Business A is integrating a generative AI model licensed from a third party (Business B) and is primarily concerned with the risk of toxic or obscene outputs being delivered to users. In this scenario, testing and validation of the AI model for such content risks is the most direct and effective governance strategy.
According to the AI Governance in Practice Report 2025, organizations that deploy AI must implement performance monitoring protocols and ensure systems perform adequately for their intended purposes, which in this context includes filtering harmful content:
“Operational governance… development of: Performance monitoring protocols to ensure systems perform adequately for their intended purposes.” (p. 12)
“Product governance... includes: System impact assessments to identify and address risk prior to product development or deployment.” (p. 11)
Furthermore, under the EU AI Act, which sets the global standard many organizations aim to align with, there is a clear obligation to test and monitor systems for potential harmful behavior:
“The act imposes regulatory obligations… such as establishing appropriate accountability structures, assessing system impact, providing technical documentation, establishing risk management protocols and monitoring performance...” (p. 7)
Option B directly reflects this best practice of pre-deployment testing and validation to ensure that the model aligns with Business A's minimum content safety requirements.
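For concreteness, here is a minimal sketch of what such pre-deployment validation could look like. All names are hypothetical: `generate` stands in for Business B's licensed model API, `toxicity_score` for whatever content-safety classifier Business A adopts, and the prompt suite and 0.5 threshold are illustrative choices.

```python
from typing import Callable, List

def run_pre_deployment_validation(
    generate: Callable[[str], str],          # wraps Business B's model API (hypothetical)
    toxicity_score: Callable[[str], float],  # any content-safety classifier (hypothetical)
    test_prompts: List[str],                 # curated, including adversarial/red-team prompts
    threshold: float = 0.5,                  # illustrative acceptance cutoff
) -> List[dict]:
    """Run a curated prompt suite against the model and flag unsafe outputs."""
    failures = []
    for prompt in test_prompts:
        output = generate(prompt)
        score = toxicity_score(output)
        if score >= threshold:
            failures.append({"prompt": prompt, "output": output, "score": score})
    return failures

# Example gate: block deployment if any prompt elicits toxic content.
# failures = run_pre_deployment_validation(model_api, moderation_api, prompts)
# assert not failures, f"{len(failures)} prompts produced unsafe outputs"
```

A clean run over such a suite can also serve as documented evidence in the system impact assessment described above.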
Let’s now evaluate the incorrect options:
A. Fine-tuning on verified user-generated text may improve model alignment but does not guarantee that the model will generalize correctly, especially if Business A lacks access to model internals (common in third-party licensing scenarios). Fine-tuning also introduces its own risks and may be contractually restricted.
C. A user reporting feature is reactive, not preventive. While helpful for long-term monitoring and mitigation, it does not prevent the initial harm of toxic outputs, which is Business A's primary concern.
D. Requesting documentation from Business B is useful for transparency and risk management, but it does not replace independent verification that the model meets Business A's content safety standards.
Thus, testing the model's behavior for unacceptable outputs before deployment is the approach most aligned with AI governance best practices and regulatory obligations.