GPAI AI4SME Portal Governance Guidelines
INTRODUCTION
The AI4SME Portal (Portal) template was created by the GPAI Working Group on Innovation and Commercialisation (I&C WG) to achieve the objectives under the Broad Adoption of AI by SMEs Advisory Group.
The Portal template has minimum features and serves as a starting point for appointed Portal Operators from different GPAI Member States to customize it to fit the local context. The Portal matches solution seekers (i.e., AI unaware and AI aware companies) to AI solution providers that have the relevant experience in delivering AI solutions that meet the need of the SMEs. The portal allows any GPAI Member to customize it according to its own local context and manage the portal with their appointed portal operator.
The Portal Materials shall be provided to authorized GPAI Members. Portal Materials shall be made accessible to Portal Operators appointed by the GPAI Member State’s relevant government agency only via secure means (registered name and password). The Portal Materials shall be made available under suitable open-source and creative commons licenses, as applicable.
DEFINITIONS
AIMIND: AI Maturity Index developed by GPAI’s I&C WG
GPAI: The Global Partnership on Artificial Intelligence
GPAI Member: Experts in the AI industry recommended by Member State governments
GPAI Member State: Country that is a member of GPAI
Member State GPAI Representative: A minister from the local government appointed to represent his/her country in GPAI
Member State Agency: The local government agency or equivalent that supports local Solution Seekers and Solution Providers
Portal Operator: A local organization that is identified by the Member State Agency to run and maintain the Portal
Portal Materials: Source code and associated materials for setting up and running the Portal
Solution Seeker: Solution Seekers are SMEs or other organizations that are looking for AI solutions that address their industry needs
Solution Provider: Solution Providers are vendors who wish to offer their AI products and solutions to Solution Seekers
SPMIND: Solution Provider Maturity Index developed by GPAI’s I&C WG
GENERAL PRINCIPLES
All parties [1] associated with the Portal shall adhere to the following general principles:
- Adherence to GPAI’s values: All parties to the platform shall adhere to GPAI’s values and OECD’s Recommendation of the Council on Artificial Intelligence. GPAI has the sole and absolute discretion to disqualify any party that fails to comply with the aforesaid values and recommendations.
- No legal liability to GPAI: GPAI will not be held liable or accountable for any legal liability resulting from member states adopting, hosting, and operating the Portal.
- Compliance with Data Privacy Law: Each country shall implement the Portal in accordance with their data privacy regulations (e.g., General Data Protection Regulation – GDPR, Personal Data Protection Act – PDPA)
- Confidentiality obligations: All parties shall not post commercial secrets or confidential information on the Portal.
Each GPAI Member is encouraged to localize the recommended governance guidelines to suit their local legal and regulatory requirements.
ROLE AND GOVERNANCE
There are six (6) key parties to the GPAI AI4SME Portal:
- GPAI
Role:
GPAI aims to increase AI adoption among SMEs by creating the Portal for matching Solution Seekers and Solution Providers. This initiative is supported by GPAI’s I&C WG which developed the Portal as a template for use by GPAI Member States.
- Member State
Role:
Each Member State represented in the GPAI shall appoint a Member State GPAI Representative to endorse the use of the Portal.
- Member State’s GPAI Representative
Role:
The Member State’s GPAI Representative shall endorse the utilization of the Portal at various levels such as local, state, or national levels.
The Member State’s GPAI Representative shall:
a. Endorse the use of the Portal
b. Appoint a relevant government agency to operationalize the Portal
- Member State’s Agency
Role:
Each Member State Agency shall appoint a Portal Operator to support the implementation and operation of the Portal in their country.
The Member State’s Agency shall:
c. Appoint 1 or more Portal Operators to operate the Portal
d. Promote the use of the Portal among local Solution Seekers and Solution Providers
- Portal Operators
Role:
The Portal Operator(s) shall be fully responsible for the operations and maintenance of the Portal. The Portal Operator shall also be responsible for approving Solution Providers who have registered on the Portal. The Portal Operator shall collaborate with Member State Agency to reach out to potential Solution Providers and Solution Seekers.
