairness, incorporate feedback, monitor for AI-enabled discrimination, and provide a mechanism for notification of negatively affected individuals. There must also be human consideration and remedy processes and opt-out options.
  • Ethical Standards: The IRS must ensure that AI solutions are guided by ethical standards that protect and prioritise taxpayer rights, adhering to the Taxpayer Bill of Rights.
  • Privacy and Security: All AI use cases must adhere to IRS privacy and security policies, including conducting Privacy and Civil Liberties Impact Assessments (PCLIA) and following Privacy Act requirements.

By implementing these measures, the IRS aims to harness the benefits of AI while ensuring responsible and ethical use.

The Data and Analytics Strategic Integration Board (DASIB) is the ultimate decision-making body for the use of artificial intelligence (AI) within the IRS. The DASIB plays a crucial role in overseeing the responsible implementation of AI within the agency.

Here are the specific functions of the DASIB in IRS AI governance:

  • Oversight of AI Projects: The DASIB oversees the entire portfolio of AI projects at the IRS to ensure they comply with all federal requirements.
  • Final Approval for Safety-Impacting or Rights-Impacting AI: The DASIB provides the final approval for any safety-impacting or rights-impacting AI before it can be used in a production workflow. This ensures that AI systems with the potential to impact safety or individual rights are thoroughly reviewed and approved at the highest level. Authorising Officials must also receive DASIB approval of AI capabilities before granting Authorization to Operate.
  • Decision-Making Body: The DASIB serves as the key decision-making authority for AI use. A majority vote of the DASIB members is needed for approval of an AI use case.
  • Review of Project Summary Reports: The DASIB reviews Project Summary Reports, which include information about the AI project’s purpose, risks, and compliance with applicable governance requirements. These reports also include a recommended monitoring and review plan. The Project Summary Report is compiled by the AI Governance Project Management Office (PMO) and includes a Readiness Assessment Report from the AI Assurance Team.
  • Coordination with AI Governance PMO: The DASIB works in coordination with the AI Governance Project Management Office (PMO) to facilitate the review and approval process.

The DASIB’s role is critical in ensuring that AI is used responsibly and ethically within the IRS, in compliance with federal mandates and legislation. The DASIB acts as a final check to make sure all relevant risks are considered and that the AI is deployed in a safe and compliant manner.

The Responsible Artificial Intelligence Official (RAIO) plays a key role in overseeing the implementation of AI governance within the IRS. The Chief Data and Analytics Officer (CDAO) also serves as the RAIO. This dual role places the CDAO in a central position for ensuring the responsible use of AI across the IRS.

Here are the specific responsibilities of the RAIO:

  • Overseeing Implementation of OMB M-24-10 Requirements: The RAIO is responsible for ensuring that the IRS complies with the requirements of the Office of Management and Budget (OMB) Memorandum M-24-10, which outlines governance, innovation, and risk management practices for AI.
  • Supporting the Treasury CAIO: The RAIO supports the Department of Treasury’s Chief Artificial Intelligence Officer (CAIO) in fulfilling department-level responsibilities related to AI.
  • Coordination of AI Activities: The RAIO is responsible for coordinating all AI activities within the IRS. This includes ensuring that different business units and offices are working together effectively and that AI projects align with the IRS’s overall goals.
  • Maintaining Awareness of AI Activities: The RAIO is tasked with maintaining an awareness of all AI activities within the IRS, which is achieved through the creation and maintenance of the AI use case inventory.
  • Removing Barriers to Responsible AI Use: The RAIO is responsible for identifying and removing any barriers that might impede the responsible use of AI. This includes advancing AI-enabling infrastructure, workforce development, policy, and other resources.
  • Managing AI Risks: The RAIO manages a program that supports the identification and management of risks associated with AI use, especially for AI that is safety-impacting or rights-impacting.
  • Measuring and Monitoring AI Performance: The RAIO works with senior officials to establish processes for measuring, monitoring, and evaluating the ongoing performance of AI applications and whether they are achieving their intended objectives.
  • Ensuring Compliance with Risk Management Requirements: The RAIO oversees compliance with requirements to manage AI risks, including those established in OMB M-24-10 and the NIST AI Risk Management Framework.
  • Conducting Risk Assessments: The RAIO conducts risk assessments of AI applications as necessary to ensure compliance with OMB M-24-10.
  • Waiving AI Applications from OMB M-24-10 Requirements: The RAIO can waive individual AI applications from specific elements of OMB M-24-10, following the process outlined in that document.
  • Ensuring AI Compliance: The RAIO works with other relevant agency officials to ensure that the IRS does not use AI that is not compliant with OMB M-24-10. This can include assisting in evaluating authorisations to operate based on risks from AI use.
  • Overseeing Reporting: The RAIO oversees all internal and external reporting on the use of AI within the IRS.

