The AI revolution is happening whether you guide it or not. The question isn't whether AI will transform your business - it's whether that transformation will serve human flourishing or just efficiency metrics that matter to spreadsheets instead of stakeholders.
The Current AI Implementation Crisis
67% of organizations deploying AI systems experience "significant unintended outcomes" within their first year. Companies are losing an average of £3.8 million annually due to AI systems that technically work but violate their actual intentions, values, or legal requirements.
Most AI ethics guidance is either too abstract for practical use or too technical for business leaders. You need frameworks that work in the real world, not philosophical treatises about consciousness.
Your Complete A-Z Implementation Roadmap
This book provides the missing bridge between AI ethics theory and practical implementation. Each chapter delivers battle-tested frameworks from A (Accountability Architecture) to Z (Zero-Based Thinking), refined through real organizational implementations.
In February 2024 a small claims tribunal in British Columbia ordered Air Canada to pay $812.02 Canadian dollars to a passenger named Jake Moffatt. Moffatt had asked the airline's website chatbot about its bereavement-fare policy after his grandmother died, and the chatbot had told him he could buy a regular ticket and apply for a discount within ninety days. The airline's actual policy was the opposite: bereavement fares had to be arranged in advance. When Moffatt tried to claim the refund, Air Canada refused.
Air Canada's defence at the tribunal was striking. It argued that the chatbot was a separate legal entity, responsible for its own statements, and that the airline could not be held to what it had said. The tribunal disagreed. In a paragraph that has been quoted in nearly every subsequent AI accountability ruling, the adjudicator observed that "it should be obvious to Air Canada that it is responsible for all the information on its website. It makes no difference whether the information comes from a static page or a chatbot."
The dollar amount is trivial. The principle is not. Air Canada had asked the tribunal to accept that an AI system could be a principal in its own right - a legal entity to whose actions the deploying organisation owed no direct accountability. The tribunal refused. Every court and regulator that has since faced the same question has refused as well.
This sets the question for the whole book. AI systems do not bear legal responsibility. They cannot. They will not, regardless of how autonomous or sophisticated they become, because legal responsibility requires a juridical person, and a juridical person requires assets, intent, and the capacity to be sued. Models have none of these. The accountability for what an AI system does sits, always, with one or more humans. The job of governance is to decide which humans, and to make that decision before something goes wrong.
The principal-agent problem in plain English
If you have run a business of any size you already understand the underlying issue. You hire an employee. You tell them what to do, or you tell them what outcomes you want and let them figure out the doing. They act on your behalf. If they make a mistake, several questions follow. Did you give them adequate instructions? Did you train them? Did you supervise them? Did you have a way to catch the mistake before it caused harm? Did you have a way to make the affected party whole afterwards?
These questions answer themselves for most familiar agents. A teller miscounts cash, you catch it at end-of-day reconciliation. A driver causes an accident, your insurance covers it. A trader breaches a limit, your second line of defence flags it. Centuries of practice have produced answers.
An AI system is also an agent, in the same broad sense. It acts on your behalf. The trouble is that the inherited apparatus for supervising agents does not transfer cleanly. AI agents do not get tired, do not visibly hesitate when uncertain, and do not show the small social signals - a colleague's raised eyebrow, a customer's confusion - that humans use to recognise that something is going wrong. They make their mistakes silently, at scale, and often outside the perception of the humans nominally supervising them.
The chatbot at Air Canada was not lying. It was generating fluent text plausibly continuing a conversation about bereavement fares. The fact that the continuation was wrong was visible to the customer, who tried to claim the discount and was refused, but it was not visible to the airline until the dispute reached a tribunal. By then several other passengers may already have been misinformed and never complained.
The principal-agent problem in AI is therefore not new in kind. It is new in speed, in scale, and in opacity. The governance answer must address all three.
The four positions where accountability can sit
In any AI deployment, accountability for an outcome can be assigned to one or more of four positions. A useful governance posture is explicit about which.
