Securities Industry and Financial Markets Association (SIFMA)

AI audits should focus on risk assessment programs rather than individual AI applications. Auditing each application will result in a misallocation of resources, with too much effort spent on low-risk AI (e.g., spam filters, graphics generation for games, inventory management, and cybersecurity monitoring) and not enough effort spent on high-risk AI (e.g., hiring, lending, insurance underwriting, and education admissions). Moreover, a cost-heavy universal audit requirement may result in AI usage centralizing among large firms and the exclusion of smaller firms and startups from participating, simply because the costs of auditing each AI application would be too great. Companies should use the same principles applied to AI applications that are developed in-house for identifying risks associated with third-party AI applications and mitigate those risks through diligence, audits, and contractual terms. (2023) source Unverified