As the EU AI Act approaches its final passage, organizations involved in both developing and deploying AI technologies will face new transparency and risk assessment requirements, although the exact rules are yet to be finalized.
The European Parliament’s mid-March vote to approve the EU AI Act marks a significant milestone as the world’s first major legislation aimed at regulating the use and implementation of artificial intelligence applications.
While the vote does not signify the law’s definitive enactment, it does signal forthcoming regulatory changes that will impact many Chief Information Officers (CIOs) overseeing AI tool usage within their organizations. The legislation will not only affect entities directly engaged in AI development but also those simply utilizing AI technologies. Furthermore, these regulations will extend beyond the EU’s borders, impacting any organization interacting with EU residents.
The journey toward AI legislation has been years in the making, with the EU initially proposing the legislation in April 2021. Despite some advocacy for AI regulation from prominent figures like Elon Musk and Sam Altman, the EU AI Act also faces criticism.
The legislation will impose new obligations on organizations to validate, monitor, and audit the entire AI lifecycle. Kjell Carlsson, head of AI strategy at Domino Data Lab, expresses concern about the potential chilling effect of the law on AI research and adoption due to hefty fines and unclear definitions. However, ignoring the AI revolution to evade regulations is not a viable option, Carlsson emphasizes, as AI adoption is essential for organizational survival and growth.
The EU AI Act covers three main areas:
- Banned uses of AI: Prohibitions include AI applications threatening human rights, such as biometric categorization systems based on sensitive physical features. Monitoring of employee or student emotions, social scoring, predictive policing based on personal profiles, and manipulation of human behavior are also banned.
- Obligations for high-risk AI systems: Organizations utilizing high-risk AI tools must conduct risk assessments, mitigate risks, maintain use logs, ensure transparency, and provide human oversight. Examples of high-risk systems include those used in critical infrastructure, education, employment decisions, healthcare, and banking.
- Transparency requirements: General-purpose AI systems must comply with transparency standards, including publishing detailed training data summaries. Additionally, deepfakes must be clearly labeled.
However, some challenges lie ahead, particularly regarding compliance with transparency rules and the impending regulations’ details. Organizations may struggle to meet transparency requirements, especially if they lack extensive documentation or robust data management practices. While the law isn’t retroactive, it will apply to existing AI systems, necessitating documentation of processes and data use.
EU regulators have up to 18 months from the law’s final passage to finalize specific definitions and rules, presenting additional uncertainties and challenges for compliance. The legislation’s focus on AI system effects rather than the systems themselves could pose difficulties given AI’s rapid evolution and unpredictability. As such, continued regulatory input and guidance will be essential for navigating the complexities of AI governance effectively.
Source: cio.com