The provider. The organisation that built and trained the underlying model. For a deployment using OpenAI's GPT-4, this is OpenAI. For a fine-tuned in-house model, this is your engineering team. Providers carry the risk of fundamental capability failures - the model that systematically misclassifies, the model that has memorised training data, the model that produces output incompatible with the licence it was supposedly trained under.
The deployer. The organisation that puts the model into a context to make decisions or interact with users. Air Canada was a deployer. Most readers of this book work for deployers. Deployers carry the risk of misuse, miscalibration to context, missing guardrails, and inadequate human oversight in the specific use case.
The operator. The person or team running day-to-day supervision of the deployed system. This is sometimes the same as the deployer at the organisational level, but the role is distinct. Operators carry the risk of inattention - the model that drifts and is not noticed, the alert that fires and is not acted on, the audit trail that is not reviewed.
The end user. The person who interacts with the system at the point of action. End-user accountability is real but limited - a doctor who follows a diagnostic AI's recommendation against their own judgement bears some responsibility, but the question of how much depends on what the AI was sold as and what the doctor was told to do with it.
The European Union's AI Act, which we will return to in chapter 12, codifies a version of this taxonomy in law. Article 25 of the Act sets out what happens when a deployer modifies a general-purpose AI system enough that it becomes, in practice, a provider of a new system - and inherits the obligations of one. This kind of provision is going to become more common, not less.
The practical implication is that if your organisation cannot say, for a given AI system, who is the provider, who is the deployer, who is the operator, and what the end user has been told, your accountability is unspecified. Unspecified accountability is what regulators investigate.
Why "the computer says no" is not a defence
A consistent pattern in early AI litigation is the defending organisation trying to hide behind the system. The chatbot said it. The model decided. The algorithm produced the score. Every version of this defence has failed, and the reasoning is always the same: the organisation chose to deploy the system, chose to rely on its outputs, and chose not to put a human in the loop at the point where the decision affected the complainant.
In the Dutch SyRI case, decided by The Hague District Court in February 2020, the Netherlands government had been using an algorithmic system to detect welfare fraud in low-income neighbourhoods. The court found the system violated Article 8 of the European Convention on Human Rights, in part because affected citizens had no way to know they had been flagged, no way to understand on what basis, and no way to contest the outcome. The government's argument - that the system was a neutral technical tool and that human officials still made the final decisions - was rejected. The system shaped the decisions sufficiently that the system itself was the locus of the rights violation.
In the Australian Robodebt scheme, which used automated income-averaging to issue debt notices to welfare recipients, a 2023 royal commission concluded that the scheme had been unlawful from the outset and that senior public servants had known. The commission's report did not say the algorithm was at fault. It said the people who had deployed the algorithm without adequate human review, while the system was issuing wrong debts to hundreds of thousands of Australians, were at fault. Several were referred for further investigation.
The pattern is consistent. Decision-makers who deploy AI systems and then attempt to disclaim responsibility for what those systems do tend to lose. The legal doctrine catching up with the technology is plain: you cannot subcontract accountability to a model.
What this means for a governance posture
The accountability question dictates the structure of the rest of the book. If accountability cannot be transferred to the system, it must be allocated to humans, structured so it does not depend on a single person noticing the right thing at the right moment, and made visible enough that an organisation can demonstrate it has been allocated.
That is a three-part requirement.
First, allocation. Every AI system in the organisation needs a named human owner, a named human reviewer, and a named human escalation point. "Named" means in writing, in a register, reviewed at a known cadence. Not "the analytics team" but a person, with a substitute on holidays.
Second, structure. Allocation that depends on a single person is fragile. The Three Lines of Defence model, covered in chapter 9, is one way to give the allocation structural depth. First line: the operational owner. Second line: independent risk and compliance review. Third line: internal audit assurance. Each line has authority over a different question.
