Are You Ready for the EU AI Act?

We are in the early days of a new era of artificial intelligence (AI). As AI products and services increasingly come to market, policymakers around the world are grappling with how to realize the benefits and potential of this new technology while at the same time guarding individuals against potential risks. After all, ultimately, society determines the rules that govern the use of technology, to strike the right balance between innovation and protection.  

The European Union has passed the landmark Artificial Intelligence Act. Now finalized -- it’s the first comprehensive regulation on artificial intelligence adopted anywhere in the world. And we have seen in other areas -- notably privacy -- that the EU’s legislative approach has had significant influence elsewhere, although it is too early to say in this case whether policymakers elsewhere will see the Act as a model. The EU AI Act takes a horizontal approach, regulating AI whether it’s a standalone software offering or embodied in hardware, such as a self-driving car. It also takes a life-cycle approach, regulating aspects of AI from the quality of the data used to develop the service to testing for accuracy and bias to human oversight to deployment to post-market monitoring. Parties involved in the development, introduction, sale, distribution and utilization of AI systems all face obligations under the Act. 

Related:EU AI Act Clears Final Hurdle to Become Global Landmark

Because AI systems made available on the EU market will often also be sold elsewhere in the world, and because the EU AI Act will also apply where outputs of an AI system are used in the EU, a consistent global approach to implementing its requirements is advisable to ensure compliance.  

Key Elements of the EU AI Act

The EU AI Act addresses three key risk areas:

Risk Management and AI Governance

Risk management is at the core of the EU AI Act’s approach. Because of this, companies should identify who owns overall responsibility for risk management. Then that person should work with a cross-functional team that includes individuals from legal, privacy, security and the business to map what AI systems the company is developing or using, and for each of those to evaluate the potential risks posed by such systems. The team can then identify how to address or mitigate them.

Related:EU AI Act Passes: How CIOs Can Prepare

There is a strong alignment between good AI governance and the requirements of the EU AI Act. In any AI development, it’s important to have a process to identify, assess and manage risks. Similarly, to ensure good outputs, companies need to use high quality data. It’s essential to monitor the performance of the AI model, as well, to avoid drift and mitigate potential bias. And any AI that makes recommendations should be subject to human oversight. All in all, it requires an end-to-end focus on AI governance. 

From a business strategy perspective, companies must think holistically about how to incorporate AI governance into their development and compliance processes. When developing AI products, businesses need to assess whether they fall within the Act’s reach and establish processes to drive compliance with its obligations. When a company implements AI systems developed by others that fall under the Act, they have to use those systems in accordance with the instructions provided by the system developer and ensure human oversight of the use of any system outputs.  

Related:EU Commission Takes on Disinformation and Election Interference

In many ways, this is like compliance obligations in other areas; however, it will be important for companies to consider the unique aspects of AI -- including new risks not addressed by other legal frameworks -- and to develop the expertise needed to use them responsibly. And, as you implement the Act, there may be provisions that make sense to apply just for offerings put on the European market -- just as companies sometimes apply specific provisions of GDPR only to data originating in Europe. 

Overall, building a strong AI governance program will get you much of the way there. You will still need to account for the specifics of the EU AI Act, but as with a strong privacy program, those are adjustments on top of a strong foundation.

How to Get Started

There are a number of resources and tools available that can provide ideas for design and implementation of AI governance programs. The U.S. National Institute for Standards and Technology has published an AI Risk Management Framework and supporting materials that help guide companies through identifying, mapping, measuring and monitoring risks. Finally, risk management programs from other compliance areas, such as privacy, provide a helpful template for designing a program for AI systems.

When Will the EU AI Act Go Into Effect?

Th EU AI Act provides different timelines to implement its provisions depending on the risk category, and beginning with its publication in the Official Journal after final enactment:

Conclusion

As with any new law, it will be important to see how it’s applied. With the AI Act, a lot is left to standards development, and so it will be important to see how standards will impact compliance. In addition, there are several related regulatory bodies that will be responsible in Member States for enforcing or advising on aspects of the Act. Watching how that advice develops over time will be informative. But these aspects also provide flexibility, so that the Act can continue to function even as AI technology continues to advance in new and unanticipated ways.