A system and method for AI impact assessment with threat modelling for responsible AI requirements
The automated AI impact assessment system addresses manual inefficiencies by integrating threat modelling and expert validation, ensuring accurate and timely compliance with responsible AI principles through dynamic regulatory mapping and real-time dashboards.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- PRIVASAPIEN TECH PTE LTD
- Filing Date
- 2025-12-15
- Publication Date
- 2026-06-25
AI Technical Summary
Existing AI impact assessments are manual, time-consuming, and error-prone, failing to capture contextual business requirements and regulatory compliance, leading to incomplete or inaccurate evaluations and increased regulatory and operational risks.
An automated system and method for AI impact assessment with threat modelling, integrating business requirement capture, risk identification, regulatory mapping, and expert validation to ensure compliance with responsible AI principles, using a processor and memory to generate questionnaires, recommendations, and real-time dashboards for dynamic compliance management.
Enables accurate, context-specific, and efficient AI impact assessments that align with global regulations, providing actionable mitigation strategies and real-time compliance monitoring, reducing errors and accelerating safe AI deployment.
Description
[0001] A SYSTEM AND METHOD FOR AI IMPACT ASSESSMENT WITH THREAT MODELLING FOR RESPONSIBLE AI REQUIREMENTS
[0002] EARLIEST PRIORITY DATE:
[0003] This Application claims priority from a provisional patent application filed in India having Patent Application No. 202441101479, filed on December 20, 2024, and titled “SYSTEM AND METHOD FOR ARTIFICIAL INTELLIGENCE (AI) IMPACT ASSESSMENT WITH THREAT MODELLING FOR RESPONSIBLE AI REQUIREMENTS”.
[0004] FIELD OF INVENTION
[0005] The present invention relates to the field of artificial intelligence governance and compliance. More particularly, the present invention relates to a system and method for AI impact assessment with threat modelling for responsible AI requirements.
[0006] BACKGROUND
[0007] Artificial Intelligence (AI) has emerged as a transformative technology across industries, enabling automation, predictive analytics, and intelligent decision-making. With its rapid adoption, AI systems are increasingly influencing critical business processes, customer interactions, and societal functions. However, the deployment of AI introduces complex challenges related to ethics, compliance, and risk management.
[0008] As artificial intelligence (AI) technologies rapidly advance and become increasingly widespread, organizations are required to implement AI Impact Assessments to comply with Responsible AI principles, including privacy, accountability, safety, security, fairness, explainability, reliability, and sustainability. Responsible AI is the practice of developing, deploying, and using AI systems in a way that is ethical, safe, and trustworthy. Responsible AI is important because misusing AI may cause harm to users, businesses, society, and affected persons. However, although conducting AI Impact Assessments is mandated in most regulations, it remains a significant challenge for many organizations. The process is often carried out manually or through partial solutions, which can be time-consuming and error-prone.
[0009] Existing approaches to AI risk assessment and compliance are fragmented and lack automation. Organizations struggle to identify potential risks across the AI lifecycle, map them to evolving global regulations, and implement technical safeguards effectively. Manual assessments often fail to capture contextual business requirements, resulting in incomplete or inaccurate evaluations. Furthermore, the absence of integrated dashboards and expert validation mechanisms leads to delays, inefficiencies, and increased exposure to regulatory and operational risks.
[0010] Hence, there is a need for an improved system and method for AI impact assessment with threat modelling for responsible AI requirements to address the aforementioned issue(s).
[0011] OBJECTIVES OF THE INVENTION
[0012] The primary objective of the invention is to provide a system and method for automated AI impact assessment augmented with threat modelling, enabling identification of potential AI-related risks across the model lifecycle and aligning them with responsible AI principles such as privacy, security, fairness, explainability, and sustainability.
[0013] Another objective of the invention is to enable contextual compliance mapping and regulatory alignment, by dynamically associating identified risks with applicable global AI regulations and generating questionnaires and templates for data protection impact assessments, thereby ensuring adherence to evolving legal standards.
[0014] Another objective of the invention is to provide dynamic technical safeguard recommendations and expert validation, wherein the system generates actionable mitigation strategies based on global best practices and allows human-in-the-loop intervention for refining and validating recommendations to ensure accuracy and context specificity.
[0015] Yet another objective of the invention is to offer centralized monitoring and workflow orchestration through real-time dashboards, facilitating review of assessments, compliance status, approvals, and risk metrics, while supporting collaborative workflows among AI deployers, governance teams, and stakeholders for accelerated and safe AI deployment.
[0016] SUMMARY
[0017] In accordance with an embodiment of the present disclosure, a system for AI impact assessment with threat modelling for responsible AI requirements is disclosed. The system includes a processor and a memory coupled to the processor, wherein the memory comprises instructions that when executed by the processor cause the processor to capture and interpret one or more objectives of a business unit to align development of responsible artificial intelligence requirements with one or more business needs. The processor also executes instructions to identify one or more potential artificial intelligence-related risks in the development of the responsible artificial intelligence requirements with one or more business needs. The processor also executes instructions to generate a questionnaire for a user to assess regulatory compliance for the business unit based on the one or more objectives and a template, thereby initiating a session for a data protection impact assessment, wherein the template is created by merging a data protection impact assessment questionnaire, policies and glossary pertaining to the business. The processor further executes instructions to map the identified one or more potential artificial intelligence-related risks to an applicable one or more global artificial intelligence regulations. The processor further executes instructions to dynamically generate one or more recommendations and a summary of the session based on the questionnaire for mitigating the identified one or more potential artificial intelligence-related risks based on one or more global best practices, thereby ensuring safe AI impact assessment.
[0018] In accordance with an embodiment of the present disclosure, a method for AI impact assessment with threat modelling for responsible AI requirements is disclosed. The method includes capturing and interpreting one or more objectives of a business unit to align development of responsible artificial intelligence requirements with one or more business needs. The method also includes identifying one or more potential artificial intelligence-related risks in the development of the responsible artificial intelligence requirements with one or more business needs. The method also includes generating a questionnaire for a user to assess regulatory compliance for the business unit based on the one or more objectives and a template, thereby initiating a session for a data protection impact assessment, wherein the template is created by merging a data protection impact assessment questionnaire, policies and glossary pertaining to the business. The method further includes mapping the identified one or more potential artificial intelligence-related risks to an applicable one or more global artificial intelligence regulations. Furthermore, the method includes dynamically generating one or more recommendations and a summary of the session based on the questionnaire for mitigating the identified one or more potential artificial intelligence-related risks based on one or more global best practices, thereby ensuring safe AI impact assessment.
[0019] To further clarify the advantages and features of the present disclosure, a more particular description of the disclosure will follow by reference to specific embodiments thereof, which are illustrated in the appended figures. It is to be appreciated that these figures depict only typical embodiments of the disclosure and are therefore not to be considered limiting in scope. The disclosure will be described and explained with additional specificity and detail with the appended figures.
[0020] BRIEF DESCRIPTION OF THE DRAWINGS
The disclosure will be described and explained with additional specificity and detail with the accompanying figures in which:
[0021] FIG. 1 illustrates a network environment of a system for AI impact assessment with threat modelling for responsible AI requirements in accordance with an embodiment of the present disclosure;
[0022] FIG. 2 illustrates a schematic diagram of a user device of FIG. 1, in accordance with an example implementation of the present subject matter;
[0023] FIG. 3 illustrates a schematic diagram of a system for AI impact assessment with threat modelling for responsible AI requirements of FIG. 1, in accordance with an embodiment of the present disclosure; and
[0024] FIG. 4 is a flow chart representing the steps involved in a method for AI impact assessment with threat modelling for responsible AI requirements, in accordance with an embodiment of the present disclosure.
[0025] Further, those skilled in the art will appreciate that elements in the figures are illustrated for simplicity and may not have necessarily been drawn to scale. Furthermore, in terms of the construction of the device, one or more components of the device may have been represented in the figures by conventional symbols, and the figures may show only those specific details that are pertinent to understanding the embodiments of the present disclosure so as not to obscure the figures with details that will be readily apparent to those skilled in the art having the benefit of the description herein.
[0026] DETAILED DESCRIPTION
[0027] For the purpose of promoting an understanding of the principles of the disclosure, reference will now be made to the embodiment illustrated in the figures and specific language will be used to describe them. It will nevertheless be understood that no limitation of the scope of the disclosure is thereby intended. Such alterations and further modifications in the illustrated system, and such further applications of the principles of the disclosure as would normally occur to those skilled in the art are to be construed as being within the scope of the present disclosure.
[0028] The terms “comprises”, “comprising”, or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a process or method that comprises a list of steps does not include only those steps but may include other steps not expressly listed or inherent to such a process or method. Similarly, one or more devices or subsystems or elements or structures or components preceded by "comprises... a" does not, without more constraints, preclude the existence of other devices, sub-systems, elements, structures, components, additional devices, additional sub-systems, additional elements, additional structures, or additional components. Appearances of the phrase "in an embodiment", "in another embodiment" and similar language throughout this specification may, but not necessarily do, all refer to the same embodiment.
[0029] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the art to which this disclosure belongs. The system, methods, and examples provided herein are only illustrative and not intended to be limiting.
[0030] In the following specification and the claims, reference will be made to a number of terms, which shall be defined to have the following meanings. The singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[0031] FIG. 1 illustrates a network environment for implementing example techniques of a system for AI impact assessment with threat modelling for responsible AI requirements in accordance with an embodiment of the present disclosure.
[0032] Referring to FIG. 1, a user device (105) corresponding to a passenger may be communicatively coupled to a system (120). The passenger is an individual who is destined to use an airline operation. Further, the user may access the system (120) over a network (110). Examples of the user device (105) include, but are not limited to, a mobile phone, desktop computer, portable digital assistant (PDA), smart phone, tablet, ultra-book, netbook, laptop, multi-processor system, microprocessor-based or programmable consumer electronic system, or any other communication device that a user may use. It will be appreciated that the system (120) may be presented to the user on a corresponding user device (105) as a web application accessed through a browser, through a software application on the user device (105), or, particularly for smartphones, through a mobile application installed at the smartphone. It will be appreciated that, within the context of the disclosure herein, web application refers to a utility implemented on a networked computing system accessible by user device (105) over the Internet (e.g. through browsers) wherein the bulk of the processing takes place at the networked computing system, mobile applications refer to applications installed on smartphones that may communicate with a networked computing system, and a “software” application refers generally to applications other than web browsers installed on other types of user device (105) that may communicate with a networked computing system over the network (110).
[0033] The network (110) may be a single communication network or a combination of multiple communication networks and may use a variety of different communication protocols. The personalized network may be a wireless network, a wired network, or a combination thereof. Examples of such individual personalized networks include, but are not limited to, Global System for Mobile Communication (GSM) network, Universal Mobile Telecommunications System (UMTS) network, Personal Communications Service (PCS) network, Time Division Multiple Access (TDMA) network, Code Division Multiple Access (CDMA) network, Next Generation Network (NGN), and Public Switched Telephone Network (PSTN). Depending on the technology, the personalized network may include various network entities, such as gateways and routers; however, such details have been omitted for the sake of brevity of the present description.
[0034] The system (120) may have a homepage that is presented to the user (115) accessing a top-level web address for web applications presented to the user (115) in a browser or a welcome screen for software and mobile applications. The homepage may include links to a user log-in interface or general information about the system (120) and the option to register as user (115). It will be appreciated that the presentation of a homepage may not be necessary, for example, if a user (115) bypasses it by directly inputting a web address corresponding to a user log-in page, or if a separate mobile application is designed for users.
[0035] A new or unregistered user (115) can access the user log-in interface, fill out the log-in information corresponding to the user's account, and indicate that the user (115) wishes to sign in. It will be appreciated that any conventional registration and log-in techniques for web applications, software applications, and mobile applications may be used, whichever is appropriate for the user. While registering, the user (115) may be prompted to provide a username and corresponding user credentials, including but not limited to, password, geographical location, and contact information, and upon receipt of the foregoing information, a corresponding user profile may be created and stored on a respective database (385) of the system (120).
[0036] In accordance with an embodiment of the present disclosure, a system (120) for AI impact assessment with threat modelling for responsible AI requirements is disclosed. The system (120) includes a processor (305) and a memory (310) coupled to the processor (305), wherein the memory (310) comprises instructions that when executed by the processor (305) cause the processor (305) to capture and interpret one or more objectives of a business unit to align development of responsible artificial intelligence requirements with one or more business needs. The processor (305) also executes instructions to identify one or more potential artificial intelligence-related risks in the development of the responsible artificial intelligence requirements with one or more business needs. The processor (305) also executes instructions to generate a questionnaire for a user to assess regulatory compliance for the business unit based on the one or more objectives and a template, thereby initiating a session for a data protection impact assessment, wherein the template is created by merging a data protection impact assessment questionnaire, policies and glossary pertaining to the business. The processor (305) further executes instructions to map the identified one or more potential artificial intelligence-related risks to an applicable one or more global artificial intelligence regulations. The processor (305) further executes instructions to dynamically generate one or more recommendations and a summary of the session based on the questionnaire for mitigating the identified one or more potential artificial intelligence-related risks based on one or more global best practices, thereby ensuring safe AI impact assessment.
[0037] It may be noted that the foregoing system (120) is an exemplary system (120) and may be implemented as computer executable instructions in any computing or processing environment, including in digital electronic circuitry or in computer hardware, firmware, device driver, or software. As such, the system (120) is not limited to any specific hardware or software configuration.
[0038] FIG. 2 illustrates a schematic diagram of a user device (105), in accordance with an example implementation of the present subject matter. Referring to FIG. 2, the user device (105) may comprise a processor(s) (205), a memory(s) (210) coupled to and accessible by the processor(s) (205), and an interface (225) coupled to the memory(s) (210). The user device (105) disclosed herein may be same as the user device (105) described in FIG. 1. The functions of various elements shown in the figs., including any functional blocks labelled as "processor(s)" (205), may be provided through the use of dedicated hardware as well as hardware capable of executing instructions. When provided by a processor (205), the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared. Moreover, explicit use of the term "processor" (205) would not be construed to refer exclusively to hardware capable of executing instructions, and may implicitly comprise, without limitation, digital signal processor (DSP) hardware, network processor, application specific integrated circuit (ASIC), field programmable gate array (FPGA). Other hardware, standard and / or custom, may also be coupled to the processor(s) (205). The user device (105) may further include a display (215) in addition to other components such as, but not limited to, keyboard, sensors, logic circuits etc. Further, the user device (105) may include data (220) which may include data (220) that may be stored, utilized, or generated during the operation of the user device (105).
[0039] The memory(s) (210) may be a computer-readable medium, examples of which comprise volatile memory (e.g., RAM), and / or non-volatile memory (e.g., Erasable Programmable read-only memory, i.e., EPROM, flash memory, etc.). The memory(s) (210) may be an external memory, or internal memory, such as a flash drive, a compact disk drive, an external hard disk drive, or the like. The user device (105) may further include an interface (225) that may allow the connection or coupling of the user device (105) with one or more other devices, through a wired (e.g., Local Area Network, i.e., LAN) connection or through a wireless connection (e.g., Bluetooth®, Wi-Fi), for example, for connecting to the system (120) shown in FIG. 1. The interface (225) may also enable intercommunication between different logical as well as hardware components of the user device (105).
[0040] FIG. 3 illustrates a schematic diagram of a system for AI impact assessment with threat modelling for responsible AI requirements of FIG. 1, in accordance with an embodiment of the present disclosure. Referring to FIG. 3, the system (120) includes a processor(s) (305), a memory(s) (310) coupled to and accessible by the processor(s) (305), database (385) and a user interface (390) coupled to the memory(s) (310).
[0041] The system (120) disclosed herein is the same as the system (120) described in FIG. 1. The functions of various elements shown in the figs., including any functional blocks labelled as "processor(s)" (305), may be provided through the use of dedicated hardware as well as hardware capable of executing instructions. When provided by a processor (305), the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared. Moreover, explicit use of the term "processor" (305) would not be construed to refer exclusively to hardware capable of executing instructions, and may implicitly comprise, without limitation, digital signal processor (DSP) hardware, network processor, application specific integrated circuit (ASIC), field programmable gate array (FPGA). Other hardware, standard and / or custom, may also be coupled to the processor(s) (305). The system (120) may further include other components such as, but not limited to, keyboard, sensors, logic circuits, input / output interfaces etc. Further, the system (120) may include data (not shown) which may include data that may be stored, utilized, or generated during the operation of the computer implemented system (120).
[0042] The memory(s) (310) may be a computer-readable medium, examples of which comprise volatile memory (e.g., RAM), and / or non-volatile memory (e.g., Erasable Programmable read-only memory, i.e., EPROM, flash memory, etc.). The memory(s) (310) may be an external memory, or internal memory, such as a flash drive, a compact disk drive, an external hard disk drive, or the like. The system (120) may further include the user interface (390) that may allow the connection or coupling of the system (120) with one or more other devices, through a wired (e.g., Local Area Network, i.e., LAN) connection or through a wireless connection (e.g., Bluetooth®, Wi-Fi), for example, for connecting to the user device (105) as shown in FIG. 1. The user interface (390) may also enable intercommunication between different logical as well as hardware components of the system (120).
[0043] The system (120) may be provided with a database (385) to store one or more business needs (365), risk identification data (370), compliance assessment data (375), and risk quantification data (380). In an example implementation of the system (120) including one or more servers, the databases (385) may be databases (385) local to the server or may be remote to the server. It may be noted that the data in the databases (385) may be stored as a table or may be pre-stored as a mapping with the other. This application is not limited thereto.
[0044] The system (120) may include module(s). The module(s) may include a business requirement module (315), a responsible artificial intelligence threat modelling module (320), a compliance module (325), an automatic regulatory requirement module (330), a technical safeguard recommendation module (335), a human-in-the-loop module (340), a permission workflow module (345), a workflow orchestration module (350), a dashboard module (355) and an approval and rejection module (360). In one example, the module(s) may be implemented as a combination of hardware and firmware. In an example described herein, such combinations of hardware and firmware may be implemented in several different ways. For example, the firmware for module(s) may be processor (305) executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the module(s) may include a processing resource (for example, implemented as either single processor or combination of multiple processors), to execute such instructions. Further, the hardware for the module(s) may include communication apparatuses, control circuitries involving electrical and electronics components, sensors, and interface devices, which may be in communication with each other for multi-directional communication therebetween.
[0045] Further, the system (120) includes data. The data may include data that is either stored or generated as a result of functions implemented by the system (120). In an example, data may include one or more business needs (365), risk identification data (370), compliance assessment data (375), and risk quantification data (380). It may be noted that such examples of the various functions are only indicative. The present approaches may be applicable to other examples without deviating from the scope of the present subject matter.
[0046] In the present examples, the non-transitory machine-readable storage medium may store instructions that, when executed by the processing resource, implement the functionalities of the module(s). In such examples, the system (120) may include the machine-readable storage medium storing the instructions and the processing resource to execute the instructions. In other examples of the present subject matter, the machine-readable storage medium may be located at a different location but accessible to the system (120) and the processor(s) (305).
[0047] In operation, the business requirement module (315) is configured to capture and interpret one or more objectives of a business unit to align development of responsible artificial intelligence (AI) requirements with one or more business needs. The business requirement module (315) captures and interprets one or more objectives of the business unit. The business requirement module (315) serves as the foundational layer for aligning the development of responsible artificial intelligence requirements with specific business needs.
[0048] The business requirement module (315) is designed to collect contextual information such as organizational goals, operational constraints, and compliance priorities. It processes this information to ensure that subsequent risk assessments and compliance evaluations are relevant to the intended use case of the system (120). By interpreting business objectives, the module enables the system (120) to tailor AI impact assessments to the unique requirements of each business unit, thereby bridging the gap between technical risk modelling and strategic business alignment.
[0049] In one embodiment of the present invention, the system (120) causes the processor (305) to execute instructions to allow the user to select the business unit and a corresponding template for the session. The business unit selection ensures that the AI impact assessment is contextually aligned with the operational objectives and compliance requirements of the specific unit.
[0050] Once the business unit is selected, the system (120) retrieves a predefined template that consolidates relevant policies, data protection impact assessment questionnaires, and glossary terms associated with that unit. This template serves as the foundation for generating structured workflows and questionnaires, enabling a streamlined and standardized approach to capturing compliance-related information.
[0051] In one embodiment of the present invention, the responsible artificial intelligence requirements comprise privacy, accountability, safety, security, fairness, explainability, reliability and sustainability. The system (120) defines and enforces a set of responsible artificial intelligence requirements that serve as guiding principles for AI development and deployment. These requirements comprise privacy, accountability, safety, security, fairness, explainability, reliability, and sustainability, which collectively ensure that the system (120) operates in an ethical, transparent, and trustworthy manner.
[0052] The inclusion of privacy safeguards user data and prevents unauthorized access or misuse, while accountability ensures that clear governance structures and audit trails exist for all AI-related decisions. Safety and security requirements protect against operational failures and malicious attacks, maintaining the integrity and resilience of the system (120). Fairness addresses bias and discrimination, ensuring equitable outcomes across diverse user groups. Explainability provides transparency into AI decision-making processes, enabling stakeholders to understand and validate system (120) behaviour. Reliability guarantees consistent performance under varying conditions, and sustainability promotes resource-efficient practices that minimize environmental impact.
[0053] In further operation, the responsible artificial intelligence threat modelling module (320) is operatively coupled to the business requirement module (315) and is configured to identify one or more potential artificial intelligence-related risks in the development of the responsible artificial intelligence requirements with one or more business needs. The responsible artificial intelligence threat modelling module (320) is configured to identify one or more potential AI-related risks that may arise during the development and deployment of responsible AI requirements in alignment with business needs.
[0054] The responsible artificial intelligence threat modelling module (320) analyzes the objectives captured by the business requirement module (315) and evaluates them against known risk factors associated with the system (120), such as bias, lack of transparency, security vulnerabilities, and compliance gaps. By systematically assessing these risks, the responsible artificial intelligence threat modelling module (320) enables proactive identification of threats across the AI lifecycle, ensuring that risk mitigation strategies can be incorporated early in the design and development process. This approach enhances the reliability and accountability of the system (120) while supporting adherence to responsible AI principles.
[0055] In one embodiment of the present invention, the system (120) causes the processor (305) to execute further instructions to ensure automatically that the identified one or more potential artificial intelligence-related risks are compliant with one or more evolving global legal standards comprising privacy, security, safety, fairness, explainability, transparency and sustainability. The system (120) achieves this by dynamically mapping each identified risk to the corresponding regulatory frameworks and ethical guidelines applicable across jurisdictions. This automated mapping eliminates the need for manual interpretation of complex regulations, thereby reducing errors and accelerating compliance verification.
[0056] The system (120) leverages predefined compliance templates and continuously updated regulatory databases to validate whether the system (120) adheres to these principles throughout its lifecycle. For instance, when a risk related to data privacy is detected, the system (120) cross-references global data protection laws and responsible AI policies to confirm alignment. Similarly, risks associated with fairness or explainability are evaluated against standards that mandate bias mitigation and interpretability in AI models. By automating this compliance check, the system (120) enables organizations to address regulatory obligations and ethical considerations proactively without disrupting development timelines.
[0057] Furthermore, the compliance mechanism operates in real time, adapting to changes in global regulations and industry best practices. This dynamic approach enables the system (120) to provide actionable insights and recommendations whenever new compliance requirements emerge. As a result, businesses can maintain continuous adherence to responsible AI principles, safeguard user trust, and minimize exposure to legal and reputational risks.
[0058] In further operation, the compliance module (325) is operatively coupled to the responsible artificial intelligence threat modelling module (320) and is configured to generate a questionnaire for a user to assess regulatory compliance for the business unit based on the one or more objectives and a template, thereby initiating a session for a data protection impact assessment. Further, the template is created by merging a data protection impact assessment questionnaire, policies and a glossary pertaining to the business.
[0059] The compliance module (325) generates the questionnaire for the user to assess regulatory compliance for the selected business unit. The questionnaire is dynamically created based on the objectives captured by the business requirement module (315) and the corresponding template, thereby initiating a structured session for the data protection impact assessment. This ensures that compliance evaluation is not generic but tailored to the operational and regulatory context of the specific business unit.
[0060] The template utilized by the compliance module (325) is created by merging multiple compliance-related resources, including the data protection impact assessment questionnaire, organizational policies, and a glossary of terms relevant to the business. By consolidating these elements, the system (120) provides a comprehensive and standardized framework for conducting assessments. This approach eliminates inconsistencies that often arise in manual compliance processes and ensures that all critical aspects such as privacy, security, and accountability are addressed systematically.
[0061] During operation, the compliance module (325) orchestrates the workflow by presenting the questionnaire to the user in an interactive format. The responses collected are stored for subsequent analysis and validation by other modules within the system (120). This structured process enables organizations to maintain transparency and traceability in compliance activities while reducing the time and effort required for regulatory assessments.
[0062] In further operation the automatic regulatory requirement module (330) is operatively coupled to the responsible artificial intelligence threat modelling module (320) and is configured to map the identified one or more potential artificial intelligence-related risks to an applicable one or more global artificial intelligence regulations.
[0063] The automatic regulatory requirement module (330) maps the identified one or more potential AI-related risks to applicable global AI regulations. The mapping process ensures that every risk detected during threat modelling is evaluated against the relevant legal frameworks, ethical guidelines, and compliance standards enforced across different jurisdictions. By automating this process, the system (120) eliminates manual interpretation of complex regulatory texts, reducing errors and accelerating compliance verification.
[0064] The automatic regulatory requirement module (330) operates by leveraging a continuously updated repository of global AI regulations, including data protection laws, algorithmic accountability standards, and sector-specific compliance requirements. When a risk is identified, such as bias in decision-making or lack of transparency, the module (330) cross-references it with the corresponding regulatory provisions. For example, a fairness-related risk may be mapped to anti-discrimination laws and AI ethics guidelines, while a privacy-related risk is aligned with data protection regulations such as the GDPR or similar frameworks. This automated mapping ensures that organizations remain compliant with evolving global standards without requiring extensive legal expertise.
[0065] Furthermore, the automatic regulatory requirement module (330) supports dynamic updates, enabling real-time adaptation to changes in the regulatory landscape. As new AI governance policies emerge, the system (120) incorporates them into its compliance database, ensuring that risk mapping remains current and comprehensive.
[0066] In further operation, the technical safeguard recommendation module (335) is operatively coupled to the automatic regulatory requirement module (330) and is configured to dynamically generate one or more recommendations and a summary of the session based on the questionnaire, mitigating the identified one or more potential artificial intelligence-related risks based on one or more global best practices and thereby ensuring a safe AI impact assessment.
[0067] The technical safeguard recommendation module (335) dynamically generates the one or more recommendations and the summary of the assessment session based on the responses captured through the compliance questionnaire. The primary function of the module (335) is to provide actionable strategies for mitigating the identified AI-related risks, ensuring that the AI system (120) adheres to responsible AI principles and global regulatory standards.
[0068] The recommendation generation process begins by analyzing the mapped risks and correlating them with global best practices and industry guidelines. For example, if the system (120) detects a risk related to data privacy, the technical safeguard recommendation module (335) may recommend implementing encryption protocols, access control mechanisms, and anonymization techniques. Similarly, for risks associated with fairness or bias, the module may suggest algorithmic audits, bias detection tools, and diverse dataset inclusion strategies. These recommendations are not static; they are dynamically tailored based on the business objectives, regulatory requirements, and contextual factors identified during the assessment session.
[0069] In addition to generating technical safeguards, the technical safeguard recommendation module (335) compiles a comprehensive summary of the session, which includes the identified risks, compliance mapping results, and recommended mitigation measures. This summary serves as a reference document for stakeholders, enabling transparent communication and informed decision-making.
[0070] In one embodiment, the human-in-the-loop module (340) is operatively coupled to the technical safeguard recommendation module (335) and is configured to enable one or more experts to verify responses and to refine and validate one or more recommendations depending upon their role, thereby ensuring that the recommendations are accurate and context-specific. The human-in-the-loop module (340) enables the experts to participate in the assessment process by verifying responses, refining recommendations, and validating the mitigation strategies generated by the system (120). The inclusion of human oversight ensures that automated outputs are accurate, context-specific, and aligned with organizational policies and ethical standards.
[0071] The human-in-the-loop module (340) operates by providing experts with access to the recommendations and session summaries generated by the technical safeguard recommendation module (335). Experts can review these outputs, identify gaps, and adjust them based on domain knowledge, regulatory interpretations, or business-specific considerations. For example, while the system (120) may suggest a generic encryption protocol for data privacy, an expert can refine this recommendation to include industry-specific encryption standards or additional compliance measures relevant to the organization's jurisdiction.
[0072] Furthermore, the human-in-the-loop module (340) supports role-based access, allowing different stakeholders such as AI governance teams, compliance officers, and technical leads to contribute according to their responsibilities. This collaborative approach enhances the robustness of the assessment process by combining automated intelligence with human judgment. By integrating expert validation into the workflow, the system (120) ensures that recommendations are not only technically sound but also practically implementable within the organization's operational framework.
[0073] In a further embodiment, the permission workflow module (345) is configured to receive a report generated by an expert and, based on the report, to quantify associated risks, generate questions, collect responses, review application controls, and authorize deployment via the approval and rejection module (360). The permission workflow module (345) operates by receiving the detailed report generated by the expert during the human-in-the-loop validation stage. The report typically contains insights on identified risks, contextual factors, and recommendations for mitigation. Using this information, the permission workflow module (345) applies analytical techniques to assign measurable values to each risk, enabling organizations to prioritize mitigation efforts based on severity and potential impact.
[0074] The permission workflow module (345) begins by parsing the expert report and categorizing risks according to predefined parameters such as likelihood, impact, and compliance relevance. It then quantifies these risks using scoring models or weighted metrics, creating a structured risk profile for the AI system (120) under assessment. This quantification process transforms qualitative observations into actionable numerical indicators, facilitating objective decision-making and resource allocation.
[0075] Beyond risk scoring, the permission workflow module (345) dynamically generates additional questions aimed at clarifying ambiguous areas or validating assumptions identified during the expert review. These questions are presented to the relevant stakeholders, and their responses are collected for further analysis. The permission workflow module (345) also reviews the application controls implemented within the AI system (120), ensuring that technical safeguards align with the quantified risk levels and regulatory requirements.
[0076] Finally, the permission workflow module (345) plays a critical role in deployment authorization. By consolidating quantified risk scores, expert feedback, and compliance checks, the permission workflow module (345) provides a comprehensive risk assessment report to decision-makers. This report serves as the basis for approving or rejecting deployment of the system (120). The approval or rejection is made using the approval and rejection module (360), ensuring that only systems (120) meeting acceptable risk thresholds and compliance standards proceed to production.
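The quantification and deployment gate described in [0073] to [0076] can be illustrated with the following added example. It is not the patent's implementation and it assumes a specific scoring model: integer weights over 1 to 5 ratings for likelihood, impact and compliance relevance, an assumed baseline of application controls per responsible AI principle, each implemented baseline control lowering likelihood by one step, and fixed reject and approve thresholds. The expert-report layout and the sample report are constructed for the example.

```python
"""Risk quantification and deployment gate for an AI impact assessment session.

Illustrative code added to this page; it is not the patent's implementation.
The scoring model, the control baseline per principle, the thresholds and the
expert-report layout are all assumptions.
"""
from dataclasses import dataclass, field

# Assumed weights: impact counts most, then likelihood, then compliance relevance.
WEIGHTS = {"likelihood": 3, "impact": 4, "compliance_relevance": 2}
SCALE_MIN, SCALE_MAX = 1, 5   # inherent score therefore lies in [9, 45]
REJECT_AT = 35                # any residual at or above this blocks deployment
APPROVE_BELOW = 25            # all residuals below this, and no open questions, approves

# Assumed baseline of application controls expected per responsible AI principle.
EXPECTED_CONTROLS = {
    "privacy": {"encryption_at_rest", "access_control", "anonymization"},
    "fairness": {"bias_audit", "bias_detection"},
    "explainability": {"model_cards", "explanation_api"},
}


@dataclass
class Risk:
    risk_id: str
    principle: str
    likelihood: int
    impact: int
    compliance_relevance: int
    controls: set = field(default_factory=set)  # controls the expert confirmed as implemented


def _check_scale(value, name):
    """Reject out-of-range or non-integer ratings instead of scoring them as low risk."""
    if isinstance(value, bool) or not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer in [{SCALE_MIN}, {SCALE_MAX}], got {value!r}")
    return value


def parse_expert_report(report):
    """Parse the expert's report (assumed dict layout) into Risk records."""
    return [
        Risk(
            risk_id=entry["id"],
            principle=entry["principle"],
            likelihood=_check_scale(entry["likelihood"], "likelihood"),
            impact=_check_scale(entry["impact"], "impact"),
            compliance_relevance=_check_scale(entry["compliance_relevance"], "compliance_relevance"),
            controls=set(entry.get("controls", ())),
        )
        for entry in report["risks"]
    ]


def inherent_score(risk):
    """Weighted score before controls are considered; higher is more severe."""
    return sum(WEIGHTS[k] * getattr(risk, k) for k in WEIGHTS)


def residual_score(risk):
    """Each implemented baseline control lowers likelihood by one step (assumed model).
    Controls outside the baseline earn no credit, so unverifiable claims do not reduce risk."""
    credited = len(EXPECTED_CONTROLS.get(risk.principle, set()) & risk.controls)
    effective_likelihood = max(SCALE_MIN, risk.likelihood - credited)
    return inherent_score(risk) - WEIGHTS["likelihood"] * (risk.likelihood - effective_likelihood)


def clarifying_questions(risks):
    """Follow-up questions for gaps found during the application-control review."""
    questions = []
    for r in risks:
        baseline = EXPECTED_CONTROLS.get(r.principle)
        if baseline is None:
            questions.append(f"{r.risk_id}: no control baseline for principle '{r.principle}'; which safeguards apply?")
            continue
        for control in sorted(baseline - r.controls):
            questions.append(f"{r.risk_id}: is '{control}' implemented for this {r.principle} risk?")
    return questions


def decide(risks):
    """Reject on any severe residual, approve only when every residual is low and no
    question is open, otherwise escalate to the approval and rejection step."""
    if not risks:
        return "reject", "no risks recorded; the assessment is incomplete"
    residuals = {r.risk_id: residual_score(r) for r in risks}
    worst_id = max(residuals, key=residuals.get)
    open_questions = clarifying_questions(risks)
    if residuals[worst_id] >= REJECT_AT:
        return "reject", f"{worst_id} residual {residuals[worst_id]} >= {REJECT_AT}"
    if residuals[worst_id] < APPROVE_BELOW and not open_questions:
        return "approve", f"max residual {residuals[worst_id]} < {APPROVE_BELOW}, no open questions"
    return "escalate", f"max residual {residuals[worst_id]} ({worst_id}); {len(open_questions)} open question(s)"


# Constructed sample expert report for a hypothetical credit-scoring model.
SAMPLE_REPORT = {
    "risks": [
        {"id": "R1", "principle": "privacy", "likelihood": 4, "impact": 5, "compliance_relevance": 5,
         "controls": ["encryption_at_rest", "access_control", "anonymization"]},
        {"id": "R2", "principle": "fairness", "likelihood": 3, "impact": 4, "compliance_relevance": 4,
         "controls": ["bias_audit"]},
        {"id": "R3", "principle": "explainability", "likelihood": 2, "impact": 3, "compliance_relevance": 3},
    ]
}

if __name__ == "__main__":
    sample_risks = parse_expert_report(SAMPLE_REPORT)
    for r in sample_risks:
        print(r.risk_id, inherent_score(r), residual_score(r))
    print(decide(sample_risks))
```

Running the sample escalates rather than approves: the privacy risk R1 keeps a residual of 33 even with all three baseline controls in place, and three control questions remain open for R2 and R3. The gate also refuses ratings outside the scale and rejects an empty report, so a missing or malformed expert report cannot pass as low risk.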
[0077] In another embodiment the workflow orchestration module (350) is configured to generate a workflow of questions wherein the workflow is answered by an AI deployer, reviewed by an AI governance team, and subsequently utilized by one or more stakeholders. The workflow orchestration module (350) ensures that the assessment is carried out in a systematic and collaborative manner, involving multiple stakeholders across different stages of the workflow. The questions generated by the workflow orchestration module (350) are based on the selected business unit, compliance templates, and identified risks, ensuring that the workflow remains contextually relevant and comprehensive.
[0078] The workflow begins with the AI deployer, who is responsible for providing initial responses to the generated questions. These responses typically cover technical details, operational parameters, and deployment considerations for the AI system (120). Once the deployer completes their inputs, the workflow transitions to the AI governance team, which reviews the responses for compliance, ethical alignment, and adherence to responsible AI principles. This review process allows governance experts to validate the accuracy of the information and identify any gaps or inconsistencies that may require further clarification.
[0079] Subsequently, the workflow outputs are made available to stakeholders, including compliance officers, risk managers, and decision-makers. These stakeholders utilize the reviewed information to make informed decisions regarding risk mitigation strategies, regulatory adherence, and deployment approvals. Additionally, the workflow orchestration module (350) supports auditability by maintaining a record of all interactions, responses, and approvals, enabling organizations to demonstrate compliance during regulatory audits or internal reviews.
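The staged workflow and audit record described in [0077] to [0079] can be implemented as in the following added example. This is not the patent's code; the stage order, the role names, the rule that an actor who answered the questionnaire may not review or decide on it, and the SHA-256 hash chain over the audit entries are assumptions beyond what the text states. The questions and answers in run_sample are constructed.

```python
"""Role-gated assessment workflow with a tamper-evident audit record.

Illustrative code added to this page, not the patent's implementation. Stage
order, role names, the separation-of-duties rule and the hash chain are assumed.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Assumed stage sequence and the single role permitted to act at each stage.
STAGES = ("answer", "review", "decide", "closed")
ROLE_FOR_STAGE = {"answer": "ai_deployer", "review": "ai_governance", "decide": "stakeholder"}


class WorkflowError(Exception):
    """Raised when an actor attempts an action its role or the current stage does not permit."""


@dataclass
class AssessmentWorkflow:
    questions: tuple
    stage_index: int = 0
    responses: dict = field(default_factory=dict)
    review: dict = field(default_factory=dict)
    actors: dict = field(default_factory=dict)  # stage -> actor who completed it
    audit: list = field(default_factory=list)   # hash-chained, append-only record

    @property
    def stage(self):
        return STAGES[self.stage_index]

    def _record(self, actor, role, action, payload):
        """Append an audit entry whose hash covers its content and the previous hash."""
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "actor": actor, "role": role,
                 "action": action, "payload": payload, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def _gate(self, expected_stage, actor, role):
        if self.stage != expected_stage:
            raise WorkflowError(f"workflow is at stage '{self.stage}', not '{expected_stage}'")
        if role != ROLE_FOR_STAGE[expected_stage]:
            raise WorkflowError(f"role '{role}' may not act at stage '{expected_stage}'")
        # Separation of duties (assumed rule): nobody reviews or decides on their own answers.
        if expected_stage != "answer" and actor == self.actors.get("answer"):
            raise WorkflowError(f"{actor} answered the questionnaire and cannot act at '{expected_stage}'")

    def _advance(self, actor, role, action, payload):
        self.actors[self.stage] = actor
        self._record(actor, role, action, payload)
        self.stage_index += 1

    def answer(self, actor, role, answers):
        """AI deployer stage: every generated question must receive a non-empty answer."""
        self._gate("answer", actor, role)
        missing = [q for q in self.questions if not answers.get(q)]
        if missing:
            raise WorkflowError(f"unanswered questions: {missing}")
        self.responses = {q: answers[q] for q in self.questions}
        self._advance(actor, role, "answer", self.responses)

    def review_responses(self, actor, role, verdict, notes=""):
        """AI governance stage: record a verdict on the deployer's responses."""
        self._gate("review", actor, role)
        if verdict not in ("compliant", "gaps_found"):
            raise WorkflowError(f"unknown verdict {verdict!r}")
        self.review = {"verdict": verdict, "notes": notes}
        self._advance(actor, role, "review", self.review)

    def decide(self, actor, role, decision):
        """Stakeholder stage: approval is only possible on a compliant governance review."""
        self._gate("decide", actor, role)
        if decision == "approve" and self.review.get("verdict") != "compliant":
            raise WorkflowError("cannot approve while governance review reports gaps")
        self._advance(actor, role, "decide", {"decision": decision})
        return decision

    def verify_audit(self):
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for i, entry in enumerate(self.audit):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_sample():
    """Constructed walk-through: deployer answers, governance reviews, stakeholder decides."""
    wf = AssessmentWorkflow(questions=("data_sources", "retention_period", "human_review_path"))
    wf.answer("dana", "ai_deployer", {"data_sources": "CRM exports", "retention_period": "90 days",
                                       "human_review_path": "appeals desk"})
    wf.review_responses("gita", "ai_governance", "compliant", notes="retention within policy")
    decision = wf.decide("sam", "stakeholder", "approve")
    return wf, decision
```

verify_audit() recomputes the chain, so editing, deleting or reordering any recorded response or approval is detectable during an audit. The gate raises WorkflowError for the wrong role, the wrong stage, or a deployer reviewing their own answers, and a stakeholder cannot approve while the governance review reports gaps.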
[0080] In a further embodiment, the dashboard module (355) is configured to centralize the review of assessments and compliance status, providing real-time dashboards for monitoring approvals and risk metrics. The dashboard module (355) serves as the primary interface for stakeholders to monitor and manage the AI impact assessment process in real time. By consolidating data from multiple modules, including business requirements, threat modelling, compliance checks, and risk quantification, the dashboard provides a unified view of the assessment lifecycle, ensuring transparency and operational efficiency.
[0081] The dashboard module (355) is designed to display critical information such as compliance status, risk metrics, and approval workflows in an intuitive and interactive format. Users can track the progress of ongoing assessments, review pending approvals, and analyze risk scores generated by the system (120). Real-time updates ensure that decision-makers have immediate access to the latest information, enabling timely interventions when discrepancies or high-risk indicators are detected.
[0082] Additionally, the dashboard supports role-based access, allowing different stakeholders such as AI deployers, governance teams, and compliance officers to view and act upon relevant data according to their responsibilities. This centralized approach eliminates the need for fragmented reporting and manual coordination, reducing delays and improving accountability. By integrating visualization tools and dynamic reporting capabilities, the dashboard module (355) enhances situational awareness and facilitates informed decision-making across the organization.
[0083] In an additional embodiment, the real-time dashboard is configured to provide a centralized review of assessments, one or more compliance statuses, one or more approvals, and risk metrics, and to enable accelerated and safe artificial intelligence impact assessment augmented by threat modelling.
[0084] The real-time dashboard provides the centralized review of assessments, compliance statuses, approvals, and risk metrics. This dashboard acts as an integrated control center, consolidating outputs from all modules, such as business requirement capture, threat modelling, compliance evaluation, and risk quantification, into a single, interactive interface. By centralizing this information, the dashboard eliminates the need for fragmented reporting and manual coordination, enabling stakeholders to access critical insights instantly. The real-time dashboard is designed to display dynamic updates on assessment progress, compliance checks, and approval workflows. Users can monitor risk metrics generated by the threat modelling and quantification modules, track pending actions, and review completed assessments in a structured format. This capability ensures transparency and accelerates decision-making by providing stakeholders with actionable intelligence at every stage of the AI impact assessment process.
[0085] Consider a non-limiting example wherein the system (120) initiates an AI impact assessment process by allowing a user to select a business unit and a corresponding template through the business requirement module (315). This template consolidates organizational policies, data protection impact assessment questionnaires, and glossary terms, ensuring that the assessment is contextually aligned with business objectives. Once the session is initiated, the responsible AI threat modelling module (320) analyzes the captured objectives and identifies potential AI-related risks across the model lifecycle, focusing on responsible AI principles such as privacy, fairness, and explainability. Following risk identification, the compliance module (325) generates a dynamic questionnaire based on the selected template and business objectives. The responses collected are processed to evaluate regulatory adherence. Simultaneously, the automatic regulatory requirement module (330) maps the identified risks to applicable global AI regulations, ensuring compliance with evolving legal standards. Based on this mapping and the questionnaire responses, the technical safeguard recommendation module (335) dynamically generates mitigation strategies and compiles a session summary aligned with global best practices. To enhance accuracy, the human-in-the-loop module (340) enables experts to review responses and refine recommendations, ensuring context-specific and practical solutions. The workflow orchestration module (350) structures the assessment process by routing questions to AI deployers, governance teams, and stakeholders for collaborative review. The permission workflow module (345) then evaluates the expert reports, assigns measurable risk scores, and validates application controls before authorizing deployment. Finally, the dashboard module (355) provides a real-time, centralized view of assessments, compliance status, approvals, and risk metrics, enabling accelerated and safe AI impact assessment augmented by threat modelling. This integrated approach ensures transparency, regulatory compliance, and proactive risk mitigation throughout the AI lifecycle.
[0086] FIG. 4 is a flow chart representing the steps involved in a method for AI impact assessment with threat modelling for responsible AI requirements, in accordance with an embodiment of the present disclosure.
[0087] The method (400) includes capturing and interpreting one or more objectives of a business unit to align development of a responsible artificial intelligence requirements with one or more business needs in step (405). This process begins by allowing a user to select the relevant business unit and associated template, which consolidates organizational policies, compliance guidelines, and operational goals.
[0088] The system processes this information to understand the context in which the AI solution will operate. By interpreting these objectives, the system ensures that subsequent risk assessments and compliance evaluations are tailored to the business environment. This alignment is critical because responsible AI principles such as fairness, transparency, and accountability must be implemented in a way that supports organizational priorities without compromising ethical standards.
[0089] The method (400) also includes identifying one or more potential artificial intelligence-related risks in the development of the responsible artificial intelligence requirements with one or more business needs in step (410). Once business objectives are captured, the system proceeds to identify the one or more potential AI-related risks associated with developing and deploying the AI solution.
[0090] The responsible AI threat modelling module analyzes the objectives and evaluates them against known risk categories, including bias, lack of explainability, security vulnerabilities, and compliance gaps. This step is essential for proactive risk management, as it enables organizations to anticipate challenges before they impact operations or regulatory compliance. The responsible AI threat modelling module uses structured threat modelling techniques to map risks across the AI lifecycle, from data collection and model training to deployment and monitoring.
[0091] The method (400) also includes generating a questionnaire for a user to assess regulatory compliance for the business unit based on the one or more objectives and a template, thereby initiating a session for a data protection impact assessment, wherein the template is created by merging a data protection impact assessment questionnaire, policies and a glossary pertaining to the business, in step (415).
[0092] Further, the system generates the questionnaire for the user to assess regulatory compliance for the selected business unit. This questionnaire is based on the captured objectives and a predefined template, which merges a data protection impact assessment questionnaire, organizational policies, and a glossary of relevant terms.
[0093] The integration of these elements ensures that the questionnaire addresses all critical compliance areas, including privacy, security, and accountability. The session initiated through this template provides a structured approach for collecting responses from stakeholders, enabling comprehensive documentation of compliance measures. By automating questionnaire generation, the system reduces manual effort, ensures consistency, and accelerates the compliance evaluation process, thereby supporting efficient and accurate AI governance.
[0094] The method (400) also includes mapping the identified one or more potential artificial intelligence-related risks to an applicable one or more global artificial intelligence regulations in step (420). After collecting responses, the system maps the identified AI-related risks to applicable global AI regulations. This step is performed by the automatic regulatory requirement module, which cross-references risks with a continuously updated repository of international laws, ethical guidelines, and industry standards.
[0095] For example, privacy-related risks are mapped to data protection regulations such as the General Data Protection Regulation (GDPR), while fairness-related risks are aligned with anti-discrimination laws and AI ethics frameworks. This automated mapping ensures that organizations remain compliant with evolving regulatory landscapes without requiring extensive legal expertise.
[0096] The method (400) also includes dynamically generating one or more recommendations and a summary of the session based on the questionnaire for mitigating the identified one or more potential artificial intelligence-related risks based on one or more global best practices, thereby ensuring a safe AI impact assessment, in step (425). The final step involves dynamically generating the one or more recommendations and the comprehensive session summary based on the questionnaire responses and mapped risks. The technical safeguard recommendation module analyzes the assessment data and provides actionable strategies for mitigating identified risks, drawing from global best practices and industry standards.
[0097] Recommendations may include implementing encryption for privacy, bias detection tools for fairness, and explainability frameworks for transparency. The session summary consolidates all findings, including identified risks, compliance mapping results, and recommended safeguards, providing stakeholders with a clear roadmap for responsible Al deployment.
[0098] Thus, the various embodiments of the system (120) and method (400) for artificial intelligence impact assessment with threat modelling for responsible artificial intelligence requirements provide several benefits over conventional AI impact assessment methods by introducing an automated, integrated, and adaptive framework for responsible AI governance. Unlike traditional manual processes that are time-consuming and prone to errors, the system (120) enables automated risk identification and compliance mapping, ensuring that assessments are accurate and contextually aligned with business objectives. By dynamically associating identified risks with global AI regulations, the invention supports continuous adherence to evolving legal standards without requiring specialized legal expertise, thereby reducing regulatory exposure and operational delays. Another key advantage lies in the system's ability to generate technical safeguard recommendations based on global best practices and validate them through human-in-the-loop intervention. This combination of automation and expert oversight ensures that recommendations are both technically sound and practically implementable. Furthermore, the centralized dashboard provides real-time visibility into assessments, compliance status, approvals, and risk metrics, enabling faster decision-making and collaborative governance across stakeholders. The workflow orchestration module (350) and the permission workflow module (345) enhance accountability by structuring multi-level reviews and providing measurable risk scores, which support informed deployment decisions. The invention is inherently scalable and adaptive, capable of incorporating updates to regulatory frameworks and industry standards, making it suitable for diverse sectors and jurisdictions. By embedding transparency, auditability, and proactive compliance into the AI lifecycle, the system (120) not only mitigates risks but also strengthens trust in AI technologies.
[0099] It will be understood by those skilled in the art that the foregoing general description and the following detailed description are exemplary and explanatory of the disclosure and are not intended to be restrictive thereof.
[0100] While specific language has been used to describe the disclosure, any limitations arising on account of the same are not intended. As would be apparent to a person skilled in the art, various working modifications may be made to the method in order to implement the inventive concept as taught herein.
[0101] The figures and the foregoing description give examples of embodiments. Those skilled in the art will appreciate that one or more of the described elements may well be combined into a single functional element. Alternatively, certain elements may be split into multiple functional elements. Elements from one embodiment may be added to another embodiment. For example, the order of processes described herein may be changed and are not limited to the manner described herein. Moreover, the actions of any flow diagram need not be implemented in the order shown; nor do all of the acts need to be necessarily performed. Also, those acts that are not dependent on other acts may be performed in parallel with the other acts. The scope of embodiments is by no means limited by these specific examples.
Claims
WE CLAIM:
1. A system for artificial intelligence impact assessment with threat modelling for responsible artificial intelligence requirements comprising: a processor; a memory coupled to the processor, wherein the memory comprises instructions that when executed by the processor cause the processor to: capture and interpret one or more objectives of a business unit to align development of a responsible artificial intelligence requirements with one or more business needs; identify one or more potential artificial intelligence-related risks in the development of the responsible artificial intelligence requirements with one or more business needs; generate a questionnaire for a user to assess regulatory compliance for the business unit based on the one or more objectives and a template thereby initiating a session for a data protection impact assessment, wherein the template is created by merging a data protection impact assessment questionnaire, policies and glossary pertaining to the business; map the identified one or more potential artificial intelligence-related risks to an applicable one or more global artificial intelligence regulations; and dynamically generate one or more recommendations and a summary of the session based on the questionnaire for mitigating the identified one or more potential artificial intelligence-related risks based on one or more global best practices thereby ensuring safe AI impact assessment.
2. The system as claimed in claim 1, to cause the processor to ensure automatically that the identified one or more potential artificial intelligence-related risks are compliant with one or more evolving global legal standards comprising privacy, security, safety, fairness, explainability, transparency and sustainability.
3. The system as claimed in claim 1, to cause the processor to enable one or more experts to verify responses, refine and validate one or more recommendations depending upon their role, thereby ensuring that the recommendations are accurate and context specific.
4. The system as claimed in claim 1, to cause the processor to centralize the review of assessments and compliance status, providing real-time dashboards for monitoring approvals and risk metrics.
5. The system as claimed in claim 1, to cause the processor to provide a real-time dashboard configured to: provide a centralized review of assessments, one or more compliance statuses, one or more approvals, and risk metrics; and enable accelerated and safe artificial intelligence impact assessment augmented by threat modelling.
6. The system as claimed in claim 1, wherein the responsible artificial intelligence requirements comprise privacy, accountability, safety, security, fairness, explainability, reliability and sustainability.
7. The system as claimed in claim 1, to cause the processor to allow the user to select the business unit and a corresponding template for the session.
8. The system as claimed in claim 1, to cause the processor to generate a workflow of questions wherein the workflow is answered by an AI deployer, reviewed by an AI governance team, and subsequently utilized by one or more stakeholders.
9. The system as claimed in claim 1, to cause the processor to receive a report generated from an expert and based on the report quantify associated risks, generate questions, collect responses, review application controls, and authorize deployment.
10. A method for artificial intelligence impact assessment with threat modelling for responsible artificial intelligence requirements comprising: capturing and interpreting one or more objectives of a business unit to align development of a responsible artificial intelligence requirements with one or more business needs; identifying one or more potential artificial intelligence-related risks in the development of the responsible artificial intelligence requirements with one or more business needs; generating a questionnaire for a user to assess regulatory compliance for the business unit based on the one or more objectives and a template thereby initiating a session for a data protection impact assessment, wherein the template is created by merging a data protection impact assessment questionnaire, policies and glossary pertaining to the business; mapping the identified one or more potential artificial intelligence-related risks to an applicable one or more global artificial intelligence regulations; and dynamically generating one or more recommendations and a summary of the session based on the questionnaire for mitigating the identified one or more potential artificial intelligence-related risks based on one or more global best practices thereby ensuring safe AI impact assessment.