Effective AI governance requires transparency, but this does not extend to the mandatory disclosure of proprietary methods or trade secrets. While the marketing company should be transparent about the AI's purpose, its limitations, and its adherence to legal standards, revealing the underlying proprietary algorithms of the third-party LLM is not a standard or required practice. Disclosing such information would compromise the technology company's intellectual property and competitive advantage. The principle of explainability focuses on making the outcomes and general logic of an AI system understandable, not on revealing its source code or specific architectural details.

A. Intended purpose: Disclosing the purpose of the AI system is a fundamental aspect of transparency, ensuring stakeholders understand why and how the technology is being used.

C. Compliance with law: A disclosure of legal compliance is a standard component of corporate governance and risk management, providing assurance to clients, users, and regulators.

D. Acknowledgement of limitations: Acknowledging potential inaccuracies, biases, or other limitations is a key principle of responsible and trustworthy AI, managing user expectations and preventing over-reliance.

1. NIST AI Risk Management Framework (AI RMF 1.0)

January 2023.

Section 4.2.2

Page 23: The framework states that the level of transparency can be "constrained by law

policy

or confidentiality considerations (e.g.

intellectual property

trade secrets

or privacy)." This directly supports that proprietary methods are an exception to full disclosure.

2. OECD

"Recommendation of the Council on Artificial Intelligence

" OECD/LEGAL/0449

2019 (updated 2024).

Principle 1.4

"Transparency and explainability": This principle calls for providing "meaningful information

appropriate to the context." This contextual approach allows organizations to balance the need for transparency with the legitimate need to protect intellectual property and trade secrets.

3. European Commission's High-Level Expert Group on AI

"Ethics Guidelines for Trustworthy AI

" April 8

2019.

Chapter II

Page 15 (under "The requirement of Transparency"): The guidelines state

"The transparency requirement must also be balanced against the need to protect intellectual property rights and trade secrets... a trade-off may be needed between transparency and security." This explicitly acknowledges that proprietary information should be protected.

The described AI system, "CrimeBuster 9619," is designed to predict the likelihood of an individual re-offending, which is then used by parole boards. Under the EU AI Act, this constitutes a form of social scoring by a public authority. Article 5(1)(c) of the Act explicitly prohibits AI systems that evaluate or classify individuals based on their behavior or personal characteristics, leading to a "social score" that results in detrimental treatment. A parole decision based on such a score is a clear example of detrimental treatment. Therefore, this application of AI is considered to pose an unacceptable risk to fundamental rights and is banned from being placed on the EU market.

A. Require the company to register the tool with the EU database.

This is a requirement for high-risk AI systems, not for systems that are prohibited and cannot legally enter the market.

B. Be subject approval by the relevant EU authority.

Prohibited systems are not eligible for an approval process; they are banned outright. This process applies to high-risk systems.

C. Require a detailed conformity assessment.

This is the core compliance procedure for high-risk AI systems. Since this system is in the prohibited category, it cannot undergo this assessment.

1. Regulation of the European Parliament and of the Council on laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)

Final Adopted Text (13 March 2024)

P9TA(2024)0138.

Article 5(1)(c) states that the following AI practice shall be prohibited: "an AI system that evaluates or classifies natural persons or groups of natural persons over a certain period of time based on their social behaviour or known

inferred or predicted personal or personality characteristics

with the social score leading to ... detrimental or unfavourable treatment of certain natural persons or whole groups thereof that is unjustified or disproportionate to their social behaviour." The system described fits this definition of a prohibited social scoring system.

2. European Parliament

"EU AI Act: first regulation on artificial intelligence

" Briefing

Page 2

March 2024.

This official briefing document summarizes the regulation and lists "unacceptable risk" AI systems that are banned. It explicitly includes "social scoring systems by public and private actors

" confirming that such systems are prohibited

not just regulated as high-risk.

3. Veale

M.

& Zuiderveen Borgesius

F. (2021). "Demystifying the Draft EU Artificial Intelligence Act." Computer Law Review International

22(4)

Section 3.1.

