Artificial Intelligence (AI) increasingly influences people's daily lives and plays a key role in the digital transformation of businesses and public administrations thanks to its ability to automate and facilitate decision-making. The benefits of intelligent systems are extraordinary, but the risks they entail may be even greater, making good AI governance more necessary than ever.
AI governance is responsible for ensuring the effective, efficient and acceptable use of AI by the organisation, which is necessary to implement the business strategy. We must properly differentiate between the scope of AI governance, which is more strategic in nature, and AI management, which is more focused on achieving the objectives set out in the strategy.

As Piattini and Fernández point out, AI governance falls within the scope of ISO/IEC 38507, while AI management falls within the scope of ISO/IEC 42001. There are also many other standards related to quality, security, etc., covering both the model and the data or software used in AI.
Rand advises integrating AI governance practices into existing frameworks rather than creating new ones, as leveraging existing processes promotes efficiency.
Since AI governance must necessarily include data governance, at I2SC we believe it is very interesting to use the UNE 0077 specification as a basis for developing AI governance.
To this end, in accordance with UNE 0077, I2SC proposes five additional, complementary processes for the AI Governance System, preceded by a review (as a first step) of the Data Governance System itself:
- Review of Data Governance within the organisation and, if necessary, expansion of its scope to include the governance of all data used by AI systems (training, testing, operation, etc.), so that the data contributes to the good performance of AI systems, obtaining the greatest value while mitigating the risks arising from its acquisition, use and exploitation.
- Establishment of the AI strategy, containing the organisation's vision, goals and objectives to ensure that AI contributes to its good performance, obtaining the greatest value while mitigating the risks arising from its acquisition, use and exploitation.
- Establishment of AI policies, best practices and procedures, with the aim of defining a regulatory organisational environment that enables the organisation's AI strategy to be implemented.
- Establishment of organisational structures for the governance, management and use of AI, which are necessary to assume the related responsibilities and must be equipped with sufficiently trained human resources to address these responsibilities successfully. This includes determining other bodies and roles involved in AI management, in particular those relating to the Chief AI Officer (responsible for AI governance), the AI Projects Office and those responsible for the various AI systems.
- Optimisation of AI risks (regulatory, financial, reputational, security, data protection and privacy, etc.), analysing the possible impact on the organisation, developing sustainable contingency mechanisms and monitoring them continuously. In addition to the ISO/IEC 27000 family of standards, the ISO/IEC 23894 standard is also useful in this process.
- Optimisation of AI value, which aims to determine and optimise the value of the organisation's AI services and assets. Following ISO/IEC TR 21221, we can identify the different benefits that intelligent systems can bring: functional, personal, social, cultural, intellectual, economic, etc.
Furthermore, as the UNE 0077 specification is also based on the ISO/IEC 38500 and COBIT frameworks, AI governance can be easily integrated into any organisation that has implemented, even partially, IT governance elements, and especially processes.

