Internal audit’s role in the European Union’s new Artificial Intelligence Act


Understanding the European Union Artificial Intelligence Act

The European Union’s Artificial Intelligence (AI) Act is a pioneering regulation designed to establish and harmonize comprehensive rules for the development and use of AI systems across the EU. As AI technologies become increasingly integral to organizational operations, this regulation aims to ensure that AI development aligns with the EU’s human-centric values and fundamental rights. Internal auditors will be crucial in helping organizations understand the risks and opportunities associated with AI and navigating the complex regulatory landscape.

Scope and Applicability

The EU AI Act clearly defines AI systems, encompassing machine learning, logic-based and knowledge-based approaches, and systems capable of inference from data. Internal auditors must ensure their organizations’ AI systems align with or can be mapped to these definitions. Understanding these distinctions is the first step in providing assurance and insights related to compliance.

Embracing a Risk-Based Approach

The EU AI Act categorizes AI systems based on their risk to health, safety, and fundamental human rights. Internal auditors should first ensure that their organizations are not engaging in prohibited AI practices, such as subliminal, manipulative, and deceptive techniques, discriminatory biometric categorization, or expanding facial recognition databases through untargeted scraping of images. Identifying, understanding, and assessing high-risk AI systems, especially those used in critical areas like healthcare, law enforcement, and essential services, is vital.

Meeting Mandatory Requirements for High-Risk AI Systems

High-risk AI systems are subject to stringent requirements under the AI Act. Internal auditors must ensure robust risk management systems are in place, including processes for identifying, assessing, and mitigating risks associated with high-risk AI systems. Assessing the organization’s data governance structures and processes is essential to ensure high-quality data usage, appropriate documentation, and compliance with record-keeping practices. Key considerations for auditors include:

  • Data sources
  • Effectiveness of data production processes and controls
  • Data completeness, accuracy, and reliability
  • Usage of data by the AI system

Ensuring Compliance and Continuous Monitoring

Compliance with the EU AI Act requires continuous monitoring of AI systems. Internal auditors must verify that high-risk AI systems undergo regular assessments and understand when external evaluations are necessary. They should also ensure that proper mechanisms for continuous monitoring, including incident reporting and timely corrective actions, are in place. A proactive approach helps address potential risks and maintain compliance throughout the AI systems’ lifecycle.

Upholding Human Oversight

Human oversight is a critical aspect of the EU AI Act to prevent unintended consequences and maintain trust in AI systems. Internal auditors should ensure that AI systems are designed to enhance human decision-making and that measures for human control are included throughout. Verifying that users of AI systems are adequately trained to understand and manage these complex systems is also essential.

Biometric Data

The EU AI Act imposes specific restrictions on the use of biometric data and remote biometric identification systems. Internal auditors must verify compliance with these restrictions and confirm that the use of biometric data is limited to permitted scenarios, such as security or authentication. Specific rules govern the use of remote biometric identification systems, especially in public spaces and for law enforcement. Auditors need to understand these rules and verify compliance with those applicable to their organization.

Ethical Considerations and Fundamental Rights

The EU AI Act emphasizes ethical considerations and the protection of fundamental rights. Internal auditors should evaluate whether AI systems are developed and used in a non-discriminatory manner, promoting equality and cultural diversity. Key areas for auditors to consider include privacy, data protection, freedom of expression, and non-discrimination.

Documentation and Reporting

Comprehensive documentation and reporting are crucial for demonstrating compliance with the EU AI Act. Internal auditors should ensure that detailed technical documentation is maintained for all AI systems, providing a clear trail of their development, functioning, and compliance measures. Additionally, auditors should verify that their organizations meet regulatory reporting obligations, including incident reporting and annual compliance statements.

Source: wolterskluwer.com