Compliance & Responsible AI Fall 2024

Questions and Answers

Who negotiates the Codes that are approved by the European AI Bureau?

Independent experts

National authorities

The public

Stakeholders (correct)

What is the purpose of the CE marking for high-risk systems?

To indicate compliance with GDPR

To ensure it is visible, legible, and indelible (correct)

To provide a certificate of registration

To show general validity within the EU

How long must automatically generated logs be retained when possible?

1 year

6 months (correct)

5 years

10 years

What is one of the immediate corrective actions required for high-risk systems?

The withdrawal or deactivation of the system

What is the maximum penalty for non-compliance according to the outlined obligations?

€15M or 3% of total turnover

What is a requirement under GDPR for processing biometric data?

Obtain user consent before processing

In the context of generative AI, which statement is true regarding the manipulation of content?

Disclosure must occur unless there is human review or editorial control

What obligation does generative AI have when creating content that resembles real people or events?

Inform the public about the artificial generation of content

What is a crucial measure to address identified risks in high-risk AI systems?

Appropriate and targeted risk management measures

Which of the following is NOT a condition for processing biometric data under GDPR?

Adhering to requested privacy settings

What is essential for ensuring the quality of training data in AI systems?

Best practices and relevant unbiased datasets

What must be true for generated content not to require a disclosure statement?

The content underwent human review or editorial control

What aspect of AI systems requires human supervision to minimize risks?

Integrated human-machine interfaces

How can AI systems demonstrate compliance with obligations until harmonized standards are established?

By relying on codes of good practice

Which of the following AI systems is still classified as high risk, regardless of compliance exceptions?

AI systems carrying out profiling

Which element is NOT included in the quality management system for high-risk AI systems?

Marketing strategies

What must stakeholders expect from the Commission regarding compliance guidelines?

Guidelines and concrete examples within 18 months of entry into force

What is necessary for maintaining accuracy, robustness, and security in AI systems?

Constant cybersecurity measures

What types of technical means are necessary for the integration of general-purpose AI models into AI systems?

Operating instructions and evaluation strategies

Which of the following is included in the design specifications and training process of AI models?

Key design choices and rationale

What aspect of model training is relevant to understanding its efficiency?

Estimated energy consumption and training time

What is a critical component of evaluation strategies for AI models?

Publicly available evaluation protocols

What type of testing might be included for internal and external evaluations of AI models?

Adversarial testing, such as red teaming

What responsibility does the AI Office have regarding the transparency of AI systems with limited risk?

Developing codes of good practice

What should be measured as part of evaluating AI model limitations?

Evaluation criteria and measures

Which method is NOT associated with the training and evaluation of AI models?

Identifying user needs and preferences

What is the amount of penalty for prohibited practices?

€35M

Which of the following factors influences the penalties imposed?

Nature and severity of the violation

What is the penalty for inaccurate, incomplete, or misleading information?

€7.5M

What is emphasized as critical in the relationship between AI vendors and regulators?

Collaboration for compliance and responsible innovation

How does the level of risk relate to obligations and penalties?

Higher risk leads to greater obligations and heavier penalties

What is the main purpose of general-purpose AI models?

To exhibit significant generality across various tasks

What does the risk-based approach to AI systems involve?

Classifying AI systems into levels based on potential harm

What is NOT included in the definition of an AI system?

Generating outputs that do not influence environments

Which authority is NOT mentioned as part of the framework for AI regulation?

National Security Agency

What is a primary function of the EU's AI Office?

To assess methodologies and monitor AI regulations

What distinguishes high-risk AI systems?

They are subject to more stringent compliance obligations.

When is the entry into force date of the AI Regulation?

August 1, 2024

What is excluded from the category of general-purpose AI models?

Models used for research and development before commercialization

What is a significant concern that the European Union aims to address with its AI legislation?

Safety and liability implications of AI

How many months after the entry into force does the general-purpose AI obligation take effect?

12 months

What is the aim of the European Regulation on AI?

To enhance trust and excellence in AI technologies

Who oversees the national regulatory sandbox according to the framework?

National supervisory authorities

What is meant by 'prohibited practices' in relation to AI systems?

Certain AI applications deemed too risky

What does the term 'supervisory authorities' refer to in the context of AI regulation?

Government entities responsible for compliance and monitoring

Study Notes

Compliance & Responsible AI

• Presented by Dr. Nathalie Devillier
• Fall 2024 session
• Focuses on the compliance of AI systems

Course Presentation

• Covers context and benchmarks
• Explores risk-based approach and prohibited systems
• Outlines compliance obligations for high-risk systems
• Discusses transparency of AI systems with limited risk

Context and Benchmarks

• Examines AI legislation globally
• Presents the European Union's Lawfare Strategy
• Details the European Regulation on AI, including its timeline
• Discusses supervisory authorities and definitions of AI systems and models

AI Legislation Around the World

• Presents a global tracker map
• Illustrates jurisdictions in focus (e.g., Australia, Brazil, Canada)

European Union's Lawfare Strategy

• Provides a timeline, including key dates for statements on AI and robotics; digital services regulation; digital markets regulation; regulation on digital resilience (end of trialogue); artificial intelligence; and others

Application Timeline

• Shows phased implementation for AI regulation
• Introduces various deadlines concerning prohibited practices and all obligations

