Figure 1: Bot Governance – high level experiential architecture
Bot lifecycle management: The governance solution should manage the end-to-end bot lifecycle, covering bot onboarding, technology choices, registration and deregistration, risk rating and the corresponding controls, and bot reuse. It should also cover the lifecycle of any AI model deployed as part of the bot. The critical step in this lifecycle is threat modeling, which lets the organization identify potential threats and drive both the risk rating and the controls applied to each bot. A suitable lifecycle management process ensures that only an approved, secured and robust bot is adopted.
Identity and access management: With the increasing adoption of pervasive automation, bots gain deeper access to systems; as a result, bot identities and access must be managed appropriately and centrally. This includes capabilities such as identity management, authentication and authorization, credential management, roles and entitlements, segregation of duties, access verification and reconciliation, and access governance.
Secure by design: One of the key aspects of building confidence in automation is built-in security. Security considerations must be taken into account while designing the bot, ensuring that critical aspects such as data security and privacy, auditing, transparency and explainability are factored in. Beyond these features, the bot design should also have containment mechanisms built in, both static and dynamic in nature. In addition, features like model/bot certification, change control, auditing and transaction reconciliation, and vulnerability and penetration testing should be considered while developing an automation bot. Some of these controls can be as simple as limiting the number of transactions a bot may perform in a day; others are more complex, such as mechanisms that dynamically check that the solution is not doing anything unintended, so that any deviation from the intended steps is contained immediately. In the healthcare industry, 21 CFR Part 11 compliance is one example of a requirement set that can be adopted. Even with these checks in place, some functions within an organization remain reluctant to adopt automation because of the sensitive nature of the process and data involved, the financial domain being a case in point. In such cases, each transaction should be reconciled so that its integrity and accuracy can be clearly demonstrated, and automation bots are then rolled out gradually as confidence builds.
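The containment and reconciliation mechanisms described above, as an added illustration that is not part of the original article: a small Python runtime guard in which the static policy (a daily transaction cap and an allowed-action list), the dynamic check (each transaction must follow the certified step sequence, with immediate quarantine on the first deviation) and an end-of-day reconciliation against the target system's records are all explicit. The bot names, policy values, step names and sample transactions are constructed for the example and do not come from any product.

```python
"""Added example (not from the original article): a minimal runtime guard for an
automation bot showing static containment (daily cap, allowed actions), dynamic
containment (a certified step sequence, with quarantine at the first deviation)
and transaction reconciliation against the target system's own records.
Bot names, policy values and sample transactions are all hypothetical."""
from dataclasses import dataclass, field


class ContainmentViolation(Exception):
    """Raised when a bot steps outside its approved envelope."""


@dataclass(frozen=True)
class StaticPolicy:
    max_transactions_per_day: int
    allowed_actions: frozenset
    certified_steps: tuple  # the only step order the bot is certified to run


@dataclass
class BotGuard:
    bot_id: str
    policy: StaticPolicy
    count_today: int = 0
    quarantined: bool = False
    journal: list = field(default_factory=list)  # (txn_id, action, amount)

    def _check_static(self, action):
        if self.quarantined:
            raise ContainmentViolation(f"{self.bot_id} is quarantined")
        if action not in self.policy.allowed_actions:
            raise ContainmentViolation(f"action {action!r} is not permitted")
        if self.count_today >= self.policy.max_transactions_per_day:
            raise ContainmentViolation("daily transaction cap reached")

    def _quarantine(self, reason):
        # Containment is immediate and sticky: nothing runs until a human clears it.
        self.quarantined = True
        raise ContainmentViolation(f"{self.bot_id} quarantined: {reason}")

    def run_transaction(self, txn_id, action, amount, steps):
        """Run one transaction; `steps` is the sequence the bot is about to perform."""
        self._check_static(action)
        certified = self.policy.certified_steps
        # Dynamic containment: compare step by step so the bot is stopped at the
        # first unintended step, not after the whole transaction has gone through.
        for i, step in enumerate(steps):
            expected = certified[i] if i < len(certified) else None
            if step != expected:
                self._quarantine(f"{txn_id} step {i} was {step!r}, expected {expected!r}")
        if len(steps) != len(certified):
            self._quarantine(f"{txn_id} ended after {len(steps)} of {len(certified)} steps")
        self.count_today += 1
        self.journal.append((txn_id, action, amount))
        return txn_id


def reconcile(journal, system_records):
    """Compare the bot's journal with the target system's view of the same day.

    Returns (missing_in_system, unexpected_in_system, amount_mismatches) as
    sorted lists of transaction ids; all three empty means the day reconciles."""
    mine = {t[0]: t for t in journal}
    theirs = {t[0]: t for t in system_records}
    missing = sorted(mine.keys() - theirs.keys())
    unexpected = sorted(theirs.keys() - mine.keys())
    mismatched = sorted(k for k in mine.keys() & theirs.keys() if mine[k][2] != theirs[k][2])
    return missing, unexpected, mismatched


CERTIFIED = ("open_invoice", "validate_vendor", "post_payment", "close_invoice")


def demo():
    """Constructed scenario; returns the outcomes so they can be checked."""
    out = {}
    guard = BotGuard("ap-bot-01", StaticPolicy(3, frozenset({"pay_invoice"}), CERTIFIED))
    guard.run_transaction("T1", "pay_invoice", 120.0, CERTIFIED)
    guard.run_transaction("T2", "pay_invoice", 80.0, CERTIFIED)
    try:  # T3 skips vendor validation: a deviation from the certified sequence
        guard.run_transaction("T3", "pay_invoice", 10.0,
                              ("open_invoice", "post_payment", "close_invoice"))
    except ContainmentViolation as e:
        out["deviation"] = str(e)
    try:  # once quarantined, even a well-formed transaction is refused
        guard.run_transaction("T4", "pay_invoice", 5.0, CERTIFIED)
    except ContainmentViolation as e:
        out["quarantined"] = str(e)
    out["journal"] = list(guard.journal)
    # Constructed target-system records: T2 differs in amount, T9 was never run by the bot.
    system = [("T1", "pay_invoice", 120.0), ("T2", "pay_invoice", 85.0), ("T9", "pay_invoice", 1.0)]
    out["reconcile"] = reconcile(guard.journal, system)
    capped = BotGuard("ap-bot-02", StaticPolicy(1, frozenset({"pay_invoice"}), CERTIFIED))
    capped.run_transaction("T5", "pay_invoice", 1.0, CERTIFIED)
    try:  # static containment: the daily cap
        capped.run_transaction("T6", "pay_invoice", 1.0, CERTIFIED)
    except ContainmentViolation as e:
        out["cap"] = str(e)
    return out
```

Checking step by step, rather than validating the whole sequence after the fact, means containment happens before the unintended step executes. The reconciliation output (transactions missing from the system, transactions the bot never ran, and amount mismatches) is the kind of evidence a reluctant process owner would expect to see at the end of each day before trusting the bot with more.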
Monitoring: With pervasive automation, digital workers access core systems, so the necessary monitoring must be in place to detect and prevent unwarranted events. Like any other monitored solution, an automation solution needs to be continuously monitored and audited to ensure compliance and adherence to expected behavior. For cognitive automation, monitoring should go much deeper, covering facets such as model decay, precision, accuracy, explainability and newly emerging bias, to ensure the automation works in line with the organization's policies and meets regulatory and legal requirements. The monitoring system should proactively identify a likely adverse event, take the required corrective action immediately, and notify the responsible teams. The monitoring process itself also needs to evolve constantly to keep up with the changing landscape and maintain control and adherence.
Availability: Even with security, monitoring and containment controls in place, the function and service owner will still want to understand the contingency plan in case something goes wrong. An availability solution addresses this need by ensuring that functional rollback and data correction can be performed when required. Automation solutions therefore need a built-in ability to identify the changes they made to data and reverse them if anything untoward is observed.
An automation solution that does not address availability is incomplete and carries serious risk.
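The "identify the changes and reverse them" capability described above, as an added illustration that is not part of the original article: a Python before-image change journal that records what each record looked like before the bot touched it, can list what a given transaction changed, and can unwind that transaction newest-first. It also shows the caveat a practitioner would want: when a later transaction has since modified one of the same records, an automatic undo would silently wipe that later work, so the journal refuses and leaves the decision to a human. The in-memory record store, field names and transactions are constructed for the example.

```python
"""Added example (not from the original article): a before-image change journal
that gives an automation bot the ability described above to identify the changes
it made to data and reverse them. The in-memory record store, field names and
transactions are hypothetical stand-ins for whatever system of record the bot
touches."""
import copy


class RollbackConflict(Exception):
    """A later transaction changed a record that this rollback would overwrite."""


class ChangeJournal:
    def __init__(self, store):
        self.store = store   # record_id -> dict of fields (the system of record)
        self.entries = []    # (txn_id, record_id, before_image); None = record created

    def update(self, txn_id, record_id, **fields):
        """Apply a change on behalf of txn_id, capturing the before-image first."""
        before = copy.deepcopy(self.store.get(record_id))
        self.entries.append((txn_id, record_id, before))
        self.store.setdefault(record_id, {}).update(fields)

    def changed_records(self, txn_id):
        return sorted({rid for t, rid, _ in self.entries if t == txn_id})

    def rollback(self, txn_id):
        """Reverse every change made by txn_id, newest first; returns the count reversed.

        Refuses if another transaction touched one of the same records afterwards:
        restoring the old before-image would silently wipe that later work, so that
        case needs a human decision rather than an automatic undo."""
        first_touch = {}  # record_id -> index of txn_id's first change to it
        for i, (t, rid, _) in enumerate(self.entries):
            if t == txn_id:
                first_touch.setdefault(rid, i)
            elif rid in first_touch:
                raise RollbackConflict(f"{rid} was changed by {t} after {txn_id}")
        keep, reversed_count = [], 0
        for t, rid, before in reversed(self.entries):
            if t != txn_id:
                keep.append((t, rid, before))
                continue
            if before is None:
                self.store.pop(rid, None)  # the bot created it: delete it again
            else:
                self.store[rid] = before   # restore the exact before-image
            reversed_count += 1
        self.entries = list(reversed(keep))
        return reversed_count


def demo():
    """Constructed scenario; returns snapshots and outcomes so they can be checked."""
    store = {"INV-1": {"status": "open", "amount": 100},
             "INV-2": {"status": "open", "amount": 50}}
    j = ChangeJournal(store)
    j.update("T1", "INV-1", status="paid")
    j.update("T2", "INV-2", status="paid")
    j.update("T2", "INV-3", status="paid", amount=999)  # a record the bot should never have created
    out = {"after_T2": copy.deepcopy(store)}
    # Monitoring flags T2 because it created INV-3, so T2's changes are unwound.
    out["t2_changed"] = j.changed_records("T2")
    out["t2_reversed"] = j.rollback("T2")
    out["after_rollback"] = copy.deepcopy(store)
    # A later transaction touching the same record blocks an automatic undo of T1.
    j.update("T3", "INV-1", amount=90)
    try:
        j.rollback("T1")
    except RollbackConflict as e:
        out["conflict"] = str(e)
    return out
```

In a real deployment the journal would be persisted alongside the target system's own audit trail rather than held in memory, and the before-images themselves are sensitive data that need the same protection as the records they copy.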
As digital workers in the form of various bots become pervasive in the enterprise, it is important to have governance frameworks and tools to monitor the work done by these digital workers. Beyond monitoring, these solutions need to be secured during the design process and coupled with availability solutions in case things go wrong. Having these frameworks in place helps address the adoption and scalability challenges and expedites the digital transformation journey while ensuring compliance and risk mitigation.