Question 4
A bank must choose between a closed LLM service accessed only via API and an open-source LLM whose code and weights can be self-hosted under a permissive license. From a governance and risk-management perspective, which statement best characterizes adopting the open-source model?
Correct answer: A
Explanation
An open-source model under a permissive license lets the bank “inspect, modify, and self-host” the code and weights, which increases control and transparency. That same control shifts responsibility to the bank for “patching, security hardening, monitoring misuse,” and meeting the license terms, because governance and risk management require the operator to manage those risks directly.
Why each option is right or wrong
A. The bank can inspect, modify, and self-host the model, but must also own patching, security hardening, monitoring misuse, and complying with the model’s license terms.
Under a permissive open-source license, the bank is permitted to access the source code and weights, modify them, and deploy them on its own infrastructure, so the governance benefit is direct control over the model stack. But that same choice makes the bank the operator for risk purposes: it must implement its own patch management, security hardening, abuse monitoring, and license compliance, rather than relying on a vendor’s managed service controls or contractual SLAs.
B. Using open-source AI automatically transfers all legal liability to the original authors.
Open-source software use does not automatically shift legal liability away from the deploying organization.
C. Open-source licenses prohibit fine-tuning, so behavior is fixed.
Permissive open-source licenses generally allow modification, including fine-tuning and adaptation.
D. Using an open-source model obligates the bank to publish all of its training and inference data.
Open-source model use does not inherently require publishing private training or inference data.