Co-designing an AI Impact Assessment Report Template with AI Practitioners and AI Compliance Experts

TL;DR

The paper presents a co-design process to create a regulation-grounded AI Impact Assessment Report Template aligned with the EU AI Act, NIST AI RMF, and ISO 42001. Through iterative workshops with AI practitioners and compliance experts, a five-section template incorporating 32 information statements was developed and populated with a real-world meeting-companion use case. Evaluation via a user study showed the template provides more complete risk/benefit information and broader socio-technical coverage than a baseline, while remaining adaptable to uses and roles. The work advances practical AI governance by integrating regulatory requirements into impact assessments and supports pre-deployment as well as design-stage decision-making, with implications for cross-organizational comparisons and stakeholder engagement.

Abstract

In the evolving landscape of AI regulation, it is crucial for companies to conduct impact assessments and document their compliance through comprehensive reports. However, current reports lack grounding in regulations and often focus on specific aspects like privacy in relation to AI systems, without addressing the real-world uses of these systems. Moreover, there is no systematic effort to design and evaluate these reports with both AI practitioners and AI compliance experts. To address this gap, we conducted an iterative co-design process with 14 AI practitioners and 6 AI compliance experts and proposed a template for impact assessment reports grounded in the EU AI Act, NIST's AI Risk Management Framework, and ISO 42001 AI Management System. We evaluated the template by producing an impact assessment report for an AI-based meeting companion at a major tech company. A user study with 8 AI practitioners from the same company and 5 AI compliance experts from industry and academia revealed that our template effectively provides necessary information for impact assessments and documents the broad impacts of AI systems. Participants envisioned using the template not only at the pre-deployment stage for compliance but also as a tool to guide the design stage of AI uses.

Figures (6)

• Figure 1: Overview of our four-step method for designing a comprehensive template for an impact assessment report grounded in the EU AI Act, NIST’s AI RMF, and ISO 42001. In the first step, we interviewed AI compliance experts to elicit two design requirements and design the initial prototype of the template (V1). In the second step, we engaged both AI practitioners and AI experts to iteratively elicit two additional design requirements and co-design four iterations of the template (V2-V5). In the third step, we populated the final version of the template with AI practitioners' responses. In the fourth step, we evaluated it against our four design requirements and the baseline template identified in the literature review of AIIAs stahl2023systematicReview.
• Figure 2: The final template for an Impact Assessment Report. Section 1 provides information on the system's use, components, data, evaluation, and teams; Section 2 lists potential risks; Section 3 lists mitigation strategies; Section 4 outlines the anticipated benefits from the system's use; and Section 5 outlines information about reporting mechanisms and who is responsible for the governance of the use.
• Figure 3: Ratings on twelve statements regarding the four requirements -- R1: Complete, R2: Broad, R3: Adaptable to uses, and R4: Adaptable to different roles -- for both the baseline template and the final template. Participants found that the final report provided more complete information for impact assessments (R1) and addressed all AI system components and impacts more broadly than the baseline (R2).
• Figure 4: First version of the template for an Impact Assessment Report. Section 1 provides information on the system's use and teams; Section 2 lists potential risks; Section 3 lists mitigation strategies; and Section 4 outlines the anticipated benefits from the system's use.
• Figure 5: Impact assessment report for a meeting companion---an AI-based system aimed at monitoring employee behaviour during company meetings to improve meetings experience reportProjectPage.