AI and Ethics

https://doi.org/10.1007/s43681-024-00574-8

ORIGINAL RESEARCH

Investigating algorithm review boards for organizational responsible

artificial intelligence governance
Emily Hadley1 · Alan Blatecky1 · Megan Comfort1

Received: 24 May 2024 / Accepted: 4 September 2024

© The Author(s) 2024

Abstract
Organizations are increasingly developing and utilizing artificial intelligence (AI) tools. Responsible AI (RAI) governance
approaches including algorithm review board (ARBs) have emerged as important mechanisms to address potential AI risks
and harms. We interviewed 17 technical contributors at a variety of organizations about their experiences with internal
RAI governance. We summarized the first detailed findings on ARBs in practice, including their membership, scope, and
measures of success. We confirmed known ARBs in finance sectors and revealed extensive use of ARBs in health sectors.
Our findings suggest that Institutional Review Boards alone are insufficient for algorithm governance and that ARBs are
used in tandem with other RAI approaches. Integration with existing processes and leadership buy-in were considered
critical to the success of internal RAI governance. Financial tensions between profit and the cost of RAI were a major
concern for many participants. Future work should explore measurements of success for ARBs and expand analysis of
ARBs to other industries leading in AI implementation.

Keywords Artificial intelligence · Data science · Algorithm · Governance

1 Introduction or proposed as a potential governance approach [6, 8–11].

Theoretical proposals have included an AI Research Review
Responsible development and deployment of data science Committee, AI Ethics Board, and a Data and AI Ethics
and AI approaches requires commitment and action from Committee [9, 12, 13].
a variety of relevant parties. Organizations, including but Other RAI approaches that may operate in tandem with
not limited to public and private companies, government an ARB include internal RAI policies and protocols, Chief
agencies, nonprofits, and academic institutions, can play Data Officers (CDOs), and audits and assessments [1,
a particularly important role in designing and implement- 14–16]. Institutional review boards (IRBs) have also been
ing responsible artificial intelligence (RAI) governance proposed as appropriate for RAI, though with substantial
throughout the data science and AI life cycle [1]. Organiza- limitations [8, 12]. A few organizations have publicly pro-
tional action is acutely important in the United States given vided details on their internal RAI governance approaches
the limited landscape of AI law and regulation [2–7]. Even [17–20]. However, organizations may also not publicize
without a legal mandate, many organizations have reputa- their internal RAI approaches, which makes it hard to
tional, financial, and mission-aligned motivations for imple- understand or appreciate the breadth of approaches and les-
menting internal governance to support RAI [2, 6]. sons learned.
Algorithm review boards (ARBs) or similar committees Additionally, some publicized internal RAI governance
with technical and societal oversight of development and efforts are later followed by a quiet or loud dismantling
deployment of algorithms and AI systems have been used [21–24]. This has been a particularly noticeable phenom-
enon among large tech organizations that have announced
ARBs to great fanfare and then later dismantled them [25,
26]. This suggests that there are lessons that other compa-
Emily Hadley
[email protected] nies can learn about what it takes for committee-like inter-
nal RAI governance efforts to succeed and what may lead
1
RTI International, 3040 East Cornwallis Road, Research to failure.
Triangle Park, NC 27709- 2194, USA

13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
 AI and Ethics

In this work, we investigate internal RAI governance deploy a data science or AI tool that leads to great harm [2,
practices with a specific focus on ARBs by interviewing 17 6].
AI practitioners from a variety of organization types and Organizations therefore have a recognized interest in
sectors. We seek to answer the question, “What experi- implementing internal governance approaches to man-
ences have technical practitioners involved in the develop- age and mitigate these risks. Existing literature suggests
ment, use, or regulation of AI had with an ARBs or other that review boards or committees may be appropriate for
RAI approaches?” We also seek to explore the ingredients internal governance of AI [6, 8–11]. Theoretical propos-
required for success and the challenges to internal RAI gov- als have included an AI Research Review Committee, AI
ernance approaches. Ethics Board, and a Data and AI Ethics Committee [9, 12,
We discover that ARBs and similar boards have been 13]. Some of these proposals touch on topics like proposed
implemented, particularly in finance and health sectors, membership of a review board, logistics of board meetings,
although these are not standardized or well measured. We and the scope of board review, although none observe the
provide novel and explicit detail of these ARBs in practice use of these boards in practice. In this work, we aim to con-
and describe their tandem use with other internal gover- tribute real-world observations to this literature. We use the
nance approaches. We hear that IRBs are considered insuf- term “algorithm review board (ARB)” because this type of
ficient for organizational management of RAI. We learn that board or committee is intended to encompass a technical
integration with existing approaches and leadership buy-in and societal review including but not limited to ethics [1,
are among the attributes identified as critical to RAI suc- 44, 45]. “Algorithm” is also a larger umbrella than AI and
cess and overcoming major hurdles including the perceived recognizes that many organizations may want to use the
financial tension of profit with RAI. same review approach for machine learning, data science,
We discuss how practitioners, executives, and other orga- and other algorithms, even if not technically considered AI
nizational actors can use these findings to guide develop- systems.
ment of ARBs. RAI researchers can review the results to One notably similar approach is the use of IRBs [46].
better understand the state of internal governance in practice These review boards have been proven to better ensure the
and regulators can use this work to inform RAI guidelines. safety of human subjects in research, and some have pro-
Future work may continue to define and standardize the posed IRBs as appropriate for RAI [8]. However, others
structure, function, and best practices for effective use of have noted that the purview of IRBs may lack sufficient
ARBs with particular attention to metrics that demonstrate scope to adequately assess, document, and mitigate AI risks
success and effectiveness of ARBs. [12]. In this work, we seek to understand practitioner per-
spectives on the role, if any, for IRBs in RAI internal gover-
nance, and their relationship to ARBs.
2 Background and related work Several other promising approaches have been proposed
or implemented for organizational RAI governance [1, 16].
Prior work has established that data science and AI These may operate in tandem with a review board or com-
approaches have the potential to provide great benefit, but mittee. One approach is the use of policies, procedures, or
also the potential to cause substantial harm [27–30]. Exist- protocols to establish a standardized approach to RAI at an
ing governance and regulatory frameworks are generally organization. Their impact may vary from voluntary sugges-
deemed inadequate or too limited to address these harms tions for best practices to exacting definitions and explicit
[31–34]. New national and international “soft” and “hard” instructions with established consequences for impermissi-
legal governance frameworks have been proposed and are ble actions [47–50]. Another approach is granting one indi-
at varying states of acceptance and implementation [35–38]. vidual specific responsibility for reviewing and approving
These often center RAI principles and may include consid- uses of AI, such as a Chief AI Officer or a Chief Data Officer
eration of concepts like validity, reliability, safety, secu- (CDO) [51, 52]. A 2022 report found that 56% of more than
rity, resiliency, accountability, transparency, explainability, 850 survey organizations relied exclusively on a CDO or
interpretability, privacy, fairness, or mitigation of harmful similar role for RAI compliance [53]. A third approach is
bias [39]. Yet, organizations, including but not limited to the anticipation or measurement of potential harms through
public and private companies, government agencies, non- internal impact assessments or external audits [14, 54, 55].
profits, and academic institutions, are not waiting for these These approaches often explore the technical details of a
frameworks to be established and are already developing proposed AI solution. Results may be reviewed by an ARB
and deploying AI and data science tools [40–43]. In this or similar committee or a CDO. A final approach considered
context, organizations may be opening themselves up to in this work is required RAI training for individual contrib-
substantial reputational and financial risk if they develop or utors [15]. This training may help individuals incorporate

