AI ethics discussions often live in the realm of philosophy departments and conference keynotes -- important but abstract, disconnected from the daily reality of development teams building AI-powered features. This article takes a different approach. It focuses on the practical ethical decisions that developers, architects, and team leads encounter when building AI systems, and the governance structures that help teams navigate them consistently.
This is not about whether AI is "good" or "bad." It is about building AI systems responsibly -- systems that work fairly, protect privacy, operate transparently, and have clear accountability when things go wrong.
Bias in Training Data and Model Outputs
Every large language model is trained on data that reflects the biases of its sources -- the internet, books, code repositories, and other text corpora that overrepresent certain demographics, languages, perspectives, and cultural contexts. This is not a theoretical concern. It has practical consequences for any system that makes or influences decisions about people.
Test AI outputs across demographic dimensions -- equal aggregate accuracy can mask significant disparities.
Where Bias Manifests
Bias appears in AI systems in several concrete ways:
- Language and cultural bias. Models are predominantly trained on English text from North American and European sources. They may perform worse on South African English, misunderstand local idioms, or apply cultural norms that do not apply in the deployment context.
- Demographic bias. Models can associate certain attributes (competence, risk, creditworthiness) with demographic characteristics. A CV screening system might disadvantage candidates from certain universities, a credit assessment might weight postal codes that correlate with race, or a customer service system might respond differently to names that suggest certain ethnic backgrounds.
- Selection bias. If your training data or evaluation dataset does not represent the full range of inputs your system will encounter, you will build a system that works well for the majority and poorly for the minority. This is a particularly insidious form of bias because it can be invisible in aggregate metrics.
Practical Mitigation
Eliminating bias entirely is not realistic given the current state of the technology. Mitigating it to acceptable levels is both possible and necessary.
- Test across demographic dimensions. If your system processes data about people, build evaluation datasets that are stratified by relevant demographics and measure performance separately for each group. Equal aggregate accuracy can mask significant disparities between groups.
- Audit outputs regularly. Implement ongoing monitoring that samples production outputs and checks for demographic patterns. If your customer service AI responds more positively to some customer segments than others, you need to know about it.
- Use human review for high-impact decisions. When an AI system influences decisions about employment, credit, healthcare, or legal matters, human review is both an ethical requirement and, increasingly, a legal one.
- Document known limitations. Every AI system has known biases and limitations. Documenting them -- and sharing that documentation with stakeholders -- is an ethical obligation. Users of the system need to understand its limitations to use it responsibly.
Bias in AI systems is not a bug to be fixed once. It is a condition to be monitored continuously. The question is not whether your system has bias, but whether you are measuring it and actively working to reduce its impact.
Privacy: Handling Personal Information
AI systems often process personal information -- customer queries, employee records, medical data, financial details. The privacy implications are significant and require deliberate architectural decisions.
PII in Prompts and Model Inputs
When you send data to an LLM API, that data leaves your infrastructure and is processed by a third party. For personal information, this raises several questions. Does the API provider store the data? Could it be used for model training? Does the data cross jurisdictional boundaries? Under POPIA and GDPR, sending personal data to a third-party processor requires appropriate legal basis, data processing agreements, and potentially cross-border transfer mechanisms.
Practical approaches:
- Anonymise before processing. Strip personally identifiable information from data before sending it to an LLM. Replace names with placeholders, redact ID numbers, mask email addresses. Re-associate after processing if needed.
- Use enterprise API tiers. Major model providers offer enterprise tiers with contractual guarantees that data is not used for training, is not stored beyond the processing window, and is processed within specified regions. These cost more but are often necessary for compliance.
- Consider on-premise models. For the most sensitive data, open-weight models deployed on your own infrastructure eliminate the third-party processing concern entirely. The quality trade-off versus frontier cloud models may be acceptable depending on your use case.
- Apply data minimisation. Send only the data the model needs to perform the task. If you are summarising a document, you do not need to include the customer's address. If you are classifying a support ticket, you do not need the customer's account history.
POPIA Compliance Specifics
South Africa's Protection of Personal Information Act imposes specific requirements relevant to AI systems:
- Lawful basis for processing. You need a valid condition for processing personal information through an AI system -- consent, legitimate interest, contractual necessity, or another condition specified in the Act.
- Purpose limitation. Personal information collected for one purpose (e.g., customer support) cannot be repurposed for AI training without additional consent.
- Data subject rights. Individuals have the right to know what personal information is held about them and to request correction or deletion. If your AI system stores personal data as part of its processing pipeline, you need mechanisms to honour these requests.
- Cross-border transfers. If your AI processing involves sending data to servers outside South Africa, POPIA requires that the recipient jurisdiction provides adequate protection or that appropriate safeguards are in place.
Bias is not a bug to fix once -- it is a condition to monitor continuously in production.
Transparency and Explainability
When an AI system makes or influences a decision, the affected parties have a right to understand how that decision was made. This is both an ethical principle and an emerging legal requirement under multiple regulatory frameworks.
