Ethics, governance, compliance: three different things

AI ethics (what we value), AI governance (the operational processes enforcing those values), and AI compliance (meeting legal requirements) are related but distinct. A credible AI ethics programme has all three: values articulated, governance to operationalise them, and compliance with relevant law. Aspirational ethics statements without operational governance mechanisms are ethics-washing.

What a credible policy contains

Scope: which AI systems does the policy cover?
Principles with definitions: fairness, transparency, accountability, human oversight, privacy, and safety must be defined specifically for the organisation's actual AI use cases — not stated as generic aspirations.
Red lines: explicit commitments about what the organisation will not do with AI even if legal.
Ethics review process: how proposed AI deployments are evaluated against the policy before they go live, with genuine authority including the ability to block deployment.
Accountability: who is responsible at board, executive, and operational levels; what happens when a potential ethics violation is identified.

Making ethics operational

Effective ethics review processes: trigger before deployment; involve perspectives beyond technology; produce documented outcomes; and have genuine authority. The clearest signal a process is substantive: it has declined proposals. An ethics review that approves everything is not applying rigorous scrutiny — and regulators, sophisticated investors, and civil society organisations now know to ask this question directly.