13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
AI and Ethics

RAI best practices directly into their contributions to AI. In LinkedIn), and snowball sampling from participants. We
this work, we seek to contextualize the use of ARBs in prac- contacted 35 individuals and interviewed 17 between July
tice with other known approaches. and September 2023.
ARBs and similar RAI approaches may be new for sec- All interviewees reported some connection to AI or data
tors and industries, particularly those that have not histori- science in their work, with AI and data science broadly
cally used enterprise risk management or similar regulatory defined. 11 interviewees used technical data science or ana-
approaches. The AI change management literature suggests lytics approaches, with 7 of these individuals involved in
that aligning AI adoption with company values, leadership training and building models and three actively using gen-
buy-in, AI education for all staff, and sufficient budget are erative AI. Of the remaining participants, Of the remaining
important for facilitating adoption of AI [56–58]. Highly 6 interviewees, 3 work in evaluation or regulatory capacities
regulated sectors like finance that already use model risk for data science or AI at their organization or other organi-
management practices like the “three lines of defense” model zations, 3 work in RAI research, and 1 individual works in
may be better positioned to extend existing approaches to AI both areas.
[55]. In this work, we seek to understand the success and
challenges faced by practitioners when implementing RAI 3.2 Interview process
in both highly regulated and less regulated sectors.
Interviews with participants ranged from 30 min to 1 h and
were conducted by video or voice call. Interviews were vol-
3 Methods untary, and all results were anonymized for both individual
and organizational identifiers. The study and interview pro-
To understand the current state of internal governance prac- tocol were reviewed by the RTI International IRB.
tices for RAI with a focus on ARBs, we conducted inter- A structured interview instrument was developed using
views with 17 participants who work with AI or data science the Interview Protocol Refinement (IPR) framework [60].
across a variety of organization types and sectors. Questions were developed and revised iteratively as study
interviews progressed. The interview protocol was piloted
3.1 Participants with two RTI International data scientists and further refined
based on feedback (Online Resource 1).
We utilized a purposive sampling approach with stratified
quotas (minimum n = 3) for type of organization (Academic, 3.3 Qualitative analysis
Government, Industry, Nonprofit) and sector (Finance,
Health, Tech, Other) [59]. The objective was to recruit a The Iterative Categorization technique was utilized for
wide variety of practitioners who have worked with AI and analyzing the qualitative data [61]. Deductive codes were
data science in a range of subject areas. We explicitly chose derived from the structured interview instrument. Inductive
participants who were most likely to actively participate codes, often subcodes to deductive categories, were added
in RAI approaches rather than individuals in leadership or during analysis (Online Resource 1). In the first phase of
marketing roles who might be familiar with RAI approaches analysis, coding extracts were summarized, reviewed, and
but lack practical experience. Given the novelty of ARBs grouped along with qualifiers and identifiers that linked to
and limited prior knowledge of which organizations might the source material. In the second phase of analysis, each
have ARBs, we did not use a purposive sample with only analysis file was read and re-read with attention to patterns
participants with experience with ARBs. and contradictions. These were assessed considering partic-
Table 1 illustrates the varying organization types and sec- ipant attributes, namely organization type and sector. Sum-
tors of participants. We recruited our participants through mary documents were linked together to form the basis of
direct contact; attendance at the 2023 Fairness, Account- the findings.
ability, and Transparency Conference and 2023 Joint Sta-
tistical Meeting; social media posts (e.g., Slack groups and
4 Results
Table 1 Participants by type of organization and sector
Finance Health Tech Other Total Eight interviewees reported use of a review board for
Academic 1 1 1 3 organizational algorithm, data science, or AI governance,
Government 3 3 including all individuals working in the health sector and at
Industry 2 3 3 8
industry finance organizations. These boards typically had
Nonprofit 1 2 3
custom names and though none were officially called an
Total 3 4 5 5 17

13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
 AI and Ethics

ARB, they met the definition of an ARB and will be referred scrutiny by the ARB. ARBs in other sectors reported only
to as ARBs in this manuscript. Table 2 provides an over- reviewing documentation or reviewing by request of devel-
view of the details from participants for the organizations opers. Three individuals reported that the intensity of these
that reported using an ARB as part of an internal RAI gov- reviews is calibrated to the potential risks involved with
ernance framework. Seven interviewees who did not report higher risks necessitating more stringent reviews. ARB
current use of an ARB said that an ARB would be a promis- review procedures may involve a scoring system or thresh-
ing approach in their organizations, including three inter- old requirements to guide go/no-go decisions. For some
viewees working in the tech sector. Only one interviewee ARBs, this process is iterative with reviews at multiple
said that an ARB was not a promising approach and cited development checkpoints which allows for committee feed-
the small size of their organization. back to developers for model improvement or conditional
Table 2 highlights the wide variety of expertise and con- implementation. Furthermore, several individuals empha-
tributory roles required for each ARB. Some participants sized the importance of ARB involvement from the plan-
(n = 2) at companies with larger ARBs of 12 or more people ning stage, highlighting a proactive approach to governance
described the use of subcommittees with three or four indi- that aligns with the lifecycle of technology development.
viduals to delegate reviews. Slightly more (n = 5) boards As noted in Table 2, three individuals reported use of an
solicited volunteers for participation on ARBs while the IRB and one individual in the health sector described it as
remaining (n = 3) included board participation as a job role a separate requirement in the RAI process. No individual
or requirement for specific positions. reported IRBs as sufficient or appropriate for ensuring
The extent and rigor of algorithm review processes varied responsible use of AI. Six individuals reported at least one
considerably among ARBs. In the finance sector and some limitation to using IRBs as part of an AI internal governance
of the health sector, every algorithm and model underwent process. These limitations included:

