Chapter 3 Lab: Make Responsible AI Operational

🔬 Lab Instructions

Chapter 3 Lab is the operational reality check. You will classify your own AI use cases into the AI Law's risk tiers, write the Do-Not-Paste briefing you'll give your team, build your CAPA incident-response checklist, and name the governance roles for your department. Everything you write here goes into your Phase 2 Capstone folder.

Lab goal: Walk out with (1) classified risk tier for each of your AI use cases, (2) a 5-line Do-Not-Paste team briefing, (3) a CAPA incident response checklist, (4) governance roles named for your department, (5) feedback to Quanskill.

📌 Lab Flow at a Glance

Confirm

4 quizzes — Golden Rules, Do-Not-Paste, AI Law tiers, incident response 72-hr.

Classify

Tier your AI use cases (Prohibited/High/Medium/Low) and build mitigations.

Operationalise

Write 5-line team briefing, CAPA checklist, governance role map.

📝 Quiz 1: The 5 Golden Rules

The QA Manager uses ChatGPT to draft a customer reply explaining why a delivery is delayed. Which of the 5 Golden Rules is most directly at stake when she clicks Send?

A) Rule 2 — Protect the Data

B) Rule 3 — Verify Every Fact

C) Rule 4 — No AI for Prohibited Uses

📝 Quiz 2: Do-Not-Paste

An MPV Supply Chain analyst wants to paste a full supplier contract (Eastern Resin Co., 50-page agreement with prices and payment terms) into free Claude to summarise the renewal terms. What is the right call?

A) Paste the whole thing — it's just a summarisation task

B) Use the enterprise plan with DPA, OR redact supplier name + prices + payment terms before pasting

C) Don't use AI for this — read it manually instead

📝 Quiz 3: AI Law Risk Tier

MPV deploys Computer Vision on Line 3 that automatically rejects syringes flagged as defective — no human review of the AI's reject decisions. Under Vietnam's AI Law (No. 134/2025/QH15, in force since 1 March 2026), what's the risk tier and what changes if you add a human override?

A) Low-risk in both cases

B) High-Risk without override → Medium-Risk if every AI reject is human-reviewed

C) Prohibited under Article 8

📝 Quiz 4: Incident Response — 72 Hours

An MPV employee accidentally pastes a customer list (200 hospital purchasing officers with names + emails + order quantities) into free ChatGPT to "ask for a quick summary". She realises 30 minutes later. What's the right sequence?

A) Delete the ChatGPT conversation and continue working

B) Contain (1 hr: notify manager + DPO) → Assess (24 hr) → DPO files Decree 13 breach notice within 72 hr → CAPA within 30 days

C) Wait until the next ISO audit and disclose then

Quick Recap — After Quizzes

Verify before sending Desensitise OR enterprise plan Human override = Medium-Risk not High 72-hr breach clock for personal data

🏷️ Exercise 1 — Classify YOUR AI Use Cases Into Risk Tiers (12 min)

Take the 5–6 AI use cases you generated in Chapter 2 Lab (HBR Ideation Sheet). For each, classify it into the AI Law's risk tier and name a mitigation. This becomes your department's AI risk register — keep it for the 2027 healthcare-grace audit.

Tier	Typical examples	What it requires
Prohibited	Social-credit · subliminal · biometric mass surveillance	Cannot deploy
High-Risk	Clinical decisions · production decisions without human override · recruiting decisions	Registration · conformity assessment · human oversight · transparency · post-market monitoring · incident reporting
Medium-Risk	Customer chatbots · CV inspection with human override · deepfake-capable	Transparency labelling · accountability docs · sample audits
Low-Risk	Email classification · CAPA drafting (human reviews) · forecast support · summarisation	General accountability · monitor incidents/complaints

Your AI risk register (one row per use case):

If a use case is High-Risk: stop. Re-scope so a human reviews every AI decision before action. That single change drops most cases to Medium-Risk and dramatically reduces compliance burden during the 18-month healthcare grace period.

📣 Exercise 2 — Write Your 5-Line Do-Not-Paste Team Briefing (8 min)

You will brief your team on the Do-Not-Paste list in your next stand-up. You have 5 lines. Write the actual briefing — in Vietnamese or English, whichever your team uses.

🖼️ Reference: Sample 5-Line Briefing

5-Minute Stand-Up — Do-Not-Paste Reminder

Line 1

Public AI tools (free ChatGPT, free Claude, free Gemini) may log what we type — treat them like a public website's contact form.

Line 2

Never paste: customer / hospital data, employee records, designs, formulae, CAPA/quality records, financial detail, MOH or FDA correspondence.

Line 3

For those categories: use our enterprise Copilot account (M365 login) OR redact identifiers before pasting (names → "Customer A", numbers → ranges).

Line 4

If you accidentally paste something you shouldn't have — tell me within the hour. We have a 72-hour breach-notification clock for personal data.

Line 5

When in doubt, ask. 30 seconds of "is this okay?" beats 6 months of fixing it.

Your team's 5-line briefing (adapt the language to your audience):

🚨 Exercise 3 — Build Your CAPA Incident-Response Checklist (10 min)

The 3-step incident response (Contain · Assess · CAPA) is the framework. Now adapt it to your department: who do you call, who decides, who logs, what gets escalated when. This is the checklist you keep on the wall.

YOUR DEPARTMENT'S AI INCIDENT CHECKLIST 📍 Department: ⏱ Step 1 — CONTAIN (within 1 hour) 📊 Step 2 — ASSESS (within 24 hours) 📋 Step 3 — REPORT & CAPA 👤 Named contacts (real names + phone/email):

👥 Exercise 4 — Name Governance Roles for Your Department (5 min)

Chapter 3.6 listed five roles. For your department, fill in the actual people (or "to be appointed" if the role doesn't exist yet).

Role	Person (or "TBA")
AI Governance Lead (cross-MPV)
Data Protection Officer (DPO)
QMS Owner (your dept liaison)
Department AI Champion (you?)
Vendor / IT contact

One concrete action to fill any "TBA" within 2 weeks:

💭 Exercise 5 — Reflection & Feedback (5 min)

The single Responsible-AI behaviour I want to change this month:

The single thing I want my team to start doing:

Feedback for the Quanskill team on Chapter 3:

Quick Recap — Before Generating Report

Use cases tier-classified 5-line team briefing written CAPA incident checklist built Governance roles named

📤 Generate Your Chapter 3 Lab Report

Click below to compile your risk-classified use case register, team briefing, incident-response checklist, governance role map, and feedback into one document. Save it — this is the governance pack you'll bring to Phase 2.

✅ Chapter 3 Complete

You now have a working governance pack: risk-classified use cases, a team briefing ready for Monday, an incident-response checklist, and named roles. Chapter 4 is the Phase 1 Capstone — your Opportunity Map for Phase 2.

📖 Chapter 4 Theory →