This academic analysis of the Act's draft (the principles of which were carried into the final text) explains the rationale behind prohibiting social scoring

noting that it "creates a serious risk of discrimination and exclusion" and can "violate the right to human dignity

" which is the foundational logic for banning systems like the one in the question. (DOI: https://doi.org/10.9785/cri-2021-220402)

The Acceptable Use Policy (AUP) is the most important policy for assessing the operational implications of a third-party AI model. The AUP explicitly outlines the vendor's rules regarding the intended and prohibited uses of their service. For a governance team, this document is paramount as it defines the contractual and ethical boundaries within which the AI model can be operated. It directly addresses questions of how the model can be integrated into workflows, what tasks it can perform, and what constitutes misuse, which are central to evaluating operational and ethical risks before deployment.

B. The privacy policy focuses on how the provider handles personal data, not the functional or operational rules for using the AI model.

C. The security policy describes measures to protect the system from threats, which is a technical risk assessment, not a guide to its proper operational use.

D. The code of conduct policy governs the behavior of the vendor's employees, not the operational use of the AI product by a customer.

1. NIST. (2023). Artificial Intelligence Risk Management Framework (AI RMF 1.0). U.S. Department of Commerce

National Institute of Standards and Technology. In the Govern function

subcategory GOVERN.P5 (p. 20) states that for procurement

organizations should understand the "AI system’s intended uses and capabilities." The AUP is the primary policy document that formally defines these intended uses and restrictions for a third-party product.

2. Floridi

L.

& Cowls

J. (2019). A Unified Framework of Five Principles for AI in Society. Harvard Data Science Review

1(1). https://doi.org/10.1162/99608f92.8cd550d1. The principle of "Beneficence" (promoting well-being) and "Non-maleficence" (preventing harm) requires a clear understanding of an AI system's intended application domain and limitations. An AUP is the operational tool that codifies these principles by defining acceptable and unacceptable uses.

3. Stanford University. (2023). CS 182: Ethics

Public Policy

and Technological Change Course Syllabus. Course materials frequently discuss how Terms of Service and Acceptable Use Policies serve as the primary governance instruments that define the scope of permissible actions for users of a technology platform

thereby setting the operational rules.

The AI technology described is a multi-modal model because it is designed to process and integrate information from multiple distinct data types, or "modalities." In this case, the modalities are text, video, images, and sound. Multi-modal AI systems leverage the combination of these different data sources to achieve a more comprehensive and contextually rich understanding of the input, which is essential for tasks like accurately tagging diverse content. This approach mimics the human ability to synthesize information from various senses to interpret the world.

A. Deductive inference: This is a form of logical reasoning that derives specific conclusions from general premises, not a classification of an AI model based on its input data types.

C. Transformative AI: This is a broad, strategic term describing AI with a significant societal or business impact, not a specific technical category for a model's architecture.

D. Expert system: This is a type of AI that emulates the decision-making of a human expert in a narrow domain, typically using a predefined knowledge base and rules, rather than processing multiple raw data types.

1. Baltrušaitis

T.

Ahuja

C.

& Morency

L. P. (2018). "Multimodal Machine Learning: A Survey and Taxonomy." IEEE Transactions on Pattern Analysis and Machine Intelligence

41(2)

423-443. Section I (Introduction) defines multimodality as building models that can "process and relate information from multiple modalities

" listing examples such as video

audio

and text. (DOI: https://doi.org/10.1109/TPAMI.2018.2798607)

2. Stanford University. (2021). CS224N: NLP with Deep Learning

Winter 2021

Lecture 15: Multimodality and Language. Slide 4

"What is multimodality?"

defines the concept as connecting language to other modalities like vision (images

video) and audio

which directly aligns with the scenario described in the question. (Available at: http://web.stanford.edu/class/cs224n/slides/cs224n-2021-lecture-15-multimodality.pdf)

3. Russell

S. J.

& Norvig

P. (2020). Artificial Intelligence: A Modern Approach (4th ed.). Pearson. Chapter 8

"First-Order Logic

" discusses inference methods like deduction. Chapter 9

"Inference in First-Order Logic

" details the mechanisms. This source distinguishes logical reasoning from model architectures.

Effective AI governance is fundamentally a multidisciplinary and cross-cutting function. AI systems impact virtually every part of an organization, including legal, ethics, data science, IT, security, and business operations. Therefore, a foundational characteristic of a successful governance program is the engagement of a cross-functional team. This team brings together diverse expertise and perspectives to ensure that policies are comprehensive, risks are identified from all angles (e.g., technical, legal, reputational), and the governance framework is integrated throughout the organization's structure and culture. Without this collaborative approach, governance efforts would be siloed and incomplete.

