AI Registry and Inventory Solution

The vendor is required to provide AI (artificial intelligence) registry and inventory solution maintain, and implement a registry and inventory solution to include consulting and governance services for all commonwealth artificial intelligence systems.
- Office responsibilities per sb 4
a. Per {KRS 42.726(2)(q)}
•    Establishing, publishing, maintaining, and implementing comprehensive policy standards and procedures for the responsible, ethical, and transparent use of generative artificial intelligence systems and high-risk artificial intelligence systems by departments, agencies, and administrative bodies, including but not limited to policy standards and procedures that:
o    Govern their procurement, implementation, and ongoing assessment; 
o    Address and provide resources for security of data and privacy; and 
o    Create guidelines for acceptable use policies for integrating high-risk artificial intelligence systems.
b. Per {KRS 42.720 to 42.742}
•    Creating an artificial intelligence governance committee to govern the use of artificial intelligence systems by state departments, state agencies, and state administrative bodies by:
o    Developing policy standards and guiding principles to mitigate risks and protect data and privacy of citizens and businesses that adhere to the latest version of standard ISO and IEC 42001 of the international organization for standardization;
o    Establishing technology standards to provide protocols and requirements for the use of generative artificial intelligence and high-risk artificial intelligence systems; 
o    Ensuring transparency in the use of artificial intelligence systems; 
o    Maintaining a centralized registry to include current inventory of generative artificial intelligence systems and high-risk artificial intelligence systems; and 
o    Developing an approval process to include a registry of application, use case, and decision rationale aimed at mitigation of risks.
•    The artificial intelligence governance committee shall develop policies and procedures to ensure that any department, program, cabinet, agency, or administrative body that utilizes and accesses the commonwealth's information technology and technology infrastructure shall:
o    Ensuring artificial intelligence models have comprehensive and complete documentation that is available for review and inspection; 
o    Requiring review and intervention by human’s dependent on the use case and potential risk for all outcomes from generative and high-risk artificial intelligence systems; and 
o    Ensuring the use of generative artificial intelligence and high-risk artificial intelligence systems are resilient, accountable, and explainable.
•    The commonwealth office of technology shall prioritize personal privacy and the protection of the data of individuals and businesses as the state develops, implements, employs, and procures artificial intelligence systems, generative artificial intelligence systems, and high-risk artificial intelligence systems by ensuring all departments, agencies, and administrative bodies:
o    Allow only the use of necessary data in artificial intelligence systems; 
o    Do not allow unrestricted access to personal data controlled by the commonwealth; and 
o    Secure all data and implement a timeframe for data retention.
•    To maintain and secure the technology infrastructure, information technology, information resources, and personal information, all departments, agencies, and administrative bodies shall be subject to review of generative artificial intelligence systems or high-risk artificial intelligence systems.
•    An artificial intelligence system makes external decisions related to citizens of the commonwealth, a department, agency, or administrative body shall:
o    Disclose how artificial intelligence is used in the decision-making process; 
o    Provide the extent of human involvement in validating and oversight of any decision made; and 
o    Make readily available options for individuals to appeal a consequential decision that involves artificial intelligence.
•    Any disclaimer under paragraph (a) of this subsection shall also provide information regarding third-party artificial intelligence products or programs, including but not limited to information as to how the high-risk artificial intelligence system or generative artificial intelligence system works, such as system cards or other documented information provided by developers.
•    Operating standards for utilization of high-risk artificial intelligence systems shall prohibit the use of a high-risk artificial intelligence system to render a consequential decision without the design and implementation of a risk management policy and program for high-risk artificial intelligence systems. 
•    Each risk management policy designed and implemented shall at a minimum adhere to the latest version of standard ISO and IEC 42001 of the international organization for standardization, or another national or internationally recognized risk management framework for artificial intelligence systems, and consider the:
o    Size and complexity of the deployer;
o    Nature, scope, and intended use of the high-risk artificial intelligence system and its deployer; and
o    Sensitivity and volume of data processed.

- Contract Period/Term: 1 year
- Questions/Inquires Deadline: August 11, 2025