Table 2 Details of algorithm review boards in practice

1 2 3 4 5 6 7 8
Sector Government Tech Health Health Health Health Finance Finance
Persons Privacy officers, At minimum One-third of Individuals with At minimum, Clinicians Model risk Model risk
Involved research- one per- board from expertise in a regulatory officers, officers,
in Board ers, industry, son from a leadership, ethics, privacy, expert, a bio- with insight with insight
and nonprofit sociotechnical such as lead security, legal, statistician, from data from data
represent-atives background data scientist, operational, and and opera- scientists as scientists as
and one person manager, or clinical areas tional leader; needed needed
from a technical director others as
background needed, such
as a health
equity expert
or the IRB
chair
Selec- Voluntary Voluntary Voluntary Voluntary Job Voluntary Job Job Require-
tion Require-ment Require-ment ment
Process
Scope of Risk-based Review of Review Review of Review Review as Risk-Based Risk-Based
Review Review Documen-tation Everything Documen-tation Everything Requested in Review of Review of
Develop-ment Everything Everything
Use of Not Applicable Separately Not Specified Separately Used Required by Not Not Not
IRB Used Board Applicable Applicable Applicable
Meeting Quarterly Ad Hoc in Ad Hoc Monthly Monthly; Async Async Async
Cadence Release Process in Release Async &
Process Ad Hoc
In Release
Process
Decision Board has no Board has no Majority vote Unanimous vote Co-Chairs Board has Consensus Consensus
Power decision power decision power no decision Approval Approval
power
Mea- Not specified To be N approv- To be N registered Not specified N past due Lack of
sures of determined als; N issues determined tools; N findings public
Success caught before reviews; needing failures as
deploy-ment outcomes of resolution measure of
reviews success

13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
AI and Ethics

● The scope of an IRB is limited to research and generally industries mentioned gathering feedback from developers
not required or well known in industry settings. and reviewers about the internal review board process, and
● Data projects are often exempt from IRB review, im- one mentioned wanting to design a survey to better collect
pacting their usefulness in an internal AI governance this information. One individual considered strength of
process. brand reputation and lack of being sued as potential metrics
● Unpopularity and cultural backlash can result from of success.
the perception of IRBs as barriers to expediency and Table 3 details other RAI approaches used at participant
productivity. organizations. Every organization reporting an ARB also
● The conception and principles of an IRB are North had a RAI policy, procedure, or protocol. Policies, proce-
American–centric and not globally known, accepted, or dures, and protocols on AI governance, if any, were gen-
implemented. erally only available internally to staff. The exception was
● IRBs are not designed for long-term monitoring re- government interviewees who all described efforts to proac-
quired for deployment of AI. tively publish public protocols which, while voluntary, were
considered best practice.
ARB meeting logistics also varied. Four individuals, all Four individuals, including three at organizations with
from the finance and health industries, described a mostly ARBs, reported having an individual with responsibility
asynchronous review board process involving review of and decision-making power for approval of algorithms. The
documentation and technical reports with meetings among main benefits reported for this RAI approach was the speed
a smaller operational team as needed. Some individuals with which decisions could be made and clear responsibil-
(n = 3) described having review board meetings scheduled ity in the chain of command. Limitations included lack of
to align with the release process. One participant described broad knowledge such as when an individual lacks expertise
requiring all algorithms to be presented in a setting that was in multiple areas; too much work for one individual result-
also open to the broader data science community within ing in lower output or worse quality; potential conflict of
their organization. A second participant described previ- interest when an individual is making a decision that has
ously requiring all developers to present their RAI reports to direct or indirect impact on their own goals; influence of
the ARB, but then moving to an asynchronous process when personality contributing to an adversarial or permissive
this became too burdensome and challenging to coordinate RAI culture; lack of diverse opinions; and disruption fol-
with calendars. Time for approval varied. One finance inter- lowing employee turnover if this individual leaves without
viewee said low-risk approvals may be nearly instant while an implementation plan.
more complex approvals may take 2 weeks to 1 month. External audits, another promising RAI approach, were
One health interviewee said the full approval process may only reported in active use by individuals in the financial
take over a year with multiple 3- to 7-week checkpoints if sector. While a few other interviewees (n = 3) said that audits
deployed in a setting with electronic health records. Five may be useful, they were joined by seven other individu-
individuals reported that their internal governance commit- als in identifying reasons that audits or assessments were
tees were empowered to make go/no-go decisions about the hard to implement including undefined criteria for effec-
continued development or deployment of an algorithm. Two tive audits, company pushback, and high expense. Only one
of these individuals reported that the decision was made interviewee reported that their organization was actively
through voting. developing employee training related to RAI. Ten individu-
Defining success of an internal governance board was als said that RAI training would be useful, but seven also
a challenge for nearly all interviewees. One interviewee noted that training is often superficial or unduly burden-
explicitly said that this was challenging because there was some if not directly related to an employee’s work.
no clear industry understanding of success. Some interview-
ees (n = 4) from health and finance sectors reported track- 4.1 Ingredients for and challenges to success of
ing logistical metrics like the number of reviews, approvals, internal RAI governance
tools registered, and the percentage of deployed tools that
had completed quarterly or annual monitoring reviews, but When asked a general question about what was needed for
no participant provided a clear threshold for what was con- successful use of RAI internal governance, interviewees
sidered successful. Two individuals from health and finance unaided cited several factors shown in Table 4. The most
sectors reported a desire to attempt to track the number frequently mentioned item was integration with existing
of RAI-related bugs that were identified or mistakes that institutional bodies. Interviewees from the finance sector
were caught in the review process and better quantify anec- described how algorithm review and an ARB-like commit-
dotal reports of these items. Two individuals from health tee fit well with existing governance mechanisms in a risk

13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
 AI and Ethics

Table 3 Other internal governance approaches

Sector Algorithm Review Policy, Procedure, Individual with Impact Assessment Training
Board or Similar or Protocol Responsibility or External Audit or Certifi-
cation for
Developers
1 Government X X X
2 Nonprofit X
3 Nonprofit X
4 Tech X X
5 Tech
6 Health X X
7 Nonprofit
8 Academic
9 Health X X In Devel-
opment
10 Government
11 Health X X
12 Government X
13 Health X X
14 Academic X
15 Tech X X
16 Finance X X X X
17 Finance X X X X
Total 8 13 4 2 1