Third, visibility. An accountability posture you cannot demonstrate is, for regulatory and litigation purposes, an accountability posture you do not have. The artefacts in the appendices - the risk register, the impact assessment, the incident response playbook - are visibility tools. They are how you show your work.
The rest of Part I sets out the regulatory and conceptual terrain in which this allocation has to be made. Chapter 2 walks the principal regulations and standards. Chapter 3 disentangles the most-conflated terms in the field, because most disagreements about AI ethics turn out to be disagreements about what AI ethics is.
To ask in your next executive meeting
For each AI system already deployed in the organisation:
1. Who is the named owner?
2. Who reviews what the system is doing on a defined cadence?
3. Who would be the escalation point if it went wrong this afternoon?
4. Where is that written down?
5. When was it last reviewed?
If most of those questions cannot be answered, you have your first ninety days of work in front of you. Chapter 18 sets it out as a programme.
Ethics is all about fairness. It spans technical, political, economic, legal, and philosophical domains. Drawing up an ethical AI framework is therefore an overwhelmingly complex task because it lies at the intersection of these five vast domains, among which, complicating matters, technology is rapidly advancing.
We live in a world where no universally accepted ethical framework for human beings exists (e.g., what is considered fair in America may not be fair in China). Therefore, defining ethics for a technology that serves humans globally becomes practically impossible. By restricting its scope to the USA and its close partners, Ethical AI: Building Responsible AI Systems That Benefit Everyone by Sotiris Spyrou succeeds in defining a local AI ethics framework for the USA. However, it's important to note that, although it succeeds in a limited sense, the field of AI ethics continues to evolve and has significant flaws. This book acknowledges these shortcomings while touching upon the framework's ongoing evolution.
At the view of an outline, this book discusses the regulatory map it's based on (the 2024 EU AI Act, NIST's AI Risk Management Framework, ISO/IEC 42001 standards, GDPR Article 22, and so on), what ethical AI means in practice (safety, value, fairness, etc.), known shortcomings and risks of using it (bias, drift, etc.), transparency (explainability, interpretability and the like), risks associated with the use of Agentic AI, a deployer's overall governance posture, and so on.
This book is serious and hard-hitting. It tears to shreds the façade of claimed adherence to ethics, demanding substance and measurable evidence of achievement instead. Toward this goal, it lists around 180 checkpoints to ensure that operational procedures that deliver measurable results replace many typically high-sounding ones that sound good but prove void in practice. They fail because of being vaguely defined, and more importantly, because responsibility and accountability mechanisms aren't built in (who does what task, and by when, follow-up, escalation, and generally, how responsibilities are assigned in a team so that the entire team works together in unison toward delivering fruitful results).
The book's cover looks attractive and portrays a concept central to it - the "Three Lines of Defense" (3LoD, Chapter 9, pp. 89-97). The "Three Lines of Defense" (f.k.a. "The Three Lines Model") form the pillars of a risk management model that assigns risk responsibilities to operational management (first line), risk and compliance functions (second line), and internal audit (third line). While it does not guarantee that all risks will be contained, it provides reasonable assurance of risk identification, the implementation of controls, compliance, necessary escalation, and provisions permitting independent reviewers to openly challenge management in matters related to performance and delivery.
The author's writing style is forceful and incisive, but it has the beneficial effect of zero tolerance for ways that effectively detract from the detection of the true flaws/defects in a system and, by leaving them unresolved, eventually hinder delivery. The font size used is a bit small, so 50% magnification was necessary for good readability. Apart from minor language errors, the book also has widow/orphan issues.
Balancing its strengths and weaknesses, I finally assign it 4 stars.
Clearly, this book isn't for a general audience because it belongs to the high-tech domain and focuses on a specialty field within high tech, i.e., AI ethics. I therefore recommend it primarily to AI/IT pros, particularly those who own the responsibility for the outcomes of deployed AI systems, and secondarily, consultants in the other four domains related to ethics - politics, economics, law, and philosophy.