Levels of Transparency
Not every AI application requires the same level of explainability. A content recommendation system can operate with less transparency than a credit scoring system. The level of transparency should be proportional to the impact of the decision on the affected individual.
- Disclosure. At minimum, users should know when they are interacting with an AI system or when an AI system has influenced a decision about them. This is the baseline.
- Reasoning. For significant decisions, the system should be able to provide the key factors that influenced the outcome. "Your application was flagged for manual review because the uploaded documents could not be verified against the provided information."
- Contestability. For high-impact decisions, individuals should have the ability to request human review and challenge the AI's determination. This requires that the system logs sufficient information to reconstruct and re-evaluate the decision.
Implementation Approaches
Building explainable AI systems requires intentional design:
- Chain of thought logging. When using chain-of-thought prompting, log the model's reasoning alongside its conclusions. This provides an audit trail that can be reviewed when decisions are questioned.
- Feature attribution. For classification and scoring systems, track which input features most influenced the output. This can be done through prompt design (asking the model to cite the factors that influenced its decision) or through more formal attribution methods.
- Confidence scores. Always output a confidence score alongside any classification or decision. Low-confidence outputs should be flagged for human review, and the confidence threshold should be set conservatively.
Transparency is not just about explaining AI decisions to users. It is about building systems where decisions can be explained, audited, and challenged. Design for explainability from the start -- retrofitting it is extraordinarily difficult.
Accountability Frameworks
When an AI system produces a harmful outcome -- a biased decision, a privacy breach, an incorrect recommendation that causes financial loss -- who is accountable? The model provider? The development team? The business that deployed it? The answer needs to be defined before the incident, not during the post-mortem.
Establishing Clear Accountability
- The deploying organisation is accountable. Regardless of which model or API you use, your organisation bears responsibility for the system's behaviour in production. You chose to deploy it. You defined the use case. You set the guardrails (or failed to).
- Define roles explicitly. Who approves the deployment of a new AI system? Who monitors its performance? Who is notified when quality degrades? Who has the authority to shut it down? These roles should be documented and understood before deployment.
- Maintain human oversight. For decisions with significant impact on individuals, a human must be in the loop -- either reviewing every decision or reviewing a sample with the authority to intervene on the remainder.
- Document decisions. Maintain records of what the system was designed to do, what data it was tested on, what limitations were identified, and what guardrails were implemented. This documentation is your defence when (not if) something goes wrong.
Design for transparency from the start. Retrofitting explainability is extraordinarily difficult.
Practical Governance for Development Teams
Governance does not have to mean bureaucracy. For development teams building AI features, a lightweight governance framework includes:
Pre-Deployment Checklist
- Has the system been tested for bias across relevant demographic dimensions?
- Has a privacy impact assessment been conducted?
- Is personal data anonymised or minimised before AI processing?
- Are users informed when interacting with or being assessed by AI?
- Can the system's decisions be explained at the appropriate level for its impact?
- Is there a human escalation path for high-impact decisions?
- Are monitoring and alerting in place for quality, bias, and cost?
- Have the roles of accountability been documented?
Ongoing Governance
- Monthly quality review. Review a sample of production outputs for quality, bias, and appropriateness. Involve diverse team members in this review -- different perspectives catch different issues.
- Quarterly compliance review. Assess the system against current regulatory requirements. Regulations evolve; your compliance posture needs to evolve with them.
- Incident response process. Define what happens when the system produces a harmful output. How is the issue triaged? Who is notified? What is the remediation process? How are affected individuals informed?
- Model update protocol. When model providers release updates, re-evaluate your system's performance before adopting the new version. Model updates can change behaviour in subtle ways that affect fairness, accuracy, and safety.
The Business Case for Responsible AI
Responsible AI is sometimes framed as a cost -- a tax on development speed in the name of ethics. This framing is wrong. Responsible AI practices reduce risk, build trust, ensure regulatory compliance, and protect the organisation's reputation.
The cost of an AI bias incident -- public backlash, regulatory fines, legal liability, customer churn -- dramatically exceeds the cost of proactive governance. The cost of a privacy breach involving AI-processed personal data can be existential for a business. These are not hypothetical risks; they are events that have occurred at major organisations and will continue to occur as AI adoption accelerates.
At Pepla, we build responsible AI practices into every project from day one. Not because it is fashionable, but because it is the only way to build AI systems that organisations can rely on -- and that the people affected by those systems can trust.
Responsible AI is risk management, not overhead -- the cost of getting it right is a fraction of getting it wrong.
Key Takeaways
- Test for bias across demographic dimensions and monitor continuously in production.
- Anonymise personal data before AI processing. Use enterprise API tiers with data protection guarantees. Apply data minimisation.
- Design for transparency proportional to the impact of the AI's decisions. Log reasoning, attribute features, and output confidence scores.
- Establish clear accountability before deployment, not after an incident.
- Implement a lightweight governance framework: pre-deployment checklists, monthly quality reviews, quarterly compliance reviews, and incident response processes.
- Frame responsible AI as risk management, not overhead. The cost of doing it right is a fraction of the cost of getting it wrong.
