Compliance & Responsible AI Fall 2024

Questions and Answers

Who negotiates the Codes that are approved by the European AI Bureau?

• Independent experts
• National authorities
• The public
• Stakeholders (correct)

What is the purpose of the CE marking for high-risk systems?

• To indicate compliance with GDPR
• To ensure it is visible, legible, and indelible (correct)
• To provide a certificate of registration
• To show general validity within the EU

How long must automatically generated logs be retained when possible?

• 1 year
• 6 months (correct)
• 5 years
• 10 years

What is one of the immediate corrective actions required for high-risk systems?

The withdrawal or deactivation of the system (D)

What is the maximum penalty for non-compliance according to the outlined obligations?

€15M or 3% of total turnover (D)

What is a requirement under GDPR for processing biometric data?

Obtain user consent before processing (A)

In the context of generative AI, which statement is true regarding the manipulation of content?

Disclosure must occur unless there is human review or editorial control (C)

What obligation does generative AI have when creating content that resembles real people or events?

Inform the public about the artificial generation of content (D)

What is a crucial measure to address identified risks in high-risk AI systems?

Appropriate and targeted risk management measures (B)

Which of the following is NOT a condition for processing biometric data under GDPR?

Adhering to requested privacy settings (B)

What is essential for ensuring the quality of training data in AI systems?

Best practices and relevant unbiased datasets (D)

What must be true for generated content not to require a disclosure statement?

The content underwent human review or editorial control (C)

What aspect of AI systems requires human supervision to minimize risks?

Integrated human-machine interfaces (B)

How can AI systems demonstrate compliance with obligations until harmonized standards are established?

By relying on codes of good practice (B)

Which of the following AI systems is still classified as high risk, regardless of compliance exceptions?

AI systems carrying out profiling (D)

Which element is NOT included in the quality management system for high-risk AI systems?

Marketing strategies (D)

What must stakeholders expect from the Commission regarding compliance guidelines?

Guidelines and concrete examples within 18 months of entry into force (D)

What is necessary for maintaining accuracy, robustness, and security in AI systems?

Constant cybersecurity measures (C)

What types of technical means are necessary for the integration of general-purpose AI models into AI systems?

Operating instructions and evaluation strategies (D)

Which of the following is included in the design specifications and training process of AI models?

Key design choices and rationale (D)

What aspect of model training is relevant to understanding its efficiency?

Estimated energy consumption and training time (C)

What is a critical component of evaluation strategies for AI models?

Publicly available evaluation protocols (A)

What type of testing might be included for internal and external evaluations of AI models?

Adversarial testing, such as red teaming (A)

What responsibility does the AI Office have regarding the transparency of AI systems with limited risk?

Developing codes of good practice (A)

What should be measured as part of evaluating AI model limitations?

Evaluation criteria and measures (B)

Which method is NOT associated with the training and evaluation of AI models?

Identifying user needs and preferences (D)

What is the amount of penalty for prohibited practices?

€35M (B)

Which of the following factors influences the penalties imposed?

Nature and severity of the violation (A)

What is the penalty for inaccurate, incomplete, or misleading information?

€7.5M (A)

What is emphasized as critical in the relationship between AI vendors and regulators?

Collaboration for compliance and responsible innovation (A)

How does the level of risk relate to obligations and penalties?

Higher risk leads to greater obligations and heavier penalties (D)

What is the main purpose of general-purpose AI models?

To exhibit significant generality across various tasks (D)

What does the risk-based approach to AI systems involve?

Classifying AI systems into levels based on potential harm (D)

What is NOT included in the definition of an AI system?

Generating outputs that do not influence environments (D)

Which authority is NOT mentioned as part of the framework for AI regulation?

National Security Agency (C)

What is a primary function of the EU's AI Office?

To assess methodologies and monitor AI regulations (B)

What distinguishes high-risk AI systems?

They are subject to more stringent compliance obligations. (A)

When is the entry into force date of the AI Regulation?

August 1, 2024 (B)

What is excluded from the category of general-purpose AI models?

Models used for research and development before commercialization (D)

What is a significant concern that the European Union aims to address with its AI legislation?

Safety and liability implications of AI (D)

How many months after the entry into force does the general-purpose AI obligation take effect?

12 months (D)

What is the aim of the European Regulation on AI?

To enhance trust and excellence in AI technologies (D)

Who oversees the national regulatory sandbox according to the framework?

National supervisory authorities (C)

What is meant by 'prohibited practices' in relation to AI systems?

Certain AI applications deemed too risky (D)

What does the term 'supervisory authorities' refer to in the context of AI regulation?

Government entities responsible for compliance and monitoring (D)

Flashcards

High-Risk AI Systems

AI systems that could pose significant risks to health, safety, or fundamental rights of individuals.

Risk Management System

A system for identifying, assessing, and mitigating risks related to high-risk AI systems.

Data and Data Governance

Ensuring the quality, bias-free nature, and appropriateness of data used to train high-risk AI systems.

Technical Documentation

Detailed documentation of AI systems, as required by the AI Regulation.