Table 4 Attributes for RAI success Table 5 Challenges to RAI success

Attribute N Challenge N Reporting
Reporting Financial Tensions 13
Integration with existing institutional governance bodies 10 Educating Staff on Policies 7
or methods Introducing More Bureaucracy 7
Leadership buy-in 6 Ongoing Monitoring 7
High contributor and developer receptivity 6 Vendor and Procurement Challenges 7
Existing regulatory culture 6 Enforcement of Responsibility 6
Transparent use and disclosure of AI systems 4 Scale or Speed of Work 5
Education of staff 4 RAI as Marketing or Performative 4
Required human-in-the-loop review for high-risk 2 Futureproofing 3
decisions
Expectation Setting 3
Size of Company 3
management framework. One interviewee emphasized that
large companies already have functions like legal audit, described how RAI governance was seen as losing money
enterprise risk management, and privacy and security prac- for an organization because it added friction to or slowed
tices, and that internal regulation of AI and data science down development. A few participants (n = 3) expressed
should use the same governance approaches. A second concerns that in economic downturns, internal governance
important factor was leadership buy-in. A few (n = 3) par- structures and roles appear vulnerable, and that internal
ticipants considered this the most important factor for the RAI governance may not be financially viable for small to
success of RAI internal governance. They described how medium sized organizations that are unlikely to see substan-
authentic commitment of executive leaders within an orga- tial profits from AI. Contrasting this perspective, a few indi-
nization to RAI was often accompanied by staff, funding, viduals (n = 2) from finance and healthcare organizations
and attention. One interviewee noted that a single data sci- stressed that patient and customer well-being is paramount,
entist was not going to be successful implementing a scal- especially for maintaining an organization’s reputation, and
able RAI framework. expressed that their organization would not compromise on
Interviewees also raised several potential challenges RAI governance even when it was expensive.
(Table 5) to the success of internal RAI governance. The Participants also highlighted several other challenges
most common issue (n = 13) was financial tensions between when asked a general question about challenges (Table 5).
RAI and profitability. Over a third (n = 7) of individuals These included educating staff on existing and new internal

13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
AI and Ethics

RAI efforts, particularly when announcements through participation as part of the job requirement described this
email or messaging apps are ignored, and addressing the per- generally as positive. Organizations considering develop-
ception that governance is unnecessary bureaucracy. Large ment of an ARB should be intentional in deciding what
organizations reported challenges with ongoing monitoring skillsets are needed and how participation is determined.
of deployed AI systems. Vendor issues included a lack of ARBs also varied in degree of algorithm or AI review.
standardized RAI reporting as well as unanswered questions Some ARBs, especially in health care and finance, reviewed
about legal liability in the case of AI harm. Enforcement all models and algorithms, requiring calculation of vari-
of responsibility was seen as a major challenge, especially ous measurements, detailed documentation, and other
at organizations where the ARB lacked go/no go decision organization-specific items. Other organizations only
power for use of algorithms. Large scale projects and the required review of the high-risk deployments while still
need to work fast were seen as potential issues for RAI others reviewed only documentation or only did review as
approaches, including an ARB, which often work more requested by developers. These findings suggest that organi-
slowly. A few individuals noted that it is relatively easy zations are still figuring out what works best, and that what
for RAI governance to be misused as a marketing tool or works well for one organization may not be appropriate for
performative action without substance and that it is hard to another. Most ARBs either met asynchronously or ad hoc
futureproof RAI governance to be adaptable for unknown with a smaller subset of the team, suggesting that the rou-
technologies and uses. Another challenge was setting clear tine logistics did not require frequent meetings. Even ARBs
expectations for what successful RAI governance looks like that did meet regularly met monthly or quarterly rather than
due to the invisibility of preventative success. One individ- weekly or even more often. This suggests that frequent
ual described how new employee performance metrics were meetings are not a hallmark of success for ARBs, and strong
needed because RAI contributors and teams were often logistics that support asynchronous work with smaller and
among the first to be fired as they did not appear to per- less frequent meetings may be preferable.
form well on existing code or efficiency-based performance The strategy for using ARBs to make decisions also
metrics. Finally, company size introduced varied RAI chal- varied. Health and finance generally granted boards go/
lenges, with smaller entities struggling with resources and no-go decision power while the sole government and tech
larger ones battling bureaucracy and siloed departments. examples did not grant decision-making power to the board.
This may reflect differences in corporate culture and defin-
ing a committee as advisory versus regulatory. The decision
5 Discussion process varied among ARBs with decision-making power,
with the spectrum ranging from consensus and unanimous
Nearly half of participants (n = 8) reported having an ARB- decision-making to majority votes to decisions made by
like board or committee tasked with reviewing AI or algo- board co-chairs. This again reflects the lack of standard-
rithms, although most were custom-named, and none were ization in ARBs with choices that likely align with exist-
called an ARB. This reflects a shared perception of the ing culture and processes. Future work may explore which
importance of a review board or committee but also the lack specific attributes are most effective in particular scenarios.
of standardization. Health and finance sectors seemed to Organizations seeking to develop their own RAI internal
have more robust review boards that were also more likely governance approaches can assess the variety of decisions
to require review of all models and algorithms. Although made in this work and select attributes that may be the most
both sectors are known for strong quality management successful in their own working environments.
approaches and rigorous risk management frameworks, the Nearly every participant at a company with an ARB
robust nature of algorithm review with boards and com- struggled to define a measure of ARB success and often
mittees in health care specifically has not been previously focused on the quantitative measures that were easiest to
reported in literature. Organizations in health and finance capture like number of registered tools, number of issues
sectors that use AI without RAI governance should be aware caught, and number of past due findings. Lack of ability to
of and likely seek to emulate the peers described in this measure success may translate to a lack of ability to prove
work. success, linked with other participant concerns that RAI
Most ARBs require a mix of technical and nontechnical individuals and teams are often the first to be fired because
experts, but requirements varied from privacy to ethics to of an inability to convey impact. In addition, the success of
IRB to sociotechnical expertise. This aligns with literature a RAI individual or team is shown in lack of major failure
that suggests that review boards should likely be tailored or effort, which is harder to measure and communicate than
to specific sector and organization needs [12, 13]. Slightly obvious and often harmful AI incidents. Several participants
more ARBs had voluntary participation, and those with expressed the need for better, clearer, and more significant

