• 09 jun 2026
  • Blog
  • PGGM

Are we really in control? Ingrid Bakker explains how we work on responsible innovation at PGGM

Ingrid Bakker

Senior Enterprise Risk Manager


As a Senior Enterprise Risk Manager at PGGM, a significant part of my work revolves around AI (Artificial Intelligence) risks and the question: are we really in control? I critically challenge the first line: are the risks properly identified, have the right measures been taken, and is governance in order? 
 

My background is a mix of law, IT audit, privacy and data science. That combination now comes together perfectly in AI governance, because AI touches all these domains at once: legal, technical, ethical and organisational. Within PGGM, the second‑line Risk department, Enterprise Risk Management (ERM) and Model Validation, has a logical role in AI policy. AI systems are essentially models, so Model Validation already had a strong position. Because AI applications bring multiple types of risks, ERM and Model Validation jointly take on AI risk management. 
 

We play an important role in drafting AI policy, managing the AI register, assessing the risk classifications of AI systems and advising the business and the Executive Board on risks related to AI. 
 

The foundation for responsible AI use 
 

The AI policy forms the foundation for, and describes the what and why of, responsible use within PGGM. It sets requirements for the responsible development, procurement and use of AI. Very concretely: it describes what is and is not allowed, and what is required to deploy or develop an AI system. 

We align with relevant laws and regulations, such as the AI Act, but do not limit ourselves to them. The policy is updated annually, or even earlier if there is reason to do so, which is logically to be expected given the rapid pace of AI developments. That is why an update is already coming within a year. The new update contains two important innovations: 

  • Specific requirements for agentic AI, because this type of system brings different risks than traditional models;
  • One integrated risk classification, so that it is immediately clear what risk level a system has and which requirements apply. This classification takes into account legal requirements, impact on PGGM and/or pension funds in case of errors or inaccuracies, personal data and the degree of autonomy. 

 

The AI risks I focus on 
 

As an enterprise risk manager, my work revolves around two things: 

  1. That risks are identified in a timely and complete manner, and
  2. That appropriate measures are in place to address them. 

 

PGGM takes a risk‑based approach: the higher the risk, the stricter the requirements. For systems that qualify as high‑risk under the AI Act, compliance, ethics and explainability play a major role. Consider questions such as: 

  • Is the system fair and non‑discriminatory?
  • Can we explain how decisions are made?
  • Do we comply with all legal obligations? 

 

For other applications, operational or financial risks may dominate, for example if an AI system plays an important role in processes or decision‑making. What always applies for me: human involvement remains essential. The higher the risk, the more in‑depth the assessment and the more important it is that a human critically reviews and can intervene. 
 

Staying in control: more than ticking a box 
 

Being in control with AI starts with people. Colleagues need to know what risks exist, what is expected of them and which steps they need to take. Clear processes, good training and close cooperation between the first, second and third line are indispensable. 

The AI risk analysis is an important instrument, but certainly not the only one. Additional assessments are often needed, such as: 
 

  • A DPIA (Data Protection Impact Assessment) if personal data are processed;
  • Supplier security assessments when we procure technology;
  • Model validation when it concerns complex or critical models. 

 

There is a lot of substantive knowledge in the first line. That is where initiatives arise that help to structurally better control AI applications, for example around registration, version control, monitoring and accountability. This ensures that an application is not only developed responsibly, but also remains controlled throughout its entire lifecycle. 
 

Collaboration as the key 
 

AI risk management is a multidisciplinary topic. When drafting and applying AI policy, we work together with colleagues from, among others, risk, data & analytics, innovation, legal, security and procurement. These different perspectives are needed to create policy that not only sets clear requirements, but also truly fits practice. 
 

I see my own role mainly as that of connector. I bring perspectives together, ensure that the right expertise is at the table at the right time, and safeguard that we keep both the risks and the practical feasibility in view. Many colleagues were involved in the review of the new AI policy. This shows how relevant the topic is and helps to create support. 
 

When AI governance really makes a difference 
 

A recent case involving a new AI application shows how AI policy works in practice. An AI risk analysis was carried out and assessed by Risk. The application turned out to qualify as high‑risk under the AI Act. Because we discussed this at an early stage, it became clear which obligations were associated with this and what impact it would have on the organisation. Based on that insight, the business ultimately decided not to use the application. 

For me, this is a good example of what “in control” means: we do not do everything that is technically possible. We make conscious decisions, based on a clear picture of risks, obligations and impact. 
 

Transparency and explainability 
 

For many years, PGGM has set high standards for model risk management. Model Validation tests and monitors models and reports on them, and AI systems logically fall under this. The requirements for transparency and explainability are therefore not new, but the bar has been raised. Partly due to the AI Act, we look even more explicitly at questions such as: 

  • Can we explain how the model arrives at an outcome?
  • Can we make that understandable for management, supervisors and – where relevant – participants?
  • Can we demonstrate that we have set up the right controls and monitoring? 

 

This sometimes requires additional documentation and checks, but it also strengthens trust in AI applications. 
 

Where we stand now and where we are heading 
 

PGGM already has a mature foundation for AI risk management. The fundamentals are in place: policy, processes, roles and expertise. At the same time, I believe that AI risk management is never “finished”. The technology is developing rapidly, regulations are changing and the expectations of participants, funds and supervisors are also evolving. 
 

The next step is twofold: further professionalisation, through the new policy update, tightened guidelines and governance tooling, and further embedding, by integrating AI risk analysis even better into existing processes.  
 
This way, applications do not remain under the radar and risks are identified in time. 

Training and awareness of employees are crucial in this. AI is no longer a niche topic; more and more colleagues are coming into contact with it. They need to know what the opportunities are, but also which risks exist and which steps they must take to work responsibly with AI. 
 
I am happy to contribute to this awareness, as a critical sparring partner, as a connector between disciplines and as someone who uses her “odd mix” of backgrounds to help advance AI responsibly at PGGM. 