Governance:
The Portal Operator shall comply with the following governance guidelines with respect to the operation of the Portal and Portal Operator’s guide [2] available on the online forum:
Operations
a. The Portal shall be made available 24 hours a day, 7 days a week, including all holidays.
b. The Portal metrics collected shall be used only to promote the Portal’s objectives, and shall not be sold, exchanged, or otherwise transacted for other purposes.
c. The Portal Operator shall follow industry best practices in data storage and security.
d. The Portal Operator shall comply with all applicable laws and regulations and all subsidiary legislation thereto with regard to any and all personal data that the Portal Operator collects through the Portal.
e. The Portal Operator shall ensure that WordPress and all plugins used to develop the Portal are updated regularly for security purposes. The Portal Operator shall also ensure all necessary licenses are purchased and licensed appropriately as required.
f. The Portal Operator, shall not be responsible for resolution of any disputes that may arise between the parties using the Portal.
g. The Portal Operator shall provide a channel for the Portal users to provide feedback regarding the services offered by the Portal, to enable the Portal Operator to enhance or improve the user experience and usability of the Portal.
The Portal Operator reserves the right, at its sole and absolute discretion, to bar a Solution Seeker or Solution Provider from using the Portal should the Solution Seeker or Solution Provider fail to adhere to any of the governance guidelines or GPAI values.
Solution Seeker-related matters
h. Access to the Portal by a Solution Seeker shall be free of cost.
i. No Solution Seekers shall be denied access to the Portal
j. I&C WG does not require the Solution Seeker to register for an account to use the Portal. Instead, the Solution Seeker shall be encouraged to participate in the AIMIND [3] assessment, attached as Annex A to this guideline.
k. I&C WG recommends using the mailing list of the Portal for the purpose of collecting the email address of the Solution Seeker.
m. Once approved, the Solution Provider has to upload the use cases for the AI solutions that the Solution Provider has built for its customers, on the Portal.
n. The Portal Operator may request the Solution Provider to remove a use case submitted on the Portal by the Solution Provider, if the Portal Operator is of the view that such use case violates any of GPAI’s values. The Portal Operator shall have the sole and absolute discretion to remove such use case from the Portal if the Solution Provider fails to act within 5 business days from the date of such request by the Portal Operator.
o. The Solution Provider must register an account to use the Portal. All information submitted by the Solution Provider shall be deemed as public information and will be displayed on the Portal for public access.
Solution Provider-related matters
l. The Portal Operator shall process and review all applications from Solution Providers fairly and transparently within a reasonable number of business days from the date of receipt of the application and inform the Solution Provider if the application has been approved.
m. Once approved, the Solution Provider has to upload the use cases for the AI solutions that the Solution Provider has built for its customers, on the Portal.
n. The Portal Operator may request the Solution Provider to remove a use case submitted on the Portal by the Solution Provider, if the Portal Operator is of the view that such use case violates any of GPAI’s values. The Portal Operator shall have the sole and absolute discretion to remove such use case from the Portal if the Solution Provider fails to act within 5 business days from the date of such request by the Portal Operator.
o. The Solution Provider must register an account to use the Portal. All information submitted by the Solution Provider shall be deemed as public information and will be displayed on the Portal for public access.
- Solution Providers
Role:
Solution Providers are vendors who wish to offer their AI products and solutions to Solution Seekers.
Governance:
Solution Providers must register for an account on the Portal and pass the SPMIND assessment (attached as Annex B to this guideline) and subsequent steps as shown below:
Portal Operators shall approve the Solution Provider’s registration based on the following conditions:
- Solution Provider must pass the SPMIND evaluation with a score 2.5 or more.
- Solution Provider must pass the interview by Portal administrator AND/ OR
- Portal Operator accepts relevant documents for evaluation:
a. A Solution Provider accreditation or certification that indicates technical competency
b. Supporting documents that indicate operational viability (e.g. balance sheet, cash flow statement) and AI use cases (e.g. company marketing materials / brochures)
A sample of the interview questions is attached as Annex C to this document. The full set of interview questions can be found in the Portal Operator’s guide [4]. The Portal Operators are encouraged to enhance and localize the sample interview questions as necessary.