Supervisory Authorities

• Highlights the role of member states (France is not yet designated) in applying AI regulation
• Outlines oversight of national regulatory sandboxes
• Mentions controls and sanctions
• Describes the EU perspective on the Al Office, methodologies for assessment and monitoring, national authorities' role, and the development of the Al Committee

Definitions and Categories

• Details general purpose AI model (Art. 3(63)) and AI system (Art. 3(1)) definitions
• Explains systemic risk model (Art. 2(65)) 
• Explains risk-based approach in 4 levels

AI Systems

• Defines AI systems as automated systems designed for varying autonomy levels
• Explicit or implicit inputs determine outputs like predictions, content, recommendations, or decisions influencing physical or virtual environments

General Purpose AI Models

• Defines general purpose AI models trained with large datasets, using large-scale self-supervision and exhibiting wide task generality
• Excludes systems used for research, development, or prototyping before commercial launch

Systemic Risk

• Defines systemic risk as high-impact capabilities of general-purpose AI models, significantly impacting the Union market due to their scale or potential for foreseeable negative consequences in public health, safety, public security, fundamental rights or society

The Risk Approach

• Links risk levels to practical applications & legal obligations
• Categorizes risk levels from unacceptable (forbidden actions) to minimal (no or almost no obligations)

Risk-based Approach: AI Systems - EU Artificial Intelligence Act

• Classifies risk levels with examples: unacceptable (social scoring, manipulation), high risk, limited risk, minimal risk
• Relates risks to prohibited, conformity assessment, transparency obligations, and no obligation categories

Prohibited AI Practices

• Outlines practices prohibited in AI systems (e.g., subliminal techniques, exploitation of vulnerabilities, risk assessments for predicting offenses, real-time biometric identification in public places, database expansion via non-targeted harvesting of data)
• Includes limitations for workplace or educational settings (except for safety/medical reasons)

Subliminal or Intentionally Deceptive Techniques

• Describes the meaning of subliminal and intentional deceptive techniques
• Explains the objective effect (material alteration of behavior) and result (decision-making impairment), with potential harm to individuals

Exploitation of Vulnerabilities

• Explains how AI systems exploit vulnerabilities due to age, health, or economic standing
• Focuses on activities aiming to alter target behavior or causing significant harm

Rating People Based on Social Behavior

• Explains how systems evaluate or classify individuals based on characteristics using a social score
• Highlights potential for less favorable or unfavorable treatment which might be unjustified or disproportionate for the original data

Compliance Obligations: High-Risk AI Systems

• Lists management systems for high-risk AI, including data and data governance, technical documentation, traceability, human oversight, accuracy & robustness, and security plus quality management
• Explains that appropriate and targeted measures need to address the identified risks

Exceptions

• Identifies situations where AI systems, such as those with specific tasks, may not pose significant risk of harm to individual safety.
• States that Annex III systems performing profiling still fall within the high-risk category.

Presumption of Conformity

• Describes the possibility of harmonized EU standards to demonstrate compliance
• Highlights the use of codes of good practice

Supplier Obligations

• Enlists requirements for suppliers of high-risk AI systems, including declaration of conformity, CE marking, registration, logs, corrective actions, cooperation with authorities, information provision, and potential penalties

Models and Open Source

• Explains differences between basic and systemic risk models, particularly documentation requirements: copyright and training datasets for open-source; technical documentation for others

Obligation: Technical Documentation

• Emphasizes the need to provide clear documentation concerning models (training, testing, evaluation results)
• Explains obligations of Al providers integrating models, intellectual property policy, and summary of training content
• Outlines cooperation with the Commission, European AI Office, and national authorities for compliance

Technical Documentation: General Description

• Covers essential elements like tasks, acceptable use policies, release dates, architecture, modality, and model licenses

Technical Documentation: Detailed Description

• Outlines detailed technical requirements based on means, design specifications, training process, and information concerning data usage, resources, training times, operations, and estimations of energy consumption and other relevant details

Additional Information

• Outlines evaluations and adversarial testing processes
• Explains system architecture and how components interact.

Transparency of AI Systems with Limited Risk

• Describes the Al Office's focus on developing codes of good practice for transparency
• Presents examples of case studies (emotion recognition/biometric categorization and generative AI) as specific issues needing attention

Case 1: Emotion Recognition or Biometric Categorization

• Discusses obligations arising from the GDPR for transparency regarding emotion recognition and biometric data processing, such as user consent and data processing conditions.

Case 2: Generative AI

• Highlights obligations pertaining to the disclosure of artificially generated or manipulated content
• Includes measures for transparency, human review, or legal person control

Sanctions

• Lists financial penalties for various violations related to prohibited practices, shortcomings in information accuracy, and moderation practices for SMEs

Conclusion - Key Takeaways

• Underscores collaboration between AI vendors and regulators for responsible AI practices
• Emphasizes the obligation of transparency between designers and suppliers
• Highlights that AI obligations are dynamic and harmonization, especially in codes of practice, is important.
• Links penalties to the level of risk in AI systems

Description

Explore the critical aspects of compliance in AI systems with Dr. Nathalie Devillier. This course covers global AI legislation, risk-based approaches, and the European Union's Lawfare Strategy, focusing on compliance obligations for high-risk AI systems. Understand transparency requirements and benchmarks in the evolving landscape of AI regulations.