When working with artificial intelligence (AI) systems, there are a couple of things that come to mind when we talk about compliance. The first is the process of adhering to laws, regulations, and standards that are usually set by governments, industry associations, or any other regulatory authorities, and the second is ethical considerations.

In this chapter, we will learn how to develop machine learning (ML) models ethically and responsibly by using the six Responsible AI principles according to Microsoft and how to translate them into a responsible development strategy using Responsible AI tools. Then, we will do an overview of the industry-recognized regulatory compliance standards for Azure Machine Learning and how to enforce them by using Azure Policy. These standards are not only Microsoft benchmarks but also globally accepted frameworks such as the National Institute of Standards and Technology Risk Management Framework (NIST RMF).

In...

As AI systems gain popularity and are used by many people around the world, it raises the question of how ethically these systems perform. This is evident, for example, by the public release of OpenAI’s ChatGPT model. Everyone or almost everyone has used it so far, and it has had some interesting reactions. Many have been impressed, excited, and even loved this new product that can help them be more productive in their work and in their everyday lives. Others have been concerned or even scared of the prospects of this powerful model and how it can very easily mimic human behavior.

The focus of technology has always been to solve problems. We are amid a new technological revolution, and AI has the capability to improve people’s lives very quickly; however, that does not mean that there are no dangers involved. Every individual organization that uses and creates advanced AI systems will need to create a governance system for ethical...

Regulatory compliance is the process of adhering to laws, regulations, and standards that are usually set by governments, industry associations, or any other regulatory authorities. Part of regulatory compliance means that an organization operates within specific legal or regulatory frameworks that apply to the industry and or its geographical location. Regulatory compliance is essential to maintain ethical practices, protect organizations and customers, and mitigate risks. It includes laws and regulations, policies and procedures, risk assessment and management, reporting and documentation, and, finally, monitoring and auditing. Building a culture of compliance within an organization can be difficult, but it is essential. This can include employee training and ensuring that compliance is a priority. However, sometimes, the implementation of security controls might be required in order to ensure that all those processes...

Just by using the Azure Policy service, you have access to the Compliance and Remediation blades, which you can use to monitor your compliance status for free for Azure resources. All you need is an active Azure subscription. Be careful, as there might be costs associated if you enable Azure Policy to an Arc resource. In that case, you can visit the Azure pricing calculator to see associated costs.

Compliance auditing is the process of evaluating an organization’s adherence to relevant laws, regulations, policies, and industry standards. It usually involves a complete inspection of an organization’s practices, procedures, and controls to ensure they align with the established requirements. Compliance audits can be conducted by internal or external auditors, who must be independent of the processes being audited. Internal audits and compliance audits seem to have similar steps; however, they are very different, as compliance audits...

As we saw in the previous section, following the built-in compliance standards and enforcing policies in our resources is relatively easy. However, it is rare that we have only one resource or one subscription to apply those policies to. Usually, we will go through creating development environments and then deploying them again as production environments, and sometimes, we even maintain both with similar policies and enforcement rules.

Recreating a development environment in Azure is easy as there are several ways to replicate resources between resource groups or subscriptions by using, for example, ARM templates and command-line scripts. However, ARM templates are only used to describe one or multiple related resources. Role assignments from role-based access control (RBAC) and policies must be recreated and reassigned to each subscription, resource group, or resource. In this case, we have another service that helps us recreate environments in Azure...

In this chapter, we learned how to develop AI systems responsibly and how to develop an ethical approach using Responsible AI tools. We became familiar with the industry security standards and learned how to enforce them using the Azure Policy service. Reporting and automation for regulatory compliance were never easier as there are a lot of tools we can use to help us view and maintain the compliance status of our services. For reporting and auditing, we have the Compliance and Remediation blades in Azure Policy, Azure Resource Graph Explorer, and command-line tools. To automate environment creation, we can leverage the Azure Blueprints service and IaC.

Now that we have a strategy and some knowledge of multiple security standards available out of the box, let us see how we can implement all those controls and guardrails in our Azure environment. As always when it comes to ML, we will start with the data.

In the next chapter, we will explain data governance and how to...