B. Reliance on tested vendor management processes: This is a specific component of a broader AI governance program, not its foundational characteristic.

C. Thorough reviews of a company’s public filings with experts: This is an external-facing due diligence or compliance activity, not a core, internal principle of how AI governance operates.

D. Uniform policies and procedures across developer, deployer and user roles: Policies must be tailored to the distinct responsibilities and contexts of different roles; a uniform approach would be ineffective.

---

1. National Institute of Standards and Technology (NIST). (2023). AI Risk Management Framework (AI RMF 1.0).

Reference: Page 12

Section 3.1

"GOVERN." The document states

"Governance is a cross-cutting function... Effective governance requires accountability structures to implement AI risk management processes. This includes assigning roles

responsibilities

and lines of communication for different teams..." This highlights the need for coordination across various teams

which is the essence of a cross-functional approach.

2. World Economic Forum. (2021). AI Governance: A Holistic Approach to Implement Responsible AI.

Reference: Page 10

"Set up the governance structure." The report explicitly recommends establishing a "cross-functional steering committee" as a key step. It suggests this committee should include "representatives from legal

compliance

data

technology

business

and other relevant functions" to ensure a holistic view.

3. Ransbotham

S.

Kharlamov

A.

& Mazumdar

S. (2023). The New Rules of AI Governance. MIT Sloan Management Review.

Reference: In the section "Establish a Cross-Functional Governance Team

" the article states

"Effective governance requires a cross-functional team that includes business

analytics

and IT leaders... This team should be responsible for setting AI policies

overseeing AI projects

and ensuring that AI is used ethically and responsibly." This directly identifies the cross-functional team as a requirement for effective governance.

The scenario describes the collection of several data points (full name, date of birth, gender, IP address, and location) for an app whose stated purpose is to analyze user-uploaded images and videos for lifestyle recommendations. This collection practice directly implicates two core GDPR principles.

1. Data Minimization (Article 5(1)(c)): This principle requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." It is questionable whether a user's full name, specific date of birth, gender, and continuous location data are all strictly necessary to analyze images and provide lifestyle advice.

2. Purpose Limitation (Article 5(1)(b)): This principle mandates that data be "collected for specified, explicit and legitimate purposes." Collecting excessive data suggests it might be used for other, unstated purposes, thereby violating this principle.

B. Accountability is the controller's responsibility to demonstrate compliance, not the violation itself. Lawfulness cannot be determined as the legal basis (e.g., consent) is not mentioned.

C. Transparency relates to informing users about data processing, which is not detailed in the scenario. Accuracy is about ensuring data is correct, which is not the issue here.

D. Integrity and Confidentiality relate to securing data against unauthorized access or breaches, not the principles governing the scope of initial data collection.

1. General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679.

Article 5(1)(b): "Personal data shall be... collected for specified

explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes..."

Article 5(1)(c): "Personal data shall be... adequate

relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)..."

2. Stanford University

"GDPR: Key Requirements." Stanford University IT. Accessed 2023.

In its summary of GDPR principles

the resource explains that Data Minimization requires organizations to "ensure the personal data you are processing is... limited to what is necessary for the purposes." It also defines Purpose Limitation as requiring data to be "collected for specified

explicit

and legitimate purposes." The scenario presents a clear conflict with these requirements.

3. Voigt

P.

& Von dem Bussche

A. (2017). The EU General Data Protection Regulation (GDPR): A Practical Guide. Springer.

In Chapter 4

"Principles relating to processing of personal data

" the authors explain that data minimization (p. 81) is a key obligation to limit collection to what is necessary for the purpose. They further clarify that purpose limitation (p. 78) restricts processing to the specific purposes for which the data was originally collected

preventing function creep. The app's broad data collection for a narrow purpose violates both concepts.

The case study specifies that the company's primary goal for implementing the AI tool is to "identify and retain the best talent." Therefore, improving candidate quality is the intended positive outcome, not a negative consequence. The other options represent well-documented risks associated with using AI in hiring. Automation bias occurs when human reviewers excessively trust the AI's output. Privacy violations can arise from mishandling candidate data. Disparate impacts refer to discriminatory outcomes where the AI systematically disadvantages individuals from protected groups, even if unintentionally.

A. Automation bias: This is a known negative consequence where human decision-makers over-rely on an AI system's recommendations, reducing critical oversight and potentially leading to poor decisions.