Traceability

The ability to track the history and lifecycle of a high-risk AI system.

Human Supervision

Requirements for integrated human oversight in high-risk AI systems.

Compliance Exceptions

Certain high-risk AI systems may be exempt if they do not pose a significant risk and follow narrow procedural tasks or improve previous human activities.

Presumption of Conformity

Using harmonized European standards or codes of practice to demonstrate compliance, until specific standards are developed.

AI Regulation Timeline

The European AI Regulation's stages of implementation: prohibited practices first (6 months from 08/01/2024), then general-purpose AI models (12-months), high-risk systems (24 months), and finally all obligations (36 months).

High-Risk AI Systems

AI systems with potential significant harm if malfunctioning, mis-used, or wrongly implemented.

General-purpose AI Models

AI models capable of diverse tasks, often trained with massive datasets.

Prohibited Practices

Specific AI practices deemed unacceptable under the AI Act.

AI Systems Definition

Automated systems exhibiting adaptability and influencing physical/virtual environments; inferring and operating independently to produce outputs.

AI Legislation Around the World

Regulations concerning Artificial Intelligence across countries; comparison of approaches, timelines and legislation.

European Union's Lawfare Strategy

EU's approach to regulation and enforcement concerning AI and related technologies.

Supervisory Authorities

Groups overseeing the AI regulation and compliance. Including national and EU authorities.

Application Timeline

The schedule for implementation of the AI regulations in different phases.

EU AI Regulation

EU legislation for governing and regulating artificial intelligence.

AI System Categories

Classifications of AI systems based on their potential risk from low to high.

Risk-Based Approach

AI compliance and assessment based on the estimated risk.

EU AI Committee

Organization that oversees and coordinates AI related initiatives in the EU.

Definitions of AI Systems and Models

Specific parameters used in categorizing AI systems and their components.

Artificial Intelligence: (EU) approach

EU's strategy to ensure that AI is developed and used responsibly and with trust.

AI Office

The EU body responsible for assessing and monitoring AI.

Supplier Obligations

Responsibilities of AI system suppliers regarding conformity, marking, and corrective actions in the EU.

CE Marking

A visible, legible, and indelible mark signifying EU conformity for high-risk AI systems.

Automatically Generated Logs

Records of activities from high-risk AI systems, kept for at least 6 months, potentially required by GDPR.

Immediate Corrective Actions

Actions taken by AI system suppliers to address risks, including withdrawal or deactivation.

Model and Open Source Compliance

Requirements for AI models and open source components concerning compliance. Copyright directive and technical documentation.

Technical Documentation (AI)

Detailed description of an AI model, including training process, data, resources, and energy consumption.

Evaluation Strategies

Methods for assessing AI model performance, including criteria, measures, and limitations.

Adversarial Testing

Testing AI models to see if they can be tricked or manipulated.

System Architecture

How software components in an AI system interact and work together.

Artificially Generated Content

Content created by AI, often indistinguishable from human-created content.

Codes of Good Practice (AI)

Guidelines for developing and using AI systems ethically and responsibly, especially for content detection.

Publicly Available Evaluation Protocols

Standardized methods for testing and evaluating AI performance, widely accessible.

AI Model Training Data

Data used to teach an AI model how to perform a task, includes for training, validation, andtesting

AI Sanctions

Financial penalties for AI system failures or violations of the AI Act (EU).

AI Collaboration

Cooperation between AI developers and regulators for responsible AI development.

AI Transparency (Obligations)

Requirement for AI developers to disclose information about their models.

AI Risk & Penalties

Higher-risk AI systems have more stringent obligations and larger penalties.

AI Codes of Practice

Rules and guidelines for ethical and safe use of AI.

Biometric Data Consent

Obtaining permission before processing biometric and other personal data, as required by GDPR.

Deepfake Disclosure

Telling people content is artificially created or manipulated (images, audio, video, text).

Emotion Recognition Obligations

Inform users of emotion recognition/biometric use and obtain their consent, by GDPR.

Generative AI Disclosure

Must disclose that text or other generated content is artificial.

Generated Content Review

Requires human review/editorial oversight before publishing generative content unless an exception applies.

Study Notes

Compliance & Responsible AI

• Presented by Dr. Nathalie Devillier
• Fall 2024 session
• Focuses on the compliance of AI systems

Course Presentation

• Covers context and benchmarks
• Explores risk-based approach and prohibited systems
• Outlines compliance obligations for high-risk systems
• Discusses transparency of AI systems with limited risk

Context and Benchmarks

• Examines AI legislation globally
• Presents the European Union's Lawfare Strategy
• Details the European Regulation on AI, including its timeline
• Discusses supervisory authorities and definitions of AI systems and models

AI Legislation Around the World

• Presents a global tracker map
• Illustrates jurisdictions in focus (e.g., Australia, Brazil, Canada)

European Union's Lawfare Strategy

• Provides a timeline, including key dates for statements on AI and robotics; digital services regulation; digital markets regulation; regulation on digital resilience (end of trialogue); artificial intelligence; and others

Application Timeline

• Shows phased implementation for AI regulation
• Introduces various deadlines concerning prohibited practices and all obligations

