The Timeline of the EU AI Act (And a Look Ahead)

How Does the EU AI Act Work?

The EU AI Act takes a risk-based approach to the use of artificial intelligence. This means that the rules governing AI focus more on how a company uses their technology, and for what purpose, rather than limiting the technology itself. However, some risks are deemed “unacceptable” and these kinds of technologies will be banned. The Act bans AI systems that surveil people according to sensitive characteristics, such as political views and sexual orientation — although law enforcement is not banned altogether from using sensitive biometric information.

“High-risk” AI technologies will be subject to more scrutiny in the form of “risk-mitigation systems, high quality data sets, logging of activity, detailed documentation, clear user information, human oversight” and more. These risks apply to AI technologies that pose a threat to the health, safety, and or the fundamental rights of persons – such as resume-scanning tools, loan evaluation tools, and remote biometric identification systems. Limited risk AI systems must meet certain transparency obligations – these are called “specific transparency risk.” Specific transparency risks are managed through appropriate labeling. In other words, when you are talking to an AI bot, companies are responsible for identifying the bot as such. The EU has stated that most AI technologies pose no risk or minimal risk, and these AI technologies will not be subject to additional obligations.

How Are Companies Preparing for the EU AI Act?

Before you begin to put governance in place, you first have to understand what you’re governing. Strategic companies looking to stay compliant with the EU AI Act prioritize building a comprehensive risk inventory — a central location where all AI-enabled technologies can be monitored and routinely assessed for risk.

Ask yourself the following questions:

1. Risk Identification – Have you catalogued all of your AI systems in use or under development within your organization and documented their purposes and potential risks?
2. Risk Assessment – Do you know whether your AI technologies fall under the EU requirements for unacceptable, high, limited, or minimal risk?
3. AI Validation – Do you have a system in place to formalize the
   validation of an AI application for use in your business?
4. AI Review – Are your stakeholders all aware of use cases, guardrails in place and the key risks associated with adopting these AI applications?
5. AI Risk Mitigation – Have you formalized system for setting the right controls in place, in some cases increasing documentation, in other cases increasing human oversight?
6. Ongoing Monitoring – Can you remain dedication to monitoring changes in AI regulations as well as internal AI systems to ensure that your company stays compliant with the EU AI Act?

Learning more about the Act’s requirements and how implementing robust compliance measures will not only help you avoid penalties but also enhance the trust and reliability of your AI systems.

More Blogs You May Enjoy:

• 25 Tips and Tools for an Integrated GRC Tech Stack
• Navigating The Network and Information Security Directive Update (NIS2)
• Clearing the Haze: Exploring the Movement Away from Marijuana Testing