C. Privacy violations: The AI tool processes resumes containing sensitive personal data, creating a significant risk of data breaches or misuse, which constitutes a negative consequence.

D. Disparate impacts: AI hiring tools trained on historical data can learn and amplify existing biases, leading to discriminatory outcomes against protected classes, a severe negative consequence.

1. National Institute of Standards and Technology (NIST). (2023). AI Risk Management Framework (AI RMF 1.0).

Page 13

Section 2.2: Discusses how "AI systems can reflect

amplify

or result in harmful bias

" which directly relates to disparate impacts (D).

Page 14

Section 2.2: Notes that "Human-AI system configurations can also lead to errors

" which encompasses the risk of automation bias (A).

2. The White House. (2022). Blueprint for an AI Bill of Rights.

Principle: "Algorithmic Discrimination Protections": This principle explicitly states that people "should not face discrimination by algorithms and systems should be used and designed in an equitable way." This directly addresses the risk of disparate impacts (D).

Principle: "Data Privacy": This principle emphasizes that individuals should have agency over their data and not be subjected to abusive data practices

highlighting the risk of privacy violations (C).

3. Stanford Institute for Human-Centered Artificial Intelligence (HAI). (2023). Artificial Intelligence Index Report 2023.

Chapter 5

Page 188: Discusses the ongoing challenge of bias in large language models

noting that "models can internalize biases and stereotypes... which can lead to downstream harms." This supports the risk of disparate impacts (D) in AI screening tools.

Product liability laws hold the manufacturers, distributors, or sellers of a product responsible for injuries caused by defects. In this scenario, XYZ Corp. is the deployer or user of the third-party AI tool, not its creator. While litigation can be complex, the primary liability for a defective product would fall on the vendor who developed it. XYZ's direct and most probable legal risks stem from its application and use of the tool in the hiring process. Irresponsible use directly implicates laws governing employment practices, such as those concerning discrimination, accessibility for individuals with disabilities, and the privacy of applicant data.

A. Anti-discrimination laws: An improperly designed or used AI hiring tool can perpetuate or create biases, leading to discriminatory outcomes and direct liability under laws like Title VII of the Civil Rights Act.

C. Accessibility laws: If the AI-powered application platform is not accessible to applicants with disabilities, XYZ would face liability under the Americans with Disabilities Act (ADA).

D. Privacy laws: The AI tool processes a significant amount of personal and sensitive data from resumes, creating direct obligations and liability for XYZ under various state and federal privacy regulations.

1. U.S. Equal Employment Opportunity Commission (EEOC). (2023

May 18). Select Issues: Assessing Adverse Impact in Software

Algorithms

and Artificial Intelligence Used in Employment Selection Procedures Under Title VII of the Civil Rights Act of 1964. This guidance explicitly states that employers can be held responsible for using AI tools that result in discrimination

regardless of whether the tool was developed by a third party. (Supports why A is a direct liability).

2. U.S. Equal Employment Opportunity Commission (EEOC). (2022

May 12). The Americans with Disabilities Act and the Use of Software

Algorithms

and Artificial Intelligence to Assess Job Applicants and Employees. This document clarifies that an employer's use of AI tools must comply with the ADA's requirements for reasonable accommodation and non-discrimination

making accessibility a direct liability concern. (Supports why C is a direct liability).

3. National Institute of Standards and Technology (NIST). (2023

January). Artificial Intelligence Risk Management Framework (AI RMF 1.0). NIST SP 1270. The framework distinguishes between different actors in the AI lifecycle. As an "AI deployer

" XYZ is responsible for the risks emerging from the operation of the AI system in its specific context

which includes privacy harms and fairness/bias issues (see Core sections GOVERN 1.1

MAP 2.4

and MEASURE 2.4). Product liability is more directly associated with the "AI developer." (Supports the distinction between user liability and product liability).

4. The White House. (2022

October). Blueprint for an AI Bill of Rights. This document outlines principles for the responsible use of automated systems

including "Safe and Effective Systems" and "Algorithmic Discrimination Protections." It places the onus on organizations deploying these systems to ensure they do not produce discriminatory or unsafe outcomes

reinforcing the user's direct responsibility in areas other than product liability. (Supports why A

C

and D are direct liabilities for the user).

