NIST Framework Can Help Ensure Responsible, ADA-Compliant AI

Employers need principles in place to ensure responsible use of artificial intelligence that complies with the Americans with Disabilities Act (ADA), according to Patricia Lauren Zuñiga, integrated disability and absence management compliance manager at FINEOS. Following the AI Risk Management Framework from the U.S. National Institute of Standards and Technology (NIST) is a practical way to accomplish this, she said, speaking at SHRM26 in Orlando. 

The NIST framework is a voluntary guidance framework to help organizations identify, assess, and manage risks associated with AI systems.

Zuñiga outlined the following key concepts of the NIST framework:

• Govern (oversight and accountability): Establish policies, roles, and accountability for AI use.
• Map (context and risk identification): Understand how and where AI is used.
• Measure (assessment and evaluation): Analyze and test AI systems for risks.
• Manage (mitigation and continuous improvement): Take action to address risks.

The governance step is central, with organizations then mapping AI use, measuring how the employer is exposed to AI systems to identify new risks, managing those risks, and repeating the cycle. It’s a circular rather than a linear process, Zuñiga said.

Toolkit: Accommodating Employees’ Disabilities

NIST Checklist

Zuñiga provided a list of questions organizations should ask during each step in the NIST process.  

Govern — Oversight and accountability:

• Do we have a written policy for responsible use of AI in HR?
• Have we assigned accountability for AI and ADA compliance within HR, legal, and information technology (IT)?
• Do our vendor contracts require disclosure of bias testing and accessibility standards?
• Are we documenting all AI deployment decisions and audit results?

Map — Context and risk identification:

• Have we identified all points where AI touches applicants or employees, such as recruiting, performance, and leave?
• Have we mapped potential ADA risk areas, such as resume gaps, productivity monitoring, and video interviews?
• Have we engaged stakeholders, such as employees, managers, IT, legal, and inclusion and diversity teams, in defining risks?
• Have we verified that the AI system is compatible with assistive technologies, such as screen readers, voice input, and alternative devices?

Measure — Assessment and evaluation:

• Have we conducted adverse impact testing for applicants and employees with disabilities?
• Have we tested the system for accessibility and usability with adaptive technologies?
• Are productivity and attendance metrics being tested for bias against employees with ADA accommodations?
• Is there a process to ensure human review before finalizing adverse decisions?

Manage — Mitigation and monitoring:

• Do we have a corrective action plan if bias or ADA issues are detected? 
• Is there a clear workflow for triggering accommodations before negative actions?
• Are AI systems being reaudited on a regular schedule, for example, annually?
• Do employees have a clear, documented process to challenge or appeal AI decisions?

Newsletter: Subscribe to SHRM Workplace Compliance News

Highlighted Items

Of the governance checklist items, Zuñiga highlighted the importance of asking whether accountability for AI and ADA compliance has been assigned to someone. It’s not a good look in the courtroom if IT is pointing at vendors or vice versa as the ones who headed up AI. With AI tools, “everybody is involved,” she said. “But who owns it?” She recommended that HR retain decision authority, define AI use, and provide oversight.

When mapping AI use, Zuñiga said that identifying all points where AI touches applicants or employees and mapping potential ADA risk areas are particularly important. Examining these matters can help HR identify AI pitfalls and risks, such as bias.

All the NIST measurement checklist items were important, she noted. Without looking at all of these elements, an employer might falsely appear compliant.

Finally, management needs a clear workflow for triggering accommodations before negative actions, and employees should have a clear, documented process to challenge or appeal AI decisions, she said.  

Employers in the financial services industry have sector-specific expectations for AI governance, such as the Financial Services AI Risk Management Framework, Zuñiga noted.

For other employers, Zuñiga recommended considering using the NIST framework. “You can choose to operationalize AI governance or pay the price later on,” she said.