The RAIO’s role is central to the IRS’s AI governance framework, ensuring that AI is used responsibly, ethically, and in compliance with federal guidelines. The RAIO is responsible for the overall coordination, risk management, and compliance of AI projects.

Several key stakeholders participate in the IRS AI governance process, each with specific roles and responsibilities to ensure the responsible and ethical use of AI. These stakeholders include:

  • The Chief Data and Analytics Officer (CDAO), who also serves as the Responsible AI Official (RAIO), oversees the implementation of AI governance and ensures compliance with federal guidelines, including OMB M-24-10. The RAIO is responsible for the coordination of AI within the IRS, supports the Treasury CAIO, maintains awareness of AI activities, removes barriers to responsible AI use, manages AI risks, and ensures AI compliance.
  • Senior executives in each business unit are responsible for managing AI use within their units, ensuring compliance with policy, and coordinating AI activity through the AI Governance Project Management Office (PMO).
  • The Data and Analytics Strategic Integration Board (DASIB) is the ultimate decision-making body for the use of AI within the IRS. The DASIB oversees the portfolio of AI projects, ensures compliance with federal requirements, and gives final approval for the deployment of safety-impacting or rights-impacting AI into a production workflow.
  • The AI Governance Project Management Office (PMO) is a team that facilitates and administers the AI governance process. The PMO supports project teams, facilitates communication between stakeholders, and documents compliance with governance requirements. The PMO also compiles reports for DASIB and facilitates reviews.
  • The AI Assurance Team is a cross-functional team of subject matter experts who validate AI use case compliance with IRS policies and processes. They review submitted artifacts, including impact assessments, to ensure that the necessary assessments are completed in a manner that meets IRS policy requirements. They provide the AI Governance PMO and DASIB with assessments and recommendations of a use case’s readiness to be deployed.
  • AI Project Teams are teams of IRS employees and/or contractors who are developing or maintaining an AI use case. They are responsible for working with the PMO to prepare governance artifacts and comply with all relevant governance requirements.

These stakeholders work together to ensure that AI is used responsibly, ethically, and in compliance with applicable laws and policies. The CDAO/RAIO is responsible for the overall coordination and compliance, while the DASIB provides final approval for significant AI use cases. The PMO, AI Assurance Team and AI project teams also contribute to the AI governance process through their support, assessment, and documentation roles.

The Chief Data and Analytics Officer (CDAO) at the IRS has a multifaceted role regarding Artificial Intelligence (AI), which is central to the agency’s AI governance and implementation. The CDAO’s responsibilities include:

  • Serving as the Responsible AI Official (RAIO): The CDAO also serves as the RAIO, which means they are responsible for overseeing the IRS’s implementation of AI governance, as well as ensuring compliance with the Office of Management and Budget (OMB) Memorandum M-24-10. The RAIO coordinates all AI activity within the IRS.
  • Supporting the Treasury CAIO: The CDAO, in their role as RAIO, supports the Department of Treasury’s Chief Artificial Intelligence Officer (CAIO) in fulfilling their responsibilities related to AI. This ensures that the IRS’s AI efforts align with the broader Treasury Department’s goals and requirements.
  • Maintaining Awareness of AI Activities: The CDAO is responsible for maintaining awareness of all AI activities within the IRS. This is done through the creation and maintenance of the AI use case inventory.
  • Removing Barriers to Responsible AI Use: The CDAO identifies and removes any obstacles that may hinder the responsible use of AI, such as advancing AI-enabling infrastructure, workforce development, and policy.
  • Managing AI Risks: The CDAO manages a program that supports the identification and management of risks associated with AI use, especially for safety-impacting or rights-impacting AI. This includes ensuring compliance with risk management requirements.
  • Overseeing Reporting: The CDAO oversees all internal and external reporting on the use of AI within the IRS. This ensures transparency and accountability in the agency’s AI activities.
  • Guiding AI Sharing and Collaboration: The CDAO directs the sharing and release of AI code, models and datasets. This is done in coordination with relevant AI governance stakeholders, to facilitate reuse and collaboration. All sharing and release must comply with the Privacy Act and IRC 6103.
  • Program Owner: The office of the CDAO, whose executive serves as the RAIO, is the program office responsible for overseeing the IRS AI governance program.

