8.2 Privacy, Safety, Human Review, and Accountability

Key Takeaways

  • Privacy in AI includes what data is collected, what data is sent to a model, what is retrieved, what is logged, who can see it, and how long it is retained.
  • Safety controls should match the harm level of the workflow, especially for customer-facing, regulated, financial, employment, health, legal, or physical safety scenarios.
  • Human review is most useful when reviewers have authority, context, rubrics, escalation paths, and feedback loops rather than a vague instruction to check AI work.
  • Accountability requires named owners for model behavior, data sources, guardrail policies, incident response, audit evidence, and user communications.
  • A responsible design uses least privilege, data minimization, review thresholds, and clear stop conditions before expanding AI automation.
Last updated: May 2026

Privacy and safety before automation

Privacy is broader than hiding obvious personal information. An AI application may handle prompts, uploaded files, chat history, embeddings, retrieved passages, model responses, reviewer notes, logs, traces, and feedback labels. Each item can contain sensitive data. A responsible team decides what data is needed, where it flows, who can access it, how it is encrypted, how long it is retained, and whether it should be masked or excluded before the model sees it.

Safety is the discipline of preventing harmful output, harmful use, and harmful automation. A customer support summary may be low risk if a human agent reviews it before sending. A healthcare triage message, investment recommendation, employee termination decision, or equipment repair instruction is higher risk because bad output can cause serious harm. Safety decisions should be tied to impact, not to whether the technology feels impressive.

| Risk area | Weak design | Stronger design |
|---|---|---|
| Privacy | Send full raw records to a model because they are available | Send only the minimum needed fields and mask sensitive data where possible |
| Logging | Store prompts and responses with no access boundary | Define logging purpose, retention, encryption, and reviewer access |
| Review | Tell users to check the model when convenient | Require review based on confidence, impact, topic, or anomaly triggers |
| Escalation | Let the model answer every request | Route unsafe, sensitive, ambiguous, or out-of-scope cases to humans |
| Accountability | No named owner after launch | Assign owners for data, model behavior, policy, operations, and incidents |

Human review is a control, but only when designed well. A human loop should define what reviewers see, what they must verify, what choices they can make, and when they must escalate. Reviewers need source documents, model confidence or quality signals where available, policy guidance, and a way to send corrections back to the system owner. If a reviewer is overloaded, lacks context, or is expected to rubber-stamp every output, the control is weak.

Amazon Augmented AI, often called Amazon A2I, supports human review workflows for ML predictions. It can be used with services such as Amazon Textract and Amazon Rekognition, and it can support custom ML workflows. The key concept is that low-confidence predictions, random samples, or high-impact outputs can be sent to human reviewers. At practitioner depth, know when to insert human review, not how to code the workflow.

Privacy design should start with data classification. Is the prompt using public data, internal confidential data, personal data, regulated data, secrets, or customer records? A model request that summarizes public product pages has a different privacy profile from one that summarizes medical claims or HR notes. IAM, encryption, Amazon S3 bucket controls, AWS KMS, CloudTrail, CloudWatch, and application authorization all matter, but the first question is whether the data should be sent at all.

Generative AI creates additional privacy concerns. Users may paste secrets or personal data into prompts. A retrieval system may surface documents the user should not see. Logs may capture blocked content or sensitive prompts. Review workflows may expose records to reviewers who do not need them. Guardrails and sensitive information filters can help, but they do not replace data minimization, access control, retention policy, and training.
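The data minimization step described above, as an added example that is not part of this guide or any AWS SDK: a per-workflow allow-list decides which record fields may reach the prompt at all, denied fields are withheld and logged, and free text is masked before the model sees it. The field names, patterns, and the sample claim record are constructed for illustration.

```python
import re

# Hypothetical policy for one workflow (a claim summarizer): the only fields the
# prompt may contain, and fields that must never be sent regardless of the allow-list.
ALLOWED_FIELDS = {"claim_id", "claim_type", "incident_summary", "status"}
DENIED_FIELDS = {"ssn", "bank_account", "api_key"}

# Sensitive values that can hide inside free-text fields; replaced with typed placeholders.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def mask_text(text):
    """Replace every matched sensitive value with a placeholder such as [EMAIL]."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text


def minimize_record(record, allowed=ALLOWED_FIELDS, denied=DENIED_FIELDS):
    """Return (payload, dropped): the prompt-safe subset of the record and an
    audit list of field names that were withheld from the model."""
    payload, dropped = {}, []
    for key, value in record.items():
        if key in denied or key not in allowed:
            dropped.append(key)  # never sent; the name (not the value) goes to the audit log
            continue
        payload[key] = mask_text(value) if isinstance(value, str) else value
    return payload, sorted(dropped)


# Constructed sample record; not real data.
SAMPLE_CLAIM = {
    "claim_id": "CLM-1001",
    "claim_type": "auto",
    "status": "open",
    "customer_name": "Jane Doe",
    "ssn": "123-45-6789",
    "incident_summary": "Rear-ended at a stop light. Call me at 555-123-4567 or jane@example.com.",
}

if __name__ == "__main__":
    prompt_payload, withheld = minimize_record(SAMPLE_CLAIM)
    print(prompt_payload)  # only the four allowed fields, with the summary masked
    print(withheld)        # ['customer_name', 'ssn']
```

The allow-list is the control that matters most: masking only catches patterns it knows about, while a field that is never sent cannot leak.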

Human review trigger examples:

  • The model confidence is below a threshold for a classification or extraction task.
  • The output affects eligibility, money, employment, health, legal rights, or physical safety.
  • The request contains sensitive personal data, secrets, regulated content, or a denied topic.
  • The model response conflicts with retrieved sources or cannot cite evidence.
  • A user disputes the result or gives negative feedback.
  • Monitoring detects drift, rising complaint rates, unusual usage, or guardrail interventions.
  • The action is irreversible, customer-visible, financial, or privileged.
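The trigger list above turned into a routing decision, as an added example (not code from this guide or from Amazon A2I): every applicable trigger is recorded as a reason, untriggered outputs are still audit-sampled at a configurable rate, and outputs touching high-impact domains, irreversible actions, or guardrail interventions go to a priority queue. The `ModelOutput` fields, queue names, and 0.85 threshold are assumptions chosen for illustration.

```python
import random
from dataclasses import dataclass
from typing import Optional

# Domains the guide treats as high impact.
HIGH_IMPACT_DOMAINS = {"eligibility", "money", "employment", "health", "legal", "physical_safety"}
PRIORITY_REASONS = {"high_impact_domain", "irreversible_action", "guardrail_intervention"}


@dataclass
class ModelOutput:
    output_id: str
    domain: str                  # e.g. "support", "claims", "employment"
    confidence: Optional[float]  # None when no usable score is available
    cites_sources: bool
    conflicts_with_sources: bool
    sensitive_input: bool        # personal data, secrets, regulated or denied topic in the request
    irreversible_action: bool    # customer-visible, financial, or privileged action
    guardrail_intervened: bool
    user_disputed: bool = False


def review_reasons(out, threshold=0.85):
    """Return every trigger that applies; an empty list means none fired."""
    reasons = []
    if out.confidence is None or out.confidence < threshold:
        reasons.append("low_confidence")
    if out.domain in HIGH_IMPACT_DOMAINS:
        reasons.append("high_impact_domain")
    if out.sensitive_input:
        reasons.append("sensitive_input")
    if out.conflicts_with_sources or not out.cites_sources:
        reasons.append("unsupported_by_sources")
    if out.user_disputed:
        reasons.append("user_dispute")
    if out.guardrail_intervened:
        reasons.append("guardrail_intervention")
    if out.irreversible_action:
        reasons.append("irreversible_action")
    return reasons


def route(out, sample_rate=0.05, rng=None, threshold=0.85):
    """Return (queue, reasons): auto_release, human_review, or priority_review."""
    reasons = review_reasons(out, threshold)
    # Random audit sampling catches failure modes the rules did not anticipate.
    if not reasons and (rng or random).random() < sample_rate:
        reasons.append("audit_sample")
    if not reasons:
        return "auto_release", reasons
    if PRIORITY_REASONS & set(reasons):
        return "priority_review", reasons
    return "human_review", reasons
```

Persisting the reasons alongside the reviewer's decision is what later gives the accountability owners audit evidence of why each output was or was not reviewed.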

Accountability means the organization can answer who is responsible. A product manager might own user experience and communication. A data owner might approve source data. A security owner might approve IAM, encryption, logging, and retention. A model owner might approve evaluation and monitoring. Legal, risk, or compliance teams might approve high-impact policies. Operations teams might own rollback and incident response. If nobody can pause the AI feature quickly, accountability is incomplete.

Scenario: an insurance team wants to extract information from claim documents with Amazon Textract and a custom ML model. A2I can route uncertain extractions to humans. Privacy controls should limit reviewer access to needed pages and fields. Safety controls should prevent automatic claim denial based only on extracted text. Accountability should name who approves the extraction quality threshold and who handles disputes.

Scenario: an internal assistant summarizes performance review notes. Even if the tool is internal, privacy risk is high. Data minimization, strict authorization, encryption, retention limits, and human review are essential. The assistant should not expose one employee's notes to another manager through retrieval. A responsible team might decide not to automate certain parts if the privacy and fairness risk outweighs productivity.

Scenario: a field service chatbot gives repair steps for industrial equipment. The risk is physical safety. The model should retrieve official procedures, cite sources, avoid unsupported improvisation, and require human confirmation for dangerous steps. If the manual is missing or conflicting, the assistant should stop and escalate. A safe refusal can be the correct business outcome.

AWS Skill Builder practice should include asking what the human does after seeing model output. Can the reviewer change the result? Can they see sources? Can they escalate? Does their feedback improve future monitoring? A design with meaningful human authority is different from a design that merely adds a person at the end.

Test Your Knowledge

A team proposes sending complete customer records to a generative AI summarizer because the records are already in an internal database. What is the best privacy response?

Test Your Knowledge

When is human review most valuable in an AI workflow?

Test Your Knowledge

Which AWS service is specifically associated with adding human review workflows for ML predictions such as low-confidence extractions or moderation cases?
