AI Ethics and Governance: Where Principles Meet Per-Decision Records
AI ethics committees set principles. AI governance translates those principles into per-decision enforcement and audit records. This article walks through the seam between the two functions and what each one has to produce so a regulator can trace a principle to the decisions made under it.

AI ethics and AI governance often get described as a single function. The ethics committee meets quarterly, reviews the principles, debates the boundary cases, and produces a position paper. The governance team runs the program day to day: inventory, risk assessments, policy enforcement, audit. The two functions overlap in vocabulary and diverge sharply in the artifacts they produce. The committee produces principles. The governance team produces per-decision evidence. When a regulator opens an inquiry and asks the institution to demonstrate that a specific AI decision was made under the principles the institution claims, the seam between the two functions is where most enterprises discover a gap.
I want to walk through what the ethics function actually produces, what the governance function actually produces, and the architectural layer that lets a regulator trace a principle through to the per-decision records made under it.
What the ethics function produces
The AI ethics committee operates at the principles layer. The artifacts it produces sit above the operational program.
The principles document
The principles document states the institution's commitments on AI. Fairness, accountability, transparency, human oversight, safety, and privacy are the typical headings. The document is reviewed annually and updated when the institution's stance on a topic shifts. The principles are not the policy. The policy translates the principles into operational rules. The principles set the direction the policy has to honor.
Adjudicated exception decisions
When the governance team encounters a boundary case the policy does not cleanly address, the case escalates to the ethics committee. The committee adjudicates, records the decision and the reasoning, and the governance team updates the policy. The committee's record of adjudicated exceptions is the institutional memory of how the principles have been applied in difficult cases. Auditors and regulators sometimes ask for this record when the case at hand sits in a region the policy alone does not resolve.
Sign-off on high-impact deployments
The committee signs off on new AI deployments that touch high-risk use cases (credit scoring, employment decisions, medical triage, content moderation, law enforcement support). The sign-off is the procurement-gate artifact that the regulator expects under Article 26 of the EU AI Act for deployer obligations on high-risk systems.
What the governance function produces
The governance function operates at the per-decision layer. The artifacts it produces sit below the principles.
The AI usage policy and its version history
The governance team drafts and maintains the AI usage policy. The policy translates the principles into operational rules: identity populations, data classifications, route authorizations, decision-time actions, and the audit record schema. The policy is versioned. Every per-decision record references the policy version that governed the decision.
The AI inventory
The governance team maintains the inventory of AI systems, models, and use cases. The inventory feeds the regulatory exposure map. Fannie Mae LL-2026-04 names inventory as a pillar of mortgage AI governance. The inventory ties each system back to the policy section that governs it.
The per-decision audit records
The governance function produces, through the runtime layer it operates, the per-decision audit records the regulator examines. Identity, role, policy version, data classification, decision outcome, and timestamp are the fields the records carry. The records are independent of the application that made the decision. The records reference the policy version, which references the principle the policy translates. The chain runs from principle through policy through record.
The incident and exception logs
The governance function operates the incident and exception logs. Each incident is the trigger for a review by the ethics committee. Each exception is a time-bounded authorization issued under the committee's adjudication rules. The two logs feed back into the principles and policy update cycle.
The seam between the two functions
The seam between ethics and governance is the policy version reference in the per-decision record. When the seam is broken, the institution holds principles that nothing in the operational system points back to and per-decision records that no principle anchors. When the seam is whole, a regulator can sample a decision, find the policy version, find the principle that informed the policy, and find the committee minutes that adjudicated the principle.
Where the seam breaks in practice
The seam breaks most often at the policy-versus-runtime handoff. The policy is updated, the new version is published, the training program updates, and the runtime enforcement layer does not catch up. Decisions made between the policy update and the runtime layer update reference an inconsistent policy version. The auditor finds decisions that claim to have been made under policy v3.2 but operate under controls only updated to enforce v3.1.
The fix is operational synchronization
The fix is to treat the policy version as a runtime artifact that the enforcement layer reads. The policy update is a deployment, not a document publication. The enforcement layer reloads its rule set when the policy version changes. The per-decision record captures the policy version the enforcement layer was running when the decision was made. The synchronization is operational, not procedural.
What the regulator examines
The regulator's examination crosses the seam between ethics and governance. These are the specific sampling patterns I see across EU AI Act Article 12 inquiries, Fannie Mae exam preparation, and HIPAA AI-related audits.
The regulator picks a decision the AI system made. The regulator asks the institution to reconstruct the decision and identify the policy that governed it. The regulator asks for the principles the policy translates. The regulator asks for the committee minutes that adopted the principles. The chain has to run from per-decision record back to principle, which means the per-decision record has to carry the policy version reference, and the policy version has to carry the principle reference, and the principle has to live in a document the committee adopted.
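The synchronization fix and the regulator's trace described above, as an added sketch that is not DeepInspect's code or any institution's own. The register contents, principle identifier, `Enforcer` class, and HMAC signing are assumptions made for illustration; the article says only that records are signed.

```python
import hashlib
import hmac
import json

# Constructed policy register: version -> publication time, principle it translates, rules.
REGISTER = {
    "v3.1": {"published": 100, "principle": "P-4 human oversight", "deny": {"restricted"}},
    "v3.2": {"published": 200, "principle": "P-4 human oversight", "deny": {"restricted", "confidential"}},
}
KEY = b"demo-only-signing-key"  # assumption: a real deployment keeps this in a KMS/HSM


def _mac(body):
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, canon, hashlib.sha256).hexdigest()


class Enforcer:
    """Hypothetical enforcement layer: the rule set and the version stamp load together."""

    def deploy(self, version):
        self.version, self.deny = version, REGISTER[version]["deny"]

    def decide(self, identity, role, data_class, ts):
        body = {"identity": identity, "role": role, "policy_version": self.version,
                "data_classification": data_class, "timestamp": ts,
                "outcome": "deny" if data_class in self.deny else "allow"}
        return {**body, "sig": _mac(body)}  # stamped with the version actually running


def trace(record):
    """Walk record -> policy version -> principle; reject tampered or unanchored records."""
    body = {k: v for k, v in record.items() if k != "sig"}
    if not hmac.compare_digest(record.get("sig", ""), _mac(body)):
        raise ValueError("signature mismatch")
    if body["policy_version"] not in REGISTER:
        raise ValueError("unknown policy version")
    return REGISTER[body["policy_version"]]["principle"]


def lagging(records):
    """Records decided after a newer version was published but enforced under an older one."""
    out = []
    for r in records:
        mine = REGISTER[r["policy_version"]]["published"]
        if any(mine < p["published"] <= r["timestamp"] for p in REGISTER.values()):
            out.append(r)
    return out
```

Because the version stamp comes from the loaded rule set, a record cannot claim v3.2 while v3.1 controls are enforced; `lagging` surfaces the decisions made in the window before the enforcement layer was redeployed.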
DeepInspect
This is the runtime evidence layer DeepInspect provides for the seam between ethics and governance. DeepInspect sits at the AI request boundary as a stateless proxy between the application and any LLM. Every request is evaluated against the policy version the enforcement layer is running. Every decision produces a per-decision audit record containing identity, role, policy version, data classification, decision outcome, and timestamp. The record is signed and committed before the application receives the model's response.
For the institution that operates both an ethics committee and a governance program, the proxy is the runtime artifact that anchors the chain from per-decision record back to policy to principle. The committee's principles continue to live in the principles document. The governance team's policy continues to live in the policy register. The proxy ties the two together at the moment of every decision.
Frequently asked questions
- Does every institution need an AI ethics committee?
Institutions that deploy AI in high-risk use cases (credit decisions, employment screening, medical decision support, content moderation, law enforcement) benefit from a dedicated ethics committee that operates above the governance program. Institutions that deploy AI only in lower-risk operational contexts can typically absorb the ethics function into the existing risk committee. The size threshold that matters is the regulatory exposure, not the company headcount. A small fintech with a credit-decision model has the same ethics function need as a large bank with the same use case.
- How does the AI ethics committee compose itself?
The committee typically includes the Chief Risk Officer, the General Counsel, the Chief Information Security Officer, the Data Protection Officer, the head of the business unit operating the AI system, and one or two external members with subject-matter expertise (academic, legal, or industry). External members provide perspective the internal team cannot offer alone. The committee meets quarterly for review and on demand for adjudication. The committee chair is typically the CRO or the General Counsel, depending on the institution's regulatory exposure profile.
- What does the ethics committee produce that the regulator actually examines?
The regulator examines the principles document, the minutes of meetings adjudicating boundary cases, the sign-off records for high-impact deployments, and the institutional response to material incidents. The minutes are the most consequential artifact because they show how the committee applied the principles to specific cases. The auditor uses the minutes to test whether the principles are operationalized or whether they live only in the principles document. Minutes that record adjudication with reasoning carry more weight than minutes that record attendance.
- How does AI ethics relate to AI safety in the operational program?
AI ethics is the principles layer. AI safety is one of the operational disciplines under the governance program. AI safety covers the controls that prevent harm: prompt classification, response filtering, refusal rules, human oversight thresholds, escalation procedures. The safety controls implement the principles the ethics committee adopts. The two layers are linked through the policy that translates principles into operational rules and the runtime layer that enforces the rules at the moment of each decision.
- Can the AI ethics function be outsourced to an external advisory board?
External advisory boards can provide perspective the internal team cannot. The principle-setting authority does not transfer to the board. The internal committee retains accountability for the principles the institution adopts and the sign-offs on high-impact deployments. The external board functions as an input to the internal committee, not as a substitute. Regulators expect the named individuals inside the institution to hold accountability, which the external board structure cannot satisfy.