The CDAO’s role is to ensure that AI is used responsibly, ethically, and in compliance with all relevant federal guidelines and policies. The CDAO’s dual role as RAIO places them at the center of the IRS’s AI governance framework. The CDAO’s responsibilities include overseeing AI activities, managing risks, ensuring compliance, and fostering responsible AI innovation. The CDAO also has the authority to oversee enterprise-level data and analytics activities, which includes the use of AI.

The IRS categorises AI impact primarily by determining whether an AI use case is safety-impacting or rights-impacting. This determination is crucial, as it triggers specific minimum practices and governance processes. Here’s a breakdown of how the IRS categorises AI impact:

  • Safety-Impacting AI: This refers to AI whose output produces an action or serves as a principal basis for a decision that has the potential to significantly impact safety. This includes impacts on:
    • Human life or well-being, including loss of life, serious injury, bodily harm, biological or chemical harms, occupational hazards, harassment or abuse, or mental health
    • Climate or environment, including irreversible or significant environmental damage
    • Critical infrastructure, including the critical infrastructure sectors defined in Presidential Policy Directive 21 or any successor directive and the infrastructure for voting and protecting the integrity of elections
    • Strategic assets or resources, including high-value property and information marked as sensitive or classified by the Federal Government
  • Rights-Impacting AI: This refers to AI whose output serves as a principal basis for a decision or action concerning a specific individual or entity that has a legal, material, binding, or similarly significant effect on their:
    • Civil rights, civil liberties, or privacy, including but not limited to freedom of speech, voting, human autonomy, and protections from discrimination, excessive punishment, and unlawful surveillance
    • Equal opportunities, including equitable access to education, housing, insurance, credit, employment, and other programs where civil rights and equal opportunity protections apply
    • Access to or the ability to apply for critical government resources or services, including healthcare, financial services, public housing, social services, transportation, and essential goods and services

How the IRS Determines if AI is Safety- or Rights-Impacting:

  • The IRS reviews each AI use case to determine if it matches the definitions provided by the OMB.
  • AI used for purposes identified by the OMB as presumed safety-impacting or rights-impacting will be considered as such, unless a context-specific and system-specific risk assessment determines otherwise.
  • The Treasury CAIO, in coordination with officials like the IRS RAIO, makes the final determination.
  • Stakeholders involved in this determination include the AI Governance PMO, AI Assurance Team, DASIB, and RAIO.

Minimum Practices for Safety- or Rights-Impacting AI:

  • By December 1, 2024, the IRS must follow minimum practices for safety-impacting or rights-impacting AI.
  • These minimum practices include:
    • AI impact assessments
    • Real-world performance testing
    • Independent evaluations
    • Ongoing monitoring and risk evaluation
    • Emerging risk mitigation
    • Human training and assessment
    • Human oversight of decisions or actions
    • Public notice and plain language documentation
    • Equity and fairness measures
    • Incorporation of feedback
    • Ongoing monitoring and mitigation for AI-enabled discrimination
    • Notification of negatively affected individuals
    • Human consideration and remedy processes
    • Opt-out options
  • The IRS must document its implementation of these practices and be prepared to report them.

Exemptions:

  • The IRS is not required to follow these minimum practices when using AI solely for evaluation of vendors or commercial capabilities for procurement or for achieving conformity with the requirements of the minimum practices.
  • The Treasury CAIO can grant extensions or waivers for certain requirements after a risk assessment but must justify them, and waivers can be revoked at any time.