The Solution Provider shall comply with all the following requirements at all times:
a. Respect GPAI’s values and, in particular, the principles for responsible stewardship of trustworthy AI, in particular, the following principles:
i. inclusive growth, sustainable development, and well-being;
ii. human-centred values and fairness;
iii. transparency and explainability;
iv. robustness, security and safety;
v. accountability.
b. Information submitted by Solution Providers to the Portal Operator or the Portal must be truthful and accurate
c. Solution Providers must not share any third party confidential information, including but not limited to, their customers’ confidential information, with the Portal Operator or through the Portal.
d. GPAI, GPAI Member, and Portal Operator shall not assume any liability that may arise from any information submitted by the Solution Provider, including but not limited to information that is inaccurate, incomplete, misleading, or exposes confidential information of the Solution Provider’s customers. Solution Provider shall indemnify GPAI, GPAI Member and Portal Operator from any and all such liabilities.
- Solution Seekers
Role:
Solution Seekers shall access the Portal to search for suitable Solution Providers to solve their AI needs and view the list of Solution Providers and their use cases. Solution Seekers can use the ‘Contact Us’ feature to reach out to the Solution Provider.
Governance:
Solution Seekers shall respect GPAI’s values and OECD’s Recommendation of the Council on Artificial Intelligence, in their use of AI solutions within their organization as well as when offering the AI solutions to their customers. In particular, Solutions Seekers shall respect the principles for responsible stewardship of trustworthy AI, including but not limited to:
i. inclusive growth, sustainable development and well-being;
ii. human-centred values and fairness;
iii. transparency and explainability;
iv. robustness, security, and safety;
v. accountability.
Solution Seekers are encouraged to sign up for the mailing list and participate in the AIMIND assessment (attached as Annex A) before they reach out to Solution Providers.
ANNEX A
AIMIND (AI Maturity Index)
AIMIND is an industry-focused AI readiness assessment framework developed by the SMEs Advisory Group under GPAI’s I&C WG. It summarises the critical success factors for AI adoption based on the combined industry experiences of a committee of experts across industries and countries.
AIMIND will classify the organization into either AI Unaware, AI Aware, AI Ready, or AI Competent.
| Pillars | Dimensions | Assessments |
| Organizational Readiness | Management Support | Whether the organization has allocated resources for AI initiatives |
| AI Literacy | Whether the employees could identify potential AI use cases and be savvy consumers of AI solutions | |
| AI Talent | Whether the organization has the capabilities to develop, integrate, and maintain AI models | |
| Employee Acceptance of AI | Whether the employees trust and accept AI-bases systems | |
| Experimentation Culture | Whether the organization has an experimentation culture for employees to explore and develop AI use cases | |
| Ethics and Governance Readiness | AI Governance | Whether the organization has appropriate governance to avoid unintentionally harming end-users |
| AI Risk Control | Whether the organization has a proper classification of the risk level of AI systems | |
| Business Value Readiness | Business Use Case | Whether the organization has identified suitable AI use cases and assessed their value propositions |
| Data Readiness | Data Quality | Whether the organization has processes to ensure the quality (accuracy, completeness) of data collected |
| Reference Data | Whether there is a single source of truth, consistency of data format, and reliable metadata | |
| Infrastructure Readiness | Machine Learning (ML) Infrastructure | Whether the organization has appropriate and sufficient ML infrastructure (e.g., GPU, memory) to support AI model training and deployment |
| Data Infrastructure | Whether the organization is using appropriate data infrastructure (e.g., data lake) as a central repository of data |
ANNEX B
SPMIND (Solution Provider Maturity Index)
SPMIND assesses the Solution Provider’s capabilities, the accuracy of the product or service description, and its suitability for Solution Seekers.