13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
 AI and Ethics

metrics for ARBs. Organizations seeking to implement RAI The second most cited attribute, and for some individuals
approaches should be aware of this challenge and address the most important, was leadership buy-in. This similarly
it up front when hiring RAI staff and developing ARBs. aligns with change management literature that suggests that
Researchers in the RAI space can seek to meaningfully con- leadership buy-in is crucial to driving large-scale change at
tribute by suggesting alternative measures for individual a company [56, 57]. Leadership buy-in comes with attention
and team contributors that are useful in a job evaluation and often additional resources like staff or funding. How-
environment. Future research may also explore the extent to ever, leadership buy-in must be authentic. Executives and
which metrics for ARBs help or hinder the broader justifica- other contributors in leadership roles should seek to edu-
tion of and commitment to RAI in practice. cate themselves on RAI and to meaningfully leverage their
Limited previous literature has theorized that IRBs may power to fund RAI work and staff ARBs.
be good governance tools for RAI [8]; however, this work Many participants expressed concern that profit was at
strongly suggests that IRBs are not appropriate alone for odds with safe, scalable, and reliable tools, and that this
ensuring RAI. More than half of participants discussed financial tension was a major challenge for the success of
the limitations of IRBs, including their limited scope, RAI. This concern echoes concerns among financial ten-
unpopularity, North American–centricity, and lack of use sions related to RAI as seen in literature and the news media
for long-term monitoring beyond human subject research. where companies have reported that ignoring RAI could
Individuals designing an internal AI governance program result in substantial losses, but that the upfront RAI costs
at an organization with an IRB should confer with the IRB may be difficult to meet [65–68]. Two participants from the
to discuss RAI resources needed for research with human health and finance sectors were notable exceptions in saying
subjects within IRB purview but should acknowledge that that they did not observe financial tension with RAI because
use of an IRB is likely insufficient for RAI and other mecha- of the focus on the patient or customer and the importance
nisms such as an ARB are considerably more comprehen- of reputation. Very real labor, time, and resource costs exist
sive and robust. for implementing RAI, and this burden may be particularly
Although ARBs were the focus of this investigation, we large at small organizations. Organizational leaders should
recognized that they were a novel concept and wanted to consider proactive methods to address these costs, such as
also hear about other RAI approaches organizations had obtaining explicit funding for RAI approaches, justifying
attempted or were using. RAI policies and protocols had costs to clients, and seeking effective implementation meth-
higher adoption than ARBs, but participants also expressed ods that will minimize costs where possible.
substantial concern about meaningful impact, especially Organizational leadership should also consider a handful
when they were voluntary or unaccompanied by other RAI of specific challenges. To address ongoing RAI monitoring
efforts. This aligns with existing literature that suggests that of deployed tools, organizations should consider develop-
companies may use policies and protocols for “ethics wash- ing a maintenance plan and obtain funding prior to deploy-
ing” and to give the appearance of caring about RAI, even ment. Organizations should also consider holding vendors
if it is not a real effect [62–64]. Single decisionmakers like a to the same RAI standards as internal tools as more stan-
CDO were also reported in tandem with an ARB, but more dardized documentation and resources may become avail-
individuals described limitations of this approach, including able in the coming years [69–72]. Another major challenge
not being future proof, lack of power or responsibility, lack was educating staff on RAI policies and protocols. Orga-
of diverse opinions or broad knowledge, personality, con- nizational leaders seeking to implement RAI governance
flict of interest, and too much work. Enterprise model risk should work closely with internal communications teams to
management has historically management framework, but explore approaches to best communicate and enforce RAI
participant concerns suggest that this approach may not be approaches. A final consideration is organizational cultural
appropriate for RAI [55]. Participants expressed interest in changes such as developing a culture of responsibility to
audits and employee training, but these were less common meaningfully hold individuals accountable and combat a
than ARBs. culture where RAI is performative or marketing. It is easy
The most cited attribute for successful implementation for organizations to commit to RAI in name only.
of RAI internal governance was integration with existing A few limitations exist for these findings. First, the use of
organizational regulatory approaches. This was particularly a purposive sampling approach means that these results are
important in sectors like health and finance that already from an intentionally narrow sample and are not intended to
have a strong regulatory culture, which may be lacking be broadly generalizable. Second, participants were deliber-
in other sectors like tech. Organizations creating an ARB ately selected to be more technical or task-oriented contribu-
should inventory existing data governance functions and tors and therefore may not have a broad or landscape view of
seek opportunities for integration. the full RAI governance landscape at an organization. This

13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
AI and Ethics

is a particular issue at large organizations where individu- a major concern for many participants. Future work should
als may not have awareness of RAI approaches upstream explore measurements of success for ARBs and evaluation
or downstream of their contributions. Finally, interviewees of ARBs in other industries with early adoption of AI.
were conducted in summer 2023, which preceded the US
AI Executive Order in October 2023 and provisional EU Supplementary Information The online version contains
supplementary material available at https://doi.org/10.1007/s43681-
AI Act in December 2023. These regulations may influence 024-00574-8.
the RAI approaches described in this text, particularly those
shared by individuals affiliated with government institutions Acknowledgements The authors would like to thank the anonymous
or that operate in the EU. participants who generously contributed their time and perspectives.
Organizations considering implementing internal RAI The authors would also like to thank Stephanie Hawkins and Jamia
Bachrach for their insights.
approaches can use the findings from this work to inform
their own decisions. Specifically, organizations considering Author contributions All authors contributed to the study conception
an ARB can use these results to inform development of their and design. Material preparation, data collection and analysis were
own ARB. Individual contributors and organizational lead- performed by Emily Hadley and Megan Comfort. The first draft of the
ers can also learn from that successes and challenges that manuscript was written by Emily Hadley and all authors commented
on previous versions of the manuscript. All authors read and approved
participants shared. Government regulators can use these the final manuscript.
findings to inform rules and regulations related to internal
RAI approaches, particularly ARBs or similar committees Funding This study was funded by RTI International.
for review of algorithms.
One major area of future work is defining metrics of suc- Data availability Interview protocol and deductive code data are avail-
able in the Online Supplement. Participant data is not available to pro-
cess for ARBs. No participant felt entirely confident in their tect participant privacy.
own metrics, and multiple participants mentioned concerns
that insufficient metrics may lead to RAI individual con-
Declarations
tributors or teams continuing to be fired because they do not
typically perform as well on existing employment metrics. Consent to participate Verbal informed consent was obtained prior to
Other future work may more directly measure which RAI each interview.
approaches are more successful than others with explicit
consideration of effectiveness by company size. This is Competing interests The authors have no competing interests to de-
clare that are relevant to the content of this article.
particularly important for small organizations that lack suf-
ficient resources for robust RAI implementation. Finally, Open Access This article is licensed under a Creative Commons
future work should investigate the use of ARBs and other Attribution-NonCommercial-NoDerivatives 4.0 International License,
RAI approaches in industries with early adoption of AI, which permits any non-commercial use, sharing, distribution and
such as manufacturing, transportation, and energy. reproduction in any medium or format, as long as you give appropri-
ate credit to the original author(s) and the source, provide a link to the
Creative Commons licence, and indicate if you modified the licensed
material. You do not have permission under this licence to share
6 Conclusion adapted material derived from this article or parts of it. The images or
other third party material in this article are included in the article’s Cre-
ative Commons licence, unless indicated otherwise in a credit line to
Organizations are not waiting for AI legislation and are the material. If material is not included in the article’s Creative Com-
already implementing internal RAI governance approaches, mons licence and your intended use is not permitted by statutory regu-
reflecting the importance of RAI governance for addressing lation or exceeds the permitted use, you will need to obtain permission
the risks of AI. ARB-like boards are already in use, particu- directly from the copyright holder. To view a copy of this licence, visit
http://creativecommons.org/licenses/by-nc-nd/4.0/.
larly in health and finance sectors. Numerous differences
exist in review board structure, scope, logistics, and deci-
sion power, suggesting ad hoc or customized development.
References
Other RAI approaches including policies and procedures,
CDOs, and audits and assessments are used in tandem with 1. Hadley, E., the United States: Prioritizing Policies for Further-
ARBs. IRBs alone were considered insufficient for ensuring ing Responsible Artificial Intelligence in. IEEE Int Conf Big
RAI development and deployment. Integration with exist- Data Big Data [Internet]. 2022 [cited 2023 Nov 16]. pp. 5029–38.
ing processes, particularly in sectors like health and finance (2022). https://ieeexplore.ieee.org/document/10020551
2. Kaminski, M.E. Regulating the Risks of AI [Internet]., Roch-
with strong regulatory cultures, and leadership buy-in were ester, N.Y.: [cited 2024 Jan 5]. (2022). https://papers.ssrn.com/
considered critical to the success of internal RAI gover- abstract=4195066
nance. Financial tensions between profit and RAI cost were 3. Kang, C., Satariano, A., As, A.I., Booms: Lawmakers Struggle to
Understand the Technology. N Y Times [Internet]. Mar 3 [cited

