Ethics, Security, and Compliance Drive SAP’s Responsible AI Framework

Key Takeaways

⇨ SAP has established a Responsible AI framework anchored in three core pillars: AI Ethics, AI Security, and AI Compliance.

⇨ SAP incorporates comprehensive risk evaluation processes for its AI products, including threat modeling, risk assessments, and ongoing compliance with evolving global AI regulations, such as the EU AI Act.

⇨ Customers are encouraged to develop their own Responsible AI policies and ensure ethical use of AI tools, as SAP emphasizes the significance of user education in questioning AI outputs and maintaining security, ethics, and compliance standards.

For many companies, the rapid innovation in artificial intelligence (AI) evokes two feelings: excitement about how AI can enhance their business and fear regarding how it might adversely affect their business by disrupting ethical, security, and compliance standards. The latter necessitates that technology companies like SAP—which is bringing AI to everything, everywhere—adhere to and communicate their Responsible AI practices to ensure their customers can safely and ethically utilize AI in their businesses. In this context, SAP took the stage on May 21 at SAP Sapphire in Orlando to outline its Responsible AI practices and methodology.

SAP’s framework for developing trusted AI tools is anchored in three core pillars, as stated by Sudhakar Singh, Head of Responsible AI at SAP:

  • AI Ethics – What should be done.
  • AI Security – How it should be done.
  • AI Compliance – Ensuring things are done as they should be.

These pillars establish the standards that SAP follows as it develops its AI offerings, such as SAP Business AI, which involves collaboration with partners that provide their own models and tools.

Embedding Responsible AI

When SAP builds its AI offerings, it’s on top of security practices already embedded in SAP’s platform, explained Franziska Dobrigkeit, SAP Senior Product Specialist, during the presentation. These features include identity and access management, logging and monitoring, and data grounding and filtering to ensure AI is using the correct data accurately.

Singh added that SAP undertakes a comprehensive risk evaluation process for its AI products. This process includes threat modeling and risk assessments, testing for data extraction or misuse, and red teaming to “break the system” before it is exposed to the dangers of real-life bad actors.

“We try to break our own applications before anyone else can do it,” said Singh. “I love breaking our systems.”

AI risk is integrated into SAP’s broader enterprise risk management framework with specific AI risk management strategies. They include prompt injection to test for potential misuse of the model through prompts, testing for unauthorized data access, and testing for toxic or biased outputs. The overarching SAP risk management process also includes access controls at infrastructure and application layers.

Beyond internal standards, SAP also complies with numerous international AI standards and is currently working towards achieving compliance with the EU AI Act. “SAP is proactively looking to adapt to evolving global AI regulations,” said Singh.

Ensuring AI Safety with Partner Models

Partner models are frequently used in SAP Business AI, and Dobrigkeit detailed how SAP seeks to ensure quality security through preview access that allows testing. SAP also provides benchmarking through its platform, which is used for both internal and external models to evaluate business use case performance against real-world scenarios. This benchmarking aims to ensure that models align ethically and are market-ready.

Data retention and the potential use of data to train public AI models are also significant concerns for companies. According to Dobrigkeit, SAP has strong contractual controls with its AI partners to prohibit data retention or training use.

For SAP-hosted and SAP-built models, Singh stated that SAP employs practices such as data anonymization, data minimization, and layered data security to ensure that its customer data is secure and not used to train models that competitors of its customers may utilize.

What about the use of ChatGPT? SAP does not directly use the public ChatGPT in its AI products. However, it does use the underlying private, secure, and contracted GPT models, Singh indicated.

What SAP Customers Can Do to Be Responsible AI Consumers

Security, risk, and ethical efforts from a technology vendor can only go so far in ensuring the responsible use of AI; end-user organizations also play a crucial role. Singh recommended educating users to question AI outputs and avoid placing blind trust in them.

“At the end of the day, it’s about human intelligence and common sense. That is always required,” said Singh.

For companies building their own AI products, Dobrigkeit advised that they should be looking at how AI integrates into their common business scenarios. Companies should play with prompts and inputs to fine-tune and benchmark them against desired outcomes. They should be checking for bias in model outputs.

“Make sure the model quality is where you want it—that the answer is good no matter what the user inputs,” said Dobrigkeit. “Then make use of the features that we provide for security.”

She added that nothing is 100% secure, but SAP is doing all it can to ensure it’s producing secure, responsible AI products and development tools.

What This Means for SAPinsiders

  • Much like SAP, its customers should have their own Responsible AI policies and procedures. End-user organizations should be training their employees on how to securely and ethically use AI tools to ensure standards in security, ethics, and compliance are upheld.
  • SAP is adhering to global standards of Responsible AI use and has many internal practices that focus on producing AI products and development tools that align with pillars of security, ethics, and compliance. This includes layers of testing for weaknesses, bias, hallucination, and more.
  • Data retention and data training are major concerns for SAP customers, and SAP has stated that it is taking steps to mitigate this risk through its own procedures and benchmarks, which it also requires partners to follow contractually.