| Topics | Requirements | Assessment |
| Organizational Maturity and Corporate Governance | Understanding of the value chain | The organization can identify the stages in the value chain into which his offer will fit. The extent of the value chain and the nature of its stages will depend on the specific context of the applicant (B2B or B2C, etc.). The value chain must cover a minima possible end users, purchasers of the solution and subcontractors. |
| Decision-makers’ AI culture | The direction and management of the company concerned by the AI projects have an AI culture and sufficient understanding of the needs, constraints, limitations and risks associated with AI projects. | |
| AI skills of staff involved in AI projects | The personnel involved in all the engineering phases necessary for the development and deployment of AI (including the software and data aspects) are identified and the company implements means to ensure their skills. | |
| Control of dependencies and subcontracting | The organization analyses the criticality of digital dependencies (software, libraries, data) and/or relationships with subcontractors, with regard to the AI project (total, partial or minority dependencies) and provides remedial strategies in the event of breakdowns in these dependencies and/or relationships. | |
| Commercial Maturity | Mastery of the business use case | The organization is able to clearly present the different uses (sector of activity, specific technological expectations, customer size, etc.) for which he intends his AI solutions. Uses may concern both external customers and interlocutors within the company. |
| Consistency of business strategies | The organization implements a business strategy consistent with the nature of the proposed AI solution. If the “AI” argument is not highlighted in its marketing strategy, explain the relevance of this choice. | |
| Relevance of development and deployment strategies | The organization implements development and deployment strategies adapted to the uses for which he intends his products/services (type of customer -SME, ETI, etc.- the criticality of the sector, the structure of the customer’s company, or the customer’s development and deployment standards | |
| Synergies with the ecosystem | The organization maintains links with the relevant ecosystem (incubators, competitiveness clusters, participation in projects, scientific contributions, etc.). | |
| Administrative and tax compliance | The organization must be registered in the trade and companies register and have paid the taxes and social security contributions due on the date of the application. | |
| Go-to-market experience | The organization carries out actions relating to the placing on the market of the AI solution, e.g. actions carried out with customers, actions relating to regulatory compliance related to the final application domain of the AI solution, actions of the sales department, etc. | |
| Customer References | The organization is able to present customer references: attestation of success of a sales action or integration of an AI solution with a customer or references from proofs of concept (POC) if the organization has not yet carried out a sales action. | |
| Data Maturity | Data governance | The organization implements a process allowing to clearly identify the different data sets used as input and generated as output, to know the origin of the data and whether they are managed internally or externally, and to identify the persons responsible for the processing carried out on this data. |
| Mastery of the data lifecycle | The organization is able to explain, for each stage of the data life cycle, the methods used for identifying the needs and constraints associated with each stage. These stages are expected to cover all the processing and operations carried out on the data from its creation until its deletion. | |
| Fairness and legality of data processing | The organization implements methods allowing the identification of data and metadata which may potentially cause unfairness in the processing carried out by AI and of elements whose processing may not comply with regulation depending on the application cases. | |
| Mastery of access rights | The organization implements methods to restrict the model’s access to data likely to cause unfairness or illegal processing, both during the development phase and in operational conditions. | |
| Mastery of quality | The organization implements data quality monitoring processes throughout the data life cycle. The organization proposes data quality attributes that are relevant to his context. | |
| Mastery of data corpus preparation | Within the framework of learning the models, the organization implements methods for splitting the data sets in accordance with best practices in the field (only applicable to certain types of AI solutions). | |
| Mastery of data under operational conditions | The organization implements methods to ensure that the input data under operational conditions is similar to the data used to create the models (only applicable to certain types of AI solutions). | |
| Ethics Maturity | Ethics Awareness | The organization carries out actions relevant for raising awareness of ethics among all personnel involved in AI projects. |
| AI-specific risk management | The organization implements a risk-based approach, which covers in particular the risks specific to the use of AI, and also includes the risks for fundamental rights (society, individual impact). (Only organization’s ability to identify risks is assessed not the quality and appropriateness of risk reduction strategies ). | |
