Capstone Project 2: AI Ethics Policy Design
Designing Substantive, Enforceable AI Ethics Governance for Organizations
1. Project Overview
Purpose
This project asks you to design a comprehensive AI Ethics Policy for a real or hypothetical organization. The word "design" is chosen deliberately: unlike an academic analysis of ethics policy, this project requires you to produce an actual policy document — a practitioner-level deliverable that could, with appropriate organizational process, be adopted and implemented.
AI ethics policies have proliferated in recent years. Most of them are inadequate: aspirational documents full of vague commitments that cannot be measured, enforced, or used to hold anyone accountable. This project is designed specifically to teach you the difference between genuine ethics governance and what critics call "ethics washing" — the practice of publishing ethical-sounding documents that do not constrain organizational behavior.
By the end of this project, you should be able to tell the difference between these two things, and be able to produce the former.
Audience
The policy you produce is written for an organizational audience: executives, board members, legal and compliance functions, AI development teams, procurement officers, and employees. It is not an academic paper and should not read like one. It should read like a policy document: clear, specific, organized, and actionable.
Learning Objectives
By completing this project, you will be able to:
- Design a comprehensive AI ethics governance structure appropriate to an organization's size, sector, and risk profile
- Write policy language that is specific, enforceable, and operationally meaningful rather than aspirationally vague
- Distinguish between genuine ethical constraints and cosmetic ethics commitments
- Conduct a gap analysis comparing current organizational practice to policy requirements
- Develop an implementation roadmap that moves from policy adoption to operational reality
- Design governance metrics that make ethics commitments measurable and reportable
2. Organization Selection
Guidelines for Choosing Your Organization
Your policy should be designed for a specific organization with specific characteristics. Generic policies designed for "any organization" tend to be generic in the worst sense: applicable everywhere, binding nowhere.
You may audit a real organization you have access to, in which case your gap analysis (Section 4) will be grounded in real information about current practices. Alternatively, you may design a policy for a hypothetical organization with specified characteristics. In either case, your project document should clearly describe the organization for which the policy is designed, including:
- Industry and regulatory environment
- Size (employees, revenue scale)
- Nature of AI systems currently deployed or in development
- Organizational governance structure (publicly traded, privately held, government entity, nonprofit)
- Jurisdictions in which it operates (relevant for regulatory requirements)
- Known stakeholder concerns or recent incidents relevant to AI governance
Suggested Organization Types
Mid-size Financial Services Firm. A regional bank or credit union with 500–2,000 employees deploying AI in credit underwriting, fraud detection, customer service chatbots, and compliance monitoring. Subject to OCC guidance on model risk management, CFPB fair lending requirements, and potentially the EU AI Act for European-facing operations.
Hospital System. A regional hospital network with 3,000–8,000 employees deploying AI in clinical decision support, revenue cycle management, patient risk stratification, and scheduling. Subject to HIPAA, FDA regulation of software as a medical device, and ONC interoperability requirements.
City Government. A medium-sized municipal government (300,000–1,000,000 residents) deploying AI in code enforcement, benefits eligibility, traffic management, hiring, and potentially public safety. Subject to constitutional due process requirements, civil rights law, and emerging municipal AI governance ordinances.
E-commerce Company. A mid-size direct-to-consumer company with 200–1,000 employees deploying AI in product recommendations, pricing, fraud detection, customer service, and supply chain optimization. Subject to FTC requirements and potentially the EU AI Act and Digital Services Act for EU-facing operations.
HR Technology Vendor. A software company providing AI-powered hiring, performance management, or workforce analytics tools to other organizations. Subject to EEOC guidance, Title VII disparate impact doctrine, and the EU AI Act's requirements for high-risk AI systems in employment. Unique challenge: the vendor's customers deploy its AI, creating layered accountability questions.
3. Policy Architecture
Your policy must contain all of the following components. This section describes what each component must address and provides guidance on how to write it effectively.
Component 1: AI Ethics Principles
Write 5–8 principles that will govern the organization's AI development and use. These principles are foundational: every subsequent policy provision should be traceable to one or more of them.
What makes a principle substantive rather than generic:
Generic (insufficient): "We are committed to responsible AI."
Substantive (what to aim for): "We will not deploy AI systems in decisions that affect employees, customers, or members of the public without human review that is meaningful — meaning the reviewing human has the information, time, authority, and training to override the AI recommendation when appropriate."
Each principle in your policy should:
- State a specific commitment, not a general aspiration
- Be specific enough that a reasonable person could determine whether the organization is complying with it
- Connect to the organization's specific AI use cases
- Be capable of operationalization, meaning it is possible to design processes that implement it
Component 2: Scope
Define precisely which AI systems and activities the policy governs. This definition is more consequential than it appears. Organizations sometimes draft policies with narrow definitions of "AI" that exclude problematic systems through definitional sleight of hand.
Your scope section should define:
- What counts as an AI system for purposes of this policy (consider: statistical models, rules-based systems, ML-based systems, vendor-supplied algorithmic tools)
- Which organizational activities the policy covers (development, procurement, deployment, monitoring, retirement)
- Which uses are in scope based on risk level, with a tiered classification
- Territorial scope if the organization operates across multiple jurisdictions
- Whether the policy applies to third-party vendors and how
Component 3: Governance Structure
Define who is responsible for AI ethics governance and how decisions are made. This section should answer the following questions with specificity:
- Is there a Chief AI Officer, Chief Ethics Officer, or equivalent executive role with AI ethics responsibility?
- Is there an AI ethics committee or review board? What is its composition, and who chairs it?
- What decisions require ethics review, and at what stage in the development or procurement lifecycle?
- What authority does the ethics function have? Can it block or delay AI deployments? Under what circumstances?
- How are ethics concerns escalated? From developers to what level?
- What role does the board of directors or equivalent governing body play?
Effective governance structures name specific roles (not individuals, who change, but roles) and specify what authority they have. Governance structures that merely advise without authority to require changes are structurally incapable of preventing ethical failures.
Component 4: Development Standards
Specify what AI development must include. This section governs the organization's own AI development teams and must address:
- Required documentation: what must be documented at each stage of development
- Bias and fairness testing: what tests must be conducted, by whom, before deployment
- Ethical impact assessment: at what point must an assessment be conducted, what must it cover, and who must review it
- Data governance: requirements for training data quality, documentation, and consent
- Diversity requirements: who must be involved in development to ensure diverse perspectives
- Review and approval: what sign-offs are required before deployment
Component 5: Deployment Standards
Specify what operational deployment must include. Development standards govern what happens before launch; deployment standards govern what happens during operation. This section must address:
- Human oversight requirements: which systems require human review of AI recommendations, and what does adequate human review entail
- Transparency to affected parties: what must individuals be told about when and how AI is being used in decisions that affect them
- Testing before go-live: what operational testing is required
- Performance monitoring: what metrics must be tracked post-deployment, at what frequency, and reported to whom
- Thresholds for action: at what performance levels must the organization take action — tune, retrain, suspend, or retire the system
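Thresholds for action are easier to write, and to defend, once the policy's authors have seen the computation behind them. The following Python script is an added example, not part of this textbook's project materials or any organization's policy. It takes a constructed set of one monitoring period's decisions labelled by demographic group (the kind of disaggregated statistic Component 4's bias testing and Component 5's performance monitoring both call for), computes each group's favorable-outcome rate, compares it to the best-performing group, and maps the worst ratio to an action tier. The thresholds (0.9 for "tune", 0.8 for "suspend", the latter being the conventional four-fifths rule) and the minimum group size of 30 are assumptions chosen for illustration; a real policy would set and justify its own.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Decision = Tuple[str, bool]  # (demographic group, outcome was favorable)


def make_group(group: str, n: int, favorable: int) -> List[Decision]:
    """Build n constructed decisions for one group, the first `favorable` of them favorable."""
    return [(group, i < favorable) for i in range(n)]


# Constructed sample of one monitoring period's decisions (invented for this example,
# not data from any organization). Each group has a different favorable-outcome rate.
SAMPLE_DECISIONS: List[Decision] = (
    make_group("group_1", 100, 60)   # 60.0% favorable
    + make_group("group_2", 80, 50)  # 62.5% favorable
    + make_group("group_3", 50, 36)  # 72.0% favorable (best-performing group)
    + make_group("group_4", 10, 2)   # 20.0%, but too few decisions to score reliably
)


def selection_rates(decisions: List[Decision], min_group_size: int):
    """Per-group favorable-outcome rate for groups with enough decisions to be meaningful.

    Returns (rates, too_small). Groups below min_group_size are listed separately instead
    of scored, because a handful of decisions yields a ratio that is mostly noise.
    """
    totals: Dict[str, int] = defaultdict(int)
    favorable: Dict[str, int] = defaultdict(int)
    for group, was_favorable in decisions:
        totals[group] += 1
        favorable[group] += int(was_favorable)
    rates = {g: favorable[g] / totals[g] for g in totals if totals[g] >= min_group_size}
    too_small = sorted(g for g in totals if totals[g] < min_group_size)
    return rates, too_small


def impact_ratios(rates: Dict[str, float]) -> Dict[str, float]:
    """Each group's rate divided by the best group's rate (the best group scores 1.0)."""
    if not rates:
        return {}
    best = max(rates.values())
    if best == 0.0:
        # No group received a favorable outcome; the ratio is undefined, so treat as parity.
        return {g: 1.0 for g in rates}
    return {g: r / best for g, r in rates.items()}


def action_level(ratios: Dict[str, float], tune_below: float, suspend_below: float) -> str:
    """Map the worst group's ratio to the policy's action tiers (assumed thresholds)."""
    if not ratios:
        return "insufficient_data"
    worst = min(ratios.values())
    if worst < suspend_below:
        return "suspend"
    if worst < tune_below:
        return "tune"
    return "ok"


def monitor(decisions: List[Decision], min_group_size: int = 30,
            tune_below: float = 0.9, suspend_below: float = 0.8) -> dict:
    """One monitoring-period report: rates, ratios, action tier, and what was excluded."""
    rates, too_small = selection_rates(decisions, min_group_size)
    ratios = impact_ratios(rates)
    return {
        "rates": rates,
        "ratios": ratios,
        "action": action_level(ratios, tune_below, suspend_below),
        "flagged_groups": sorted(g for g, r in ratios.items() if r < tune_below),
        "excluded_small_groups": too_small,
    }


if __name__ == "__main__":
    report = monitor(SAMPLE_DECISIONS)
    for group in sorted(report["ratios"]):
        print(f"{group}: rate={report['rates'][group]:.3f} ratio={report['ratios'][group]:.3f}")
    print("action:", report["action"], "| flagged:", report["flagged_groups"],
          "| excluded (too few decisions):", report["excluded_small_groups"])
```

Two design points matter for the policy text. First, the script does not drop small groups silently: it excludes them from the action decision, because a ratio built on ten decisions proves nothing either way, but reports them so the reviewer can see that the population exists and decide how to handle it. Second, a selection-rate ratio at parity says nothing about accuracy; once ground truth for past decisions becomes available, the same disaggregation should be applied to false-positive and false-negative rates, with their own thresholds.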
Component 6: Prohibited Uses
This is one of the most important sections of any serious AI ethics policy. The willingness to specify categorical limits — things the organization will not do regardless of business case — is a reliable indicator of whether a policy is genuine governance or performance.
Prohibited uses should be:
- Categorical, not subject to business case exceptions
- Specific enough to be enforceable
- Connected to the organization's actual capabilities and risk profile
Examples of the kind of specific prohibitions that characterize strong policies:
- We will not use AI to make final employment termination decisions without human review and documented rationale
- We will not use real-time biometric surveillance of employees in work areas
- We will not use AI to deny benefits to individuals in protected classes at rates materially higher than other groups without a legally and ethically adequate justification
- We will not acquire or use personal data for AI training purposes obtained through means that circumvent users' reasonable privacy expectations
Note that a prohibition qualified by "without human review" or "without an adequate justification" is only as strong as the process behind the qualifier. The policy must name which role decides whether a review or justification is adequate and require that the decision be documented; otherwise the exception becomes the rule.
Component 7: Vendor Management
Most organizations use more AI than they build. Third-party AI systems embedded in HR platforms, financial software, clinical tools, marketing technology, and operations software pose the same ethical risks as internally developed systems. This section must specify:
- Due diligence requirements before procuring AI-enabled tools
- Contractual requirements for AI vendors (what must vendors commit to)
- Required representations from vendors about their systems' design, testing, and performance
- Ongoing monitoring requirements for vendor-supplied AI
- Remedies available if vendor AI causes harm — what can the organization do contractually
Component 8: Incident Response
What happens when an AI system causes or contributes to harm? This section should define:
- What constitutes an AI ethics incident requiring formal response
- Who is notified immediately, within 24 hours, within 72 hours
- What immediate actions may be taken: monitoring escalation, suspension of the system, notification to affected parties
- Investigation process: who leads it, what it must examine, what timeline applies
- Remediation: what the organization will do for affected parties
- Learning: what process ensures the organization learns from incidents
- External reporting: when and how regulators, affected communities, or the public will be notified
Component 9: Review and Update Process
Policies that are not regularly reviewed become obsolete quickly in a rapidly changing technology environment. This section should specify:
- How often the policy will be comprehensively reviewed (recommend: annually)
- What triggers an out-of-cycle review (significant new AI deployment, regulatory change, major incident)
- Who is responsible for conducting the review
- What process governs policy updates (who must approve changes)
4. The Gap Analysis
A policy that describes an ideal state without accounting for the gap between ideal and current practice is a wish list, not a governance document. Your project must include a gap analysis that maps current organizational practice against each policy requirement.
Conducting the Gap Analysis
For each policy requirement, assess the organization's current state on a three-point scale:
- Meets requirement: The organization already has documented practices, processes, and accountabilities that satisfy this policy requirement.
- Partial gap: The organization has relevant practices but they are incomplete, inconsistent, or insufficiently formalized.
- Significant gap: The organization lacks the practices, processes, or accountabilities required by this policy provision.
Organize your gap analysis in a structured table with columns for: Policy Component, Specific Requirement, Current State Assessment, Evidence for Assessment, and Priority for Remediation.
Sources for Gap Analysis
If auditing a real organization: internal documentation review, interviews with AI development and governance stakeholders, and review of existing policies and procedures.
If working with a hypothetical organization: use industry benchmarks, published surveys of organizational AI governance practices, and regulatory findings about common deficiencies in your chosen sector. Document your assumptions clearly.
5. Implementation Roadmap
A policy without an implementation plan is a declaration of intent. The roadmap translates policy requirements into a sequence of organizational changes, with timelines, owners, and resource requirements.
Structure of the Roadmap
Organize implementation into three phases:
Phase 1 — Foundation (Months 1–6). Establish the governance structures the policy requires. This includes constituting ethics review bodies, designating roles and authorities, and implementing minimum requirements for highest-risk systems already in operation. Immediate prohibited uses take effect.
Phase 2 — Operationalization (Months 7–18). Implement development and deployment standards for new systems and for major updates to existing systems. Train relevant staff. Implement vendor management requirements in new contracts and initiate renegotiation of existing contracts. Develop and implement the incident response process.
Phase 3 — Maturity (Months 19–36). Full implementation for all systems, including retrospective review of existing low-priority deployments. Governance metrics reporting to leadership and board implemented. Culture and training programs achieving measurable completion and competency levels.
For each initiative in the roadmap, specify: responsible role, key milestones, resource requirements (staff time, technology, external expertise), and how completion will be measured.
6. Deliverables
Required Outputs
The Policy Document (8–15 pages). The actual AI ethics policy, formatted as an organizational document. This should be written in the register of a policy document: clear, declarative, organized by section, with numbered provisions. It should contain all nine components described in Section 3. Do not write the policy in academic prose.
Implementation Roadmap (Gantt chart or equivalent). A visual representation of the implementation timeline showing all major initiatives, their sequence and dependencies, and responsible parties. A written narrative (2–3 pages) explaining the logic of the roadmap should accompany the visual.
Training Curriculum Outline. A structured outline of training that the organization will provide to relevant employee populations. Specify: which employees receive which training, learning objectives for each training module, proposed delivery method, and how training completion and competency will be assessed. The outline should be detailed enough that a training developer could use it to build the actual curriculum.
Metrics Dashboard Design. Design a governance metrics dashboard that would allow organizational leadership to monitor the health of AI ethics governance on an ongoing basis. Specify: what metrics are tracked, how each is measured, who is responsible for measurement, how frequently it is updated, and what thresholds trigger escalation. The dashboard should make it possible to answer the question: "Is our AI ethics governance working?"
Presentation to Board or Executive Team (12–15 slides). A slide deck suitable for presenting the policy and implementation plan to the board of directors or executive leadership team. This presentation should make the business case for the policy, not just describe its contents. It should address: why this policy is necessary now, what organizational risks it mitigates, what it will cost to implement, and what the organization risks by failing to act.
7. Evaluation Criteria
| Criterion | Weight | Excellent | Adequate | Inadequate |
|---|---|---|---|---|
| Policy Specificity and Enforceability | 30% | Policy provisions are specific, measurable, and structured so that compliance can be assessed. Governance authority is clearly allocated. Prohibited uses are categorical and meaningful. | Most provisions are specific but some remain aspirational. Governance structure is present but authority is unclear in places. | Provisions are predominantly aspirational. Governance structure is advisory without clear authority. Prohibited uses are absent or trivially limited. |
| Completeness of Architecture | 20% | All nine required components are present and substantive. No component is addressed perfunctorily. | Most components are present with reasonable substance. One or two are thin or missing. | Multiple components are absent or addressed with only superficial content. |
| Quality of Gap Analysis | 15% | Gap analysis is grounded in specific evidence or documented assumptions. Gaps are accurately characterized. Prioritization of remediation is logical. | Gap analysis is present but some assessments lack supporting evidence or some gaps are miscategorized. | Gap analysis is superficial, unsupported, or absent. |
| Implementation Realism | 15% | Implementation roadmap is realistic given the organization's resources, sequencing is logical, and milestones are measurable. | Roadmap is generally sensible but some timeline elements are unrealistic or milestones are vague. | Roadmap is aspirational without realistic resource or timeline estimates. |
| Distinguishing Ethics from Ethics Washing | 10% | Student demonstrates clear understanding of the difference between substantive governance and cosmetic ethics commitments, reflected in the policy itself and in the analysis. | Some evidence of this understanding but some provisions slip into generic aspirational language. | Policy reproduces the kind of generic, aspirational language that characterizes ethics washing. |
| Professional Quality | 10% | Policy document reads as a credible, professional governance document. Other deliverables are polished and suitable for their intended audiences. | Generally professional with minor issues. | Significant quality issues affecting credibility or usability. |
8. Example Policy Excerpts: Substantive vs. Aspirational Language
One of the core skills this project develops is the ability to write policy language that is genuinely constraining rather than merely aspirational. The following examples illustrate the difference.
Human Oversight
Aspirational (insufficient): "We are committed to meaningful human oversight of AI systems."
Substantive (what to aim for): "For all Tier 1 AI systems (as defined in Section 2.3), deployment requires a designated Human Review Officer with authority to override AI recommendations. The Human Review Officer must have access to: (a) the AI recommendation and the inputs on which it was based, (b) a plain-language explanation of the factors that contributed to the recommendation, (c) the historical accuracy of the system across relevant demographic groups, and (d) a mechanism to flag the recommendation for further review without penalty. Human Review Officers must receive a minimum of 16 hours of initial training and 4 hours of annual refresher training before performing this function."
Vendor Management
Aspirational (insufficient): "We expect our AI vendors to share our commitment to responsible AI."
Substantive (what to aim for): "Before procuring any AI-enabled tool that will affect employment decisions, credit decisions, or access to services, the organization must obtain from the vendor: (a) a technical description of the model and its training data, (b) performance statistics disaggregated by race, gender, and age where technically feasible, (c) a written representation that the vendor has conducted bias testing and a description of the methodology, (d) the vendor's incident response commitment including notification timelines, and (e) contractual right to audit the system or commission an independent third-party audit at the organization's expense. Vendors that decline to provide items (a) through (e) are disqualified from procurement."
Microsoft's Responsible AI Standard as a Reference Point
Microsoft's Responsible AI Standard (v2, 2022) is among the most substantive publicly available corporate AI ethics policy documents. It is organized around six principles and contains specific, measurable requirements for AI development teams. Key features that distinguish it from weaker policies include:
- Specific required activities (impact assessments, red-teaming, model cards) tied to system risk classification
- Named accountability roles with defined responsibilities
- Prohibited use categories that are specific and categorical
- Requirement that systems in sensitive use cases obtain independent review before deployment
Your policy should aspire to comparable levels of specificity. Note that even Microsoft's standard has been criticized for gaps and inconsistencies between policy and practice — there is always room for improvement, and your analysis can note where the standard falls short.
9. Common Pitfalls: Why AI Ethics Policies Fail in Practice
Understanding why AI ethics policies commonly fail will help you design a policy that avoids these failures.
Pitfall 1: Principle inflation without operational substance. Many policies list six to ten principles — fairness, accountability, transparency, privacy — and then stop. Principles without operational requirements (what you must do to implement them) and governance structures (who ensures they are implemented) are decorative.
Pitfall 2: Advisory governance without authority. Ethics committees and review boards that can only recommend, not require or prohibit, are structurally unable to prevent deployment of harmful systems when business teams are motivated to proceed. If the governance structure cannot say no, it cannot do its job.
Pitfall 3: Scope gaps that exclude problematic systems. Policies limited to "AI" defined narrowly as machine learning may inadvertently exclude algorithmic decision systems, statistical models, or vendor-supplied tools that pose equivalent risks. Scope definitions should be written to capture risk, not to reflect technical taxonomy.
Pitfall 4: Vendor blind spots. Organizations that have detailed requirements for internally developed AI often have no requirements for purchased AI systems, despite the fact that most organizational AI risk comes from procured tools. Any serious AI ethics policy must govern vendor AI.
Pitfall 5: Paper compliance without culture. A policy that employees do not know exists, understand, or believe the organization takes seriously will not affect behavior. Implementation must include training, visible leadership commitment, and demonstrated willingness to make costly decisions (declining deployments, requiring changes) based on ethics requirements.
Pitfall 6: No teeth. Policies that specify no consequences for non-compliance — for employees, teams, or vendors — rely entirely on goodwill. Effective governance includes clear consequences for policy violations.
Pitfall 7: Static documents in a dynamic environment. A policy written in 2024 that is not reviewed until 2029 will be obsolete. AI capabilities, uses, regulatory requirements, and societal expectations change rapidly. Governance requires regular review cycles and mechanisms for triggered updates.
Your policy design should directly address each of these common failure modes, and your presentation to the board or executive team (Section 6) should explicitly explain how your policy avoids them.
This capstone project synthesizes material from Parts 4 (Accountability and Governance), 5 (Law and Regulation), 6 (Organizational Implementation), and 7 (Leadership and Culture) of this textbook. Students should review Chapter 16 (Building an AI Ethics Governance Structure), Chapter 20 (From Policy to Practice), and Appendix D (AI Ethics Policy Benchmarking Tool) as they complete this project.