13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
 AI and Ethics

2023 Mar 3]; (2023). https://www.nytimes.com/2023/03/03/tech- 22. Cahn, A.F.: The first effort to regulate AI was a spec-
nology/artificial-intelligence-regulation-congress.html tacular failure [Internet]. Fast Co. 2019 [cited 2023
4. Leffer, L.: Biden’s Executive Order on AI Is a Good Start, Experts Sep 12]. https://www.fastcompany.com/90436012/
Say, but Not Enough [Internet]. Sci. Am. [cited 2024 Jan 5]. the-first-effort-to-regulate-ai-was-a-spectacular-failure
https://www.scientificamerican.com/article/bidens-executive- 23. Knight, W.: Elon Musk Has Fired Twitter’s ‘Ethical AI’ Team.
order-on-ai-is-a-good-start-experts-say-but-not-enough/ Wired [Internet]. [cited 2024 Jan 5]; https://www.wired.com/
5. Robles, P., Mallinson, D.J.: Catching up with AI: Pushing toward story/twitter-ethical-ai-team/
a cohesive governance framework. Polit Policy. 51, 355–372 24. Microsoft lays off entire AI ethics team while going all out on
(2023) ChatGPT [Internet]: Pop. Sci. 2023 [cited 2023 Mar 17]. https://
6. Board oversight of algorithmic risk| Deloitte US [Internet], www.popsci.com/technology/microsoft-ai-team-layoffs/
Deloitte, U.S.: [cited 2023 Nov 17]. https://www2.deloitte.com/ 25. Goldman, S.: Why Meta and Twitter’s AI and ML lay-
us/en/pages/center-for-board-effectiveness/articles/board-over- offs matter| The AI Beat [Internet]. VentureBeat.
sight-of-algorithmic-risk.html 2022 [cited 2024 Jan 5]. https://venturebeat.com/ai/
7. AI Regulation is Coming: - What is the Likely Out- why-meta-and-twitters-ai-and-ml-layoffs-matter-the-ai-beat/
come? [Internet]. [cited 2024 Jan 5]. https:// 26. Vynck, G.D., Oremus, W., As, A.I.: booms, tech firms are laying
w w w. c s i s . o r g / b l o g s / s t r a t e g i c - t e c h n o l o g i e s - b l o g / off their ethicists. Wash Post [Internet]. 2023 Apr 3 [cited 2024
ai-regulation-coming-what-likely-outcome Jan 5]; https://www.washingtonpost.com/technology/2023/03/30/
8. Blackman, R., If Your Company Uses, A.I., It Needs an tech-companies-cut-ai-ethics/
Institutional Review Board:. Harv Bus Rev [Internet]. 27. McGregor, S.: Preventing repeated Real World AI failures by cat-
2021 Apr 1 [cited 2023 Nov 17]; https://hbr.org/2021/04/ aloging incidents: The AI Incident Database. Proc. AAAI Conf.
if-your-company-uses-ai-it-needs-an-institutional-review-board Artif. Intell. 35, 15458–15463 (2021)
9. Tiell, S.: Create an Ethics Committee to Keep Your 28. Nasim, S.F., Ali, M.R., Kulsoom, U.: Artificial Intelligence Inci-
AI Initiative in Check [Internet]. Harvard Busi- dents & Ethics A Narrative Review. Int. J. Technol. Innov. Manag
ness Review; (2019). https://hbr.org/2019/11/ IJTIM. 2, 52–64 (2022)
create-an-ethics-committee-to-keep-your-ai-initiative-in-check 29. Tomašev, N., Cornebise, J., Hutter, F., Mohamed, S., Picciariello,
10. Equity and Bias in Algorithms: A Discussion of the Landscape and A., Connelly, B., et al.: AI for social good: Unlocking the oppor-
Techniques for Practitioners| Amstat News [Internet]. 2022 [cited tunity for positive impact. Nat. Commun. 11, 2468 (2020)
2023 Nov 17]. https://magazine.amstat.org/blog/2022/09/01/ 30. Yeasmin, S.: Benefits of Artificial Intelligence in Medicine. 2nd
algorithms/ Int Conf Comput Appl Inf Secur ICCAIS [Internet]. 2019 [cited
11. Your business’s A.I: needs an ethics watchdog with teeth [Internet]. 2024 Jan 5]. pp. 1–6. (2019). https://ieeexplore.ieee.org/abstract/
Fortune. [cited 2023 Nov 17]. https://fortune.com/2022/03/04/ document/8769557
artificial-intelligence-ai-watchdog-review-board/ 31. Buolamwini, J., Friedman, B.: Opinion| How the Federal Gov-
12. Jordan, S.R.: Designing Artificial Intelligence Review Boards: ernment Can Rein In A.I. in Law Enforcement. N Y Times
Creating Risk Metrics for Review of AI. IEEE Int Symp Technol [Internet]. 2024 Jan 2 [cited 2024 Jan 8]; https://www.nytimes.
Soc ISTAS [Internet]. 2019 [cited 2024 Jan 8]. pp. 1–7. (2019). com/2024/01/02/opinion/ai-police-regulation.html
https://ieeexplore.ieee.org/abstract/document/8937942 32. Cath, C.: Governing artificial intelligence: ethical, legal and tech-
13. How to Design an AI Ethics: Board| GovAI [Internet]. [cited nical opportunities and challenges. Philos Transact A Math Phys
2024 Jan 8]. https://www.governance.ai/research-paper/ Eng Sci [Internet]. 2018 [cited 2024 Jan 8];376. https://www.
how-to-design-an-ai-ethics-board ncbi.nlm.nih.gov/pmc/articles/PMC6191666/
14. Institute, A.N.: Algorithmic Accountability: Moving Beyond 33. Ruschemeier, H.: AI as a challenge for legal regulation– the scope
Audits [Internet]. AI Inst. 2023 [cited 2024 Jan 5]. https://ainow- of application of the artificial intelligence act proposal. ERA
institute.org/publication/algorithmic-accountability Forum. 23, 361 (2023)
15. September: 2, Salesforce Debuts AI Ethics Model: How Ethical 34. Will the White House AI Executive Order deliver
Practices Further Responsible Artificial Intelligence [Internet]. on its promises? [Internet]: Brookings. [cited
Salesforce. 2021 [cited 2024 Jan 5]. (2021). https://www.sales- 2024 Jan 8]. https://www.brookings.edu/articles/
force.com/news/stories/salesforce-debuts-ai-ethics-model-how- will-the-white-house-ai-executive-order-deliver-on-its-promises/
ethical-practices-further-responsible-artificial-intelligence/ 35. House, T.W.: Executive Order on the Safe, Secure, and Trust-
16. Taeihagh, A.: Governance of artificial intelligence. Policy Soc. worthy Development and Use of Artificial Intelligence [Internet].
40, 137–157 (2021) White House. 2023 [cited 2024 Jan 8]. https://www.whitehouse.
17. Responsible Use of Technology: The Salesforce Case gov/briefing-room/presidential-actions/2023/10/30/executive-
Study [Internet]. World Econ. Forum. [cited 2023 order-on-the-safe-secure-and-trustworthy-development-and-use-
Sep 25]. https://www.weforum.org/whitepapers/ of-artificial-intelligence/
responsible-use-of-technology-the-salesforce-case-study/ 36. Artificial Intelligence Act: deal on comprehensive rules for trust-
18. Why we launched DeepMind: Ethics & Society [Inter- worthy AI| News| European Parliament [Internet]. 2023 [cited
net]. [cited 2023 Mar 17]. https://www.deepmind.com/blog/ 2024 Jan 8]. https://www.europarl.europa.eu/news/en/press-
why-we-launched-deepmind-ethics-society room/20231206IPR15699/artificial-intelligence-act-deal-on-
19. CMS Technical Review Board [Internet]: [cited 2024 Jan 5]. comprehensive-rules-for-trustworthy-ai
https://www.cms.gov/tra/Foundation/FD_0060_Foundation_ 37. Blueprint for an AI Bill of Rights| OSTP [Internet]: White
TRB.htm House. [cited 2024 Jan 8]. https://www.whitehouse.gov/ostp/
20. AI Ethics [Internet]: [cited 2024 Jan 5]. https://www.adobe.com/ ai-bill-of-rights/
about-adobe/aiethics.html 38. An Overview of Emerging Global AI Regulations [Inter-
21. Budds, D.: New York City’s AI task force stalls [Inter- net]: Securiti. [cited 2024 Jan 8]. https://securiti.ai/
net]. Curbed NY. [cited 2023 Sep 12]. (2019). ai-regulations-around-the-world/
h t t p s : / / n y. c u r b e d . c o m / 2 0 1 9 / 4 / 1 6 / 1 8 3 3 5 4 9 5 / 39. Trustworthy and Responsible AI. NIST [Internet]: [cited 2023 Nov
new-york-city-automated-decision-system-task-force-ai 17]; (2022). https://www.nist.gov/trustworthy-and-responsible-ai