During the initial production monitoring phase, the most critical activity is to actively and continuously test the model's outputs for fairness. Disparity testing is the method used to measure and quantify differences in outcomes across protected groups (e.g., gender). This testing provides the empirical evidence needed to identify whether the model is performing in a biased manner, as was discovered by ABC Corp. It is the foundational step in the monitoring process; without it, the bias would not be detected, and no corrective action, such as analyzing the training data, could be initiated. This ongoing measurement is central to responsible AI governance and operationalizing fairness.

B. Analyze the quality of the training and testing data.

This is a critical diagnostic step to understand the root cause of bias, but it typically occurs after disparity testing has first identified that a problem exists.

C. Compare the results to human decisions prior to deployment.

This is a useful benchmarking exercise but not the primary monitoring task. The previous human process could also have been biased, making it an unreliable benchmark for fairness.

D. Seek approval from management for any changes to the model.

This is a governance step that happens much later in the process, after a bias has been identified, its cause analyzed, and a remediation plan has been developed.

1. NIST AI Risk Management Framework (AI RMF 1.0)

January 2023. The "Measure" function of the framework emphasizes the need for ongoing evaluation post-deployment. It states

"TEVV [testing

evaluation

validation

and verification] occurs pre-deployment

as well as on an ongoing basis post-deployment... to assess whether the system is functioning as intended" (p. 22

Section 4.3). This continuous testing is precisely what disparity testing entails in a fairness context.

2. European Commission

"Ethics guidelines for trustworthy AI"

April 2019. The guidelines list "Diversity

non-discrimination and fairness" as a key requirement. To ensure this

it recommends that AI systems be tested throughout their lifecycle. For post-deployment

it implies a need for "monitoring processes" to "scrutinise the AI system’s outcomes" (p. 15)

which directly corresponds to disparity testing.

3. Inioluwa

D. A.

& T. M. H. Kehtarnavaz

N. (2020). "A Survey on Bias and Fairness in Machine Learning". ACM Computing Surveys

53(3)

1-35. https://doi.org/10.1145/3457607. This paper details various fairness metrics (e.g.

demographic parity

equal opportunity). The calculation and tracking of these metrics

which is the essence of disparity testing

is presented as the fundamental method for assessing algorithmic fairness. Section 3

"Fairness Metrics

" outlines the quantitative tests used to detect bias.

Explainable AI (XAI) refers to the set of processes, methods, and techniques that ensure the outputs and decisions made by an AI system can be understood by humans. The core purpose of XAI is to open the "black box" of complex models, providing clear explanations for their behavior. This directly addresses the regulatory concern for transparency and accountability by allowing users, developers, and regulators to understand why an AI system reached a particular conclusion, which is fundamental for building trust and verifying compliance with legal and ethical standards.

A. Interpretable AI: This is a narrower concept, often referring to the intrinsic property of a model (e.g., a simple decision tree) being understandable due to its simple structure, whereas XAI includes methods applied to complex, non-interpretable models.

B. Trustworthy AI: This is a broad, overarching goal or framework. Explainability is a component required to achieve trustworthy AI, but it is not the specific term for the methods of understanding outputs.

D. Responsible AI: Similar to Trustworthy AI, this is a comprehensive governance framework that encompasses many principles, including fairness, privacy, and security, with XAI being just one of its essential pillars.

1. National Institute of Standards and Technology (NIST). (2023). AI Risk Management Framework (AI RMF 1.0).

Page 4

Section 2

Definitions: "Explainability: A representation of the mechanisms underlying AI system operation

provided in a form that is understandable to a human." This definition directly aligns with the question's description of processes allowing users to understand AI outputs.

2. Gunning

D.

& Aha

D. (2019). DARPA’s Explainable Artificial Intelligence (XAI) Program. AI Magazine

40(2)

44-58.

Page 44

Abstract: The XAI program's goal is to create AI systems where "human users to understand

appropriately trust

and effectively manage the emerging generation of artificially intelligent partners." This foundational source links understanding with trust

matching the question's phrasing.

DOI: https://doi.org/10.1609/aimag.v40i2.2850

3. Stanford University Human-Centered Artificial Intelligence (HAI). (2023). What Are Foundation Models? Report from the Center for Research on Foundation Models (CRFM).

Page 108

Section 6.2

Transparency: The report discusses transparency as a key societal impact

stating

"Transparency is a prerequisite for accountability... At the model level

transparency can mean explainability (i.e.

being able to understand why a model makes the decisions it does)." This highlights explainability as the mechanism for understanding decisions.