By categorising AI as either safety-impacting or rights-impacting, the IRS can apply the appropriate level of scrutiny, oversight, and risk management, ensuring responsible AI implementation in accordance with federal mandates and guidelines.

The IRS must document its AI practices in several key areas, with specific requirements for safety-impacting and rights-impacting AI, as well as general governance and monitoring. Here is a breakdown of when documentation is required:

  • AI Use Case Inventory: All IRS AI use cases must be documented in the AI use case inventory upon receiving approval to begin work from program or function leadership. AI project teams are responsible for maintaining the accuracy and currency of their use case’s information in the inventory. Each entry for a safety-impacting or rights-impacting AI use case must include accessible documentation in plain language, which may serve as public notice.
  • Minimum Practices for Safety-Impacting or Rights-Impacting AI: The IRS is required to document its implementation of the minimum practices for safety-impacting or rights-impacting AI and must be prepared to report on these practices as part of the annual AI use case inventory, during periodic accountability reviews, or upon request.
    • AI Impact Assessment: The IRS must document a completed AI impact assessment before using safety-impacting or rights-impacting AI. This assessment should be updated periodically and must include the intended purpose, potential risks, and data quality.
    • Real-World Performance Testing: The testing process and results must be documented to demonstrate that the AI achieves its expected benefits and that associated risks are sufficiently mitigated.
    • Independent Evaluations: The IRS must document that it has reviewed relevant AI documentation, including the impact assessment and real-world performance testing results, to ensure the AI is working correctly and that its benefits outweigh its potential risks. This is completed via the AI governance process.
    • Ongoing Monitoring and Risk Evaluation: The procedures for monitoring the AI’s functionality and detecting changes in its impact on rights and safety, including human reviews, must be documented. The IRS will document compliance with these requirements through the AI Governance process.
    • Emerging Risk Mitigation: The steps taken to mitigate new or altered risks to rights or safety must be documented.
    • Human Oversight: Compliance with the requirements for human oversight of AI decisions or actions must be documented through the AI governance process.
    • Equity and Fairness: When using rights-impacting AI, the IRS must document its assessment of the AI’s impact on equity and fairness, particularly when using data that contains information about a protected class. Any steps to mitigate algorithmic discrimination must also be documented.
    • Ongoing Monitoring and Mitigation for AI-enabled Discrimination: As part of the ongoing monitoring requirements, the IRS must document its process for assessing and mitigating AI-enabled discrimination.
  • AI Governance Process: The AI Governance Project Management Office (PMO) documents compliance with all applicable governance requirements.
    • Model Card and Datasheet: For each AI use case, the IRS must document a model card and datasheet. The model card provides detailed information about the AI model, and the datasheet documents the data used by the AI.
    • Readiness Assessment Report: The AI Assurance Team documents its assessment of a use case’s compliance with applicable IRS policies regarding privacy, security, etc. in a Readiness Assessment Report.
    • Project Summary Report: The AI Governance PMO issues a Project Summary Report to the Data and Analytics Strategic Integration Board (DASIB) summarizing an AI use case’s purpose, benefits, risks, compliance with applicable governance requirements, and recommended monitoring and review plan.
    • DASIB approval: The AI Governance PMO will capture, document, and archive DASIB members’ votes on the use of safety-impacting or rights-impacting use cases. The AI Governance PMO will also archive all submitted reports and artifacts.
  • Annual Reviews: For use cases previously approved for production, AI project teams must review their use case at least annually, or when significant modifications are made. The updated information, including performance metrics, must be submitted to the AI Governance PMO for AI governance review. The AI Governance PMO is responsible for ensuring these reviews are completed annually and for maintaining documentation of review completion.
  • Significant Modifications: Any significant modifications to an AI use case must be reported to the AI Governance PMO, which will work with the project team to ensure that required actions for continued use are completed.
  • Sharing and Collaboration: When sharing AI code, models, and data assets, the IRS must document the process followed, ensuring it complies with the Privacy Act and IRC 6103. This includes any risk assessments performed to avoid unintended disclosure of data.

In summary, documentation of IRS AI practices is a continuous process, occurring throughout the AI lifecycle. It is essential for maintaining compliance, ensuring transparency, and mitigating risks associated with AI use, especially when it involves safety or individual rights.