13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
AI and Ethics

40. Enholm, I.M., Papagiannidis, E., Mikalef, P., Krogstie, J.: Arti- 59. Campbell, S., Greenwood, M., Prior, S., Shearer, T., Walkem,
ficial Intelligence and Business Value: A literature review. Inf. K., Young, S., et al.: Purposive sampling: Complex or simple?
Syst. Front. 24, 1709–1734 (2022) Research case examples. J. Res. Nurs. JRN. 25, 652–661 (2020)
41. Ouyang, F., Zheng, L., Jiao, P.: Artificial intelligence in online 60. Castillo-Montoya, M.: Preparing for interview research: The
higher education: A systematic review of empirical research from interview protocol refinement Framework. Qual. Rep. 21, 811–
2011 to 2020. Educ. Inf. Technol. 27, 7893–7925 (2022) 831 (2016)
42. Rajpurkar, P., Chen, E., Banerjee, O., Topol, E.J.: AI in health and 61. Neale, J.: Iterative categorization (IC): A systematic technique
medicine. Nat. Med. 28, 31–38 (2022) for analysing qualitative data. Addict. Abingdon Engl. 111, 1096–
43. How Businesses Are Using Artificial Intelligence: In 2024– 1106 (2016)
Forbes Advisor [Internet]. [cited 2024 Jan 8]. https://www.forbes. 62. Bietti, E.: From ethics washing to ethics bashing: a view on tech
com/advisor/business/software/ai-in-business/ ethics from within moral philosophy. Proc 2020 Conf Fairness
44. Concha, J., News Corp: CEO urges creation of ‘algorithm review Account Transpar [Internet]. New York, NY, USA: Association
board,’ slams Silicon Valley giants [Internet]. The Hill. 2018 [cited for Computing Machinery; 2020 [cited 2024 Jan 9]. pp. 210–9.
2024 Jan 22]. https://thehill.com/homenews/media/387236- https://doi.org/10.1145/3351095.3372860
news-corp-ceo-urges-creation-of-algorithm-review-board-slams- 63. van Maanen, G.A.I., Ethics: Ethics washing, and the need to
silicon-valley/ Politicize Data Ethics. Digit. Soc. 1, 9 (2022)
45. Manea, A.: Moral Injury to inform analysis of post-traumatic 64. Schultz, M., Conti, L.G., Seele, P. Corporate Legitimacy via Digi-
stress disorder. Sr. Theses;1–59. (2023) tal Ethicswashing? A Systematic Review on Misleading AI Com-
46. Abbott, L., Grady, C.: A systematic review of the empirical lit- munication. Acad Manag Proc. 2023:14727. (2023)
erature evaluating IRBs: What we know and what we still need to 65. Bessen, J., Impink, S.M., Seamans, R.: The Cost of Ethical AI
learn. J. Empir. Res. Hum. Res. Ethics. 6, 3–19 (2011) Development for AI Startups. Proc 2022 AAAIACM Conf AI
47. Our Principles [Internet]: Google AI. [cited 2022 Sep 26]. https:// Ethics Soc [Internet]. New York, NY, USA: Association for Com-
ai.google/principles/ puting Machinery; 2022 [cited 2024 Jan 9]. pp. 92–106. https://
48. Facebook’s five pillars of Responsible AI [Inter- doi.org/10.1145/3514094.3534195
net]: [cited 2024 Jan 8]. https://ai.meta.com/blog/ 66. Rama, B.G.: 01/02/2024. Ignoring Responsible AI Could Cost
facebooks-five-pillars-of-responsible-ai/ Orgs at Least $1 M - [Internet]. Pure AI. [cited 2024 Jan 9].
49. Trustworthy Artificial Intelligence (AI)™| Deloitte US [Inter- https://pureai.com/articles/2024/01/02/responsible-ai-cost.aspx
net]. [cited 2024 Jan 8]. https://www2.deloitte.com/us/en/pages/ 67. Adapting Your Organization for Responsible AI [Internet].
deloitte-analytics/solutions/ethics-of-ai-framework.html Bain: [cited 2024 Jan 9]. (2024). https://www.bain.com/insights/
50. Microsoft Responsible: AI Standard v2 General Requirements. adapting-your-organization-for-responsible-ai/
Impact Assess 68. New report documents the business benefits of: ‘respon-
51. 8 ways chief data officers can demonstrate value| MIT Sloan sible AI’| MIT Sloan [Internet]. 2024 [cited 2024 Jan
[Internet]: [cited 2023 Sep 19]. (2023). https://mitsloan.mit.edu/ 9]. https://mitsloan.mit.edu/ideas-made-to-matter/
ideas-made-to-matter/8-ways-chief-data-officers-can-demon- new-report-documents-business-benefits-responsible-ai
strate-value 69. Dor, L.M.B., Coglianese, C.: Procurement as AI Governance.
52. Survey details data: officers’ priorities, challenges IEEE Trans. Technol. Soc. 2, 192–199 (2021)
for 2023| MIT Sloan [Internet]. 2023 [cited 2023 Sep 70. mbracken, Federal: CISO says White House targeting AI pro-
19]. https://mitsloan.mit.edu/ideas-made-to-matter/ curement as part of conversation on looming executive order,
survey-details-data-officers-priorities-challenges-2023 guidance [Internet]. FedScoop. 2023 [cited 2024 Jan 9]. https://
53. From, A.I.: compliance to competitive advantage [Internet]. fedscoop.com/federal-ciso-chris-derusha-ai-procurement-ai-
[cited 2024 Jan 8]. https://www.accenture.com/us-en/insights/ executive-order-guidance/
artificial-intelligence/ai-compliance-competitive-advantage 71. Adopting, A.I., Responsibly: Guidelines for Procurement of AI
54. Selbst, A.D. An Institutional View Of Algorithmic Impact Assess- Solutions by the Private Sector [Internet]. World Econ. Forum.
ments [Internet]., Rochester, N.Y.: [cited 2024 Jan 8]. (2021). [cited 2024 Jan 9]. https://www.weforum.org/publications/adopt-
https://papers.ssrn.com/abstract=3867634 ing-ai-responsibly-guidelines-for-procurement-of-ai-solutions-