| Fairness of the processing carried out under operational conditions | The organization implements a risk-based approach, identifying the risks of unfairness in operational conditions. (Only organization’s ability to identify risks is assessed not the quality and appropriateness of risk reduction strategies). | |
| Explainability and interpretability | The organization implements methods to ensure that end users and people impacted by the processing carried out by the AI solutions are informed of the elements that led to the production of the system’s outputs. The information received is suitable for the use of these people. | |
| Traceability of decision-making | The organization implements methods to trace the data that led to an output from the AI solution. The organization must at least show that it implements strategies to keep a history of the processing carried out. | |
| Transparency | The organization provides technical documentation specifying in particular the types of algorithm implemented, the expected performances and the field of use (internal use or for certain interlocutors of the organization). | |
| Stakeholder information | The organization implements strategies allowing the stakeholders (development, use, inspection, general public, etc.) to have the information elements necessary for their relationship with the AI solution. | |
| Environmental impact | The organization implements strategies to limit the impact of its solution on the environment. These strategies can relate to the data, the algorithm, or internal processes. | |
| Infrastructure Maturity | Control of the data infrastructure | The organization formalizes the specifications of the infrastructure necessary for each stage of the data life cycle and makes sure to implement the resources (material and human) necessary for the proper functioning of the infrastructure at each stage (these stages cover all the processing and operations carried out on the data from its creation until its deletion). |
| Mastery of system engineering infrastructure | The organization formalizes the specifications of the infrastructure required at each stage of the system engineering cycle and makes sure to implement the resources (material and human) necessary for the proper functioning of the infrastructure at each stage (these stages cover at least specification, development, verification and validation, deployment and maintenance). | |
| Control of the infrastructure in operational conditions | The organization formalizes the specifications of the necessary infrastructure in operational conditions, and either adapts his system to the customer’s infrastructure, or informs his customer in an appropriate manner of the resources (material and human) necessary for the smooth operation of the system. | |
| Protection and security | The organization implements data protection strategies at each stage of the system engineering cycle, e.g., GDPR policy. | |
| End-to-End Maturity | Control of the design | The organization formalizes the basic principles of its AI solutions by taking into account the needs relating to the target operational context (type of users, business constraints, etc.) and technical constraints. |
| Proficiency in data engineering | The organization formalizes the necessary operations within the framework of the data engineering stages, and sets up appropriate resources (software, hardware and personnel). | |
| Mastery of model development | The organization formalizes the necessary operations as part of the selection and development of the AI model, and sets up appropriate resources (software, hardware and personnel). | |
| Mastery of system implementation | The organization formalizes the operations necessary for the implementation of the complete system, and sets up appropriate resources (software, hardware and personnel). | |
| Proficiency in verification | The organization implements a structured approach for carrying out verifications of AI solutions. Verification methods go beyond unit tests for proper functioning, cover complete AI solutions and not just models, and the performance indicators used are adapted to the types of performance sought by the client. | |
| Control of deployment | The organization implements procedures to ensure proper use of the system, monitoring of the system once deployed, and allowing maintenance operations to be carried out. |
ANNEX C
Example of Sample Interview Questions to Solution Providers
| Requirements | Interview Questions |
| Organizational maturity and corporate governance | What is the AI background of your leadership team or employees? |
| Commercial maturity | How does your AI solution feature within your business strategy? |
| Data maturity | What is the approach you use to manage the data from ingestion, pre-processing, and modelling to model prediction? Are there constraints that you are handling in each step? |
| Ethics maturity | Does your company incorporate the capability to explain the model predictions in your AI solution? If so, please elaborate. |
| Infrastructure maturity | Is there any specific infrastructure your company uses to support the stages of data lifecycle (i.e. ingestion, pre-processing, modelling and model prediction)? |
| End-to-end maturity | How experienced are your engineers in developing data pipelines and AI models? |
[1] All parties to the Portal refer to solution seekers, solution providers, portal operators, and GPAI Members.
[2] The Portal Operator is required to register an account on the forum in order to gain access to Portal Operator’s guide.
[3] AI Maturity Index developed by GPAI’s I&C WG.
[4] The Portal Operator is required to register an account on the forum ( https://ai4smeportal.org/ )in order to gain access to the Portal Operator’s guide.