Supervisory Authorities

• Highlights the role of member states (France is not yet designated) in applying AI regulation
• Outlines oversight of national regulatory sandboxes
• Mentions controls and sanctions
• Describes the EU perspective on the Al Office, methodologies for assessment and monitoring, national authorities' role, and the development of the Al Committee

Definitions and Categories

• Details general purpose AI model (Art. 3(63)) and AI system (Art. 3(1)) definitions
• Explains systemic risk model (Art. 2(65)) 
• Explains risk-based approach in 4 levels

AI Systems

• Defines AI systems as automated systems designed for varying autonomy levels
• Explicit or implicit inputs determine outputs like predictions, content, recommendations, or decisions influencing physical or virtual environments

General Purpose AI Models

• Defines general purpose AI models trained with large datasets, using large-scale self-supervision and exhibiting wide task generality
• Excludes systems used for research, development, or prototyping before commercial launch

Systemic Risk

• Defines systemic risk as high-impact capabilities of general-purpose AI models, significantly impacting the Union market due to their scale or potential for foreseeable negative consequences in public health, safety, public security, fundamental rights or society

The Risk Approach

• Links risk levels to practical applications & legal obligations
• Categorizes risk levels from unacceptable (forbidden actions) to minimal (no or almost no obligations)

Risk-based Approach: AI Systems - EU Artificial Intelligence Act

• Classifies risk levels with examples: unacceptable (social scoring, manipulation), high risk, limited risk, minimal risk
• Relates risks to prohibited, conformity assessment, transparency obligations, and no obligation categories

Prohibited AI Practices

• Outlines practices prohibited in AI systems (e.g., subliminal techniques, exploitation of vulnerabilities, risk assessments for predicting offenses, real-time biometric identification in public places, database expansion via non-targeted harvesting of data)
• Includes limitations for workplace or educational settings (except for safety/medical reasons)

Subliminal or Intentionally Deceptive Techniques

• Describes the meaning of subliminal and intentional deceptive techniques
• Explains the objective effect (material alteration of behavior) and result (decision-making impairment), with potential harm to individuals

Exploitation of Vulnerabilities

• Explains how AI systems exploit vulnerabilities due to age, health, or economic standing
• Focuses on activities aiming to alter target behavior or causing significant harm

Rating People Based on Social Behavior

• Explains how systems evaluate or classify individuals based on characteristics using a social score
• Highlights potential for less favorable or unfavorable treatment which might be unjustified or disproportionate for the original data

Compliance Obligations: High-Risk AI Systems

• Lists management systems for high-risk AI, including data and data governance, technical documentation, traceability, human oversight, accuracy & robustness, and security plus quality management
• Explains that appropriate and targeted measures need to address the identified risks

Exceptions

• Identifies situations where AI systems, such as those with specific tasks, may not pose significant risk of harm to individual safety.
• States that Annex III systems performing profiling still fall within the high-risk category.

Presumption of Conformity

• Describes the possibility of harmonized EU standards to demonstrate compliance
• Highlights the use of codes of good practice

Supplier Obligations

• Enlists requirements for suppliers of high-risk AI systems, including declaration of conformity, CE marking, registration, logs, corrective actions, cooperation with authorities, information provision, and potential penalties

Models and Open Source

• Explains differences between basic and systemic risk models, particularly documentation requirements: copyright and training datasets for open-source; technical documentation for others

Obligation: Technical Documentation

• Emphasizes the need to provide clear documentation concerning models (training, testing, evaluation results)
• Explains obligations of Al providers integrating models, intellectual property policy, and summary of training content
• Outlines cooperation with the Commission, European AI Office, and national authorities for compliance

Technical Documentation: General Description

• Covers essential elements like tasks, acceptable use policies, release dates, architecture, modality, and model licenses

Technical Documentation: Detailed Description

• Outlines detailed technical requirements based on means, design specifications, training process, and information concerning data usage, resources, training times, operations, and estimations of energy consumption and other relevant details

Additional Information

• Outlines evaluations and adversarial testing processes
• Explains system architecture and how components interact.

Transparency of AI Systems with Limited Risk

• Describes the Al Office's focus on developing codes of good practice for transparency
• Presents examples of case studies (emotion recognition/biometric categorization and generative AI) as specific issues needing attention

Case 1: Emotion Recognition or Biometric Categorization

• Discusses obligations arising from the GDPR for transparency regarding emotion recognition and biometric data processing, such as user consent and data processing conditions.

Case 2: Generative AI

• Highlights obligations pertaining to the disclosure of artificially generated or manipulated content
• Includes measures for transparency, human review, or legal person control

Sanctions

• Lists financial penalties for various violations related to prohibited practices, shortcomings in information accuracy, and moderation practices for SMEs

Conclusion - Key Takeaways

• Underscores collaboration between AI vendors and regulators for responsible AI practices
• Emphasizes the obligation of transparency between designers and suppliers
• Highlights that AI obligations are dynamic and harmonization, especially in codes of practice, is important.
• Links penalties to the level of risk in AI systems