55. Comptroller’s Handbook: Model Risk Management. Office of the by-the-private-sector/
Comptroller of Currency (2021) 72. A guiding framework to vetting public sector technology vendors
56. Errida, A., Lotfi, B.: The determinants of organizational change [Internet]: Ford Found. [cited 2024 Jan 9]. https://www.fordfoun-
management success: Literature review and case study. Int. J. dation.org/work/learning/research-reports/a-guiding-framework-
Eng. Bus. Manag. 13, 18479790211016273 (2021) to-vetting-public-sector-technology-vendors/
57. Fountaine, T., McCarthy, B., Saleh, T. Building the AI-Powered
Organization (2019) Publisher’s note Springer Nature remains neutral with regard to juris-
58. Responsible, A.I., BCG Glob: at a Crossroads [Internet]. [cited dictional claims in published maps and institutional affiliations.
2024 Jan 9]. (2023). https://www.bcg.com/publications/2023/
ai-responsibility-at-crossroads

13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Terms and Conditions
Springer Nature journal content, brought to you courtesy of Springer Nature Customer Service Center GmbH (“Springer Nature”).
Springer Nature supports a reasonable amount of sharing of research papers by authors, subscribers and authorised users (“Users”), for small-
scale personal, non-commercial use provided that all copyright, trade and service marks and other proprietary notices are maintained. By
accessing, sharing, receiving or otherwise using the Springer Nature journal content you agree to these terms of use (“Terms”). For these
purposes, Springer Nature considers academic use (by researchers and students) to be non-commercial.
These Terms are supplementary and will apply in addition to any applicable website terms and conditions, a relevant site licence or a personal
subscription. These Terms will prevail over any conflict or ambiguity with regards to the relevant terms, a site licence or a personal subscription
(to the extent of the conflict or ambiguity only). For Creative Commons-licensed articles, the terms of the Creative Commons license used will
apply.
We collect and use personal data to provide access to the Springer Nature journal content. We may also use these personal data internally within
ResearchGate and Springer Nature and as agreed share it, in an anonymised way, for purposes of tracking, analysis and reporting. We will not
otherwise disclose your personal data outside the ResearchGate or the Springer Nature group of companies unless we have your permission as
detailed in the Privacy Policy.
While Users may use the Springer Nature journal content for small scale, personal non-commercial use, it is important to note that Users may
not:

1. use such content for the purpose of providing other users with access on a regular or large scale basis or as a means to circumvent access
control;
2. use such content where to do so would be considered a criminal or statutory offence in any jurisdiction, or gives rise to civil liability, or is
otherwise unlawful;
3. falsely or misleadingly imply or suggest endorsement, approval , sponsorship, or association unless explicitly agreed to by Springer Nature in
writing;
4. use bots or other automated methods to access the content or redirect messages
5. override any security feature or exclusionary protocol; or
6. share the content in order to create substitute for Springer Nature products or services or a systematic database of Springer Nature journal
content.
In line with the restriction against commercial use, Springer Nature does not permit the creation of a product or service that creates revenue,
royalties, rent or income from our content or its inclusion as part of a paid for service or for other commercial gain. Springer Nature journal
content cannot be used for inter-library loans and librarians may not upload Springer Nature journal content on a large scale into their, or any
other, institutional repository.
These terms of use are reviewed regularly and may be amended at any time. Springer Nature is not obligated to publish any information or
content on this website and may remove it or features or functionality at our sole discretion, at any time with or without notice. Springer Nature
may revoke this licence to you at any time and remove access to any copies of the Springer Nature journal content which have been saved.
To the fullest extent permitted by law, Springer Nature makes no warranties, representations or guarantees to Users, either express or implied
with respect to the Springer nature journal content and all parties disclaim and waive any implied warranties or warranties imposed by law,
including merchantability or fitness for any particular purpose.
Please note that these rights do not automatically extend to content, data or other material published by Springer Nature that may be licensed
from third parties.
If you would like to use or distribute our Springer Nature journal content to a wider audience or on a regular basis or in any other manner not
expressly permitted by these Terms, please contact Springer Nature at

[email protected]