The Hourglass Model (v3) of
Organizational AI Governance

Based on rigorous research with several AI experts, the Hourglass Model (v3) presents the overall structure of the AI Governance Framework.

What’s new in v3:
• Ecosystem-aware • Vendor-integrated • GenAI-explicit • Human capability embedded • Realistic about explainability • Adaptive and agile

Citation: Mäntymäki, M., Minkkinen, M., Birkstedt, T., & Viljanen, M. (2022). Putting AI Ethics into Practice: The Hourglass Model of Organizational AI Governance (arXiv:2206.00335). arXiv. https://doi.org/10.48550/arXiv.2206.00335

The Hourglass Model (v3) consists of seven designated
focus areas (A–G) and related tasks.

Scroll down or click the buttons below to view the focus areas and tasks.
A

A. Accountability and ownership. Putting in place the decision rights and responsibilities to govern AI systems and models, including an organization-wide AI system registry, human oversight, AI competence, and the integration of AI sourcing and operations with organizational governance. 

  • Tasks within focus area A:
  • A1. Organization-level accountability
  • A2. AI system-level accountability
  • A3. AI system registry
  • A4. Human oversight
  • A5. AI competence and training
  • A6. AI sourcing, operations, and governance integration

Back to AI governance focus areas ↑ 

B. AI system. Documentation, performance metrics, and approval processes for AI systems. Maintaining AI system documentation providing a complete view of the organizations’ AI systems and models. Governing AI system vendors including vendor oversight and contractual relationships. 

  • Tasks within focus area B:
  • B1. AI system registration and AI ID
  • B2. AI system version control
  • B3. AI system sourcing and vendor governance
  • B4. AI system planning, scoping, and architecture
  • B5. AI system metrics
  • B6. AI system verification and validation
  • B7. AI system approval
  • B8. AI system performance monitoring
  • B9. Periodic AI system review

Back to AI governance focus areas ↑ 

C. AI model. Documentation, performance metrics, and approval processes for AI modelsMaintaining documentation on the AI models used by the organization. 

  • Tasks within focus area C:​
  • C1. Model inventory and documentation
  • C2. Model version control
  • C3. Model planning and scoping
  • C4. Model metrics
  • C5. Model verification and validation
  • C6. Model approval
  • C7. Model performance monitoring
  • C8. Periodic model review

Back to AI governance focus areas ↑ 

D. AI data. Data quality management, data sourcing, performance metrics and control points. Ensuring copyright, intellectual property, and privacy issues related to AI data are handled. 

  • Tasks within focus area D:
  • D1. Data source documentation
  • D2. Data copyright, intellectual property, and permissions
  • D3. Data quality metrics
  • D4. Data ontologies, inferences, proxies, and metadata
  • D5. Data quality assurance
  • D6. Data quality monitoring
  • D7. Periodic data review

Back to AI governance focus areas ↑ 

E. Risk and impact management. Identifying, managing, and monitoring potential risks and impacts caused by the AI system. Risks may be related to, e.g., discrimination, misleading content produced by generative AI systems, violations of fundamental rights, safety issues, and foreseeable misuse of AI systems. 

  • Tasks within focus area E:
  • E1. AI system harms and impacts pre-assessment
  • E2. Model and GPAI risk assessment
  • E3. AI system impact metrics design
  • E4. AI system impact assessment
  • E5. AI system bias and non-discrimination assurance
  • E6. AI system negative impact minimization
  • E7. AI system impact monitoring
  • E8. Periodic AI system impact review

Back to AI governance focus areas ↑ 

F. Transparency and explainability. Ensuring AI systems’ transparency and explainability. Fulfilling requirements coming from regulation and stakeholders. Ensuring vendor transparency regarding AI products and the use of AI in products and services. 

  • Tasks within focus area F:
  • F1. Transparency and explainability expectation assessment
  • F2. Transparency and explainability design
  • F3. Transparency and explainability validation and assurance
  • F4. Transparency and explainability monitoring
  • F5. Periodic transparency and explainability review

Back to AI governance focus areas ↑ 

G. Regulatory compliance.  Understanding the regulatory environment of an AI system and ensuring its compliance with the relevant regulations (in the EU for example the GDPR, AI Act, national regulations, sector-specific regulations).  

  • Tasks within focus area G:
  • G1. Regulatory environment assessment
  • G2. Regulatory risks, constraints, and design parameter analysis
  • G3. Regulatory design consultation
  • G4. Compliance assessment, including vendor compliance verification
  • G5. Compliance monitoring
  • G6. Periodic compliance review

Back to AI governance focus areas ↑